EXECUTIVE SUMMARY
The campaign is attributed to the actors behind the REF6598 intrusion set, a group that has repeatedly targeted cryptocurrency businesses and related financial services. This operation employs a remote‑access trojan that communicates through a blockchain‑based command‑and‑control channel. Victims span multiple continents, with a concentration in North America and Europe where crypto exchanges and development teams are prominent. The adversary’s primary objective is to harvest credential stores, keylog user input, and exfiltrate proprietary code for illicit profit. Persistent footholds enable future ransomware or extortion attempts.
Infection begins when a compromised Obsidian plugin delivers an in‑memory PE loader that unpacks the RAT without touching disk. Once resident, the implant establishes three scheduled tasks to survive reboots and to trigger periodic beaconing. It resolves its C2 address by querying recent Ethereum, Base, or Optimism transactions, decrypting the payload URL from the transaction input. The malware bypasses AMSI, Windows Lockdown Policy and ETW by planting hardware breakpoints and spoofing return values, allowing it to load additional modules, inject code into legitimate processes, and exfiltrate data over encrypted HTTP.
The threat is significant because its blockchain‑based C2 eliminates the need for static domains, making network‑based blocking ineffective and complicating incident response. Hardware‑breakpoint evasion hides the malicious activity from many endpoint detection products, while the use of scheduled‑task persistence blends with legitimate administrative jobs. Organisations should harden remote‑plugin supply chains, enforce strict code‑signing policies, and monitor for anomalous task creation or outbound connections to blockchain explorers. Regular backups, segmentation of critical assets, and behavioural analytics that flag unusual process‑injection patterns provide the most reliable layers of defence.
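The two monitoring recommendations above (anomalous scheduled‑task creation and outbound connections to blockchain explorers or RPC endpoints) can be turned into simple hunting logic. The script below is an added example written for this page, not code from the report or from Elastic; it runs over constructed sample telemetry embedded inline. The event field names (Windows Security event 4698 for task creation, Sysmon event 3 for network connections), the starter list of blockchain hosts, the allow‑list of browser processes and the burst threshold are all assumptions to be tuned against your own baseline.

```python
"""
Added example (not from the original report): apply two of the report's
recommended detections to constructed sample telemetry.
  1. Bursts of scheduled-task creation (Windows Security event 4698) by one
     account on one host; the implant is described as creating three tasks.
  2. Outbound connections (Sysmon event 3 style records) from processes that
     have no business talking to public blockchain RPC/explorer endpoints.
Field names, host list, allow-list and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Illustrative starter list of public blockchain explorer/RPC hosts (assumption;
# extend it from your own egress baseline).
BLOCKCHAIN_HOSTS = {
    "etherscan.io", "api.etherscan.io", "basescan.org", "api.basescan.org",
    "optimistic.etherscan.io", "mainnet.base.org", "mainnet.optimism.io",
    "cloudflare-eth.com", "eth.llamarpc.com",
}

# Processes with a plausible legitimate reason to reach those hosts (assumption).
ALLOWED_PROCESSES = {"chrome.exe", "msedge.exe", "firefox.exe"}

TASK_BURST_THRESHOLD = 3                  # report: three tasks per infection
TASK_BURST_WINDOW = timedelta(minutes=10)  # assumption: tasks land close together


def _ts(value):
    """Parse the ISO-8601 timestamps used in the constructed sample."""
    return datetime.fromisoformat(value)


def find_task_bursts(events):
    """Return (computer, account) pairs that created >= TASK_BURST_THRESHOLD
    scheduled tasks inside TASK_BURST_WINDOW."""
    by_creator = defaultdict(list)
    for e in events:
        if e.get("EventID") == 4698:
            key = (e["Computer"], e["SubjectUserName"])
            by_creator[key].append(_ts(e["TimeCreated"]))
    hits = []
    for key, times in by_creator.items():
        times.sort()
        # Sliding window: any THRESHOLD consecutive creations within the window.
        for i in range(len(times) - TASK_BURST_THRESHOLD + 1):
            if times[i + TASK_BURST_THRESHOLD - 1] - times[i] <= TASK_BURST_WINDOW:
                hits.append(key)
                break
    return hits


def host_matches(hostname):
    """True if hostname is one of the watched hosts or a subdomain of one."""
    h = hostname.lower().rstrip(".")
    return any(h == b or h.endswith("." + b) for b in BLOCKCHAIN_HOSTS)


def find_blockchain_egress(events):
    """Return (process, destination) pairs for connections to watched hosts
    from processes outside the allow-list."""
    hits = []
    for e in events:
        if e.get("EventID") != 3:
            continue
        image = e["Image"].rsplit("\\", 1)[-1].lower()
        dest = e.get("DestinationHostname", "")
        if host_matches(dest) and image not in ALLOWED_PROCESSES:
            hits.append((image, dest))
    return hits


# Constructed sample telemetry (not real logs): one host shows a task burst
# and two unexpected processes reach blockchain endpoints.
SAMPLE_EVENTS = [
    {"EventID": 4698, "Computer": "WS-042", "SubjectUserName": "alice",
     "TimeCreated": "2024-05-02T09:14:03", "TaskName": "\\Updater\\Sync1"},
    {"EventID": 4698, "Computer": "WS-042", "SubjectUserName": "alice",
     "TimeCreated": "2024-05-02T09:14:05", "TaskName": "\\Updater\\Sync2"},
    {"EventID": 4698, "Computer": "WS-042", "SubjectUserName": "alice",
     "TimeCreated": "2024-05-02T09:16:40", "TaskName": "\\Updater\\Sync3"},
    {"EventID": 4698, "Computer": "WS-007", "SubjectUserName": "svc_backup",
     "TimeCreated": "2024-05-02T22:00:00", "TaskName": "\\Backup\\Nightly"},
    {"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe",
     "DestinationHostname": "api.etherscan.io"},
    {"EventID": 3, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "DestinationHostname": "mainnet.base.org"},
    {"EventID": 3, "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationHostname": "etherscan.io"},
    {"EventID": 3, "Image": "C:\\Users\\alice\\AppData\\Local\\Obsidian\\Obsidian.exe",
     "DestinationHostname": "api.github.com"},
]


def run(events=SAMPLE_EVENTS):
    """Run both detections and return the findings as a dict."""
    return {"task_bursts": find_task_bursts(events),
            "blockchain_egress": find_blockchain_egress(events)}


if __name__ == "__main__":
    for name, findings in run().items():
        print(name, findings)
```

Both rules are deliberately coarse: the burst rule keys on the creating account rather than the task name, because the implant chooses its own task names, and the egress rule matches subdomains so that a new API host under a known explorer domain is still caught. Feed it real exports by mapping your SIEM's field names onto the ones assumed here.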
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Privilege Escalation | T1055.001 | Process Injection | Dynamic-link Library Injection |
| Privilege Escalation | T1055.003 | Process Injection | Thread Execution Hijacking |
| Privilege Escalation | T1055.009 | Process Injection | Proc Memory |
| Persistence | T1053.005 | Scheduled Task/Job | Scheduled Task |
| Defense Evasion | T1562.001 | Impair Defenses | Disable or Modify Tools |
| Defense Evasion | T1027.006 | Obfuscated Files or Information | HTML Smuggling |
| Discovery | T1082 | System Information Discovery | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
REFERENCES:
The following reports contain further technical details:
https://cybersecuritynews.com/phantompulse-rat-uses-process-injection-and-uac-bypass/
https://www.elastic.co/security-labs/blockchain-c2-phantompulse-rat-sinkhole