Malware

PhantomVAI Loader

PhantomVAI Loader is a .NET/C# malware loader tracked by Palo Alto Networks Unit 42 and also referred to in the provided content as the Katz Stealer Loader. It has been distributed in phishing campaigns, including shipment-themed lures, and is used to deliver multiple follow-on payloads such as AsyncRAT, XWorm, Formbook, DCRat, stealers, and specifically Katz Stealer. Reported infection chains use phishing emails carrying archives with ISO or IMG disk images or obfuscated JavaScript/VBS droppers; the first stage contains a Base64-encoded PowerShell script, which then downloads a GIF or image file containing a hidden Base64-encoded DLL payload via steganography. One reported sample used the markers "<<sudo_png>>" and "<<sudo_odt>>" to delimit hidden payload data inside an image. The loader performs anti-analysis checks including VM detection, establishes persistence, and loads the final payload. It has been reported to inject payloads through process hollowing into legitimate processes, most commonly MSBuild.exe from .NET Framework directories. The use of steganography in images and injection of Katz Stealer were specifically highlighted as techniques to evade sandbox analysis.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique

T1566PhishingEvidence1

Group-IB зафиксировала устойчивую фишинговую кампанию между ноябрём 2025 и январём 2026 года... Два основных вектора доставки: ISO-образы... JavaScript/VBS-дропперы.

Execution

5 techniques

T1059.001PowerShellEvidence1

Этап 1. Обфусцированный JavaScript/VBS содержит Base64-кодированный PowerShell-скрипт, который исполняется для загрузки следующей стадии.

T1059.005Visual BasicEvidence1

JavaScript/VBS-дропперы. Архив содержит обфусцированный скрипт, который запускает многоступенчатую цепочку загрузки.

T1059.007JavaScriptEvidence1

T1127.001MSBuildEvidence1

...в большинстве случаев целью служит MSBuild.exe из каталогов .NET Framework - злоупотребление доверенной утилитой разработчика (T1127.001).

T1204User ExecutionEvidence1

Внутри - исполняемый файл, замаскированный под документ... Двойной клик - и малварь запущена.

Privilege Escalation

2 techniques

T1055Process InjectionEvidence1

"...Uses Steganography in Images to Inject Katz Stealer..."

T1055.012Process HollowingEvidence1

Инъекция payload - через process hollowing (T1055.012) в легитимный процесс. По наблюдениям Unit 42, в большинстве случаев целью служит MSBuild.exe.

Stealth

5 techniques

T1027.003SteganographyEvidence2

PowerShell скачивает GIF или изображение, внутри которого скрыт payload методом стеганографии... это Base64-закодированная DLL.

T1055Process InjectionEvidence1

"...Uses Steganography in Images to Inject Katz Stealer..."

T1055.012Process HollowingEvidence1

T1127.001MSBuildEvidence1

T1497Virtualization/Sandbox EvasionEvidence2

Лоадер (C#) делает три вещи: проверяет окружение на виртуальную машину... если VM обнаружена, выполнение может прерываться или модифицироваться... Антианализ включает проверку окружения на наличие антивирусных продуктов, виртуальных машин и песочниц.

Discovery

1 technique

T1497Virtualization/Sandbox EvasionEvidence2

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

codebyNews

Jun 9, 2026

Phantom Stealer MaaS - разбор инфостилера Phantom Project

Related .NET loader used in phishing campaigns to deliver stealer payloads through a multi-stage chain involving obfuscated scripts, PowerShell, steganography, environment checks, persistence, and final payload injection via process hollowing.

risky biz rssNews

Oct 16, 2025

Risky Bulletin: F5 says an APT stole source code, vulnerability reports

Phishing-delivered loader used to deploy follow-on payloads including RATs and information stealers; originally used to deliver Katz Stealer.

security online infoNews

Oct 16, 2025

Stealth Stealer: PhantomVAI Loader Uses Steganography in Images to Inject Katz Stealer and Evade Sandboxes

A loader reported to use image steganography to inject a secondary payload (Katz Stealer) and evade sandbox analysis.

the hacker newsNews

Oct 16, 2025

ThreatsDay Bulletin: $15B Crypto Bust, Satellite Spying, Billion-Dollar Smishing, Android RATs & More

Malware loader distributed via phishing, delivers stealers and RATs, uses VM checks, persistence, and process hollowing.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping10

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.