DEV.DOWN is a .NET injector DLL used as Stage 3 of a multi-stage Phantom Stealer infection chain. It is loaded reflectively from PowerShell via [System.Reflection.Assembly]::Load() and invoked through its DEV.DOWN::SHOOT method. The Stage 3 loader carries DEV.DOWN together with the final Phantom Stealer payload and uses DEV.DOWN to inject that payload into aspnet_compiler.exe; the reporting describes this as process hollowing and names VirtualAllocEx and NtCreateThreadEx as the injection-related APIs. The DLL is approximately 47 KB; its SHA256 is 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447. The delivery chain ahead of it begins with an obfuscated Windows Script Host JavaScript dropper that launches PowerShell with -ExecutionPolicy Bypass and a hidden window, followed by a PowerShell XOR-decryption stage that recovers the Stage 3 loader. In the available reporting, DEV.DOWN is tied to delivery of Phantom Stealer, a commercially sold .NET infostealer linked to phantomsoftwares.site and the Telegram handle @Oldphantomoftheopera. An AES key reported as embedded in DEV.DOWN is jodTFE2vRldtBtx91i.PYSXl3H4CfuFjxYYPp.
Techniques documented for this family (9 in total, organized by ATT&CK tactic); those with recorded detail are:
- Obfuscation: JavaScriptObfuscator (string-array rotation, control-flow flattening) ... encrypted blob in Stage 2, recovered by the PowerShell XOR-decryption stage.
- Target process: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe, a legitimate Microsoft .NET tool used as the process-hollowing host so the payload runs under a signed, expected-looking image.
- Injection: DEV.DOWN writes the payload into aspnet_compiler.exe with VirtualAllocEx and starts it with NtCreateThreadEx.
- Cleanup: DeleteFile on SCRIPT_PATH after execution; taskkill /f /im wscript.exe on timeout.
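The chain above leaves a recognisable sequence in endpoint telemetry: wscript.exe starting PowerShell with ExecutionPolicy Bypass and a hidden window, PowerShell then starting aspnet_compiler.exe with no arguments, a cross-process thread into that aspnet_compiler.exe, and a taskkill of wscript.exe. The following is an added example, not tooling from this page or from any vendor: a small rule set over Sysmon-style events (field names follow Sysmon Event ID 1 ProcessCreate, Event ID 8 CreateRemoteThread and Event ID 15 FileCreateStreamHash). The sample events are constructed for illustration, and the rule names and the `Event` class are this example's own.

```python
"""Detection rules for the DEV.DOWN / Phantom Stealer chain over constructed
Sysmon-style events (added example; field names follow Sysmon EID 1, 8, 15)."""
import re
from dataclasses import dataclass

DEVDOWN_SHA256 = "195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447"
HOLLOW_HOST = "aspnet_compiler.exe"
POWERSHELL = {"powershell.exe", "pwsh.exe"}
WSH = {"wscript.exe", "cscript.exe"}


@dataclass
class Event:
    event_id: int   # Sysmon event ID
    fields: dict    # event data keyed by Sysmon field name


def basename(path):
    """Lower-cased file name from a Windows path ('' for None)."""
    return (path or "").lower().rsplit("\\", 1)[-1]


def rule_wsh_hidden_bypass_powershell(ev):
    """Stage 1: a WSH dropper launches PowerShell with ExecutionPolicy Bypass
    and a hidden window (-ep/-ex/-exec and -w/-win short forms covered)."""
    if ev.event_id != 1:
        return None
    f = ev.fields
    cmd = (f.get("CommandLine") or "").lower()
    if (basename(f.get("ParentImage")) in WSH
            and basename(f.get("Image")) in POWERSHELL
            and re.search(r"-e(p|x|xec|xecutionpolicy)\s+bypass", cmd)
            and re.search(r"-w\w*\s+hidden", cmd)):
        return "wsh_spawns_hidden_bypass_powershell"
    return None


def rule_powershell_spawns_bare_aspnet_compiler(ev):
    """Stage 3 host: PowerShell starts aspnet_compiler.exe with no arguments.
    A genuine compile carries -v/-p/-f switches; a bare launch from a
    scripting host is the hollowing pattern described on this page."""
    if ev.event_id != 1:
        return None
    f = ev.fields
    cmd = (f.get("CommandLine") or "").strip().strip('"')
    if (basename(f.get("Image")) == HOLLOW_HOST
            and basename(f.get("ParentImage")) in POWERSHELL
            and basename(cmd) == HOLLOW_HOST):  # whole command line is just the path
        return "powershell_spawns_bare_aspnet_compiler"
    return None


def rule_remote_thread_into_aspnet_compiler(ev):
    """Sysmon EID 8 records cross-process thread creation, which the
    NtCreateThreadEx-based injection ends up producing."""
    if ev.event_id != 8:
        return None
    f = ev.fields
    if (basename(f.get("TargetImage")) == HOLLOW_HOST
            and basename(f.get("SourceImage")) != HOLLOW_HOST):
        return "remote_thread_into_aspnet_compiler"
    return None


def rule_taskkill_wscript(ev):
    """Cleanup: the chain force-kills wscript.exe on timeout."""
    if ev.event_id != 1:
        return None
    cmd = (ev.fields.get("CommandLine") or "").lower()
    if (basename(ev.fields.get("Image")) == "taskkill.exe"
            and "/f" in cmd and re.search(r"/im\s+wscript\.exe", cmd)):
        return "taskkill_wscript"
    return None


def rule_known_hash(ev):
    """Hash IOC on any event carrying a Sysmon 'Hashes' field (EID 1, 7, 15).
    The reflective Assembly.Load() path produces no EID 7 image load for
    DEV.DOWN, so this fires only when the DLL touches disk."""
    hashes = (ev.fields.get("Hashes") or "").lower()
    return "devdown_sha256_match" if f"sha256={DEVDOWN_SHA256}" in hashes else None


RULES = [rule_wsh_hidden_bypass_powershell, rule_powershell_spawns_bare_aspnet_compiler,
         rule_remote_thread_into_aspnet_compiler, rule_taskkill_wscript, rule_known_hash]


def run_rules(events):
    """Return (event index, rule name) for every rule hit, in event order."""
    return [(i, name) for i, ev in enumerate(events)
            for name in (rule(ev) for rule in RULES) if name]


# Constructed sample events (not real telemetry): 0-3 and 6 model the chain
# on this page; 4 and 5 are benign controls that must not alert.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
SAMPLE_EVENTS = [
    Event(1, {"Image": PS, "ParentImage": r"C:\Windows\System32\wscript.exe",
              "CommandLine": 'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command "..."'}),
    Event(1, {"Image": ASPNET, "ParentImage": PS, "CommandLine": f'"{ASPNET}"'}),
    Event(8, {"SourceImage": PS, "TargetImage": ASPNET}),
    Event(1, {"Image": r"C:\Windows\System32\taskkill.exe", "ParentImage": PS,
              "CommandLine": "taskkill /f /im wscript.exe"}),
    Event(1, {"Image": ASPNET, "ParentImage": r"C:\Program Files\dotnet\MSBuild.exe",
              "CommandLine": r"aspnet_compiler.exe -v / -p C:\site -f C:\out"}),
    Event(1, {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"}),
    Event(15, {"TargetFilename": r"C:\Users\user\AppData\Local\Temp\dev.down",
               "Hashes": f"SHA256={DEVDOWN_SHA256.upper()}"}),
]

if __name__ == "__main__":
    for idx, rule_name in run_rules(SAMPLE_EVENTS):
        print(f"event[{idx}] -> {rule_name}")
```

The process-tree rules carry the detection weight here: aspnet_compiler.exe is a hollowing host used by other loaders too, so the parent/argument pattern and the EID 8 thread creation are what separate this from legitimate builds, while the hash only helps if DEV.DOWN is written to disk rather than passed straight to Assembly.Load().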
How tracked sources describe the component:
- A .NET injector DLL used in the third stage of the infection chain to hollow out Aspnet_compiler.exe and load the PhantomStealer payload into it.
- A .NET injector component in the Phantom Stealer infection chain that decrypts (AES-encrypted payload handling) and injects the final Phantom Stealer payload into aspnet_compiler.exe using process injection techniques including VirtualAllocEx and NtCreateThreadEx.