Oldphantomoftheopera is the branding used by an actor associated with the PhantomStealer malware-as-a-service (MaaS) ecosystem. The actor is described as operating PhantomStealer as a commercial service, advertising its capabilities and selling builder licenses via Telegram under the "Oldphantomoftheopera" name.

Supporting reporting links this branding to PhantomStealer v3.5.0 delivery activity observed in a four-stage infection chain: an invoice-themed JScript dropper, a large PowerShell script that decrypts the next stage with a rotational XOR scheme, a .NET process-hollowing loader, and the final .NET stealer payload. In the analyzed intrusion, the dropper ran under Windows Script Host, relied on extensive string encoding with runtime decoding for evasion, dropped and launched PowerShell with a hidden window, and hollowed the stealer into Aspnet_compiler.exe, a legitimate .NET Framework binary.

The final PhantomStealer payload is a .NET Framework 4.8 stealer whose dependencies are embedded with Costura. It enforces single-instance execution with a mutex, implements Heaven's Gate for x86-to-x64 transitions under WOW64, and stores its configuration encrypted with AES-256-CBC under a key derived with PBKDF2-SHA1.

PhantomStealer collects browser credentials, cookies, and saved credit card data, email and messaging client artifacts, cryptocurrency wallets, Wi-Fi passwords, and selected local files. It also carries a crypto-clipper that replaces BTC, ETH, LTC, BCH, TRX, and SOL wallet addresses found on the clipboard with attacker-controlled addresses.

Exfiltration in the observed case went over SMTP through a compromised Malaysian business email account, so the outbound traffic blends with legitimate mail rather than contacting a known-bad host. Associated infrastructure includes phantomsoftwares.site and graceishere.tech, hosted through Namecheap-associated services. No additional aliases or sub-groups are directly identified in the provided content.
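The execution chain above (script host launching hidden PowerShell, which ultimately hollows into Aspnet_compiler.exe) is visible in ordinary process-creation telemetry. The following detection logic is an added example written for this page, not code from the reporting or from the malware; it runs over constructed Sysmon-style events (the PIDs, paths and command lines are invented) and flags the three observable links of the chain while leaving a developer build that legitimately calls Aspnet_compiler.exe alone. The field names and the "user-writable parent path" heuristic are assumptions, not taken from the reporting.

```python
"""Flag the WSH -> hidden PowerShell -> Aspnet_compiler.exe chain in process-creation events."""
import re

# Constructed Sysmon-style (Event ID 1) process-creation events. Not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 812, "ppid": 4, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe"},
    {"pid": 4312, "ppid": 812, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\victim\Downloads\Invoice_2024.js"'},
    {"pid": 4520, "ppid": 4312,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -WindowStyle Hidden "
                r"-File C:\Users\victim\AppData\Local\Temp\dec.ps1"},
    {"pid": 4700, "ppid": 4520, "image": r"C:\Users\victim\AppData\Local\Temp\loader.exe",
     "cmdline": "loader.exe"},
    {"pid": 4820, "ppid": 4700,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe"},
    # Benign control: a developer build invoking aspnet_compiler.exe with real arguments.
    {"pid": 5000, "ppid": 812,
     "image": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "cmdline": "devenv.exe"},
    {"pid": 5100, "ppid": 5000,
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": r"aspnet_compiler.exe -v / -p C:\src\webapp -f C:\build\out"},
    # Benign control: interactive PowerShell started from Explorer, window not hidden.
    {"pid": 5200, "ppid": 812,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoExit"},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# PowerShell accepts unambiguous prefixes of -WindowStyle (-w, -win, ...), so match them all.
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden\b", re.IGNORECASE)
# Assumption: a parent image under these directories is a user-writable drop location.
USER_WRITABLE_RE = re.compile(r"\\(Users|ProgramData|Temp)\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def has_arguments(cmdline):
    """True if anything follows the (possibly quoted) image token on the command line."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return bool(m and m.group(1).strip())


def ancestry(by_pid, pid):
    """Image names from the process itself up to the root we know about (cycle-safe)."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def detect(events):
    """Return a list of {pid, rule} alerts for the three links of the chain."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        pname = basename(parent["image"]) if parent else ""
        # Link 1: a script host starts PowerShell with a hidden window.
        if name in POWERSHELL and pname in SCRIPT_HOSTS and HIDDEN_RE.search(e["cmdline"]):
            alerts.append({"pid": e["pid"], "rule": "wsh_spawns_hidden_powershell"})
        if name == "aspnet_compiler.exe":
            # Link 2: the hollowing target is started with no arguments, or from a dropped parent.
            parent_image = parent["image"] if parent else ""
            if not has_arguments(e["cmdline"]) or USER_WRITABLE_RE.search(parent_image):
                alerts.append({"pid": e["pid"], "rule": "aspnet_compiler_hollowing_candidate"})
            # Link 3: full lineage passes through both PowerShell and a script host.
            lineage = set(ancestry(by_pid, e["pid"])[1:])
            if lineage & POWERSHELL and lineage & SCRIPT_HOSTS:
                alerts.append({"pid": e["pid"], "rule": "wsh_powershell_aspnet_compiler_chain"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The "no arguments" test on Aspnet_compiler.exe is the most portable signal: the real tool is always given a source and target path, whereas a hollowing loader typically creates it suspended with a bare command line. Tune the user-writable path list to your environment before deploying the second rule, since some build agents run from user profiles.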
Summary of the reporting tracked for this actor: 29 distinct MITRE ATT&CK techniques observed across reporting, grouped by tactic; 1 malware family attributed to this actor; 30 indicators (domains, IPs, hashes, and other artifacts) pulled from reporting; 1 source tracked across advisories, community write-ups, and news.