PhantomRAT
PhantomRAT is a remote access trojan associated with the threat actor PhantomCore and used in cyber-espionage campaigns, including operations against unnamed Russian companies. It has been delivered via spearphishing attachments; in at least one reported campaign the phishing email carried a PDF contract lure inside a password-protected RAR archive that exploited WinRAR vulnerability CVE-2023-38831 (affecting versions earlier than 6.23). When the lure was opened, an executable launched and ultimately installed PhantomRAT; the observed sample was reported as built for 64-bit systems.

PhantomRAT supports basic host reconnaissance and file transfer: it downloads files from command-and-control servers and uploads files from compromised hosts to attacker-controlled infrastructure. Reported victim data collection covers host name, user name, local IP address, and operating system version. It also performs anti-analysis checks by inspecting Windows registry keys, searching for the string "vmware", and calling IsDebuggerPresent().

In broader PhantomCore operations, PhantomRAT is one of several custom malware families alongside PhantomRShell, PhantomTaskShell, PhantomProxyLite, PhantomStealer, and a Phantom Control Panel. PhantomCore has used it against Windows hosts, executing commands through PowerShell and cmd.exe, disguising malware file names as legitimate Windows components, and packing samples with UPX for obfuscation. Related reporting states that PhantomCore has targeted Russian organizations and used multistage C2 infrastructure over HTTP, HTTPS, and SSH, including nonstandard ports and SSH tunneling.

F.A.C.C.T. assessed with moderate confidence, based on test sample uploads, that PhantomCore's operators may be located in Ukraine; this attribution has not been independently verified.
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
"During the attacks on unnamed Russian companies, the hackers exploited a known vulnerability in the Windows file archiver tool WinRAR... Identified as CVE-2023-38831... An executable file in the archive only launched when the PDF file was opened by a user with a WinRAR version earlier than 6.23."

"They named the group PhantomCore and labeled the attackers' previously undescribed remote access malware as PhantomRAT... vulnerable systems were infected with PhantomRAT, which is capable of downloading files from a command and control (C2) server and uploading files from a compromised host to the hackers' controlled server."
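The lure layout behind the CVE-2023-38831 chain quoted above, as an added check and not anything from the PhantomCore reporting: WinRAR before 6.23 would, when a user double-clicked a file inside an archive, also process a directory of the same name (usually carrying a trailing space) and launch the script it found there instead of the decoy. The function below inspects only entry names, so any archive listing can be fed to it; the sample archive, its entry names and the runnable-extension list are constructed for this example, and a real RAR listing would come from an external tool such as `unrar l`, since the standard library only reads ZIP.

```python
"""Flag the CVE-2023-38831 lure layout from an archive's entry listing.

Added example, not PhantomCore tooling or vendor code. The check is on
names only: a root-level decoy file, a root directory whose trimmed
name equals the decoy's, and inside it a runnable file whose name
starts with the decoy name (e.g. 'Contract.pdf /Contract.pdf .cmd').
"""
import io
import posixpath
import zipfile

# Extensions WinRAR would hand to the shell as something runnable (assumed list).
PAYLOAD_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".ps1", ".js", ".scr", ".lnk"}


def _directories(entries):
    """Every directory path implied by the listing, explicit or nested."""
    dirs = set()
    for entry in entries:
        path = entry.rstrip("/") if entry.endswith("/") else posixpath.dirname(entry)
        while path:
            dirs.add(path)
            path = posixpath.dirname(path)
    return dirs


def find_38831_pairs(entries):
    """Return (decoy, payload) pairs whose layout matches the exploit."""
    files = [e for e in entries if not e.endswith("/")]
    dirs = _directories(entries)
    hits = []
    for decoy in files:
        if "/" in decoy:
            continue                      # the decoy sits at the archive root
        key = decoy.rstrip()              # ignore the trailing-space trick
        for d in dirs:
            if "/" in d or d.rstrip() != key:
                continue                  # need a root dir with the same name
            for payload in files:
                if not payload.startswith(d + "/"):
                    continue
                stem, ext = posixpath.splitext(posixpath.basename(payload))
                if stem.rstrip().startswith(key) and ext.lower() in PAYLOAD_EXTS:
                    hits.append((decoy, payload))
    return hits


def zip_entry_names(data):
    """Entry names of an in-memory ZIP, taken verbatim (spaces preserved)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()


def build_sample_zip(decoy="Contract.pdf "):
    """Constructed sample reproducing the lure layout; the contents are inert."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(decoy, b"%PDF-1.4\n% decoy document\n")
        zf.writestr(f"{decoy}/{decoy}.cmd", b"@echo constructed sample\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for decoy, payload in find_38831_pairs(zip_entry_names(build_sample_zip())):
        print(f"CVE-2023-38831 layout: {decoy!r} -> {payload!r}")
```

Because the test is on names rather than content, the same function can sit in a mail gateway that already lists attachment archives; password-protected archives like the one in this campaign still expose their entry names, which is what makes the check useful before any extraction happens.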
Groups observed using it
1 distinct threat actor attributed by public researchers.
PhantomCore develops its own malware: PhantomRAT, PhantomRShell, PhantomTaskShell, PhantomProxyLite, PhantomStealer, and the Phantom Control Panel.
Techniques & procedures
10 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
2 techniques
PhantomCore gains access to corporate email accounts at legitimate companies and uses them to distribute PhantomRAT and PhantomRShell
PhantomCore develops its own malware: PhantomRAT, PhantomRShell, PhantomTaskShell, PhantomProxyLite, PhantomStealer, and the Phantom Control Panel
Initial Access
1 technique
PhantomCore sends phishing emails with PhantomRAT and PhantomRShell attached
Execution
3 techniques
Using PhantomRAT, PhantomRShell, PhantomTaskShell, and the Phantom control panel, PhantomCore runs commands in PowerShell on infected hosts
Using PhantomRAT, PhantomRShell, PhantomTaskShell, and the Phantom control panel, PhantomCore runs commands in the Windows cmd.exe interpreter on infected hosts
PhantomCore emails PhantomRAT and PhantomRShell as attachments that recipients open and execute on target systems
Stealth
3 techniques
PhantomCore uses UPX (the Ultimate Packer for Executables) to pack PhantomRAT, PhantomRShell, and lure documents disguised as archives
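A detection sketch over process-creation telemetry for the behaviour in the Execution and Stealth sections, added here and not taken from any vendor or community rule: WinRAR handing off to a script or binary in its temporary extraction folder (the path of the CVE-2023-38831 lure), cmd.exe or PowerShell started by a parent that normally has no business spawning a shell, and a binary that carries a Windows component name but runs from outside C:\Windows. The Sysmon-style event records, the expected-parent allowlist, the component-name list and the user and file names are all constructed assumptions to tune to an environment.

```python
"""Score Windows process-creation events for the execution chains described above.

Added example, not a PhantomCore artefact or a published rule. Three checks
run over Sysmon Event ID 1-style records (field names follow Sysmon; the
sample values are invented):
  winrar_temp_exec          WinRAR.exe spawning a shell, or anything whose
                            path lies in its %TEMP%\\Rar$...\\ extraction dir
  shell_from_unusual_parent cmd/powershell whose parent is not an expected one
  masquerading_path         a Windows component name running outside C:\\Windows
"""
import ntpath
import re

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# Parents that routinely start shells on a workstation (assumed; tune per estate).
EXPECTED_SHELL_PARENTS = SHELLS | {"explorer.exe", "services.exe", "wininit.exe", "winlogon.exe"}
# Names that belong under C:\Windows; a copy elsewhere is the masquerading in the report.
WINDOWS_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe",
                 "winlogon.exe", "dllhost.exe", "conhost.exe", "rundll32.exe"}
# WinRAR extracts to %TEMP%\Rar$<tag>.<random>\ before opening a file from an archive.
RAR_TEMP = re.compile(r"\\temp\\rar\$[^\\]+\\", re.IGNORECASE)


def _base(path):
    return ntpath.basename(path or "").lower()


def classify(event):
    """Return the names of the checks this event trips (empty list = clean)."""
    image = event.get("Image") or ""
    parent = event.get("ParentImage") or ""
    cmdline = event.get("CommandLine") or ""
    hits = []
    if _base(parent) == "winrar.exe" and (
            RAR_TEMP.search(image) or RAR_TEMP.search(cmdline) or _base(image) in SHELLS):
        hits.append("winrar_temp_exec")
    if _base(image) in SHELLS and _base(parent) not in EXPECTED_SHELL_PARENTS:
        hits.append("shell_from_unusual_parent")
    if _base(image) in WINDOWS_NAMES and not image.lower().startswith("c:\\windows\\"):
        hits.append("masquerading_path")
    return hits


def scan(events):
    """(index, hits) for every event that trips at least one check."""
    return [(i, classify(e)) for i, e in enumerate(events) if classify(e)]


# Constructed events: a lure opened from WinRAR, a dropped binary named like a
# Windows component, that binary running PowerShell, then two benign launches.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd /c "C:\Users\ivan\AppData\Local\Temp\Rar$DIa1234.5678\Contract.pdf .cmd"'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Users\ivan\AppData\Roaming\dllhost.exe",
     "CommandLine": "dllhost.exe"},
    {"ParentImage": r"C:\Users\ivan\AppData\Roaming\dllhost.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -c hostname"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd"},
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost -k netsvcs"},
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(f"event {index}: {', '.join(hits)}")
```

The first event trips two checks at once, which is the point of keeping them separate: the Rar$ path is specific to the WinRAR chain, while the unusual-parent check keeps firing later when the implant itself runs PowerShell or cmd.exe for its operator. Check 3 is path-based, so a signed Microsoft binary legitimately copied elsewhere would need an exclusion, and a name-only match says nothing about the file's contents.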
Discovery
2 techniques
Command and Control
1 technique
PhantomCore uses MeshAgent along with its in-house RAT utilities PhantomRAT and PhantomRShell
Recent activity
3 sources tracked across advisories, community write-ups, and news.
PhantomRAT is a custom remote access trojan used by PhantomCore for phishing-based initial access, command execution, anti-debugging, sandbox evasion, and ongoing remote control.
PhantomRAT is a remote access trojan used to harvest sensitive information and deliver additional payloads.
A newly described remote access trojan used in an espionage campaign. It is delivered via phishing with a password-protected RAR archive exploiting WinRAR CVE-2023-38831 (on WinRAR < 6.23). Once executed, it can download files from a C2 server and upload files from the victim host, and it collects basic host reconnaissance (hostname, username, local IP, OS version).