EXECUTIVE SUMMARY:
Phantom 3.5 is a credential-stealer malware designed to exfiltrate sensitive information, including passwords, browser cookies, credit card data, cryptocurrency wallet credentials, and the victim’s IP address. Such data can facilitate identity theft, account takeovers, or even serve as a stepping stone for larger attacks. The malware is often distributed under the guise of legitimate software, exemplified by a fake “Adobe 11.7.7 installer” in this case, which highlights the growing challenge users face in distinguishing malicious files from legitimate downloads. This report provides a detailed walkthrough of Phantom 3.5’s infection chain, from its initial delivery to execution and data exfiltration, emphasizing the importance of understanding malware behavior for detection and mitigation.
The analysis reveals that the malware uses an obfuscated XML file containing embedded JavaScript, which, when executed in a sandboxed environment, downloads a PowerShell script named floor.ps1. The script runs with hidden attributes and bypasses standard PowerShell execution warnings. It contains base64-encoded, RC4-encrypted data which, once decrypted, reveals a .NET DLL called BLACKHAWK.dll. This DLL functions as an injector, loading a PE file directly into the memory space of Aspnet_compiler.exe, a legitimate Windows process, to evade detection. Key techniques observed include process injection, use of PowerShell for stealth execution, and obfuscation, highlighting Phantom 3.5’s advanced approach to concealing its activities and maintaining persistence within the compromised system.
The forensic breakdown of Phantom 3.5 demonstrates a multi-layered attack strategy combining social engineering, obfuscation, and memory-resident execution to achieve its objectives. The malware’s use of legitimate process injection and encrypted payloads exemplifies modern evasion techniques, making detection and mitigation challenging. This analysis underscores the necessity for cybersecurity practitioners to adopt proactive defenses, such as monitoring unusual process behavior, analyzing downloaded scripts, and implementing robust sandboxing environments for suspicious files. Understanding these technical details enables researchers and IT security teams to develop signatures, identify indicators of compromise, and enhance organizational resilience against credential-stealing malware like Phantom 3.5.
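The process-behavior monitoring recommended above can be expressed as a small triage rule over process-creation events. The following is an added example, not code from the report: it assumes a Windows script host (wscript.exe, cscript.exe or mshta.exe) launched the PowerShell stage, that the hidden/bypass behavior shows up as the usual command-line switches, and that aspnet_compiler.exe with a PowerShell parent is the injection-host pattern; the sample events are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    parent: str   # parent image name, e.g. "wscript.exe"
    image: str    # created process image name
    cmdline: str  # full command line

# Script hosts that would run the embedded JavaScript (assumed; the report
# does not name the host that launched floor.ps1).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Hidden-window and execution-policy-bypass switches, abbreviations included.
HIDDEN_PS = re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)
BYPASS_PS = re.compile(r"-(?:ep|exec|executionpolicy)\s+bypass", re.I)

def score_event(ev: ProcEvent) -> list[str]:
    """Return the Phantom 3.5 chain indicators a single event matches."""
    hits = []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image == "powershell.exe":
        if parent in SCRIPT_HOSTS:
            hits.append("powershell spawned by script host")
        if HIDDEN_PS.search(ev.cmdline):
            hits.append("hidden window")
        if BYPASS_PS.search(ev.cmdline):
            hits.append("execution policy bypass")
    # aspnet_compiler.exe is a build tool; PowerShell as its parent is the
    # injection-host pattern described in the analysis.
    if image == "aspnet_compiler.exe" and parent == "powershell.exe":
        hits.append("aspnet_compiler.exe spawned by powershell")
    return hits

def triage(events: list[ProcEvent]) -> dict[int, list[str]]:
    """Map event index -> indicators, for every event that matched at least one."""
    return {i: h for i, ev in enumerate(events) if (h := score_event(ev))}

# Constructed sample events (not from the report); paths are placeholders.
SAMPLE_EVENTS = [
    ProcEvent("wscript.exe", "powershell.exe",
              "powershell.exe -w hidden -ep bypass -File C:\\Users\\u\\AppData\\Local\\Temp\\floor.ps1"),
    ProcEvent("powershell.exe", "aspnet_compiler.exe",
              "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\aspnet_compiler.exe"),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -NoProfile -Command Get-Date"),
]

if __name__ == "__main__":
    for idx, hits in triage(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx].image, "->", "; ".join(hits))
```

The benign interactive PowerShell event produces no hits, so the rule keys on the combination of parent and switches rather than on PowerShell alone.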
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-Technique |
|---|---|---|---|
| Initial Access | T1195.002 | Supply Chain Compromise | Compromise Software Supply Chain |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Execution | T1059.007 | Command and Scripting Interpreter | JavaScript |
| Defense Evasion | T1027.002 | Obfuscated / Encrypted Files or Information | Software Packing |
| Defense Evasion | T1140 | Deobfuscate / Decode Files or Information | — |
| Defense Evasion | T1055.012 | Process Injection | Process Hollowing |
| Defense Evasion | T1036.005 | Masquerading | Match Legitimate Name or Location |
| Defense Evasion | T1218.011 | Signed Binary Proxy Execution | Rundll32 |
| Credential Access | T1555.003 | Credentials from Password Stores | Credentials from Web Browsers |
| Credential Access | T1552.001 | Unsecured Credentials | Credentials in Files |
| Discovery | T1082 | System Information Discovery | — |
| Collection | T1115 | Clipboard Data | — |
| Exfiltration | T1041 | Exfiltration Over C2 Channel | — |
MBC MAPPING:
| Objective | Behaviour ID | Behaviour |
|---|---|---|
| Collection | E1056 | Input Capture |
| Collection | E1113 | Screen Capture |
| Defense Evasion | E1055 | Process Injection |
| Defense Evasion | F0004 | Disable or Evade Security Tools |
| Defense Evasion | F0005 | Hidden Files and Directories |
| Persistence | F0012 | Registry Run Keys / Startup Folder |
| Anti-Behavioral Analysis | B0001 | Debugger Detection |
| Execution | E1059 | Command and Scripting Interpreter |
REFERENCES:
The following reports contain further technical details:
https://labs.k7computing.com/index.php/phantom-3-5-initial-vector-analysis-forensics/