PhantomNet
PhantomNet, also tracked as DOWNTOWN and in one source as SManager, is a remote access trojan/backdoor used in cyberespionage operations. Reported capabilities include collecting victim information, command-and-control (C2) communications, reading and writing files, and installing or loading additional plugins and payloads. It has been deployed via DLL sideloading and via trojanized software packages, including a supply-chain compromise of the Vietnam Government Certification Authority website in which post-compromise plugins were delivered through PhantomNet. Sophos observed multiple PhantomNet backdoor samples in the Crimson Palace intrusion set (sslwnd64.exe, oci.dll and nethood.exe), used for C2 communications and payload loading.

Public reporting links PhantomNet to Chinese state-aligned activity: Elastic associates DOWNTOWN/PhantomNet with the Chinese-nexus actor REF5961; Sophos reports overlaps between PhantomNet use and Cluster Alpha, which it assesses with high confidence to operate in support of Chinese state interests; other reporting attributes PhantomNet to TA428 and notes that Worok uses a shared espionage toolset that includes it. Reported targeting includes high-profile Southeast Asian government organizations and broader espionage-focused operations.
Groups observed using it
1 distinct threat actor (TA428) attributed by public researchers; the REF5961, Cluster Alpha and Worok links noted above are reported associations and overlaps rather than attributions.
PhantomNet (aka SManager, DOWNTOWN) is a simple backdoor, capable of collecting victim information and installing malicious plugins, that has previously been attributed to the Chinese APT TA428.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (1 technique)
The actor was then seen attempting a known DLL hijacking technique, phantom DLL sideloading. By placing the malicious oci.dll in a location read by the MSDTC service’s executable—a location the file does not usually occur in—the malicious code was called when the service was stopped and restarted
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (4 techniques)
The attacker created two DLLs (swprvs.dll and appmgmt.dll)... An ‘s’ was added to the filename of the legitimate swprv.dll and the ‘s’ was removed from the legitimate appmgmts.dll.
the HUI loader (msedge_elf.dll), which de-obfuscated the file log.ini to reveal a Cobalt Strike reflective Loader
the actor frequently abused endpoint protection software binaries to sideload their malicious payloads.
The actor was then seen attempting a known DLL hijacking technique, phantom DLL sideloading. By placing the malicious oci.dll in a location read by the MSDTC service’s executable—a location the file does not usually occur in—the malicious code was called when the service was stopped and restarted
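The two DLL tricks quoted above (msdtc.exe loading an oci.dll it normally never finds, under Execution, and the swprvs.dll/appmgmt.dll near-name masquerade, under Stealth) both surface in Sysmon image-load (Event ID 7) telemetry. The Python below is an added example, not code from Sophos or from this page: it runs both checks over a handful of constructed event records. The baseline DLL list and the assumption that no Oracle client (and so no legitimate oci.dll) exists on the hosts are this example's own; a real hunt would take the baseline from a clean-host inventory and the phantom-DLL list from the MSDTC configuration of the environment.

```python
"""
Hunt for the two DLL-abuse patterns in Sysmon image-load (Event ID 7) records:
  1. phantom DLL sideloading: msdtc.exe loading an oci.dll that should not exist
  2. masquerading: an unsigned DLL whose name is one edit away from a known one
Added example; the records and the baseline list are constructed.
"""
import ntpath

# Constructed Sysmon Event ID 7 records, reduced to the fields the hunt needs.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\oci.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\swprvs.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\appmgmt.dll", "Signed": "false"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\swprv.dll", "Signed": "true"},
    {"Image": r"C:\Windows\System32\msdtc.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
]

# Assumption: these hosts have no Oracle client, so msdtc.exe should never
# find an oci.dll to load; any such load is the phantom-DLL case.
PHANTOM_LOADS = {"msdtc.exe": {"oci.dll"}}

# Assumption: a hand-written baseline of legitimate DLL names.  A real hunt
# takes this from a clean-host inventory, not from a list this short.
BASELINE_DLLS = {"swprv.dll", "appmgmts.dll", "kernel32.dll", "ntdll.dll",
                 "advapi32.dll", "msvcrt.dll"}


def within_one_edit(a, b):
    """True if a and b differ by at most one insert, delete or substitution."""
    if a == b:
        return True
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) > len(b):
        a, b = b, a                      # a is now the shorter string
    i = j = edits = 0
    while i < len(a) and j < len(b):
        if a[i] == b[j]:
            i += 1
            j += 1
            continue
        edits += 1
        if edits > 1:
            return False
        if len(a) == len(b):             # substitution
            i += 1
            j += 1
        else:                            # extra character in the longer one
            j += 1
    edits += (len(a) - i) + (len(b) - j)
    return edits <= 1


def masqueraded_name(dll, baseline=BASELINE_DLLS):
    """Return the baseline DLL name that `dll` imitates, or None."""
    if dll in baseline:
        return None
    for legit in baseline:
        if within_one_edit(dll, legit):
            return legit
    return None


def hunt(events):
    """Run both checks; return one finding dict per match."""
    findings = []
    for ev in events:
        proc = ntpath.basename(ev["Image"]).lower()
        dll = ntpath.basename(ev["ImageLoaded"]).lower()
        if dll in PHANTOM_LOADS.get(proc, set()):
            findings.append({"rule": "phantom_dll_sideload",
                             "process": proc, "dll": ev["ImageLoaded"]})
        legit = masqueraded_name(dll)
        # A signed DLL with a near-miss name is most likely a real update.
        if legit and ev.get("Signed", "false").lower() != "true":
            findings.append({"rule": "masquerading_dll_name", "process": proc,
                             "dll": ev["ImageLoaded"], "imitates": legit})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

Because the masquerade rule fires on any unsigned DLL whose name is one edit away from a baseline name, it catches both directions of the trick quoted above (an 's' added to swprv.dll and an 's' removed from appmgmts.dll); the signature check is what keeps legitimate updates of the baseline DLLs quiet.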
Command and Control (2 techniques)
setDesktopMonitorHook function, which establishes communications with the domain cloud.keepasses[.]com ... PowHeartBeat backdoor ... connect to msudapis[.]info over port 443
the actor created a SOCKS proxy to be used by the Microsoft Distributed Transaction Coordinator (MSDTC) service
Exfiltration (1 technique)
Throughout the intrusion, the actor in Cluster Alpha leveraged the PhantomNet implants ... to establish C2 communications and load additional payloads... PowHeartBeat ... now known to be an exfiltration domain.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A simple backdoor used to establish C2 communications, collect victim information, and load additional plugins or payloads.
Component of a shared espionage toolset used in campaigns attributed to Worok.
RAT with plugin/command support; in newer activity, persistence changed to storing an encrypted payload in the Windows registry with a loader to retrieve it.
Backdoor used for persistent access/C2; referenced as DOWNTOWN by Elastic and observed in Cluster Alpha with overlaps to REF5961/TA428 reporting.
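The newer persistence noted in the third item above (an encrypted payload stored in the Windows registry and fetched by a loader) does not name a key or value, so the generic hunt is for registry values that look like ciphertext: large REG_BINARY blobs with near-maximal byte entropy. The Python below is an added example, not code from any of the tracked sources: it parses a regedit-style .reg export (constructed here, with a 4 KiB blob generated deterministically to stand in for an encrypted payload) and flags values above a size and entropy threshold. The thresholds, the sample hive and the value names are assumptions.

```python
"""
Hunt for encrypted-payload blobs parked in the registry by parsing a regedit
.reg export and scoring every hex (REG_BINARY-style) value by size and
Shannon entropy.  Added example; the export below is constructed.
"""
import hashlib
import math
import re
from collections import Counter

# Matches  "Name"=hex:aa,bb,...  and typed variants such as  "Name"=hex(3):...
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=hex(?:\([0-9a-fA-F]+\))?:(?P<data>.*)$')


def _decode_hex(csv_hex):
    """'aa,bb,cc' -> b'\\xaa\\xbb\\xcc' (tolerates a trailing comma)."""
    return bytes(int(tok, 16) for tok in csv_hex.split(",") if tok.strip())


def parse_reg_export(text):
    """Yield (key, value_name, data_bytes) for every hex value in the export.

    regedit ends each continued line of a long value with a backslash (after
    a trailing comma), so the pieces can simply be concatenated.
    """
    key, name, pieces = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if name is not None:                     # inside a continued value
            pieces.append(line.rstrip("\\").strip())
            if not line.endswith("\\"):
                yield key, name, _decode_hex("".join(pieces))
                name, pieces = None, []
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue                             # REG_SZ, dword, header...
        data = m.group("data")
        pieces = [data.rstrip("\\").strip()]
        if data.endswith("\\"):
            name = m.group("name")               # value continues on next line
        else:
            yield key, m.group("name"), _decode_hex(pieces[0])
            pieces = []


def shannon_entropy(data):
    """Bits per byte: 0.0 for constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def find_suspicious_values(reg_text, min_size=1024, min_entropy=7.0):
    """Return (key, name, size, entropy) for blobs that look like ciphertext."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        ent = shannon_entropy(data)
        if len(data) >= min_size and ent >= min_entropy:
            hits.append((key, name, len(data), round(ent, 3)))
    return hits


# ---- constructed sample export -------------------------------------------
def _deterministic_blob(size, seed=b"constructed-sample"):
    """Stand-in for an encrypted payload: a SHA-256 chain, high-entropy but
    reproducible (no real ciphertext or malware bytes involved)."""
    out, cur = b"", seed
    while len(out) < size:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return out[:size]


def _reg_hex_value(name, data, per_line=16):
    """Format bytes the way regedit writes a hex value, with continuations."""
    hexes = [f"{b:02x}" for b in data]
    lines = [",".join(hexes[i:i + per_line]) for i in range(0, len(hexes), per_line)]
    return f'"{name}"=hex:' + ",\\\n  ".join(lines)


SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\SOFTWARE\ExampleApp\Settings]",
    '"Theme"="dark"',
    '"Flags"=dword:00000001',
    _reg_hex_value("Icon", bytes(range(24))),            # small, low entropy
    "",
    r"[HKEY_CURRENT_USER\SOFTWARE\ExampleApp\Cache]",
    _reg_hex_value("Blob", _deterministic_blob(4096)),   # the suspect value
    "",
])

if __name__ == "__main__":
    for key, name, size, ent in find_suspicious_values(SAMPLE_REG):
        print(f"{key}\\{name}: {size} bytes, entropy {ent}")
```

regedit writes exports as UTF-16 with a byte-order mark, so read a real export with encoding="utf-16" before passing it in. Expect benign hits (cached certificates, compressed settings, key material): the output is a triage list, and the process that reads a flagged value is the pivot that confirms or clears it.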