Analytics Story: Phantom Stealer
Description
Phantom Stealer is an information-stealing malware designed to covertly harvest sensitive data from compromised Windows endpoints.
It primarily targets browser credential stores, saved passwords, cookies, autofill data, and session tokens from popular browsers such as Chrome, Edge, and Firefox.
Beyond browsers, Phantom Stealer extends its reach to FTP and SSH clients, including WinSCP, FileZilla, and PuTTY, as well as email clients, cryptocurrency wallets, and VPN configurations.
The malware commonly arrives via phishing emails, trojanized software, or malicious downloads.
Once executed, it enumerates the victim system, collects targeted data, archives the harvested output, and exfiltrates it to attacker-controlled infrastructure over encrypted channels. Phantom Stealer leverages access to sensitive application configuration folders — including WinSCP security directories — to extract stored credentials outside of normal application access patterns.
Detection focuses on unauthorized process access to credential storage paths, abnormal file reads from browser and FTP client profile directories, and suspicious data archiving or outbound connection behavior.
Why it matters
In observed Phantom Stealer campaigns, the malware is typically delivered through phishing lures or cracked software bundles targeting Windows users.
Upon initial execution from a user profile or temporary directory, the malware rapidly enumerates installed applications and begins accessing sensitive credential stores.
Telemetry captured unauthorized reads of WinSCP security configuration folders by non-WinSCP processes, a strong behavioral indicator of credential harvesting targeting SSH and FTP sessions.
The malware similarly accessed browser profile directories for Chrome and Edge, extracting Login Data, Cookies, and Web Data SQLite databases containing saved credentials and session tokens.
Following collection, Phantom Stealer compressed the harvested data into an archive and transmitted it via HTTPS POST to its command-and-control server.
In some cases, persistence was observed through registry run key modifications, ensuring the stealer re-executes after reboot.
The breadth of targeted applications — spanning browsers, file transfer clients, and crypto wallets — makes Phantom Stealer a high-impact credential theft tool capable of enabling account takeover, financial fraud, and further intrusion into enterprise environments.
Detections
Data Sources
| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Windows Event Log Security 4663 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| Sysmon EventID 1 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Powershell Script Block Logging 4104 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
|
| Sysmon EventID 22 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 11 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 8 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 7 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Sysmon EventID 3 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
|
| Windows Event Log Security 4688 | XmlWinEventLog |
XmlWinEventLog:Security |
|
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor |
crowdstrike |
| Sysmon EventID 13 | XmlWinEventLog |
XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
References
- https://www.proofpoint.com/us/blog/threat-insight/not-safe-work-tracking-and-investigating-stealerium-and-phantom-infostealers
- https://malpedia.caad.fkie.fraunhofer.de/details/win.phantom_stealer
- https://github.com/renniepak/PhantomStealer
Source: GitHub | Version: 1