Phantom
Phantom is an overloaded malware/spyware name used in multiple distinct contexts in the provided content. High-confidence reporting identifies one Phantom as an NSO Group mobile spyware product marketed to U.S. government agencies under the Westbridge brand and described as effectively the U.S. version of Pegasus, with the two tools otherwise identical. It was reportedly demonstrated to U.S. officials, designed to hack U.S. phone numbers under a special Israeli license, and considered by the FBI and other U.S. agencies including the CIA, DEA, U.S. Secret Service, and U.S. Africa Command. The content also identifies Phantom as an information stealer seen in criminal malware campaigns. This Phantom infostealer has been distributed via fake Adobe installers and disguised Adobe updates; a reported Phantom v3.5 variant uses SMTP to exfiltrate stolen data. Additional reporting states Phantom has been delivered by a malware loader, was tracked alongside Stealerium by Proofpoint, and was used in campaigns involving social engineering around software installers/updates. Separate mentions in the content also refer to Phantom as an Android malware family, including references to Android click-fraud activity and ad-fraud behavior in game-mod distributions, but the supplied material does not provide enough detail to confidently merge all of these references into a single malware family. Because the name is reused across unrelated tooling, attribution, capabilities, infection vectors, and victimology should be interpreted carefully by context rather than assumed to refer to one unified malware strain.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
Fortinet Secure Sockets Layer (SSL) VPN is vulnerable to unauthenticated directory traversal... Multiple malware campaigns have taken advantage of this vulnerability, the most notable being Cring ransomware (also known as Crypt3, Ghost, Phantom, and Vjszy1lo).
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
That spyware system, dubbed “Phantom,” was offered secretly to U.S. government agencies by the NSO Group... During a presentation to officials in Washington, the company demonstrated a new system, called Phantom, that could hack any number in the United States that the F.B.I. decided to target.
Techniques & procedures
7 distinct techniques documented for this family, organized by ATT&CK tactic.
Persistence
1 technique: inject and run a DLL inside the memory space of the w3wp.exe worker pool process.
Privilege Escalation
1 technique: ...uses reflective loading techniques to inject and run a DLL inside the memory space of the w3wp.exe worker pool process. | Phantom is a project created to perform loading and execution of .NET assemblies directly in memory within an IIS environment running in full-trust mode.
Stealth
3 techniques: "Standalone apps on Google Play... embed modules like Nova clicker"; "Google removed these after notification"
...uses reflective loading techniques to inject and run a DLL inside the memory space of the w3wp.exe worker pool process. | Phantom is a project created to perform loading and execution of .NET assemblies directly in memory within an IIS environment running in full-trust mode.
Phantom is a project created to perform loading and execution of .NET assemblies directly in memory within an IIS environment running in full-trust mode. Instead of relying on a file-based approach, it uses reflective loading techniques to inject and run a DLL inside the memory space of the w3wp.exe worker pool process.
Credential Access
2 techniques: Israel-based NSO Group develops Pegasus, a spyware that allows its government customers near-unfettered access to a victim’s device, including their personal data and their location.
Pegasus is a so-called zero-click hacking tool that can invade a target’s mobile phone and extract messages, photos, contacts, messages and video recordings.
Collection
2 techniques: Pegasus is a so-called zero-click hacking tool that can invade a target’s mobile phone and extract messages, photos, contacts, messages and video recordings.
IOCs tracked for this family
3 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
Other indicator types observed in public reporting.
Recent activity
9 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as one of 17 Android malware families detected in the wild over four months.
Android click-fraud trojan family using TensorFlow.js to detect/interact with ad elements in a hidden WebView; includes a WebRTC-based mode to stream the virtual browser screen to attackers for interactive control; distributed via mobile games in Xiaomi GetApps and other third-party stores.
Phantom is an information stealer malware delivered by loaders such as BlackHawk, used to exfiltrate sensitive data from infected systems.
Information stealer malware distributed via fake Adobe installers.