PhantomStealer is a C#/.NET information stealer and commercially distributed Malware-as-a-Service (MaaS) family active since at least February 2026, though malspam reporting references campaigns using the name in 2025. It is repeatedly described as a password stealer/infostealer and has been observed in phishing and malspam campaigns using business-themed lures such as payments, receipts, requests, quotations, invoices, documents, orders, offers, and RFQs, including campaigns targeting Italy as well as procurement, shipping, and supply-chain personnel.
Observed delivery chains commonly begin with heavily obfuscated JavaScript/JScript attachments executed by Windows Script Host, which drop or decode PowerShell stages, use custom rotational XOR decryption, load .NET assemblies reflectively, and inject the final payload into C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe via process hollowing. Shared loader/injector components include DEV.DOWN/DEV.dll and, in another observed chain, ALTERNATE.EXECUTE. Samples have used temporary PowerShell files under C:\Temp\ and anti-analysis measures such as obfuscation, sandbox/process checks, anti-debugging logic, and in some builds self-deletion or disabled anti-analysis features.
Capabilities directly described in the content include theft of saved passwords, cookies, autofill data, and credit card data from Chromium- and Gecko-based browsers; theft of Outlook, Thunderbird, FoxMail, Telegram, Discord tokens, WinSCP, FileZilla, and Wi-Fi credential data; theft of cryptocurrency wallet data from desktop wallets and numerous browser wallet extensions; collection of selected local files; and system reconnaissance such as processor information and external IP address. One report on PhantomCore states PhantomStealer exports, decrypts, and archives authentication data stored in Chrome and Yandex browsers. Some PhantomStealer v3.5.0 builds also include a crypto-clipper that replaces clipboard wallet addresses for cryptocurrencies including BTC, ETH, LTC, BCH, TRX, SOL, and in one report XMR.
Exfiltration mechanisms vary by build. Observed samples exfiltrated via the Telegram Bot API, SMTP, or FTP. Reported SMTP infrastructure included compromised legitimate mail servers mail.kluangstation.com.my and mail.tms.cl, with receiver addresses ike@graceishere.tech and info@graceishere.tech. A recovered FTP-configured v3.5.0 sample used ftp.corella.ro with account backup@corella.ro. Some analyzed v3.5.0 builds had Telegram, Discord, FTP, startup persistence, keylogging, screenshots, anti-analysis, or file-grabber modules disabled in configuration. Reported mutexes include ZK5BJ6U4KNLQT3D9UGJZ, EMSMNP0JM2FCVRK21CDD, and 6WWCTAOSPN0K7LMSCS01.
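As an added defender's example (not code from any of the cited reports or from the Mallory platform), the following Python runs three detections over constructed Sysmon-style events matching the chain described above: a script host launching a document-looking .js, Aspnet_compiler.exe spawned by a script host or shell, and Aspnet_compiler.exe connecting to the Telegram Bot API or to mail/FTP ports. The event field names, the sample events and every path other than the Aspnet_compiler.exe location are constructed assumptions.

```python
import re

# Constructed Sysmon-style telemetry (not real logs): eid 1 = process creation, eid 3 = network connection.
FRAMEWORK = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSH = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [
    {"eid": 1, "image": WSH, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{WSH}" "C:\\Users\\u\\Downloads\\Quotation_2207.xlsx.js"'},
    {"eid": 1, "image": PS, "parent": WSH, "cmdline": "powershell.exe -File C:\\Temp\\stage.ps1"},
    {"eid": 1, "image": FRAMEWORK + r"\Aspnet_compiler.exe", "parent": PS, "cmdline": "Aspnet_compiler.exe"},
    {"eid": 3, "image": FRAMEWORK + r"\Aspnet_compiler.exe", "dst_host": "api.telegram.org", "dst_port": 443},
    {"eid": 3, "image": FRAMEWORK + r"\Aspnet_compiler.exe", "dst_host": "198.51.100.7", "dst_port": 21},
    # Benign controls: a build tool legitimately launching the compiler, and a browser talking to the web.
    {"eid": 1, "image": FRAMEWORK + r"\Aspnet_compiler.exe", "parent": FRAMEWORK + r"\MSBuild.exe",
     "cmdline": "Aspnet_compiler.exe -v / -p C:\\site"},
    {"eid": 3, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe", "dst_host": "example.org", "dst_port": 443},
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_PARENTS = SCRIPT_HOSTS | {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Document-looking name that really ends in .js (the .xlsx.js double-extension lure reported for this family).
DOUBLE_EXT_JS = re.compile(r"\.(xlsx?|docx?|pdf|zip|rar)\.js\b", re.I)
MAIL_FTP_PORTS = {21, 25, 465, 587}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def detect(events):
    alerts = []  # (rule name, triage detail) per matching event
    for ev in events:
        img = basename(ev["image"])
        if ev["eid"] == 1:
            parent = basename(ev.get("parent", ""))
            if img in SCRIPT_HOSTS and DOUBLE_EXT_JS.search(ev.get("cmdline", "")):
                alerts.append(("wsh_double_extension_js", ev["cmdline"]))
            # Aspnet_compiler.exe is build tooling; a script host or shell as parent is the hollowing pattern.
            if img == "aspnet_compiler.exe" and parent in SCRIPT_PARENTS:
                alerts.append(("aspnet_compiler_spawned_by_script_host", parent))
        elif ev["eid"] == 3 and img == "aspnet_compiler.exe":
            # The compiler has no reason to reach the network at all; classify the destination for triage.
            host, port = ev["dst_host"], ev["dst_port"]
            if host.endswith("api.telegram.org"):
                alerts.append(("aspnet_compiler_telegram_bot_api", host))
            elif port in MAIL_FTP_PORTS:
                alerts.append(("aspnet_compiler_smtp_or_ftp", f"{host}:{port}"))
            else:
                alerts.append(("aspnet_compiler_network_other", f"{host}:{port}"))
    return alerts
```

Running `detect(SAMPLE_EVENTS)` yields four alerts, one per stage of the constructed chain, and none for the two benign control events.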
PhantomStealer is linked in the content to the PhantomStealer MaaS ecosystem branded through phantomsoftwares.site and the Telegram identity/channel @Oldphantomoftheopera / Oldphantomoftheopera. Infrastructure overlap between phantomsoftwares.site and graceishere.tech is explicitly noted. Separately, PhantomStealer is also described as an in-house infostealer used by the PhantomCore threat actor, which uses it to collect and archive browser authentication data and as part of broader intrusion activity involving phishing, persistence, lateral movement, and exfiltration.
High-confidence indicators mentioned in the content include phantomsoftwares.site, graceishere.tech, mail.kluangstation.com.my, mail.tms.cl, ftp.corella.ro, the DEV.DOWN injector DLL SHA256 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447, PhantomStealer payload SHA256 values including 7df24c505edbfd1bdee879f8fc12e7b67590755513f28cadadcfd173da07d14d and 6eb33e137719e0261e910379786355f85da25b73c119616d34b3119da81f7ff0, and lure filenames such as Invoice 10225.js and RFQ108004 - EDS International.js.
PhantomCore uses its in-house infostealer, PhantomStealer, to export, decrypt, and save as an archive the authentication data stored on the infected host in Chrome and Yandex browsers.
This sample is a fully-weaponized delivery of PhantomStealer v3.5.0, a commercial infostealer sold as Malware-as-a-Service (MaaS) via phantomsoftwares.site and Telegram channel @Oldphantomoftheopera.
MITRE ATT&CK TTPs (ID, Technique, Implementation): T1078, Valid Accounts, abuses compromised mail credentials.
It ships as the final stage of a four-stage Windows dropper chain that smica83 uploaded as update.ps1 on April 21: an AES-256-CBC-wrapped PowerShell decrypts to an XOR-obfuscated PowerShell
Stage 1: WSH JavaScript Dropper The 4.4MB dropper is a single-line obfuscated JavaScript file for Windows Script Host.
The technique works: only 10 out of 36 AV engines detect it... It is a PE binary encoded as Unicode characters from 103 different scripts, mapped through IBM Code Page 437 back to x86 machine code.
paired with the classic double-extension trick: .xlsx.js. On any Windows machine with default settings, the .js extension is hidden, and the file looks like an Excel spreadsheet.
Defense Evasion, Process Injection (T1055): SetThreadContext into Aspnet_compiler.exe.
a WMI anti-sandbox query hitting winmgmts:\\.\root\cimv2 to look for Win32_Process artifacts.
the final PhantomStealer payload running inside Aspnet_compiler.exe targets: ... Cryptocurrency wallet extensions ... Wireless network passwords ... System reconnaissance
Crypto Clipper The clipper module is active and monitors the clipboard for cryptocurrency addresses.
Password stealer distributed via malspam campaigns targeting Italy during the week of 2026-06-15 to 2026-06-21.
A password-stealing malware family distributed via malspam campaigns targeting Italy, observed in email themes such as requests.
A password stealer family observed in malspam campaigns targeting Italy during the week of 2026-06-01 to 2026-06-07.
Information stealer, described as a Stealerium-family fork, delivered as the final stage of a four-stage Windows dropper chain. It decrypts configuration at runtime, steals data from sources such as Chromium browsers and Outlook, and exfiltrates via FTP in this campaign. The sample was injected into aspnet_compiler.exe via a reflective launcher and process hollowing.