PHANTOMPULSE
PHANTOMPULSE is a previously undocumented Windows remote access trojan (RAT) identified by Elastic Security Labs as the final-stage payload in the REF6598 intrusion chain. The campaign targeted individuals in the financial and cryptocurrency sectors and used social engineering via LinkedIn and Telegram, followed by abuse of Obsidian community plugins. On Windows, malicious Obsidian Shell Commands execution launched PowerShell, which retrieved an intermediate in-memory loader named PHANTOMPULL; PHANTOMPULL decrypted and launched PHANTOMPULSE in memory.
PHANTOMPULSE is described as a full-featured backdoor/RAT with telemetry collection, command retrieval, command-result reporting, file upload, screenshot capture, inline keylogging with clipboard monitoring, process injection, uninstall, privilege escalation, downgrade, and self-restart functionality. It performs host reconnaissance including machine ID, CPU, GPU, RAM, OS, username, computer name, privilege level, public IP, installed applications, and AV/EDR products. Reported targeted application checks include Ledger, Trezor, Electrum, Exodus, Telegram, Discord, Signal, Outlook, Authy, FileZilla, WinSCP, and Steam.
The malware uses multiple stealth and evasion mechanisms. It implements three process-injection techniques: PhantomInject, which module-stomps the legitimate dbghelp.dll instead of allocating new executable memory; DbgNexum, which uses the Windows Debug API to drive execution; and ManualMap, which manually maps DLL payloads, handles relocations and imports, wipes PE headers, and hijacks threads. It also disables AMSI, WLDP, and ETW using hardware breakpoints and a vectored exception handler targeting WldpQueryDynamicCodeTrust, AmsiScanBuffer, and EtwEventWrite. Additional evasion includes direct-syscall wrappers built from ntdll resolution via PEB/Ldr walking and SSN extraction, four XOR-based obfuscation layers for strings and configuration, and anti-sandbox checks against hashed usernames and computer names, including WDAGUtilityAccount and Joe Sandbox personas.
For privilege escalation, PHANTOMPULSE uses a schuac/UACME issue #129-style UAC bypass via IElevatedFactoryServer to obtain an elevated Task Scheduler COM object. It can register a transient DotNetSvcElevateTask and relaunch via rundll32.exe if needed. For persistence, it installs scheduled tasks including DotNetSvcUpdateTask, DotNetSvcCoreTask, and DotNetSvcUserTask, with DotNetSvcCoreTask registered under \Microsoft\Windows\NetFramework\ and configured to run with HighestAvailable privileges. It also drops an embedded DLL, svcagent.dll, to locations including %ProgramData%\AssetMon\svcagent.dll, %APPDATA%\AssetMon\svcagent.dll, or %TEMP%\svcagent.dll, and includes self-healing logic to restore persistence.
A notable feature is its blockchain-based command-and-control resolution. PHANTOMPULSE queries Blockscout services for Ethereum, Base, and Optimism to retrieve the latest transaction input associated with wallet 0xc117688c530b660e15085bF3A2B664117d8672aA, hex-decodes the input, XORs it with the wallet address bytes, and accepts the result if it begins with http. Reported provider hosts include eth.blockscout[.]com, base.blockscout[.]com, and optimism.blockscout[.]com. If blockchain resolution fails, reported fallback C2 domains include panel.feea8679[.]net and https://panel.fefea22134[.]net. Elastic noted that the resolver does not verify the sender of the latest transaction, which creates a potential sinkhole opportunity.
Elastic assessed the activity and tradecraft as aligned with DPRK-linked cryptocurrency-focused clusters including Lazarus, BlueNoroff, UNC5342/Contagious Interview, and APT38, while noting this is an alignment assessment rather than definitive attribution. The malware was also described as heavily or likely AI-generated based on unusually verbose and structured debug strings and implementation style.
Known indicators directly mentioned in the content include SHA-256 99dacf9f87ba3c1248718e3c6836c8a3b8bed38ba1d8fe3b3bde8378fb77e670 for a PHANTOMPULSE final payload, and alternate reporting of SHA-256 33dacf9f854f636216e5062ca252df8e5bed652efd78b86512f5b868b11ee70f for the final Windows payload. Elastic released YARA detections under Windows.Trojan.PhantomPulse.
Groups observed using it
4 distinct threat actors attributed by public researchers.
A newly analyzed remote access trojan called PHANTOMPULSE has drawn serious attention for its advanced approach to compromising Windows systems.
On Windows, the commands are used to invoke a PowerShell script to drop an intermediate loader codenamed PHANTOMPULL that decrypts and launches PHANTOMPULSE in memory. PHANTOMPULSE is an artificial intelligence (AI)-generated backdoor that uses the Ethereum blockchain for resolving its command-and-control (C2) server by fetching the latest transaction associated with a hard-coded wallet address.
Techniques & procedures
37 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
6 techniques. Excerpts: ...the implant uses to register a high-privilege scheduled task that relaunches it with full administrator rights... Organizations in the crypto sector are strongly advised to monitor for suspicious scheduled tasks... Scheduled tasks: DotNetSvcUpdateTask (primary persistence), DotNetSvcCoreTask (SYSTEM persistence), DotNetSvcUserTask (user persistence).
PHANTOMPULSE installs three scheduled tasks via the COM ITaskService interface, each executing rundll32.exe "<stub_dll>",DllRegisterServer
PHANTOMPULSE resolves ntdll functions by walking PEB→Ldr with DJB2 hashes, extracts System Service Numbers (SSNs) from each NT function's prologue, and builds private syscall stubs.
As soon as the vault is opened in the note-taking application, the target is asked to enable "Installed community plugins" sync, effectively causing malicious code to be executed.
Persistence
4 techniques.
Uninstall sequence (excerpt): Step 1/6: write kill flag to HKCU + HKLM... Step 3/6: remove legacy registry artifacts (NTLoad value, COM hijack keys, print monitor keys).
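The scheduled-task persistence described for this family (task names DotNetSvcUpdateTask, DotNetSvcCoreTask and DotNetSvcUserTask, the \Microsoft\Windows\NetFramework\ folder, the rundll32.exe "<stub_dll>",DllRegisterServer action, the svcagent.dll drop paths and the HighestAvailable run level) can be turned into a small triage script over task-creation records. The example below is added for this page and is not Elastic's or Mallory's code; it takes (task path, task definition XML) pairs in the shape a Windows Security event 4698 exporter supplies them (the TaskName and TaskContent fields), and both records, including the Contoso task used as a benign control, are constructed.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Namespace of Task Scheduler task definition XML (the TaskContent field of event 4698).
NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"

# Artifacts named in the report.
TASK_NAMES = {"DotNetSvcUpdateTask", "DotNetSvcCoreTask", "DotNetSvcUserTask"}
TASK_FOLDER = "\\microsoft\\windows\\netframework\\"
STUB_RE = re.compile(r"(?:\\assetmon\\|\\temp\\)svcagent\.dll", re.I)
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?$", re.I)


@dataclass
class Finding:
    task_name: str
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # RunLevel HighestAvailable on its own is common in benign tasks, so an
        # alert requires at least two independent indicators.
        return len(self.reasons) >= 2


def _text(node, path: str) -> str:
    el = node.find(path)
    return (el.text or "").strip() if el is not None else ""


def inspect_task(task_name: str, task_xml: str) -> Finding:
    """Score one task-creation record against the indicators from the report."""
    f = Finding(task_name)
    leaf = task_name.rsplit("\\", 1)[-1]
    if leaf in TASK_NAMES:
        f.reasons.append(f"known task name {leaf}")
    if task_name.lower().startswith(TASK_FOLDER):
        f.reasons.append("registered under \\Microsoft\\Windows\\NetFramework\\")
    root = ET.fromstring(task_xml)
    for exec_el in root.iter(f"{NS}Exec"):
        cmd = _text(exec_el, f"{NS}Command").strip('"')
        args = _text(exec_el, f"{NS}Arguments")
        if RUNDLL_RE.search(cmd) and "dllregisterserver" in args.lower():
            f.reasons.append("rundll32 DllRegisterServer action")
        if STUB_RE.search(args):
            f.reasons.append("svcagent.dll stub DLL path")
    if _text(root, f"{NS}Principals/{NS}Principal/{NS}RunLevel") == "HighestAvailable":
        f.reasons.append("RunLevel HighestAvailable")
    return f


def triage(events: List[Tuple[str, str]]) -> Dict[str, Finding]:
    """Map every (TaskName, TaskContent) record to its Finding."""
    return {name: inspect_task(name, xml) for name, xml in events}


# Constructed records: one mimicking the reported DotNetSvcCoreTask, one benign control.
MALICIOUS_TASK = (
    "\\Microsoft\\Windows\\NetFramework\\DotNetSvcCoreTask",
    '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
    '<Actions Context="Author"><Exec><Command>rundll32.exe</Command>'
    '<Arguments>"C:\\ProgramData\\AssetMon\\svcagent.dll",DllRegisterServer</Arguments>'
    "</Exec></Actions></Task>",
)
BENIGN_TASK = (
    "\\Contoso\\NightlyBackup",
    '<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
    '<Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>'
    '<Actions Context="Author"><Exec><Command>C:\\Tools\\backup.exe</Command>'
    "<Arguments>--full</Arguments></Exec></Actions></Task>",
)

if __name__ == "__main__":
    for name, finding in triage([MALICIOUS_TASK, BENIGN_TASK]).items():
        flag = "SUSPICIOUS" if finding.suspicious else "ok"
        print(f"{flag:10} {name}: {'; '.join(finding.reasons) or 'no indicators'}")
```

The two-indicator threshold is deliberate: the task names and the NetFramework folder are strong on their own, but the run level and even a rundll32 DllRegisterServer action appear in legitimate software, so the script reports every matched reason and lets the combination decide.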
Privilege Escalation
8 techniques.
According to the Elastic Security Labs report, the implant carries three separate process injection techniques... PHANTOMPULSE ships with three distinct injection methods, each designed for a different payload type.
ManualMap handles DLL payloads with a complete PE manual mapping implementation.
Acquires SeDebugPrivilege (via OpenProcessToken / LookupPrivilegeValueW / AdjustTokenPrivileges).
PHANTOMPULSE installs three scheduled tasks via the COM ITaskService interface, with the following triggers:
- DotNetSvcUpdateTask: user logon + time (3 min)
- DotNetSvcCoreTask: boot + time (15 min)
- DotNetSvcUserTask: user logon
The UAC bypass relies on a documented technique catalogued as UACME issue #129. It exploits a Windows COM interface that hands non-admin callers an elevated instance, which the implant uses to register a high-privilege scheduled task that relaunches it with full administrator rights.
The elevate command is a UAC bypass via the schuac technique (IElevatedFactoryServer::ServerCreateElevatedObject(CLSID_TaskScheduler))
Stealth
12 techniques. PHANTOMPULSE uses four XOR layers for different artifacts.
Uninstall sequence (excerpt): Step 4/6: delete stub DLLs, sleeper logs, registry PE blob, ProgramData directories. Step 5/6: delete install path and self path from disk.
For each provider, the implant issues an HTTPS GET... pulls the input field of the latest transaction, hex-decodes it, XOR-decrypts with the wallet address bytes as the key, and validates that the result begins with http.
The drop command supports DLL, EXE, shellcode (APC injection), and MSI payloads.
The malware never writes its final stage to disk, making it far harder to detect through conventional file-based scanning.
Shellcode is injected using a technique called PhantomInject, which stomps a legitimate Windows DLL named dbghelp.dll rather than allocating new executable memory.
DLL payloads are handled through a full manual mapping routine that strips PE headers from memory, removing common forensic artifacts.
Defense Impairment
1 technique.
Credential Access
1 technique.
Discovery
5 techniques. At startup, the implant DJB2-hashes the user name and computer name and looks each up in a precomputed table.
Acquires SeDebugPrivilege... then walks the process snapshot for one of seven host-process candidates
AV detection (DetectInstalledAV): matches running processes against a hardcoded list of roughly 25 to 30 AV vendor process names.
Collection
3 techniques. Screenshots use GDI APIs resolved by hash. If desktop width exceeds 960 px, the image is downscaled before upload.
Clipboard monitoring APIs:
- GetClipboardSequenceNumber: clipboard change detection
- OpenClipboard / GetClipboardData: clipboard reading (CF_UNICODETEXT)
Command and Control
6 techniques. One of the most unusual aspects of PHANTOMPULSE is how it locates its command-and-control server. Rather than using hardcoded domains or fast-flux DNS, it reads the input field of the latest transaction from a specific cryptocurrency wallet across three blockchain networks: Ethereum, Base, and Optimism.
For each provider, the implant issues an HTTPS GET (port 443, SSL cert errors ignored)...
PHANTOMPULSE decentralizes C2 lookup through three Blockscout providers:
- eth.blockscout[.]com (Ethereum L1)
- base.blockscout[.]com (Base L2)
- optimism.blockscout[.]com (Optimism L2)
Once a foothold is established, an in-memory loader called PHANTOMPULL drops the PHANTOMPULSE implant onto the compromised system.
PHANTOMPULSE... uses the Ethereum blockchain for resolving its command-and-control (C2) server by fetching the latest transaction associated with a hard-coded wallet address. On macOS... employing Telegram as a dead drop resolver for fallback C2 resolution.
For each provider, the implant issues an HTTPS GET (port 443, SSL cert errors ignored)
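The resolver described under this tactic (and in the overview) can be reproduced offline for triage: given the latest transaction input a Blockscout provider returns, the decoder below applies the same hex-decode, XOR with the wallet address bytes and "begins with http" gate, walks the providers in the report's order, and falls back to the hardcoded domains when nothing decodes. This is an added example written for this page, not code from Elastic or from the malware. The sample inputs are constructed and the URL is a placeholder; it assumes the XOR key is the ASCII text of the address exactly as written (0x prefix, mixed case), since the report does not say whether the raw 20 address bytes are used instead, so a real sample may need the key form adjusted.

```python
from typing import Iterable, List, Optional, Tuple

# Wallet address from the Elastic report; its bytes serve as the XOR key.
WALLET = "0xc117688c530b660e15085bF3A2B664117d8672aA"
# Fallback domains reported for the family, defanged as in the report.
FALLBACK_C2 = ["panel.feea8679[.]net", "https://panel.fefea22134[.]net"]


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the transform is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_tx_input(tx_input: str, wallet: str = WALLET) -> Optional[str]:
    """Apply the reported resolver check to one transaction input.

    ASSUMPTION: the key is the ASCII text of the address as written; the
    report does not state whether the raw address bytes are used instead.
    Returns the decoded URL, or None if the input is not hex, does not start
    with 'http' after decoding, or is not valid UTF-8.
    """
    hexstr = tx_input[2:] if tx_input[:2].lower() == "0x" else tx_input
    try:
        raw = bytes.fromhex(hexstr)
    except ValueError:
        return None
    plain = xor_bytes(raw, wallet.encode("ascii"))
    if not plain.startswith(b"http"):
        return None
    try:
        return plain.decode("utf-8")
    except UnicodeDecodeError:
        return None


def encode_tx_input(url: str, wallet: str = WALLET) -> str:
    """Inverse of decode_tx_input; used here only to build constructed sample data."""
    return "0x" + xor_bytes(url.encode("utf-8"), wallet.encode("ascii")).hex()


def resolve_c2(latest_inputs: Iterable[Tuple[str, str]],
               fallbacks: List[str] = FALLBACK_C2) -> Tuple[str, str]:
    """Walk providers in order; the first input that decodes to an 'http…'
    string wins, otherwise the first fallback. Returns (source, url)."""
    for provider, tx_input in latest_inputs:
        url = decode_tx_input(tx_input)
        if url is not None:
            return provider, url
    return "fallback", fallbacks[0]


# Constructed sample of what each provider's "latest transaction input" might hold.
SAMPLE_URL = "http://c2-sample.invalid/"  # placeholder, not a real indicator
SAMPLE_LATEST_INPUTS = [
    ("eth.blockscout[.]com", "0xdeadbeef"),                  # unrelated transaction data
    ("base.blockscout[.]com", encode_tx_input(SAMPLE_URL)),  # operator-style encoded URL
    ("optimism.blockscout[.]com", "0x"),                     # empty input
]

if __name__ == "__main__":
    print(resolve_c2(SAMPLE_LATEST_INPUTS))
```

Run against live Blockscout data, the decoded URL is an indicator to log and block rather than anything to trust, and recording the transaction's sender alongside it is worthwhile: the report's point that the resolver never checks who sent the latest transaction is exactly what makes the sinkhole opportunity it mentions possible.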
Exfiltration
1 technique. Five API paths are constructed at runtime, including:
- /v1/telemetry/upload/ (POST, image/bmp): screenshot / file upload
- /v1/telemetry/keylog/ (POST, text/plain): keylog data upload
Other
2 techniques. PHANTOMPULSE disables AMSI, the Windows Lockdown Policy code-trust check, and ETW telemetry through a single shared primitive: a hardware breakpoint planted on each API entry, intercepted by a vectored exception handler that fakes the return value without inline patching.
A "novel" social engineering campaign has been observed abusing Obsidian... leveraging elaborate social engineering tactics through LinkedIn and Telegram... approaching prospective individuals under the guise of a venture capital firm and then moving the conversation to a Telegram group...
IOCs tracked for this family
23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Remote access trojan used as the final-stage payload in the REF6598 attack chain. It establishes persistence, evades detection, performs process injection, uses a UAC bypass for privilege escalation, and communicates with operators via a blockchain-based C2 with fallback infrastructure.
A Windows remote access implant/final-stage payload that provides command-and-control, process injection, persistence via scheduled tasks, UAC bypass, AMSI/WLDP/ETW evasion via hardware breakpoints, keylogging, screenshot capture, system reconnaissance, and blockchain-based C2 resolution with a hardcoded fallback URL.
A previously undocumented Windows remote access trojan/backdoor used in a social engineering campaign abusing Obsidian. It resolves C2 via the Ethereum blockchain and uses WinHTTP to communicate, enabling telemetry collection, command execution, file and screenshot upload, keylogging, code injection, persistence removal, and privilege escalation.
A previously undocumented remote access trojan/backdoor deployed on Windows that supports keylogging, screenshot capture, process injection, privilege escalation, and uses public Ethereum blockchain transaction data via Blockscout APIs to resolve C2 infrastructure.