
Phantom Stealer

Phantom Stealer is a commercially sold .NET-based information stealer, also described as part of the Phantom Project malware-as-a-service kit that bundles an infostealer with a crypter and a RAT. Multiple sources in the content state it is derived from the open-source Stealerium codebase, with reported code overlap with Stealerium and Warp Stealer. It has been marketed via phantomsoftwares.site and the Telegram handle @Oldphantomoftheopera, and some reporting refers to versions including Phantom Stealer v3.5/v3.5.0.

Observed delivery vectors are primarily phishing-based. Campaigns described in the content used archive attachments containing ISO or IMG disk images, malicious executables, obfuscated JavaScript or VBS droppers, ZIP archives, fake payment confirmations, adult-content and payment-themed lures, fake Adobe installer themes, and DLL sideloading chains. Specific infection chains included JavaScript-to-PowerShell loaders, steganographically hidden payloads in image files, reflective .NET loading, AutoIt droppers, and XLoader-assisted delivery. Process injection or hollowing into legitimate Windows binaries was repeatedly reported, including MSBuild.exe, RegAsm.exe, aspnet_compiler.exe, msiexec.exe, and AddInProcess32.exe.

Capabilities consistently described in the content include theft of browser credentials, cookies, session tokens, credit card data, Discord tokens, Telegram artifacts, email and messaging data, Wi-Fi credentials, VPN/FTP credentials, clipboard contents, screenshots, keystrokes, and file grabbing. It also targets cryptocurrency data, including browser-extension wallets and desktop wallet applications. Reported exfiltration channels include Telegram, Discord webhooks, SMTP, FTP, Zulip, and GoFile, and some analyses state stolen data is archived into a password-protected ZIP before exfiltration.

Behavior and evasion features mentioned in the content include optional persistence via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and RunOnce registry keys, scheduled tasks, VBS launchers in AppData, file copies in AppData or Temp, Windows Defender exclusions, VM/sandbox detection, CIS locale checks, anti-analysis logic, and, in one report, self-deletion when an analysis environment is detected. One analysis also reported monitoring of the injected host process and repeated relaunch behavior.

Campaign targeting in the content spans multiple regions and sectors. Group-IB-linked reporting described multi-wave phishing operations between November 2025 and January 2026 against manufacturing, technology, logistics, and industrial organizations in Europe. Seqrite and other reporting described Operation MoneyMount-ISO targeting Russian finance, accounting, treasury, procurement, legal, payroll, and related Russian-speaking organizations using ISO-based phishing. Additional reporting noted malspam activity affecting Italy and broader targeting of retail, construction, industrial, and IT sectors.

High-confidence infrastructure and identifiers directly mentioned in the content include phantomsoftwares.site, Telegram contact @Oldphantomoftheopera / t.me/Oldphantomoftheopera, and IP address 199.188.201.183. Sample and payload hashes explicitly tied to Phantom Stealer delivery or payload stages in the content include 129ad6e221e949303456a7b3cf381d9f1b1e97b203c689b9b1205d4d37693b28, 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447, 481fd4fefa706e606cfc368c68f1ef313f07c6e2849a26d7c94f7c8433884a1b, and 7eb8ae8f1216a377da6ccd0cee0b21f2700e9bbc46ae3ebfa876e70296aa4539.


MITRE ATT&CK

Techniques & procedures

31 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

2 techniques

T1566 Phishing (Evidence: 1)

Group-IB recorded a sustained phishing campaign between November 2025 and January 2026... Two main delivery vectors: ISO images... JavaScript/VBS droppers.

T1566.001 Spearphishing Attachment (Evidence: 1)

The phishing email contains an archive (.rar) with an ISO/IMG image inside. When the ISO is opened on Windows, the system automatically mounts it as a virtual CD drive. Inside is an executable file disguised as a document.

Execution

6 techniques

T1053 Scheduled Task/Job (Evidence: 1)

After launch, Phantom Stealer uses several persistence mechanisms simultaneously: ... Creating a task in the Windows Task Scheduler

T1059.001 PowerShell (Evidence: 3)

Further, the DLL makes sure the current directory is not “C:\Windows\System32” or “C:\Windows\SysWOW64”, then executes the PowerShell and kills the 3 processes below.

T1059.005 Visual Basic (Evidence: 2)

JavaScript/VBS droppers. The archive contains an obfuscated script that launches a multi-stage download chain.

T1059.007 JavaScript (Evidence: 2)

JavaScript/VBS droppers. The archive contains an obfuscated script that launches a multi-stage download chain.

T1127.001 MSBuild (Evidence: 1)

...in most cases the target is MSBuild.exe from the .NET Framework directories - abuse of a trusted developer utility (T1127.001).

T1204 User Execution (Evidence: 1)

Inside is an executable file disguised as a document... One double-click and the malware is running.

Persistence

2 techniques

T1053 Scheduled Task/Job (Evidence: 1)

After launch, Phantom Stealer uses several persistence mechanisms simultaneously: ... Creating a task in the Windows Task Scheduler

T1547.001 Registry Run Keys / Startup Folder (Evidence: 2)

Writing to the Run registry key for autostart (T1547.001, Registry Run Keys / Startup Folder).

Privilege Escalation

4 techniques

T1053 Scheduled Task/Job (Evidence: 1)

After launch, Phantom Stealer uses several persistence mechanisms simultaneously: ... Creating a task in the Windows Task Scheduler

T1055 Process Injection (Evidence: 2)

After that, the DLL downloads the actual payload from the URL passed as an argument to the DLL, replaces “Dtre” with “/d” or “Dgtre” with “+”, and injects the executable into the RegAsm.exe process upon execution.

T1055.012 Process Hollowing (Evidence: 1)

The payload is injected via process hollowing (T1055.012) into a legitimate process. According to Unit 42's observations, in most cases the target is MSBuild.exe.

T1547.001 Registry Run Keys / Startup Folder (Evidence: 2)

Writing to the Run registry key for autostart (T1547.001, Registry Run Keys / Startup Folder).

Stealth

8 techniques

T1027.002 Software Packing (Evidence: 1)

Crypter - an obfuscator for evading antivirus engines (T1027.002, Software Packing).

T1055 Process Injection (Evidence: 2)

After that, the DLL downloads the actual payload from the URL passed as an argument to the DLL, replaces “Dtre” with “/d” or “Dgtre” with “+”, and injects the executable into the RegAsm.exe process upon execution.

T1055.012 Process Hollowing (Evidence: 1)

The payload is injected via process hollowing (T1055.012) into a legitimate process. According to Unit 42's observations, in most cases the target is MSBuild.exe.

T1070.004 File Deletion (Evidence: 3)

then executes the PowerShell and kills the 3 processes below: RegAsm.exe, Vbc.exe, MsBuild.exe

T1127.001 MSBuild (Evidence: 1)

...in most cases the target is MSBuild.exe from the .NET Framework directories - abuse of a trusted developer utility (T1127.001).

T1497 Virtualization/Sandbox Evasion (Evidence: 2)

The loader (C#) does three things: it checks the environment for a virtual machine... if a VM is detected, execution may be aborted or modified... Anti-analysis includes checking the environment for antivirus products, virtual machines, and sandboxes.

T1497.001 System Checks (Evidence: 3)

A separate mechanism is the CIS check... it compares the values against a hardcoded list of LCID/LANGID values for CIS countries. On a match, execution stops.

T1620 Reflective Code Loading (Evidence: 1)

Framework PowerShell .NET reflection ([System.Reflection.Assembly]::Load())

Credential Access

5 techniques

T1056.001 Keylogging (Evidence: 1)

Surveillance module: ... keystroke capture (T1056.001, Keylogging).

T1528 Steal Application Access Token (Evidence: 1)

Discord tokens are extracted from local storage LevelDB files and validated against https://discord.com/api/v9/users/@me.

T1539 Steal Web Session Cookie (Evidence: 1)

Browser credential harvesting. It reads Login Data (SQLite), Cookies (SQLite), and Web Data from all Chromium user profiles.

T1555 Credentials from Password Stores (Evidence: 1)

Notably, it bypasses Chrome v127+ App-Bound Encryption by extracting app_bound_encrypted_key, and falls back to DPAPI-protected master keys for older Chrome versions.

T1555.003 Credentials from Web Browsers (Evidence: 2)

Browser data (T1555.003, Credentials from Web Browsers): saved passwords from dozens of browsers, cookies and session tokens, autofill data, payment card information.

Discovery

6 techniques

T1012 Query Registry (Evidence: 1)

T1012 Query Registry: Telegram, Outlook, WinSCP, crypto wallet registry queries

T1016 System Network Configuration Discovery (Evidence: 1)

WiFi passwords: executes netsh wlan show profile name="<SSID>" key=clear for each saved network.

T1057 Process Discovery (Evidence: 3)

Further, it checks every 60 seconds whether RegAsm.exe is running or not, and if there is an error it will run the previously mentioned VBS script.

T1083 File and Directory Discovery (Evidence: 2)

T1083 File and Directory Discovery: browser/wallet directory enumeration

T1497 Virtualization/Sandbox Evasion (Evidence: 2)

The loader (C#) does three things: it checks the environment for a virtual machine... if a VM is detected, execution may be aborted or modified... Anti-analysis includes checking the environment for antivirus products, virtual machines, and sandboxes.

T1497.001 System Checks (Evidence: 3)

A separate mechanism is the CIS check... it compares the values against a hardcoded list of LCID/LANGID values for CIS countries. On a match, execution stops.

Collection

3 techniques

T1056.001 Keylogging (Evidence: 1)

Surveillance module: ... keystroke capture (T1056.001, Keylogging).

T1113 Screen Capture (Evidence: 2)

Surveillance module: screenshots (T1113, Screen Capture).

T1560.001 Archive via Utility (Evidence: 1)

All stolen data is archived as a password-protected ZIP file.

Command and Control

2 techniques

T1105 Ingress Tool Transfer (Evidence: 2)

After that, the DLL downloads the actual payload from the URL passed as an argument to the DLL... The final payload is stored as a “wrffite.bat” file at the “C:\Users\<Username>\AppData\Local\Temp” path.

T1219 Remote Access Tools (Evidence: 1)

RAT - remote access module for post-exploitation (T1219, Remote Access Tools).

Exfiltration

1 technique

T1041 Exfiltration Over C2 Channel (Evidence: 3)

Exfiltration channels (T1041, Exfiltration Over C2 Channel): Telegram bot... Discord webhook, SMTP, Zulip... and GoFile.

Other

1 technique

T1562.001 Disable or Modify Tools (Evidence: 1)

Adding an exclusion for itself in Windows Defender via PowerShell (Add-MpPreference -ExclusionPath)
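As an added defender-side example (not code from the original page or from any vendor report), the Python below turns several of the behaviours listed above into detection rules and runs them over a few constructed process-creation events. The event field names, the sample values and the "script host spawns a .NET utility" heuristic are assumptions.

```python
import re
# Binaries the reporting on this family names as injection or hollowing hosts.
INJECTION_HOSTS = {"msbuild.exe", "regasm.exe", "aspnet_compiler.exe", "msiexec.exe", "addinprocess32.exe"}
# Parents from which those .NET utilities are not normally launched (assumed heuristic).
SCRIPT_PARENTS = {"wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe"}
# Command-line patterns for behaviours the ATT&CK evidence above describes.
RULES = [
    ("T1562.001", "Defender exclusion added via Add-MpPreference",
     re.compile(r"add-mppreference\s+.*-exclusionpath", re.I)),
    ("T1016", "saved Wi-Fi profile dumped with key=clear",
     re.compile(r"netsh\s+wlan\s+show\s+profile.*key\s*=\s*clear", re.I)),
    ("T1547.001", "Run/RunOnce key written from the command line",
     re.compile(r"reg(?:\.exe)?\s+add\s+.*\\currentversion\\run(?:once)?\b", re.I)),
    ("T1053", "scheduled task created with schtasks",
     re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I)),
]

def basename(path):
    # Lower-cased file name of a Windows path.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(event):
    """Return [(technique, reason), ...] for one process-creation event."""
    cmd = event.get("command_line", "")
    hits = [(tech, why) for tech, why, rx in RULES if rx.search(cmd)]
    image, parent = basename(event.get("image", "")), basename(event.get("parent_image", ""))
    # A .NET utility spawned by a script host matches the hollowing pattern, not a developer build.
    if image in INJECTION_HOSTS and parent in SCRIPT_PARENTS:
        hits.append(("T1055.012", f"{image} spawned by script host {parent}"))
    return hits

def scan(events):
    # Flatten hits across a batch of events, tagged with the event's pid.
    return [(e["pid"], tech, why) for e in events for tech, why in check_event(e)]

# Constructed sample events shaped like Sysmon/EDR process-creation records (not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": r"powershell -w hidden -c Add-MpPreference -ExclusionPath 'C:\Users\alice\AppData\Roaming'"},
    {"pid": 4188, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "command_line": "MSBuild.exe"},
    {"pid": 4201, "image": r"C:\Windows\System32\netsh.exe",
     "parent_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "command_line": 'netsh wlan show profile name="HomeNet" key=clear'},
    {"pid": 5002, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\devenv.exe",
     "command_line": "MSBuild.exe app.csproj"},  # benign developer build: should not alert
]
```

Calling scan(SAMPLE_EVENTS) flags the first three events (T1562.001, T1055.012, T1016) and leaves the developer-launched MSBuild build alone.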

INDICATORS OF COMPROMISE

IOCs tracked for this family

17 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 6 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 8 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 3 tracked. Other indicator types observed in public reporting.
ACTIVITY FEED

Recent activity

22 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

codeby (News), Jun 9, 2026
Phantom Stealer MaaS - analysis of the Phantom Project infostealer

Commercial malware-as-a-service kit centered on a .NET infostealer that steals browser credentials, cookies, session tokens, payment data, messenger/email data, crypto-wallet data, screenshots, and keystrokes. It uses phishing delivery, multi-stage loaders, persistence, anti-analysis checks, and exfiltration via Telegram, Discord, SMTP, Zulip, and GoFile.

scworld (News), Apr 1, 2026
Report sheds more light on Phantom Stealer | brief | SC Media

A .NET-based stealer used in phishing campaigns to steal credentials, evade analysis, and exfiltrate data. It is offered as part of the Phantom Project cybercrime kit and is associated with identity-driven compromise.

breakglass intel (News), Mar 12, 2026
PhantomStealer: A Four-Stage .NET Infostealer Hidden Inside a 4.4 MB JavaScript File - Breakglass Intelligence

Commercially sold .NET infostealer delivered through a multi-stage JavaScript and PowerShell dropper chain, culminating in in-memory execution inside aspnet_compiler.exe. It steals browser credentials, cookies, session tokens, Discord and Telegram data, crypto wallet data, email and FTP client credentials, WiFi passwords, clipboard contents, and also includes keylogging, screenshot capture, optional persistence, file grabbing, and multiple exfiltration channels including Discord webhook, Telegram bot, FTP, and SMTP.

breakglass intel (News), Mar 12, 2026
PhantomStealer - Multi-Stage .NET Credential & Data Stealer - Breakglass Intelligence

Commercially sold .NET infostealer delivered through a multi-stage chain involving an obfuscated WSH JavaScript dropper, PowerShell loader, and DEV.DOWN injector. It steals browser credentials, cookies, session tokens, Discord and Telegram data, crypto wallets, email and FTP client data, WiFi passwords, clipboard contents, and also includes keylogging and screenshot capture. Exfiltration is performed via Discord webhook, Telegram bot, FTP, or SMTP.