Analytics Story: Phantom Stealer

Description

Phantom Stealer is an information-stealing malware designed to covertly harvest sensitive data from compromised Windows endpoints.

It primarily targets browser credential stores, saved passwords, cookies, autofill data, and session tokens from popular browsers such as Chrome, Edge, and Firefox.

Beyond browsers, Phantom Stealer extends its reach to FTP and SSH clients, including WinSCP, FileZilla, and PuTTY, as well as email clients, cryptocurrency wallets, and VPN configurations.

The malware commonly arrives via phishing emails, trojanized software, or malicious downloads.

Once executed, it enumerates the victim system, collects targeted data, archives the harvested output, and exfiltrates it to attacker-controlled infrastructure over encrypted channels. Phantom Stealer leverages access to sensitive application configuration folders — including WinSCP security directories — to extract stored credentials outside of normal application access patterns.

Detection focuses on unauthorized process access to credential storage paths, abnormal file reads from browser and FTP client profile directories, and suspicious data archiving or outbound connection behavior.

Why it matters

In observed Phantom Stealer campaigns, the malware is typically delivered through phishing lures or cracked software bundles targeting Windows users.

Upon initial execution from a user profile or temporary directory, the malware rapidly enumerates installed applications and begins accessing sensitive credential stores.

Telemetry captured unauthorized reads of WinSCP security configuration folders by non-WinSCP processes, a strong behavioral indicator of credential harvesting targeting SSH and FTP sessions.

The malware similarly accessed browser profile directories for Chrome and Edge, extracting Login Data, Cookies, and Web Data SQLite databases containing saved credentials and session tokens.

Following collection, Phantom Stealer compressed the harvested data into an archive and transmitted it via HTTPS POST to its command-and-control server.

In some cases, persistence was observed through registry run key modifications, ensuring the stealer re-executes after reboot.

The breadth of targeted applications — spanning browsers, file transfer clients, and crypto wallets — makes Phantom Stealer a high-impact credential theft tool capable of enabling account takeover, financial fraud, and further intrusion into enterprise environments.

Detections

Name ▲▼ Technique ▲▼ Type ▲▼
Windows DNS Query Request by Telegram Bot API DNS, Bidirectional Communication Anomaly
PowerShell 4104 Hunting PowerShell Hunting
Non Firefox Process Access Firefox Profile Dir Credentials from Web Browsers Anomaly
Windows Disable or Stop Browser Process Disable or Modify Tools TTP
Windows Boot or Logon Autostart Execution In Startup Folder Registry Run Keys / Startup Folder Anomaly
Windows Credentials from Password Stores Chrome LocalState Access Query Registry Anomaly
Windows Chromium Browser No Security Sandbox Process Virtualization/Sandbox Evasion TTP
Windows Credential Access From Browser Password Store Query Registry Anomaly
Powershell Fileless Script Contains Base64 Encoded Content Obfuscated Files or Information, PowerShell TTP
Executables Or Script Creation In Temp Path Masquerading Anomaly
Windows Powershell Cryptography Namespace PowerShell Anomaly
Windows System Network Connections Discovery Netsh System Network Connections Discovery Anomaly
Windows Browser Process Launched with Unusual Flags Browser Session Hijacking Anomaly
Windows Disable or Modify Tools Via Taskkill Disable or Modify Tools Anomaly
Windows Suspicious Process File Path Match Legitimate Resource Name or Location, Create or Modify System Process TTP
Windows Credentials from Password Stores Chrome Login Data Access Query Registry Anomaly
Non Chrome Process Accessing Chrome Default Dir Credentials from Web Browsers Anomaly
Windows WinSCP Configuration Security Access Credentials In Files Anomaly
Windows Credentials from Password Stores Chrome Extension Access Query Registry Anomaly
Windows File Transfer Protocol In Non-Common Process Path Mail Protocols Anomaly
Windows Non Discord App Access Discord LevelDB Query Registry Anomaly
Windows Unusual FileZilla XML Config Access Credentials In Files Anomaly
Windows Chromium Browser with Custom User Data Directory Virtualization/Sandbox Evasion Anomaly
Windows Unusual Process Load Mozilla NSS-Mozglue Module CMSTP Anomaly
Headless Browser Usage Virtualization/Sandbox Evasion, Hidden Window Anomaly
Windows Process Injection Remote Thread Portable Executable Injection TTP
Registry Keys Used For Persistence Registry Run Keys / Startup Folder TTP
PowerShell PInvoke Process Injection API Chain Dynamic-link Library Injection, Thread Execution Hijacking, Asynchronous Procedure Call, Process Hollowing, Process Doppelgänging, PowerShell, Reflective Code Loading TTP
Executables Or Script Creation In Suspicious Path Masquerading Anomaly
Suspicious Process With Discord DNS Query Visual Basic Anomaly
Windows Unsecured Outlook Credentials Access In Registry Unsecured Credentials Anomaly
Windows Process Injection With Public Source Path Portable Executable Injection Hunting
Windows Credentials from Password Stores Chrome Copied in TEMP Dir Credentials from Web Browsers TTP

Data Sources

Name ▲▼ Platform ▲▼ Sourcetype ▲▼ Source ▲▼
Sysmon EventID 22 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Windows Event Log Security 4663 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
Sysmon EventID 1 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 11 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 Windows icon Windows XmlWinEventLog XmlWinEventLog:Security
CrowdStrike ProcessRollup2 Other crowdstrike:events:sensor crowdstrike
Sysmon EventID 3 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 8 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 13 Windows icon Windows XmlWinEventLog XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

References


Source: GitHub | Version: 1