A .NET-based infostealer sold as part of a commercial cybercrime toolkit that bundles a stealer, crypter and remote access tool (RAT) under subscription tiers has been detailed further by cybersecurity researchers.
The malware, known as Phantom Stealer, collects browser credentials, cookies, saved passwords, autofill data and payment card information from infected systems.
It also extracts session data from messaging and email platforms, Wi-Fi credentials and other sensitive information, then sends the stolen data through various channels, including messaging platforms, SMTP and FTP.
Campaign Targeted European Industries
Between November 2025 and January 2026, Group-IB observed a sustained phishing campaign delivering Phantom Stealer to organizations in the logistics, manufacturing and technology sectors across Europe.
The activity occurred in five waves, with phishing emails blocked before reaching end users. Attackers targeted multiple unrelated companies on the same day, a pattern commonly associated with stealer-as-a-service campaigns.
The phishing emails impersonated a legitimate equipment trading company and used procurement-related subject lines designed to resemble business correspondence. Messages were short, often only two to three sentences, and included professional-looking signature blocks to appear legitimate.
Read more on phishing campaigns: Cybercriminals Exploit Tax Season With New Phishing Tactics
Email Tactics and Technical Indicators
Each phishing email included an archive attachment containing either an obfuscated JavaScript dropper or a malicious executable. Despite changes in subject lines and attachments, several consistent indicators exposed the campaign:
-
SPF authentication failures
-
Missing DKIM signatures
-
Reused email templates and impersonal greetings
-
Consistent spelling mistakes across messages
-
Spoofed business identity and rotating infrastructure
These indicators pointed to a coordinated stealer delivery operation using automated tooling and template reuse.
Detection and Analysis
Group-IB said the campaign was detected through layered analysis combining sender authentication checks, content analysis and malware detonation in a controlled environment.
The detonation process traced the full execution chain, from the initial script to the final stealer payload, confirming credential harvesting, anti-analysis techniques and data exfiltration behavior.
“Phantom Stealer is one example of a broader pattern,” the researchers explained, “credential theft scaling through commercial stealer-as-a-service operations, where the outcome is identity-driven compromise that often leads to ransomware or business email fraud.”
In fact, stolen credentials are frequently used for ransomware attacks, data breaches and business email compromise schemes, making infostealers a persistent threat to organizations.
