
Phantom Bot

Phantom Bot is a Go-based DDoS botnet payload delivered through the malicious npm package axois-utils as part of a broader npm supply-chain and typosquatting campaign attributed to a publisher that distributed several malicious packages. The package itself explicitly refers to the malware as a “phantom bot.” Its documented capabilities are flooding targets with HTTP, TCP, UDP, and reset requests, turning infected systems into DDoS nodes. Reported persistence mechanisms let it remain on infected machines even after the npm package is removed: supporting reporting states that on Windows the payload is added to the Windows Startup folder and on Linux a scheduled task is created. The campaign was identified by OX Security and involved packages published by the npm user deadcode09284814 alongside other stealer payloads. High-confidence context indicates the campaign targeted npm users and was assessed as financially motivated, while the DDoS capability also raised the possibility of disruptive or DDoS-for-hire use. No Phantom Bot-specific C2 infrastructure or unique IOC beyond delivery through axois-utils is directly provided in the source content.
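
A defensive check for the delivery vector described above, added here as an example that is not part of this page or of the reporting it cites: it scans a package.json for dependency names that are one edit away from a known package, using a transposition-aware distance so that axois (for axios) and chalk-tempalte (for chalk-template) are both caught. The known-package list and the manifest contents are constructed assumptions.

```python
import json

# Popular packages worth protecting; a real deployment would pull this from registry download rankings (assumption).
KNOWN_PACKAGES = ["axios", "lodash", "chalk", "chalk-template", "express", "react"]

# Constructed package.json: "axois-utils" and "chalk-tempalte" are the package
# names reported on this page; the other entries are ordinary dependencies.
SAMPLE_PACKAGE_JSON = """{
  "dependencies": {"axios": "^1.6.0", "axois-utils": "1.0.2", "lodash": "^4.17.21"},
  "devDependencies": {"chalk-tempalte": "0.1.0", "left-pad": "^1.3.0"}
}"""

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'axois' -> 'axios' costs one edit instead of two."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def find_typosquat_candidates(dependencies, known=KNOWN_PACKAGES, max_distance=1):
    """Map each suspicious dependency to (lookalike known package, distance). Both the
    whole name and each hyphenated token are compared, so 'axois-utils' is caught via 'axois'."""
    findings = {}
    for dep in dependencies:
        if dep in known:  # exact match to a real package is not a typosquat
            continue
        for part in [dep] + dep.split("-"):
            if len(part) < 4:  # tokens like 'js' or 'cli' match far too much
                continue
            real, dist = min(((k, osa_distance(part, k)) for k in known), key=lambda t: t[1])
            if 0 < dist <= max_distance:
                findings[dep] = (real, dist)
                break
    return findings

def scan_package_json(text: str):
    """Collect dependencies and devDependencies from a manifest and scan them."""
    manifest = json.loads(text)
    names = list(manifest.get("dependencies", {})) + list(manifest.get("devDependencies", {}))
    return find_typosquat_candidates(names)
```

Run it against a lockfile-derived name list in CI and fail the build on any finding; a short edit distance is a signal to review, not proof of malice, since legitimate forks and plugins also use similar names.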


MITRE ATT&CK

Techniques & procedures

8 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development (1 technique)

T1583.001 Domains [evidence: 2]
"The campaign appears to be the work of a single threat actor deploying multiple infostealer variants simultaneously through a coordinated typosquatting operation targeting Axios users."

Initial Access (1 technique)

T1195 Supply Chain Compromise [evidence: 2]
Same quote as for T1583.001 above.

Execution (1 technique)

T1053 Scheduled Task/Job [evidence: 1]
"It also establishes persistence on both Windows and Linux machines by adding the payload to the Windows Startup folder and creating a scheduled task."

Persistence (2 techniques)

T1053 Scheduled Task/Job [evidence: 1]
Same quote as under Execution.

T1547 Boot or Logon Autostart Execution [evidence: 1]
Same quote as under Execution.

Privilege Escalation (2 techniques)

T1053 Scheduled Task/Job [evidence: 1]
Same quote as under Execution.

T1547 Boot or Logon Autostart Execution [evidence: 1]
Same quote as under Execution.

Command and Control (1 technique)

T1105 Ingress Tool Transfer [evidence: 1]
"The fourth malicious npm package (axois-utils) calls its payload a “phantom bot.” The code is written in Go, and contains a DDoS botnet"

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel [evidence: 1]
"chalk-tempalte — Shai-Hulud clone exfiltrating credentials, crypto wallets, secrets, and accounts to a remote C2 server"

Impact (2 techniques)

T1498 Network Denial of Service [evidence: 2]
"The code is written in Go, and contains a DDoS botnet that floods websites with HTTP, TCP, UDP and Reset requests."

T1499 Endpoint Denial of Service [evidence: 1]
"plus a DDoS botnet capable of flooding targets with HTTP, TCP, UDP, and reset requests"

INDICATORS OF COMPROMISE

IOCs tracked for this family

2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network (2 tracked)

IPs, domains, and DNS infrastructure linked to this family.

Type     Value           Latest sighting
domain   ●●●●●●●●●●●●    1 month ago
ip.v4    ●●●●●●●●●●●●    1 month ago