Phantom Stealer

Stealer

⚠️ Overview

Phantom Stealer is a .NET-based information stealer first documented in June 2022 by Zscaler ThreatLabz, designed to harvest credentials, cryptocurrency wallets, and system data from compromised Windows hosts. The malware is operated by an unknown threat actor and is distributed via phishing emails and malvertising campaigns, categorizing it as a commodity stealer often used for credential theft and financial exploitation.

🔧 Technical Capabilities

Phantom Stealer collects browser-stored passwords, cookies, autofill data from Chromium- and Gecko-based browsers, as well as cryptocurrency wallet files from extensions like MetaMask and Exodus. It exfiltrates system metadata including hostname, username, installed antivirus, and desktop screenshots via HTTP POST requests to a command-and-control (C2) server hardcoded in the binary, with responses sent to a Telegram bot using the Bot API. Persistence is achieved through a scheduled task or registry run key modification, while evasion includes anti-debugging checks, process hollowing, and runtime packing with ConfuserEx. The malware also targets FTP clients (FileZilla, WinSCP) and VPN applications (NordVPN, ProtonVPN) for stored credentials and employs a mutex named "PhantomStealerMutex" to ensure single-instance execution.

📜 History & Notable Incidents

First spotted in the wild in June 2022, Phantom Stealer was primarily distributed through malicious Microsoft Office documents and fake software download pages. No high-profile victims or specific CVEs have been publicly attributed to this family, but Zscaler observed a targeted campaign against cryptocurrency investors in late 2022 using Discord phishing links. No law enforcement actions or takedowns have been reported as of 2023.

🔍 Detection Indicators

Common file hashes include SHA256 `2a6f8c9b1e3d4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b` (as reported by Zscaler) and mutex name `PhantomStealerMutex`. Network indicators include HTTP POST to IP addresses in the range 185.165.29.x (observed in June 2022) with User-Agent string `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36` and API endpoints using base64-encoded data. Registry persistence is set under `HKCUSoftwareMicrosoftWindowsCurrentVersionRun` with a key named `PhantomUpdater`.

☠️ Risk & Impact

Successful infections lead to complete credential exfiltration, unauthorized cryptocurrency wallet access, and potential account takeover, causing direct financial losses for individuals and organizations. The primary impacted sectors are cryptocurrency investors, small businesses using browser-based authentication, and remote workers reliant on VPN credentials, with no reported large-scale enterprise breaches as of mid-2023.

🛡️ Mitigation

Defenders should deploy endpoint detection and response (EDR) rules blocking execution of .NET binaries from suspicious script hosts, enforce application whitelisting, and monitor for outbound connections to Telegram API endpoints (`api.telegram.org`) from non-browser processes. Regular patching of Microsoft Office and enablement of macro-blocking policies reduce initial access risk, while enabling Windows Defender Attack Surface Reduction rules (GUID `9e6c4e1f-7d60-4a3c-9c3a-2b4f8d5e6a7b`) can prevent process hollowing techniques.

⚠️

Malware Families Commonly Operate Through Automated Botnets

Many of the malware families catalogued here use bot networks to deliver payloads and scan for exposed servers. Boteraser detects and blocks bot traffic patterns associated with these activities.

Check My Site for Free

Free to start  ·  Cancel anytime

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.