PhantomStealer Hijacks a Lisbon Theater to Steal Your Credentials
A live JS dropper campaign compromises a Portuguese cultural website and delivers SnakeKeylogger through four stages of rotational XOR encryption
The payload URL was live when we found it. At hxxps://teatroluisdecamoes[.]pt/33HERE/ENCRYPT.Ps1, a 1.14 MB encrypted PowerShell script sat on the web server of Teatro Luis de Camoes, a real cultural venue in Lisbon, Portugal, waiting to be pulled down by the next victim who opened a fake invoice.
That is the thing about PhantomStealer -- the attackers do not pay for infrastructure. They steal it.
Ten Samples in 24 Hours
On March 11, 2026, at least 10 PhantomStealer samples hit MalwareBazaar within a single day. The filenames tell the story of an active business phishing operation:
- "Moflash-Proforma Invoice-FOB-2026" -- Moflash is a real UK industrial signaling manufacturer. FOB is a legitimate shipping term.
- "RFQ-SABIC FACTORY" -- SABIC is a $40B Saudi petrochemical company. RFQ means Request For Quotation.
- "Sales Contract" -- generic but effective.
These lures target procurement officers and accounts receivable departments at companies involved in international trade. The attackers know the terminology, they know the workflow, and they know that someone in a shipping department will double-click a .js file if they think it is a proforma invoice from a known supplier.
The Four-Stage Kill Chain
Stage 1: JavaScript Dropper (27,742 bytes, 13/76 detection)
The JS file is heavily obfuscated with a 200+ string lookup table, control flow flattening via switch-case state machines, and an anti-debug trick using catastrophic backtracking regex (((.+)+)+)+$ in a toString().search() call. Under the obfuscation, it creates three ActiveXObjects -- WScript.Shell, FileSystemObject, and MSXML2.XMLHTTP -- downloads the payload, saves it to C:\Temp\ with a random eight-character uppercase filename, and executes PowerShell with -nop -ep bypass.
Stage 2: Encrypted PowerShell (1,144,122 bytes, 8/76 detection)
The downloaded ENCRYPT.Ps1 contains over 17,000 lines. The first 17,564 lines are a massive base64-encoded blob. Lines 17,565-17,568 hold the decryption key. The encryption scheme is rotational XOR with a 32-byte key and a position tracker that advances modulo 7 with each byte, incremented by the key byte value. This is custom crypto -- not AES, not RC4, not anything a signature would catch.
The XOR key (hex): b923889cf718316314dae87de425061e07474e3e03ab4f0790916886710b939d
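Added example, not code from the write-up or from the sample: a reference decoder for the stage 2 scheme as described above. The exact byte operation is an assumption (rotate left by the tracker, XOR with key[i mod 32], then advance the tracker by that key byte modulo 7); the real order of operations must be confirmed against the decryption routine at lines 17,565-17,568 of ENCRYPT.Ps1 before relying on it.

```python
import base64

# XOR key recovered from lines 17,565-17,568 of ENCRYPT.Ps1 (value from the write-up above).
KEY = bytes.fromhex("b923889cf718316314dae87de425061e07474e3e03ab4f0790916886710b939d")
TRACKER_MODULUS = 7  # the position tracker advances modulo 7, per the write-up


def _rol8(b: int, n: int) -> int:
    """Rotate an 8-bit value left by n bits (n is 0..6 here)."""
    return ((b << n) | (b >> (8 - n))) & 0xFF


def _ror8(b: int, n: int) -> int:
    """Rotate an 8-bit value right by n bits (inverse of _rol8)."""
    return ((b >> n) | (b << (8 - n))) & 0xFF


def rotational_xor_encrypt(plain: bytes, key: bytes = KEY) -> bytes:
    # ASSUMED reading of the scheme: rotate each byte left by the tracker, XOR with
    # key[i mod 32], then advance the tracker by that key byte, modulo 7.
    out, tracker = bytearray(), 0
    for i, b in enumerate(plain):
        k = key[i % len(key)]
        out.append(_rol8(b, tracker) ^ k)
        tracker = (tracker + k) % TRACKER_MODULUS
    return bytes(out)


def rotational_xor_decrypt(cipher: bytes, key: bytes = KEY) -> bytes:
    # Inverse: strip the XOR first, then rotate right by the same tracker value.
    out, tracker = bytearray(), 0
    for i, c in enumerate(cipher):
        k = key[i % len(key)]
        out.append(_ror8(c ^ k, tracker))
        tracker = (tracker + k) % TRACKER_MODULUS
    return bytes(out)


def decode_stage2_blob(b64_blob: str, key: bytes = KEY) -> bytes:
    """Stage 2 stores the ciphertext as one base64 blob: decode, then decrypt."""
    return rotational_xor_decrypt(base64.b64decode(b64_blob), key)


# Constructed stand-in for the stage 3 loader text (not taken from the real sample).
SAMPLE_PLAINTEXT = b"function Invoke-AssemblyExecution { <# constructed placeholder #> }"
SAMPLE_BLOB = base64.b64encode(rotational_xor_encrypt(SAMPLE_PLAINTEXT)).decode()

if __name__ == "__main__":
    print(decode_stage2_blob(SAMPLE_BLOB).decode())
```

If the decrypted output of the real blob is not readable PowerShell, swap the rotate/XOR order or the tracker update in the two loops; the key and the modulus are the only parts the write-up fixes.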
Stage 3: Decrypted Loader (842,662 bytes)
The decrypted PowerShell defines Invoke-AssemblyExecution, which base64-decodes an embedded .NET PE and loads it reflectively via [Assembly]::Load(). A monitoring loop with Test-ProcessAbsence checks every 5 seconds for the target process.
Stage 4: DEV.dll (46,592 bytes, 17/76 detection)
The final payload is a .NET Framework 4.5.1 DLL. Entry point: DEV.DOWN.SHOOT(). It performs process hollowing into Aspnet_compiler.exe -- a legitimate .NET Framework tool that lives in C:\Windows\Microsoft.NET\Framework\v4.0.30319\. The injected code is a credential stealer classified as SnakeKeylogger/VIPKeylogger with RSA+AES encryption for configuration and communications.
Note the detection rates across stages: 17% for the dropper, 10.5% for the encrypted payload, 22% for the final PE. The encrypted PowerShell stage -- the one sitting on the compromised server -- has the lowest detection of all.
The Compromised Theater
Teatro Luis de Camoes is a real cultural venue operated by EGEAC (Empresa de Gestao de Equipamentos e Animacao Cultural), a Lisbon cultural organization. The website runs on cPanel shared hosting provided by Dominios S.A. (ASN 33876) at IP 176[.]61[.]151[.]122, managed by dot2web.com.
The server exposes FTP (PureFTPd on port 21), cPanel management ports (2082-2087), and mail services (Exim 4.99.1). The compromise vector was likely weak cPanel credentials, FTP credential theft, or an unpatched cPanel vulnerability. The /33HERE/ directory is the attacker's staging path.
Co-hosted on the same IP: castelodesaojorge[.]pt (Castle of Saint George, another Lisbon landmark) and the parent domain egeac.pt. Multiple Portuguese cultural institutions are at risk from this single server compromise.
The TLS certificate is a recent Let's Encrypt wildcard issued February 27, 2026, consistent with the server's regular 60-day auto-renewal cycle. There is nothing unusual about the certificate -- this is a perfectly legitimate server being abused.
Process Hollowing: Why Aspnet_compiler.exe
The choice of Aspnet_compiler.exe as the hollowing target is deliberate. It is:
- A legitimate Microsoft-signed binary
- Present on any system with .NET Framework installed
- Not typically monitored by EDR as suspicious
- Commonly whitelisted in application control policies
When the injected code runs, process monitoring shows Aspnet_compiler.exe performing network connections and file access -- behavior that might look unusual for that binary but would not trigger most default detection rules.
Key IOCs
Network:
hxxps://teatroluisdecamoes[.]pt/33HERE/ENCRYPT.Ps1
teatroluisdecamoes[.]pt
176[.]61[.]151[.]122
Stage 1 -- JS Dropper:
SHA256: 86a5cfde032fe3e6d655391183e703f72b4e9a03101b1311b547bdb8bdd85f16
MD5: d4e5ff18acf7ce1f56cfc43c94e92fa9
Stage 2 -- Encrypted PS1:
SHA256: 90b32ad1bd7c4af6319714c147d9a4004791c5006ca13552d52d5efae1eb8f19
Stage 4 -- DEV.dll:
SHA256: ff24355a2670aa64b6633a6a154682f42e3a0ec9137c575327967f4baa9bd2df
GUID: e5a95d8d-da76-4b97-94f2-ab0c686c2186
Behavioral:
Process chain: wscript.exe -> powershell.exe -nop -ep bypass -file C:\Temp\[A-Z0-9]{8}.ps1
Hollowing target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe
.NET assembly: DEV.dll / DEV.DOWN.SHOOT()
XOR key (b64): uSOInPcYMWMU2uh95CUGHgdHTj4Dq08HkJFohnELk50=
Detection Guidance
- Email gateway: Block .js attachments and archives containing .js files with trade/invoice-themed filenames (Proforma, RFQ, FOB, Sales Contract).
- Endpoint: Alert on wscript.exe spawning powershell.exe with -ep bypass. This is the canonical dropper execution chain and should be a high-fidelity detection.
- File system: Hunt for files matching C:\Temp\[A-Z0-9]{8}.ps1. The random uppercase naming pattern is distinctive.
- Process monitoring: Flag any Aspnet_compiler.exe process not spawned by MSBuild or Visual Studio. On most endpoints, this binary should never run.
- Network: Block the compromised URL and IP. Monitor for PowerShell processes making HTTPS connections to .pt domains, which is unusual for most enterprise environments.
- Proactive: Notify CERT-PT (cert@cert.pt) and hosting provider Dominios S.A. (abuse@dominios.pt) about the active compromise. The payload was live at time of analysis.
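Added example, not part of the original write-up: the endpoint, file system and process monitoring rules above expressed as detection logic over process-creation events. The event shape (parent image, image, command line) is an assumption modelled on Sysmon-style telemetry, and the sample events are constructed, not captured from the campaign.

```python
import re
from dataclasses import dataclass
from typing import List


@dataclass
class ProcessEvent:
    """Process-creation event in a Sysmon-like shape (field names are an assumption)."""
    parent_image: str
    image: str
    command_line: str


# Patterns from the behavioral IOCs above: short and long execution-policy switch, and
# the random eight-character uppercase staging name (the name part stays case-sensitive).
EP_BYPASS = re.compile(r"-e(p|xecutionpolicy)\s+bypass", re.IGNORECASE)
TEMP_PS1 = re.compile(r"(?i:c:\\temp\\)[A-Z0-9]{8}\.ps1")
# Parents under which Aspnet_compiler.exe is legitimately expected (MSBuild, Visual Studio).
EXPECTED_ASPNET_PARENTS = {"msbuild.exe", "devenv.exe"}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcessEvent) -> List[str]:
    """Return the names of the detection rules this event trips (empty if none)."""
    parent, image = _basename(ev.parent_image), _basename(ev.image)
    hits = []
    if parent == "wscript.exe" and image == "powershell.exe" and EP_BYPASS.search(ev.command_line):
        hits.append("wscript.exe -> powershell.exe -ep bypass (stage 1 dropper chain)")
    if image == "powershell.exe" and TEMP_PS1.search(ev.command_line):
        hits.append("PowerShell run from C:\\Temp\\[A-Z0-9]{8}.ps1 (stage 2 staging file)")
    if image == "aspnet_compiler.exe" and parent not in EXPECTED_ASPNET_PARENTS:
        hits.append("Aspnet_compiler.exe without MSBuild/Visual Studio parent (hollowing target)")
    return hits


# Constructed sample telemetry, not real events: two malicious, two benign.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ASPNET = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", PS, r"powershell.exe -nop -ep bypass -file C:\Temp\Q7ZK2M9A.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe", PS, r"powershell.exe -NoProfile -File C:\Scripts\backup.ps1"),
    ProcessEvent(PS, ASPNET, "Aspnet_compiler.exe"),
    ProcessEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", ASPNET, "Aspnet_compiler.exe -v /"),
]


def scan(events: List[ProcessEvent]) -> List[List[str]]:
    """Evaluate every event; the result list is parallel to the input."""
    return [evaluate(ev) for ev in events]


if __name__ == "__main__":
    for ev, hits in zip(SAMPLE_EVENTS, scan(SAMPLE_EVENTS)):
        print(_basename(ev.image), "->", hits or "clean")
```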
The PhantomStealer operators are running a high-tempo campaign with fresh samples daily, rotating lure themes, and leveraging compromised legitimate infrastructure that bypasses domain reputation checks. As long as that Portuguese theater's web server stays compromised, the campaign has a clean delivery channel.