PhantomVAI Custom Loader Abuses RunPE Utility to Launch Stealthy Attacks on Users


A new threat called PhantomVAI has surfaced: a custom “loader” used to launch cyberattacks worldwide. A loader is a type of malicious software designed to secretly download and start other dangerous programs on a victim’s computer. What makes PhantomVAI notable is that it is built on top of an old, publicly available tool called “RunPE”.

This loader has been seen in many different attack campaigns, delivering various types of malware that steal information or take control of computers.

The core technology behind PhantomVAI is a utility named “Mandark”. This tool was originally created and shared years ago by a user named “gigajew” on HackForums, a popular website for hackers.

Mandark uses a technique called “process hollowing.” This allows the malware to hide itself inside a legitimate, safe-looking program running on Windows.


Thread advertising the RunPE utility on turkhackteam (Source : intrinsec).

By using this old code, the attackers created PhantomVAI to inject their malicious payloads into trusted processes.

This makes it much harder for security software to spot the attack because it looks like a normal program is running.

The researchers named it “PhantomVAI” because it uses a unique custom method called “VAI” in its code and “Phantom” refers to its sneaky hiding technique.

Worldwide Attacks and “Loader-as-a-Service”

In fact, the namespace to load x64 payloads we encountered follows the same structure as the Mandark utility.


Searches revealed that this repository is the original project: https://github.com/decay88/Mandark/ (Source : intrinsec).

PhantomVAI is not just used by one person. Evidence suggests it is being sold or rented out as a service, known as “Loader-as-a-Service”. This means different cybercriminals can pay to use PhantomVAI to distribute their own malware.

It has been used to deliver many dangerous threats, including:

  • Remcos and AsyncRAT: Tools that let attackers control a victim’s computer remotely.
  • XWorm and DarkCloud: Malware designed to steal data.
  • SmokeLoader and Lokibot: Programs that download even more malware or steal passwords.

These attacks are happening globally, targeting users with a wide variety of phishing emails to trick them into downloading the loader.

Inside a sample of the loader, the Mandark utility is called at the end of the “VAI” method as x64.Load() with three parameters: array3, text2, args.

Parameters passed to Mandark (Source : intrinsec).

The payload buffer (array3) corresponds to the downloaded content, which is the final payload to be injected and executed.

Disguises and Portuguese Roots

To avoid detection, PhantomVAI tries to look like a harmless file. It often disguises itself as a legitimate file named Microsoft.Win32.TaskScheduler.dll, which is actually a real tool used by developers. It also masquerades as popular software like AnyDesk.

As explained earlier, instances of the loader masquerade as a legitimate tool named “Microsoft Windows Task Scheduler”, created by the GitHub user Dahall.

Abuse of Dahall’s project notified on GitHub (Source : intrinsec).

Interestingly, the code inside PhantomVAI contains several words in Portuguese, such as caminhovbs, nativo, and nomenativo.

This suggests that the person who developed this loader might be from Portugal or Brazil. The loader also includes a “VMDetector” feature, which checks whether it is running in a virtual machine or analysis environment (the kind used by researchers) and stops running to avoid being analyzed.
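The identifier names reported above (the “VAI” method, the “VMDetector” check and the Portuguese names caminhovbs, nativo and nomenativo) give a defender something concrete to triage on. The following script is an added example, not code from the article or from Intrinsec: it scans a file for those names and notes whether the file borrows the Microsoft.Win32.TaskScheduler.dll name the loader hides behind. It assumes the sample is an unobfuscated .NET assembly, so method and variable names survive as NUL-terminated UTF-8 entries in the metadata string heap; the three-marker threshold is a choice made for this example.

```python
"""Triage helper for the PhantomVAI indicators described in this article.

Assumption (not from the article): the sample is not obfuscated, so the
identifiers survive as plain UTF-8 strings in the .NET #Strings heap, where
each name is terminated by a NUL byte.
"""
import re
from pathlib import Path

# Identifier names the article attributes to PhantomVAI, matched as whole
# tokens so that "nativo" does not fire on the inside of "nomenativo".
MARKERS = ("VAI", "VMDetector", "caminhovbs", "nativo", "nomenativo")
_TOKEN = re.compile(
    rb"(?<![A-Za-z0-9_])("
    + b"|".join(re.escape(m.encode()) for m in MARKERS)
    + rb")(?![A-Za-z0-9_])"
)

# File name the loader impersonates (Dahall's TaskScheduler library).
MASQUERADE_NAME = "microsoft.win32.taskscheduler.dll"
MIN_MARKERS = 3  # threshold chosen for this example, not stated in the article


def scan_bytes(data: bytes, filename: str = "") -> dict:
    """Return the PhantomVAI markers present in `data` and a verdict."""
    found = sorted({m.group(1).decode() for m in _TOKEN.finditer(data)})
    masquerading = Path(filename).name.lower() == MASQUERADE_NAME
    suspicious = len(found) >= MIN_MARKERS
    return {
        "markers": found,
        # Borrowing the name alone is not evidence: the genuine library exists.
        "masquerading_as_taskscheduler": masquerading,
        "suspicious": suspicious,
        "verdict": "likely PhantomVAI" if suspicious else "no match",
    }


def scan_file(path: str) -> dict:
    """Scan a file on disk, using its own name for the masquerade check."""
    return scan_bytes(Path(path).read_bytes(), path)


if __name__ == "__main__":
    # Constructed stand-in for a metadata string heap; not a real sample.
    fake_heap = b"\x00Load\x00VAI\x00VMDetector\x00caminhovbs\x00nomenativo\x00nativo\x00"
    print(scan_bytes(fake_heap, "Microsoft.Win32.TaskScheduler.dll"))
    # A benign build of the real library: same name, none of the markers.
    print(scan_bytes(b"\x00TaskService\x00Trigger\x00", "Microsoft.Win32.TaskScheduler.dll"))
```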
