Malware, Threat Intelligence

Report sheds more light on Phantom Stealer

cyber threat risk management , malware and virus prevention , security awareness

Attacks involving the .NET-based Phantom Stealer, which has been bundled with a crypter and a remote access tool under the Phantom Project cybercrime kit, have been aimed at manufacturing, technology, and logistics organizations in Europe as part of a multi-wave phishing operation between November 2025 and January 2026, reports Infosecurity Magazine.

Such a campaign, which has been successfully averted, was characterized by phishing emails purporting to be from a legitimate equipment trading firm that included an archive attachment with an illicit executable or an obfuscated JavaScript dropper, but lacked DKIM signatures and had SPF authentication failures, an analysis from Group-IB researchers revealed. Attackers also recycled email templates, used impersonal greetings, and spoofed business identity in the campaign. Further examination of Phantom Stealer, which was launched by researchers into a controlled environment, showed its abilities to pilfer credentials, evade analysis, and exfiltrate data.

"Phantom Stealer is one example of a broader pattern: credential theft scaling through commercial stealer-as-a-service operations, where the outcome is identity-driven compromise that often leads to ransomware or business email fraud," said researchers.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds