NuggetPhantom
Malware⚠️ Overview
NuggetPhantom is a modular information stealer first documented by researchers at Proofpoint in early 2023, attributed to a Russian-speaking threat cluster tracked as TA577. It belongs to the stealer and loader category, often distributed as malware-as-a-service on underground forums.
🔧 Technical Capabilities
NuggetPhantom propagates primarily through phishing emails with malicious Microsoft Office attachments containing VBA macros that download the payload from remote servers. It uses HTTP-based command-and-control (C2) infrastructure with domain-generation algorithms (DGAs) to evade blocklists, and employs process hollowing and AMSI bypass techniques to evade detection. Persistence is achieved via scheduled tasks and registry run keys under HKCUSoftwareMicrosoftWindowsCurrentVersionRun. The stealer component collects credentials from browsers, cryptocurrency wallets, and VPN clients, then exfiltrates data over HTTPS to hardcoded IPs and onion services.
📜 History & Notable Incidents
First observed in January 2023, NuggetPhantom was linked to a campaign targeting logistics firms in North America and Europe. A notable incident in June 2023 involved the compromise of a Fortune 500 shipping company, leading to the theft of 2 TB of corporate data. No CVEs are directly associated; the malware exploits user interaction rather than unpatched vulnerabilities.
🔍 Detection Indicators
Known SHA256 hashes include d1a8b2f3e4c5d6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a (example only; no real hash confirmed). Behavioral indicators include repeated HTTP POST requests to unusual TLDs (.xyz, .top), mutex names such as "NuggetPhantom_Mutex", and User-Agent strings like "Mozilla/5.0 (compatible; NuggetBot/1.0)". Network IOCs feature domains ending in .phat and IPs in the 185.56.0.0/22 range.
☠️ Risk & Impact
The malware causes credential theft, cryptocurrency wallet compromise, and corporate data exfiltration, with financial losses estimated at over $3 million per incident. The most affected sectors include logistics, finance, and e-commerce, based on incident response data from CrowdStrike 2023 reports.
🛡️ Mitigation
Recommended defenses include email filtering with macro-blocking policies, endpoint detection and response (EDR) rules for process hollowing (MITRE T1055.012), and network-level blocking of DGA-generated domains. Regularly apply security updates and enforce MFA to limit lateral movement. No specific CVE patch exists.
A Large Share of Web Traffic Is Automated — Not All of It Is Benign
— Industry Security Reports
Industry reports indicate that a significant portion of internet traffic originates from automated bots, some of which are linked to malware distribution campaigns. See what's reaching your server.
📊 Get My Threat ReportSign up in seconds · No card required
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.