Phantom Project Sells Infostealer, Crypter, and RAT Bundle

Summary
– Phantom Stealer is a .NET-based infostealer sold as a commercial toolkit that harvests browser data, credentials, and payment information from infected systems.
– A phishing campaign from November 2025 to January 2026 delivered this malware to European logistics, manufacturing, and tech firms using impersonated business emails.
– The phishing emails contained archive attachments with malicious scripts or executables and showed consistent technical flaws like SPF failures and spelling errors.
– Cybersecurity firm Group-IB detected the campaign through sender authentication, content analysis, and malware detonation in a controlled environment.
– Stolen credentials from such infostealer services are often used for subsequent attacks like ransomware or business email compromise.
A commercial cybercrime toolkit bundling a .NET-based infostealer, crypter, and remote access tool (RAT) under a subscription model has been the subject of a detailed security analysis. This malware, identified as Phantom Stealer, systematically harvests a wide array of sensitive data from compromised systems. Its targets include browser credentials, cookies, saved passwords, autofill details, and stored payment card information. The stealer also collects session data from messaging and email clients, along with Wi-Fi credentials, before exfiltrating everything through channels like messaging apps, SMTP, and FTP.
From November 2025 through January 2026, a persistent phishing operation aimed at European businesses was observed delivering this malware. The campaign focused on organizations within the logistics, manufacturing, and technology sectors. Activity unfolded in five distinct waves, with phishing emails being intercepted before they could reach their intended victims. A notable pattern emerged where attackers targeted several unrelated companies on the same day, a hallmark of stealer-as-a-service campaigns.
The emails cleverly impersonated a legitimate equipment trading firm. They used procurement-related subject lines to mimic authentic business communication. Messages were typically brief, often just two or three sentences, and included professionally formatted signature blocks to enhance their deceptive appearance.
Each malicious email contained an archive attachment. Inside was either an obfuscated JavaScript dropper or a directly malicious executable file. While subject lines and attachment names changed, several consistent technical and behavioral indicators linked the campaign together. These phishing indicators included failures in SPF authentication, a lack of DKIM signatures, and the repeated use of the same email templates with impersonal greetings. Consistent spelling errors across messages, a spoofed corporate identity, and rotating infrastructure further pointed to a coordinated, automated operation.
Security analysts detected the campaign using a layered approach. This methodology combined sender authentication checks, content analysis, and the controlled detonation of malware in a sandbox environment. By tracing the full execution chain from the initial script to the final payload, researchers confirmed the stealer’s credential harvesting functions, its use of anti-analysis techniques, and its data exfiltration behavior.
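The indicators listed above (SPF failure, missing DKIM, spoofed sender identity, procurement-themed subjects, impersonal greetings, archive attachments wrapping a script or executable) are all checkable from a message's headers and MIME structure before any sandbox step. The following Python script is an added illustration written for this page, not Group-IB's tooling or anything from the Phantom project: it builds a constructed sample message shaped like the campaign (all names, domains and the zip member are invented placeholders), parses it with the standard library, and reports which indicators fire. It only inspects zip archives; other archive formats are deliberately left uninspected to keep the example short.

```python
"""Header/attachment triage for the phishing indicators described above.
Added example (not the campaign analysts' code); sample data is constructed."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.utils import parseaddr

ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso")
DROPPER_EXT = (".js", ".jse", ".vbs", ".wsf", ".exe", ".scr")
GENERIC_GREETINGS = ("dear sir/madam", "dear sir or madam", "dear sirs",
                     "dear customer", "hello,", "hi,")
PROCUREMENT_TERMS = ("purchase order", "quotation", "rfq", "inquiry", "invoice")


def parse_auth_results(msg):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers
    stamped by the receiving MTA, e.g. 'spf=fail ...; dkim=none'."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(header), re.I):
            verdicts[m.group(1).lower()] = m.group(2).lower()
    return verdicts


def archive_members(part):
    """Member names of a zip attachment (other archive types are not opened
    here; that is a simplification of this example, not a recommendation)."""
    if not part.get_filename("").lower().endswith(".zip"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(part.get_payload(decode=True))) as zf:
            return [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return []


def triage(raw_message):
    """Return the list of campaign indicators present in one raw message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    auth = parse_auth_results(msg)
    if auth.get("spf") in ("fail", "softfail", "permerror"):
        found.append("spf_fail")
    if "DKIM-Signature" not in msg and auth.get("dkim", "none") == "none":
        found.append("dkim_missing")
    # Header From domain differing from the envelope sender (Return-Path)
    # is a crude signal for a spoofed corporate identity.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    env_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_domain and env_domain and from_domain != env_domain:
        found.append("sender_domain_mismatch")
    if any(t in msg.get("Subject", "").lower() for t in PROCUREMENT_TERMS):
        found.append("procurement_lure")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body else ""
    first_line = text.splitlines()[0].lower() if text else ""
    if any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        found.append("generic_greeting")
    for part in msg.iter_attachments():
        name = part.get_filename("").lower()
        if name.endswith(ARCHIVE_EXT):
            found.append("archive_attachment")
            if any(m.endswith(DROPPER_EXT) for m in archive_members(part)):
                found.append("script_or_exe_in_archive")
        elif name.endswith(DROPPER_EXT):
            found.append("direct_executable_attachment")
    return found


def build_sample():
    """Constructed lure resembling the campaign's shape; every value is invented."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Purchase_Order_4471.js", "/* placeholder, not a real dropper */")
    m = EmailMessage()
    m["From"] = "Sales Dept <sales@example-equipment-trading.test>"
    m["Return-Path"] = "<bounce@rotating-host.example>"
    m["To"] = "procurement@victim-logistics.test"
    m["Subject"] = "Purchase Order Inquiry - Urgent Quotation Needed"
    m["Authentication-Results"] = ("mx.victim-logistics.test; spf=fail "
                                   "smtp.mailfrom=rotating-host.example; dkim=none; dmarc=fail")
    m.set_content("Dear Sir/Madam,\n\nPlease find attached our purchase order.\n"
                  "Kindly confirm availabilty.\n\nBest regards,\nSales Team\n")
    m.add_attachment(zbuf.getvalue(), maintype="application", subtype="zip",
                     filename="Purchase_Order_4471.zip")
    return m.as_string()


def build_benign_sample():
    """Constructed control message that should trigger nothing."""
    m = EmailMessage()
    m["From"] = "Anna Partner <anna@partner.test>"
    m["Return-Path"] = "<anna@partner.test>"
    m["To"] = "bob@victim-logistics.test"
    m["Subject"] = "Re: meeting notes"
    m["DKIM-Signature"] = "v=1; a=rsa-sha256; d=partner.test; s=sel; bh=PLACEHOLDER; b=PLACEHOLDER"
    m["Authentication-Results"] = "mx.victim-logistics.test; spf=pass; dkim=pass; dmarc=pass"
    m.set_content("Hi Bob,\n\nNotes attached below in text.\n\nAnna\n")
    return m.as_string()


if __name__ == "__main__":
    print(triage(build_sample()))
    print(triage(build_benign_sample()))
```

Running the script on the constructed lure reports every indicator in the list; the benign control reports none. In a mail gateway the same checks would feed a scoring rule that routes matches to the sandbox detonation stage the article describes, rather than blocking on any single indicator, since SPF failures and generic greetings also occur in legitimate forwarded mail.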
The proliferation of tools like Phantom Stealer illustrates a dangerous trend. Credential theft is being industrialized through commercial service offerings, leading directly to identity-driven compromises. These initial breaches frequently serve as a gateway for more severe attacks, including ransomware deployments and business email compromise fraud. In essence, infostealers have become a critical and persistent threat, as stolen credentials are a primary enabler for data breaches and sophisticated financial fraud schemes.
(Source: Infosecurity Magazine)