PhantomStealer is a Malware-as-a-Service information stealer operated under the PhantomStealer brand and advertised via Telegram. The content links the operator to the Telegram identity and channel "Oldphantomoftheopera" and to the panel/branding domain phantomsoftwares.site. The service appears to support multiple operators or customers, with shared infrastructure and repeated campaign activity indicating active MaaS deployment.

Based on the provided reporting, PhantomStealer has been delivered through phishing campaigns using trade- and invoice-themed JavaScript attachments and through staged multi-step infection chains. Observed delivery and execution techniques include heavily obfuscated JScript droppers, PowerShell downloaders and decryptors, rotational XOR decryption, reflective .NET loading, and process hollowing into Aspnet_compiler.exe. Reported anti-analysis and evasion techniques include script obfuscation, AES-encrypted configuration, sandbox checks, process checks, Heaven's Gate, and self-deletion.

The malware is described as stealing saved passwords, cookies, credit card data, autofill entries, Outlook data, FoxMail data, WinSCP sessions, Discord tokens, Telegram data, FileZilla credentials, Wi-Fi passwords, and selected local files. It also targets desktop cryptocurrency wallets including MetaMask, Exodus, Electrum, AtomicWallet, WalletWasabi, Coinomi, TrustWallet, Bitcoin Core, Armory, and Jaxx, as well as 66 browser wallet extensions. A crypto-clipper module replaces clipboard wallet addresses for BTC, ETH, LTC, BCH, TRX, and SOL with attacker-controlled addresses. In the analyzed PhantomStealer v3.5.0 sample, exfiltration was configured over SMTP using a compromised legitimate Malaysian server at mail.kluangstation.com.my, sending stolen data from christy@kluangstation.com.my to ike@graceishere.tech.
The domain graceishere.tech is assessed in the content as malicious and associated with the operator, while phantomsoftwares.site is identified as the MaaS panel and branding site. The actor is also described as advertising builder licenses via Telegram and using the branding identifier "Oldphantomoftheopera." Known aliases and identifiers directly mentioned in the content include PhantomStealer, "Phantom stealer," and "Oldphantomoftheopera." No nation-state attribution is stated in the provided content.
Commercial Malware-as-a-Service operator behind PhantomStealer v3.5.0, providing builder access and infrastructure for information-stealing campaigns. The observed deployment used a four-stage JScript-to-PowerShell-to-.NET loader chain, process hollowing into Aspnet_compiler.exe, SMTP-based exfiltration, and a crypto-clipper module to steal credentials, browser data, wallet data, and sensitive files.
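The loader chain summarized above (JScript dropper, PowerShell stage, .NET loader, hollowed Aspnet_compiler.exe, SMTP exfiltration) leaves a parent-child and network trail that is easy to express as detection rules. The following is an added example written for this page, not code from the reporting or from any vendor product: it runs four rules over constructed Sysmon-style process-creation and network-connection events and reconstructs the process ancestry for each hit. The event shape, the allow-lists of legitimate Aspnet_compiler.exe parents and mail clients, and the sample command lines are assumptions; the SMTP destination reuses the server the page reports.

```python
import re
from typing import Dict, List

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Parents under which aspnet_compiler.exe is expected (assumed allow-list;
# tune to the build tooling actually present in the environment).
ASPNET_COMPILER_PARENTS = {"msbuild.exe", "devenv.exe"}
# Processes expected to speak SMTP directly (assumed allow-list).
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}
SMTP_PORTS = {25, 465, 587}
USER_WRITABLE = re.compile(r"(Content\.Outlook|\\Temp\\|\\Downloads\\)", re.I)
SCRIPT_EXT = re.compile(r"\.(js|jse|vbs|wsf)\b", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def index_processes(events: List[dict]) -> Dict[int, dict]:
    return {e["pid"]: e for e in events if e["type"] == "process"}


def ancestry(pid: int, procs: Dict[int, dict]) -> List[str]:
    """Walk ppid links upward and return basenames from root to pid."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        chain.append(basename(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return list(reversed(chain))


def make_alert(rule: str, pid: int, procs: Dict[int, dict]) -> dict:
    return {"rule": rule, "pid": pid, "chain": " > ".join(ancestry(pid, procs))}


def detect(events: List[dict]) -> List[dict]:
    procs = index_processes(events)
    alerts = []
    for e in events:
        if e["type"] == "process":
            name = basename(e["image"])
            parent = procs.get(e["ppid"])
            pname = basename(parent["image"]) if parent else ""
            # Rule 1: script host executing a script from a mail cache / temp / downloads path
            if name in SCRIPT_HOSTS and SCRIPT_EXT.search(e["cmd"]) and USER_WRITABLE.search(e["cmd"]):
                alerts.append(make_alert("script_host_runs_script_from_user_writable_path", e["pid"], procs))
            # Rule 2: PowerShell launched by a script host (JScript -> PowerShell stage)
            if name in POWERSHELL and pname in SCRIPT_HOSTS:
                alerts.append(make_alert("powershell_spawned_by_script_host", e["pid"], procs))
            # Rule 3: aspnet_compiler.exe with a parent that is not build tooling (hollowing target)
            if name == "aspnet_compiler.exe" and pname not in ASPNET_COMPILER_PARENTS:
                alerts.append(make_alert("aspnet_compiler_unexpected_parent", e["pid"], procs))
        elif e["type"] == "network":
            proc = procs.get(e["pid"])
            # Rule 4: SMTP connection from anything that is not a mail client (exfil channel)
            if e["dst_port"] in SMTP_PORTS and proc and basename(proc["image"]) not in MAIL_CLIENTS:
                alerts.append(make_alert("smtp_from_non_mail_client", e["pid"], procs))
    return alerts


# Constructed sample telemetry: one malicious chain, one legitimate build, one
# legitimate mail-client SMTP connection.
SAMPLE_EVENTS = [
    {"type": "process", "pid": 3008, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"type": "process", "pid": 4120, "ppid": 3008, "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "cmd": "OUTLOOK.EXE"},
    {"type": "process", "pid": 5204, "ppid": 4120, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe "C:\Users\alice\AppData\Local\Microsoft\Windows\INetCache\Content.Outlook\ABC123\Invoice_INV-2024-0713.js"'},
    {"type": "process", "pid": 5310, "ppid": 5204, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -ep bypass -enc <base64 omitted>"},
    {"type": "process", "pid": 5411, "ppid": 5310, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "cmd": "aspnet_compiler.exe"},
    {"type": "process", "pid": 6000, "ppid": 3008, "image": r"C:\Program Files\Microsoft Visual Studio\MSBuild\Current\Bin\MSBuild.exe", "cmd": "MSBuild.exe site.csproj"},
    {"type": "process", "pid": 6001, "ppid": 6000, "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe",
     "cmd": "aspnet_compiler.exe -v / -p C:\\src\\site"},
    {"type": "network", "pid": 5411, "dst": "mail.kluangstation.com.my", "dst_port": 587},
    {"type": "network", "pid": 4120, "dst": "smtp.office365.com", "dst_port": 587},
]


def run_sample() -> List[dict]:
    return detect(SAMPLE_EVENTS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert["rule"], "|", alert["chain"])
```

Each rule is weak on its own (build servers spawn aspnet_compiler.exe, helpdesk scripts run from Temp), which is why the alert carries the reconstructed chain: three hits on the same lineage ending in an SMTP connection from the hollowed process is the signal, and the ancestry string is what a triage analyst pastes into the case.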
Running a high-tempo phishing and credential-stealing campaign using fake invoice and trade-themed lures, compromised legitimate infrastructure, obfuscated JavaScript droppers, encrypted PowerShell loaders, and process hollowing to deliver SnakeKeylogger/VIPKeylogger.