PHASEJAM

Malware

⚠️ Overview

PhaseJam is a modular remote access trojan (RAT) first documented by Trend Micro in a March 2024 analysis (blog post titled "PhaseJam: A New Backdoor from Lazarus Group") and attributed to the North Korean state-sponsored Lazarus Group (also tracked as HIDDEN COBRA; the financially motivated unit is tracked separately as APT38). It is classified as a backdoor used for persistent access, reconnaissance, and data theft, with targeting concentrated on the cryptocurrency and financial sectors.

🔧 Technical Capabilities

PhaseJam is delivered through spear-phishing emails carrying malicious attachments. Two vulnerabilities are cited for initial compromise: CVE-2023-38831 (WinRAR, triggered when a victim opens a crafted archive) and CVE-2024-1709 (an authentication bypass in ConnectWise ScreenConnect, not a Microsoft Office flaw). Delivery is followed by a multi-stage infection: a first-stage loader drops a legitimate, signed executable alongside a malicious DLL in the same directory, so the DLL is picked up through Windows search-order hijacking (DLL sideloading). C2 communication uses HTTPS, with encrypted payloads wrapped in JSON to blend with normal web traffic, as documented by Palo Alto Networks Unit 42 in an April 2024 report.

Persistence is achieved via a scheduled task named "PhaseJamUpdate" and a registry Run value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Evasion techniques include unhooking ntdll.dll to defeat user-mode EDR hooks, debugger checks (IsDebuggerPresent), and a 120-second sleep on first execution to outlast short sandbox runs. Lateral movement uses SMB administrative shares and Remote Desktop Protocol with credentials harvested from Windows Credential Manager. The backdoor supports modules for file exfiltration, keylogging, and screenshot capture, each invoked by command IDs sent from the C2 server.

📜 History & Notable Incidents

PhaseJam was first identified in late 2023 during a campaign targeting cryptocurrency wallets in South Korea, as reported by KISA (Korea Internet & Security Agency) in a January 2024 alert. A prominent incident in February 2024 involved the compromise of a major Seoul-based exchange and the theft of approximately $2.3 million in digital assets. No law enforcement seizures have been publicly announced. Beyond the phishing lures that exploit CVE-2023-38831, the malware has been observed in a small number of cases following exploitation of CVE-2024-21887 (Ivanti Connect Secure command injection) for initial access. MITRE ATT&CK techniques include T1055.012 (Process Injection: Process Hollowing), T1071.001 (Application Layer Protocol: Web Protocols), and T1053.005 (Scheduled Task/Job: Scheduled Task).

🔍 Detection Indicators

The SHA256 value given in Trend Micro's report (0a1b2c3d4e5f..., shown there as an example) is a truncated placeholder, and sample hashes are rotated frequently, so behavioral and network indicators are more durable than file hashes. Behavioral signatures include creation of the mutex "Global\PhaseJam_Mutex" on compromised hosts, the "PhaseJamUpdate" scheduled task, and the registry key HKCU\Software\PhaseJam\Config, which stores encrypted configuration data. Network IOCs: C2 domains under the .xyz and .top TLDs, and IP addresses in the 185.xxx range associated with bulletproof hosting (a range far too broad to block outright; use it only as a low-confidence enrichment). The User-Agent string "Mozilla/5.0 (Windows NT 10.0; Win64; x64) PhaseJam/1.0" appears in HTTP traffic to the C2 and is the highest-confidence network indicator.
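The following script is an added example, not code from Trend Micro, Unit 42, or the page's source. It turns the host indicators from the Technical Capabilities section (scheduled task name, Run key, DLL sideloading, config key) and the network indicators above (User-Agent, TLDs, 185.x range) into detection logic and runs it over constructed Sysmon-style events and proxy log lines. The event field names follow Sysmon's (EventID 1 process creation, 7 image load, 13 registry value set); the proxy log layout, the sample paths, hostnames and the 185.x address are all invented for the demonstration and are not real IOCs.

```python
import ntpath
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Indicators from the page (the mutex is not visible in Sysmon, so it is not checked here).
SCHEDULED_TASK_NAME = "PhaseJamUpdate"
RUN_KEY = "\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\"
CONFIG_KEY = "\\Software\\PhaseJam\\Config"
USER_AGENT_RE = re.compile(r"PhaseJam/\d+\.\d+")
C2_TLDS = (".xyz", ".top")
# "185.xxx" covers a whole /8; treat a hit as enrichment only, never as a block decision.
LOW_CONFIDENCE_NET = ip_network("185.0.0.0/8")

TASK_CMD_RE = re.compile(rf'/tn\s+"?{re.escape(SCHEDULED_TASK_NAME)}\b', re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)
# Assumed proxy line layout: <timestamp> <client ip> <method> <url> "<user-agent>"
PROXY_LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


@dataclass
class Finding:
    severity: str  # high = specific to this family, medium/low = generic heuristic
    rule: str
    evidence: str


def scan_host_events(events):
    """Apply the persistence and sideloading checks to Sysmon-style event dicts."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 1:  # process creation: schtasks creating the named task
            cmd = ev.get("CommandLine", "")
            if "schtasks" in ev.get("Image", "").lower() and TASK_CMD_RE.search(cmd):
                findings.append(Finding("high", "scheduled_task_name", cmd))
        elif eid == 13:  # registry value set
            target, details = ev.get("TargetObject", ""), ev.get("Details", "")
            if RUN_KEY.lower() in target.lower() and USER_WRITABLE_RE.search(details):
                findings.append(Finding("medium", "run_key_user_writable", f"{target} -> {details}"))
            if CONFIG_KEY.lower() in target.lower():
                findings.append(Finding("high", "phasejam_config_key", target))
        elif eid == 7:  # image load: unsigned DLL loaded from the executable's own user-writable directory
            image, loaded = ev.get("Image", ""), ev.get("ImageLoaded", "")
            if (ev.get("Signed", "").lower() == "false"
                    and USER_WRITABLE_RE.search(loaded)
                    and ntpath.dirname(image).lower() == ntpath.dirname(loaded).lower()):
                findings.append(Finding("medium", "dll_sideload_candidate", f"{image} loaded {loaded}"))
    return findings


def scan_proxy_log(lines):
    """Match the User-Agent, TLD and address-range indicators against proxy log lines."""
    findings = []
    for line in lines:
        m = PROXY_LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        host = urlsplit(m["url"]).hostname or ""
        if USER_AGENT_RE.search(m["ua"]):
            findings.append(Finding("high", "phasejam_user_agent", line))
        if host.endswith(C2_TLDS):
            findings.append(Finding("low", "suspicious_tld", host))
        try:
            if ip_address(host) in LOW_CONFIDENCE_NET:
                findings.append(Finding("low", "possible_bph_range", host))
        except ValueError:
            pass  # host is a name, not a literal IP
    return findings


def high_confidence(findings):
    """Only family-specific hits are worth paging on; the rest are context for triage."""
    return [f for f in findings if f.severity == "high"]


# Constructed sample data (not from a real incident); paths, SIDs and hosts are invented.
SAMPLE_HOST_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn PhaseJamUpdate /tr "C:\Users\alice\AppData\Roaming\svc\wksprt.exe" /sc minute /mo 30'},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /tn OneDriveUpdate /tr "C:\Program Files\Microsoft OneDrive\OneDriveStandaloneUpdater.exe" /sc daily'},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1004-1001\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "Details": r"C:\Users\alice\AppData\Roaming\svc\wksprt.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1004-1001\Software\PhaseJam\Config\blob", "Details": "Binary Data"},
    {"EventID": 7, "Image": r"C:\Users\alice\AppData\Roaming\svc\wksprt.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Roaming\svc\version.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll", "Signed": "true"},
]
SAMPLE_PROXY_LOG = [
    '2024-04-02T10:15:01Z 10.0.0.15 POST https://cdn-metrics.xyz/api/v1/beacon "Mozilla/5.0 (Windows NT 10.0; Win64; x64) PhaseJam/1.0"',
    '2024-04-02T10:15:03Z 10.0.0.15 GET https://www.microsoft.com/en-us/ "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/123.0"',
    '2024-04-02T10:16:40Z 10.0.0.22 GET http://185.0.113.7/update.bin "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"',
    '2024-04-02T10:17:12Z 10.0.0.30 GET https://example.top/ "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7)"',
]

if __name__ == "__main__":
    for f in scan_host_events(SAMPLE_HOST_EVENTS) + scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"[{f.severity:6}] {f.rule}: {f.evidence}")
```

The task name, config key and User-Agent are operator-chosen strings that a new build can change in minutes, which is why they carry "high" severity only while they are current; the Run-key and sideloading checks are generic and will keep firing on a rebuilt sample, at the cost of needing triage against legitimate software that also lives under the user profile.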

☠️ Risk & Impact

PhaseJam enables full remote control of infected endpoints, leading to theft of cryptocurrency wallet private keys, credential databases, and sensitive corporate documents. The primary impact is financial – cryptocurrency exchanges and fintech firms have suffered direct asset theft estimated in the tens of millions of dollars globally. The malware also facilitates data exfiltration that can be sold on underground forums, harming corporate reputation and regulatory compliance (e.g., GDPR, PCI-DSS). Affected sectors include financial services, technology, and blockchain infrastructure providers.

🛡️ Mitigation

Defensive measures include blocking known C2 domains via DNS sinkholes, enabling Microsoft Defender Attack Surface Reduction rules (in particular the rules that block Office applications from creating child processes and executable content), and applying patches for CVE-2023-38831, CVE-2024-1709, and CVE-2024-21887. YARA rules (available from Trend Micro's GitHub repository) can detect PhaseJam payloads. EDR solutions should alert on creation of the named mutex and scheduled task, but these strings are trivially changed between builds, so pair them with generic detections for DLL sideloading from user-writable directories and Run-key persistence. Regular user awareness training against spear-phishing reduces the chance of initial infection but should not be the only control.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.