PhantomStealer v3.5.0 was deployed in multiple phishing campaigns using invoice, RFQ, maritime, and industrial lures delivered as heavily obfuscated JavaScript droppers. Across the observed samples, the malware followed a consistent multi-stage chain: Windows Script Host launched PowerShell, decrypted additional payloads, reflectively loaded .NET components, and hollowed the signed Microsoft binary Aspnet_compiler.exe to run the final infostealer. Researchers tied the activity to the PhantomStealer malware-as-a-service ecosystem advertised via phantomsoftwares.site and the Telegram identity Oldphantomoftheopera, with builder-generated samples showing per-build customization but a stable framework, anti-analysis logic, and optional persistence. The payloads stole browser credentials, cookies, credit cards, email and messaging data, Wi-Fi passwords, screenshots, keystrokes, and cryptocurrency wallet information, while some builds also enabled a crypto clipper that replaced wallet addresses across multiple chains.
The campaigns abused legitimate but compromised infrastructure for both delivery and exfiltration, including a Portuguese theater website hosting encrypted PowerShell stages, a Chilean mail server and a Malaysian business email account used as SMTP relays, and Romanian FTP hosting used by another PhantomStealer build. Exfiltration varied by sample (SMTP to attacker mailboxes at graceishere.tech, the Telegram Bot API, Discord, or FTP), but infrastructure overlap repeatedly linked the deployments back to the same MaaS operation, and one report also connected a PhantomStealer FTP campaign to related AgentTesla activity through shared submissions and tooling. The targeting and lure themes indicate a focus on procurement, shipping, maritime, industrial, and accounts receivable personnel, while the repeated use of compromised small-business hosting and mail systems suggests the operators favored hijacked third-party services over dedicated attacker-owned infrastructure.
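As an added detection-side example (not code from the original reporting or from Breakglass), the heuristics below encode the parent/child process relationships of the chain described above (script host launching PowerShell, PowerShell launching a signed .NET binary that is then hollowed) and the Run/RunOnce-to-AppData VBS persistence noted in the February 22 timeline entry. The events are constructed Sysmon-style records with simplified field names; the "argument-less launch" confidence rule is an assumption, not something the reports state.

```python
"""Detection heuristics for the PhantomStealer execution chain; events are constructed, not real telemetry."""
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HOLLOW_TARGETS = {"aspnet_compiler.exe", "regasm.exe", "vbc.exe", "msbuild.exe"}  # signed .NET binaries named in the reports
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")

@dataclass
class ProcEvent:  # Sysmon Event ID 1 (process create), simplified
    pid: int
    ppid: int
    image: str    # full path of the new process
    args: str     # command-line arguments with the image path removed
@dataclass
class RegEvent:   # Sysmon Event ID 13 (registry value set), simplified
    pid: int
    key: str      # TargetObject: hive\...\CurrentVersion\Run\<value name>
    data: str     # Details: the value that was written

def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def detect(events):
    """Return one alert string per suspicious relationship found in `events`."""
    procs = {e.pid: e for e in events if isinstance(e, ProcEvent)}
    alerts = []
    for e in events:
        if isinstance(e, ProcEvent) and e.ppid in procs:
            p, c = _base(procs[e.ppid].image), _base(e.image)
            if p in SCRIPT_HOSTS and c in POWERSHELL:
                alerts.append(f"script_host_to_powershell pid={e.pid} parent={p}")
            elif p in POWERSHELL and c in HOLLOW_TARGETS:
                # Assumption: these tools normally receive arguments, so an argument-less launch is the closest match
                conf = "high" if not e.args.strip() else "medium"
                alerts.append(f"powershell_to_hollow_target pid={e.pid} child={c} confidence={conf}")
        elif isinstance(e, RegEvent):
            k, d = e.key.lower(), e.data.lower()
            if any(r in k for r in RUN_KEYS) and ".vbs" in d and "\\appdata\\" in d:
                alerts.append(f"run_key_to_appdata_vbs pid={e.pid} data={e.data}")
    return alerts

SAMPLE = [  # constructed chain: Invoice 10225.js -> PowerShell -> hollowed aspnet_compiler.exe, plus a benign MSBuild
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", ""),
    ProcEvent(200, 100, r"C:\Windows\System32\wscript.exe", r'"C:\Users\u\Downloads\Invoice 10225.js"'),
    ProcEvent(300, 200, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "-w hidden -enc <redacted>"),
    ProcEvent(400, 300, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", ""),
    RegEvent(300, r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater", r"wscript.exe C:\Users\u\AppData\Roaming\upd.vbs"),
    ProcEvent(500, 100, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe", "proj.csproj"),
]
```

Running `detect(SAMPLE)` yields three alerts (script host to PowerShell, high-confidence hollowing target, Run-key VBS) and leaves the Explorer-launched MSBuild unflagged.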

Breakglass documented that two compromised shared cPanel hosting accounts were abused as exfiltration points for AgentTesla and PhantomStealer, on Italian and Romanian infrastructure respectively. The report assessed both malware operations as likely linked to the same operator based on shared MalwareBazaar tags, a shared campaign ZIP, a shared GuLoader sample, and tightly clustered submissions.
In a later campaign analysis, researchers extracted the full PhantomStealer configuration by invoking the malware's own decryption routine. The recovered config showed this build used FTP exfiltration via ftp.corella.ro only, with SMTP, Telegram, Discord, and clipper modules disabled.
Analysis of the March 12 RFQ-themed build found that graceishere.tech shared MX infrastructure with the PhantomStealer panel domain phantomsoftwares.site. Combined with shared clipper wallets and exfiltration patterns, this suggested a close link between the MaaS operator and the actor deploying the sample.
Researchers captured a second PhantomStealer v3.5.0 deployment on March 12, 2026, using the attachment "RFQ108004 - EDS International.js". This fileless five-stage chain targeted procurement staff and exfiltrated via the compromised Chilean mail server mail.tms.cl to info@graceishere.tech.
On March 12, 2026, researchers analyzed the heavily obfuscated file "Invoice 10225.js" and found it delivered PhantomStealer v3.5.0 through a four-stage chain. The build used SMTP exfiltration via a compromised Malaysian account on kluangstation.com.my to send stolen data to ike@graceishere.tech and included an active crypto clipper.
An active campaign used fake trade and invoice-themed JavaScript attachments that fetched encrypted PowerShell from the legitimate Portuguese site teatroluisdecamoes.pt. The compromised site belonged to Teatro Luis de Camoes in Lisbon and was likely abused through weak credentials or a cPanel-related compromise.
On March 11, 2026, at least 10 PhantomStealer samples were uploaded to MalwareBazaar, indicating a high-tempo phishing operation. The samples used trade and invoice-themed JavaScript lures aimed at procurement, shipping, and accounts receivable personnel.
Breakglass found that the Telegram bot token and chat ID recovered from PhantomStealer telemetry were no longer active as of March 10, 2026. This indicated the attackers had burned or abandoned that exfiltration channel.
Researchers assessed a 25-sample PhantomStealer campaign as active since at least February 26, 2026, using themed JavaScript droppers and a five-layer infection chain ending in process hollowing into aspnet_compiler.exe. The campaign exfiltrated stolen data through the Telegram Bot API.
A February 22, 2026 analysis documented a PhantomStealer delivery chain using a malicious DLL that established persistence via Run/RunOnce registry keys, dropped a VBS file in AppData, downloaded a payload from attacker-controlled infrastructure including a Firebase-hosted URL, and injected it into RegAsm.exe. The sample also killed RegAsm.exe, Vbc.exe, and MsBuild.exe before execution and monitored the injected process every 60 seconds, relaunching the VBS script if it failed.
Breakglass reported that PhantomStealer's commercial MaaS infrastructure, including phantomsoftwares.site and the Telegram identity @Oldphantomoftheopera, had been active since at least February 2025. This marks the earliest referenced operational presence of the service.