A threat actor is targeting banks and other high-value organizations in a phishing campaign to deliver Phantom Stealer, a credential and session-stealing malware designed to evade conventional endpoint defenses.  What makes the campaign concerning, according to researchers at Fortra, is the adversary's use of heavily obfuscated, fileless techniques to complicate detection and enable the malware to execute largely in memory.[1]  "The actor's primary objective is the silent theft of browser credentials, session cookies, and financial data, with exfiltration through four parallel channels (Telegram, Discord, FTP, SMTP) for redundancy," Fortra said in a report this week.  "The combination of targeted phishing delivery, advanced evasion techniques, broad credential harvesting capabilities, and a resilient multi-channel exfiltration infrastructure places this threat in the high-severity category," the security vendor warned.

Phantom Stealer is a Malware-as-a-Service (MaaS) offering available to cybercriminals on a subscription basis for between $70 and $240.  In addition to stealing credentials and session cookies stored in major browsers including Chrome, Firefox, and Edge, the malware can also capture financial data, cryptocurrency wallet information, keystrokes, screenshots, and clipboard contents.  Phantom Stealer runs entirely in memory, making it all but invisible to signature-based malware detection tools, Fortra said.

The Phantom Stealer attacks that Fortra observed are ongoing.  They typically begin with a phishing email containing what appears to be a legitimate business document, such as a request for quotation.  If a victim opens the attachment, a heavily obfuscated batch file launches a multistage infection chain that ultimately injects Phantom Stealer into the legitimate Windows Explorer process.  In addition to executing entirely in memory, the Phantom Stealer infection chain incorporates other anti-analysis techniques designed to frustrate detection and malware analysis, Fortra said.  These include obfuscated PowerShell commands, disguised API calls, hidden Unicode characters, and Base64-encoded strings for obscuring commands, file names, and other data within the malware.

Phantom Stealer's dropper is particularly notable because of its layered composition, which significantly hinders visibility into what the code is doing, says Aranzazu Mendez Casillas, a researcher with Fortra.  "What makes this specific case unique is how the dropper was composed," Casillas says in comments to Dark Reading.  "It wasn’t simply Base64, it was Base64 + XOR + donut.  This means the attackers aren't focusing on the malware per se, but on the dropper, which means at the moment of analysis, researchers won't have a clear view of what's actually happening."

Once Phantom Stealer is injected into the Windows Explorer process, it gains full access to saved passwords and credentials in the browser, as well as to session cookies, autofill data, password managers, Software-as-a-Service (SaaS) tools, and online banking systems.  It can also take screenshots of the user's desktop and maintain persistence through system reboots.  "A single Phantom Stealer session on a banking endpoint can exfiltrate credentials with access to transfer systems, customer data, or network administrator credentials," Fortra said.  "Since the stealer operates as MaaS, exfiltrated logs may be sold or used directly by multiple actors." In addition, the fact that Phantom Stealer is a MaaS offering means its authors actively maintain and update the malware while also making it available to multiple threat actors, Fortra said.

Researchers at Group-IB who are also tracking the Phantom Stealer threat have previously described it as an example of malware that allows cybercriminals to scale credential theft activity.  Between November 2025 and January 2026, Group-IB tracked a sustained Phantom Stealer campaign that targeted logistics, manufacturing, and technology organizations in Europe.

The Phantom Stealer campaign is another indication of how browsers have become the new endpoint for attackers looking to steal credentials, authentication tokens, and critical business data.  Much of this is because browsers have become the primary gateway through which enterprises reach SaaS platforms, cloud apps, banking systems, and other critical applications.  Modern browsers also store a wealth of information that is valuable to cybercriminals, making them a high-value target for attackers.

Fortra has provided indicators of compromise and other telemetry organizations can use to protect against the Phantom Stealer threat.  In addition, Casillas advises that organizations look beyond signature-based tools for detecting such threats.  "Organizations need to prioritize deploying behavior-based AV/EDR," he notes.  "This will allow them to scan for suspicious behaviors like abnormal command lines or env creations."
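Casillas's advice about hunting for abnormal command lines, together with the obfuscation markers described earlier (obfuscated PowerShell launched from a batch file, hidden Unicode characters, Base64-encoded strings), can be turned into a simple behaviour-based triage rule over process-creation telemetry. The Python below is an added example written for this page, not Fortra's or Red Sky Alliance's detection logic; the sample events, the indicator names and the alert threshold of two are constructed assumptions.

```python
import base64
import re
import unicodedata

# Constructed sample process-creation events, not telemetry from the report: a batch-
# launched PowerShell stage, a command line with an invisible Unicode character, a benign run.
SAMPLE_EVENTS = [
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -ep bypass -enc " + base64.b64encode(
         "$d=[Convert]::FromBase64String($b);IEX $d".encode("utf-16-le")).decode()},
    {"parent": "cmd.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c \"Start\u200b-Process notepad\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
]

HIDING_FLAGS = re.compile(r"-(w(indowstyle)?\s+hidden|nop\b|noprofile|ep\s+bypass|executionpolicy\s+bypass)", re.I)
ENCODED_ARG = re.compile(r"-(e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
DECODER_HINTS = re.compile(r"FromBase64String|IEX|Invoke-Expression|-bxor|DownloadString", re.I)

def decode_encoded_arg(cmdline):
    """Return the -EncodedCommand payload decoded as UTF-16LE, or None if absent or invalid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def triage_event(ev):
    """Return the list of behavioural indicators triggered by one process-creation event."""
    hits, cmd = [], ev["cmdline"]
    if ev["parent"].lower() == "cmd.exe" and ev["image"].lower() == "powershell.exe":
        hits.append("batch-spawned-powershell")          # batch file handing off to PowerShell
    if HIDING_FLAGS.search(cmd):
        hits.append("hidden-window-or-policy-bypass")
    decoded = decode_encoded_arg(cmd)
    if decoded is not None:
        hits.append("encoded-command")
        if DECODER_HINTS.search(decoded):                # inner stage unpacks Base64/XOR data
            hits.append("decoded-payload-unpacks-base64-or-xor")
    if any(unicodedata.category(ch) == "Cf" for ch in cmd):   # Cf = invisible format characters
        hits.append("invisible-unicode-in-cmdline")
    return hits

def triage(events, threshold=2):
    """Return (cmdline, hits) for events reaching the alert threshold (assumed value: 2)."""
    scored = [(ev["cmdline"], triage_event(ev)) for ev in events]
    return [(cmd, hits) for cmd, hits in scored if len(hits) >= threshold]
```

Feeding real EDR or Sysmon process-creation records into `triage_event` only requires mapping their parent, image and command-line fields onto the same three keys.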

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization.  We provide indicators of compromise information (CTI) via a notification/Tier I analysis service (RedXray) or an analysis service (CTAC).  For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com    

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://attendee.gotowebinar.com/register/7855487668891299929

[1] https://www.darkreading.com/cyberattacks-data-breaches/fileless-phantom-stealer-targets-browser-credentials
