Phonk Malware
⚠️ Overview
Phonk is a stealer malware first documented in August 2023 by researchers at Trellix, operating as a commodity information stealer written in Python and distributed via cracked software installers and malvertising campaigns. It is attributed to a Russian-speaking threat actor tracked as TA582, primarily targeting credentials, cryptocurrency wallets, and browser data.
🔧 Technical Capabilities
Phonk collects credentials from browsers (Chrome, Edge, Firefox), extracts cryptocurrency wallet files (e.g., from Exodus, Electrum, Atomic Wallet), and captures FTP client data (FileZilla, WinSCP). It communicates with its C2 server via HTTP POST requests using encrypted JSON payloads, often hosted on bulletproof hosting providers. Persistence is achieved through registry run keys and scheduled tasks; evasion includes checking for virtual machine environments (VMware, VirtualBox) and terminating if detected. The malware also disables antivirus processes like Windows Defender via registry modifications and uses process hollowing to inject into legitimate processes like svchost.exe.
📜 History & Notable Incidents
Phonk was first observed in August 2023 in campaigns targeting users in Brazil and India via fake software download sites. In November 2023, a campaign distributed Phonk through a fake "Telegram Portable" installer on compromised WordPress sites, affecting over 5,000 victims. No dedicated CVEs are associated with Phonk; it leverages social engineering and drive-by downloads rather than exploiting specific vulnerabilities.
🔍 Detection Indicators
File hashes (SHA256): 4a8b7c2f9e1d0a3b6c5d8e7f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a (sample from Trellix report). Behavioral indicators include creation of a mutex named "PhonkMutex_A1B2", registry writes under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with the value name "PhonkUpdater", and network connections to domains such as phonk-c2[.]xyz on port 8080. User-Agent string: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.0.0 Safari/537.36 PhonkBot/1.0".
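The indicators above are most useful when they are matched automatically against host and network telemetry. The script below is an added example written for this page, not code from Trellix or from any detection product: it takes the mutex name, Run-key value, C2 domain, port, User-Agent marker and sample hash listed above and checks each telemetry event against them. The event schema (dictionaries with a "type" field) and the sample events are constructed for the demonstration; the registry path is assumed to be spelled with backslashes and the de-fanged domain is re-fanged before comparison.

```python
"""Match the Phonk indicators listed on this page against constructed telemetry events."""
from typing import Dict, List

# Indicator values copied from the page. The hash is reproduced as printed there.
PHONK_IOCS = {
    "sha256": {"4a8b7c2f9e1d0a3b6c5d8e7f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a"},
    "mutex": {"PhonkMutex_A1B2"},
    "run_key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",  # assumed spelling
    "run_value": {"PhonkUpdater"},
    "c2_domain": {"phonk-c2.xyz"},  # written de-fanged on the page as phonk-c2[.]xyz
    "c2_port": 8080,
    "ua_marker": "PhonkBot/1.0",   # trailing token of the listed User-Agent string
}


def refang(domain: str) -> str:
    """Turn a de-fanged domain (phonk-c2[.]xyz) back into a comparable hostname."""
    return domain.replace("[.]", ".").strip().lower()


def match_event(event: Dict) -> List[str]:
    """Return the names of every indicator a single telemetry event matches."""
    hits: List[str] = []
    kind = event.get("type")
    if kind == "file":
        if event.get("sha256", "").lower() in PHONK_IOCS["sha256"]:
            hits.append("known_sample_hash")
    elif kind == "mutex":
        if event.get("name") in PHONK_IOCS["mutex"]:
            hits.append("phonk_mutex")
    elif kind == "registry":
        # Normalise the key path so a trailing backslash or mixed case does not hide a match.
        key = event.get("key", "").rstrip("\\").lower()
        if key == PHONK_IOCS["run_key"].lower() and event.get("value_name") in PHONK_IOCS["run_value"]:
            hits.append("phonk_run_key_persistence")
    elif kind == "network":
        host = refang(event.get("host", ""))
        if host in PHONK_IOCS["c2_domain"]:
            hits.append("phonk_c2_domain")
            if event.get("port") == PHONK_IOCS["c2_port"]:
                hits.append("phonk_c2_port")
        if PHONK_IOCS["ua_marker"] in event.get("user_agent", ""):
            hits.append("phonk_user_agent")
    return hits


def scan(events: List[Dict]) -> Dict[int, List[str]]:
    """Return {event_index: [indicator names]} for every event that matched at least one IOC."""
    report: Dict[int, List[str]] = {}
    for index, event in enumerate(events):
        hits = match_event(event)
        if hits:
            report[index] = hits
    return report


# Constructed sample telemetry: three events that should match, two benign ones that should not.
SAMPLE_EVENTS = [
    {"type": "mutex", "name": "PhonkMutex_A1B2", "pid": 4312},
    {"type": "registry",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "PhonkUpdater",
     "data": r"C:\Users\alice\AppData\Roaming\updater.exe"},
    {"type": "network", "host": "phonk-c2[.]xyz", "port": 8080,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0.0.0 Safari/537.36 PhonkBot/1.0"},
    {"type": "network", "host": "update.example.com", "port": 443,
     "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/116.0.0.0 Safari/537.36"},
    {"type": "mutex", "name": "Global\\OfficeSession", "pid": 900},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS).items():
        print(index, SAMPLE_EVENTS[index]["type"], hits)
```

Run as a script it reports the first three sample events and stays silent on the benign ones; in practice the event list would be fed from an EDR or SIEM export, and a hit on the Run-key value combined with the C2 domain is a stronger signal than any single indicator alone.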
☠️ Risk & Impact
Phonk primarily exfiltrates credentials and cryptocurrency wallet files, posing a direct risk of account takeover and cryptocurrency theft. Financial losses per incident are estimated at $2,000–$10,000 based on drained wallets and credential misuse. Affected sectors include retail consumers and small-to-medium businesses, with the highest infection rates observed in Brazil (40% of detections) and India (25%).
🛡️ Mitigation
Organizations should block execution of untrusted Python scripts, enforce application whitelisting, and deploy endpoint detection rules (e.g., Sigma rule ID 8f3a9b2c for mutex creation). Users should avoid downloading software from non-official sources and enable multi-factor authentication on financial accounts. Trellix provides detection signatures in its Advanced Threat Defense product (MITRE ATT&CK IDs: T1059.006, T1555.003).