Report sheds more light on Phantom Stealer

Attacks involving the .NET-based Phantom Stealer, which has been bundled with a crypter and a remote access tool under the Phantom Project cybercrime kit, have been aimed at manufacturing, technology, and logistics organizations in Europe as part of a multi-wave phishing operation between November 2025 and January 2026, reports Infosecurity Magazine.
The campaign, which was successfully blocked, used phishing emails purporting to come from a legitimate equipment trading firm. Each carried an archive attachment containing either a malicious executable or an obfuscated JavaScript dropper, and the messages lacked DKIM signatures and failed SPF authentication, according to an analysis by Group-IB researchers. The attackers also reused email templates, used impersonal greetings, and spoofed a business identity. Detonating Phantom Stealer in a controlled environment, the researchers found it able to steal credentials, evade analysis, and exfiltrate data.
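The indicators reported above (SPF failure, no DKIM signature, an archive attachment wrapping an executable or JavaScript file) translate directly into mail-gateway triage logic. The following is an added example, not code from Group-IB or the article; the sample message, sender domains and attachment name are constructed for the demonstration.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Indicators taken from the campaign description: SPF failure, no DKIM
# signature, and an archive attachment carrying an executable or a
# JavaScript dropper. Extension list is an assumption for the example.
RISKY_EXTENSIONS = (".exe", ".js", ".jse", ".vbs", ".scr")

def archive_members(payload: bytes) -> list:
    """Return member names of a ZIP payload, or [] if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def triage(raw: bytes) -> dict:
    """Score a raw RFC 5322 message against the campaign's indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    auth = (msg.get("Authentication-Results") or "").lower()
    findings = []
    if "spf=fail" in auth or "spf=softfail" in auth:
        findings.append("spf_fail")
    if "dkim=pass" not in auth and not msg.get("DKIM-Signature"):
        findings.append("no_dkim")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith((".zip", ".rar", ".7z")):
            findings.append("archive_attachment")
            for member in archive_members(part.get_payload(decode=True)):
                if member.lower().endswith(RISKY_EXTENSIONS):
                    findings.append(f"archive_contains:{member}")
        elif name.endswith(RISKY_EXTENSIONS):
            findings.append(f"direct_executable:{name}")
    # Three or more independent indicators is the (assumed) alert threshold.
    return {"findings": findings, "suspicious": len(findings) >= 3}

def build_sample() -> bytes:
    """Constructed message mimicking the reported lure; not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Quotation_0192.js", "// placeholder, not a real dropper\n")
    m = EmailMessage()
    m["From"] = "sales@example-equipment.invalid"
    m["To"] = "purchasing@example-plant.invalid"
    m["Subject"] = "Quotation request"
    m["Authentication-Results"] = "mx.example; spf=fail smtp.mailfrom=example-equipment.invalid"
    m.set_content("Dear Sir/Madam, please find our quotation attached.")
    m.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                     filename="Quotation_0192.zip")
    return m.as_bytes()
```

Running `triage(build_sample())` yields four findings (SPF failure, missing DKIM, archive attachment, and a `.js` member inside it) and marks the message suspicious.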
“Phantom Stealer is one example of a broader pattern: credential theft scaling through commercial stealer-as-a-service operations, where the outcome is identity-driven compromise that often leads to ransomware or business email fraud,” said researchers.
