A sophisticated multi-stage malware campaign is targeting organizations globally, utilizing the PhantomVAI Loader to distribute dangerous information-stealing malware.
The attack chain, which begins with carefully crafted phishing emails, has emerged as a significant threat to businesses across manufacturing, education, healthcare, technology, utilities, and government sectors.
This malware family, previously known as Katz Stealer Loader, has evolved to deliver multiple infostealer variants including AsyncRAT, XWorm, FormBook, and DCRat, making it a versatile tool in the cybercriminal arsenal.
The infection begins when unsuspecting users receive phishing emails containing malicious attachments disguised as legitimate business communications.
These emails employ social engineering themes such as sales inquiries, payment notifications, and legal matters to lure victims into opening archived JavaScript or VBS files.
What makes these attacks particularly insidious is the use of homograph attacks, where threat actors replace Latin characters with visually similar Unicode characters, effectively bypassing email security filters.
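A defender-side check for the homograph trick described above, added here as an example and not taken from the campaign or the Palo Alto Networks report: it flags attachment filenames in which a single word mixes Latin letters with letters from another script (for example a Cyrillic "а" in place of a Latin "a"), while letting legitimately accented Latin names through. The sample filenames are constructed.

```python
import re
import unicodedata
from typing import Optional

# Constructed sample attachment names (not real indicators).
# The second and third contain Cyrillic letters standing in for Latin ones.
SAMPLE_ATTACHMENTS = [
    "Invoice_Payment.js",
    "S\u0430les_Inquiry.zip",   # U+0430 CYRILLIC SMALL LETTER A
    "Legal_N\u043etice.vbs",    # U+043E CYRILLIC SMALL LETTER O
    "Rechnung_M\u00e4rz.pdf",   # U+00E4 is Latin: a legitimate accented name
]


def letter_script(ch: str) -> Optional[str]:
    """Coarse script label taken from the Unicode character name, e.g. 'LATIN'."""
    if not ch.isalpha():
        return None
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else None


def mixed_script_tokens(text: str) -> list:
    """Split text into runs of letters and report runs that mix Latin with another script.

    A single word drawn from two scripts is the signature of a homograph substitution;
    a word written entirely in one script (including accented Latin) is not flagged.
    """
    findings = []
    for token in re.findall(r"[^\W\d_]+", text):  # runs of Unicode letters only
        scripts = {letter_script(c) for c in token}
        scripts.discard(None)
        if "LATIN" in scripts and len(scripts) > 1:
            non_latin = [(c, f"U+{ord(c):04X}", unicodedata.name(c))
                         for c in token if letter_script(c) != "LATIN"]
            findings.append({"token": token, "scripts": sorted(scripts),
                             "non_latin": non_latin})
    return findings


def scan_attachments(names):
    """Return only the filenames that carry mixed-script words, with the offending characters."""
    return {n: mixed_script_tokens(n) for n in names if mixed_script_tokens(n)}


if __name__ == "__main__":
    for name, hits in scan_attachments(SAMPLE_ATTACHMENTS).items():
        print(name, "->", [(h["token"], h["non_latin"]) for h in hits])
```

The same function can be run over message subjects and display names, since the substitution works anywhere a filter matches on ASCII keywords.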
After the initial phishing stage, Palo Alto Networks analysts identified that the attack progresses through multiple sophisticated layers.
The malicious scripts are heavily obfuscated and contain Base64-encoded PowerShell commands that execute automatically upon opening.
These PowerShell scripts download what appears to be an innocuous GIF or image file from attacker-controlled servers.
However, these image files conceal the loader payload using steganography techniques, where Base64-encoded DLL files are embedded within the image data between specific delimiter strings such as <
Infection Mechanism and Evasion Techniques
Once the encoded text is extracted, the PowerShell script decodes it and loads the PhantomVAI Loader DLL written in C#. The loader executes a method called VAI, which performs multiple critical functions before deploying the final payload.
It conducts comprehensive virtual machine detection checks using code based on the VMDetector GitHub project.
The malware examines system attributes including computer information, BIOS details, hard disk characteristics, and Windows services to determine if it runs in a virtualized environment.
If any check returns positive, PhantomVAI Loader immediately terminates.
The loader establishes persistence through scheduled tasks that execute PowerShell commands to download and run files from attacker-controlled URLs, or by creating Windows Registry Run keys.
Finally, it downloads the final payload from a command-and-control server and injects it into legitimate system processes using process hollowing, most commonly targeting MSBuild.exe in the .NET Framework directory.
This evasion mechanism allows the malware to operate undetected while delivering information-stealing capabilities.