Sophisticated malware employs a multi-stage infection chain and advanced evasion techniques to exfiltrate sensitive information.
Phantom, a sophisticated stealer malware variant, is conducting targeted attacks to harvest sensitive data from infected systems, including passwords, browser cookies, credit card information, and cryptocurrency wallet credentials.
Security researchers have identified Version 3.5 of the malware, which employs a complex multi-stage infection chain and advanced evasion techniques to bypass security controls and steal victims’ personally identifiable information.
The malware’s attack chain begins with a deceptive file masquerading as “Adobe 11.7.7 installer,” first observed on VirusTotal on October 29, 2025.
Upon execution, the obfuscated XML file containing embedded JavaScript initiates a sophisticated infection sequence.
The malware contacts a remote command server to download a PowerShell script (“floor.ps1”), which is executed with hidden attributes and PowerShell execution policy bypassed, circumventing user warnings and security prompts.
How Phantom Stealer Operates
The downloaded PowerShell script contains RC4-encrypted payloads that, when decrypted, reveal a malicious .NET assembly called “BLACKHAWK.dll.”
This injector DLL employs process injection techniques to load the actual stealer payload directly into the memory space of the legitimate Windows executable “Aspnet_compiler.exe.”
By leveraging .NET Common Language Runtime’s AppDomain isolation, Phantom evades traditional endpoint detection mechanisms that rely on file-based indicators.
The stealer component demonstrates extensive data exfiltration capabilities. It systematically harvests browser credentials, cookies, and autofill data from Chromium-based browsers including Chrome and Edge.
The malware extracts AES master keys used for browser data encryption, enabling decryption of stored passwords and payment information. Additionally, Phantom captures cryptocurrency wallet credentials, desktop wallet data, and Discord account information.
Beyond browser-based theft, Phantom implements comprehensive surveillance functionality. The malware features keylogging capabilities that capture user keystrokes while intelligently differentiating words by tracking space, tab, and return keys.
It harvests Wi-Fi credentials stored in system memory, steals Outlook email data with timestamps and computer identifiers, and captures system information including hardware details and network configuration.
Impact on Online Security
To evade security analysis and monitoring, Phantom employs multiple advanced evasion techniques.
The malware implements anti-analysis checks that verify execution environment by matching usernames against a hardcoded list of 112 known sandbox and analyst usernames, including both standard and lowercase variants.
Upon detection of analysis environment indicators, the malware triggers a self-destruct mechanism that terminates its process and deletes traces from the system.
Most critically, Phantom utilizes “Heaven’s Gate,” a sophisticated x86-to-x64 mode switching technique that enables the malware to execute 64-bit code and native syscalls directly from a 32-bit process.
This technique bypasses x86-specific user-mode hooks employed by security software, allowing Phantom to operate beneath the visibility of 32-bit monitoring tools.
The malware exfiltrates stolen data through multiple channels including SMTP, FTP, Telegram, and Discord. Hardcoded SMTP credentials, stored in base64-encoded format within the malware, enable direct email transmission of exfiltrated datasets.
The combination of automated data harvesting, multi-channel exfiltration, and advanced evasion makes Phantom a formidable threat to individual and enterprise users.
Security researchers recommend deploying reputable endpoint protection solutions, maintaining current operating system patches, and practicing cyber hygiene including verification of downloaded software authenticity.
Users should remain vigilant when downloading files from unfamiliar sources and consider utilizing sandbox environments for suspicious executables prior to execution on production systems.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.