PhantomStealer v3.5.0: Invoice-Themed JScript Dropper Deploys MaaS Infostealer with Crypto Clipper

A four-stage infection chain abuses a compromised Malaysian SMTP relay to exfiltrate credentials and hijack cryptocurrency transactions

Published: March 12, 2026
Tags: PhantomStealer, MaaS, Infostealer, Crypto Clipper, Process Hollowing, SMTP Exfiltration

Overview

On March 12, 2026, Breakglass Intelligence analyzed a heavily obfuscated JScript dropper masquerading as a business invoice. The sample, Invoice 10225.js, weighs in at 4.6MB and implements a four-stage infection chain that ultimately deploys PhantomStealer v3.5.0 -- a commercially distributed Malware-as-a-Service (MaaS) information stealer advertised on Telegram.

The stealer exfiltrates credentials, browser data, cryptocurrency wallets, and sensitive files via SMTP using a compromised Malaysian business email relay. A crypto-clipper module silently replaces clipboard cryptocurrency addresses across six chains. At the time of analysis, the dropper had only 12/76 detections on VirusTotal, while the final payload was flagged by 45/76 engines.

Sample Metadata

Field | Value
Filename | Invoice 10225.js
SHA256 | 600436ca333df4abf42cc05b5c6307871782412f47ad92763d17a6228c528f62
MD5 | fa457a24c1170f9f39f3c07b624d31dc
SHA1 | fff3032dab0b18873f61d032b591291816610d5f
File Type | JavaScript (JScript/WSH)
File Size | 4,609,435 bytes (~4.6 MB)
First Seen | 2026-03-12 17:17:47 UTC
VT Detections | 12/76 (dropper), 45/76 (final payload)
Classification | MALICIOUS -- Information Stealer / MaaS

The Infection Chain

PhantomStealer's delivery is engineered to maximize evasion at each layer. The four stages are purpose-built to defeat different categories of security controls.

Stage 1: JScript Dropper

The initial dropper is a single-line JScript file designed for execution by Windows Script Host (WScript.exe). It uses a string array pattern with 166 encoded strings decoded at runtime through an index lookup function -- a technique that defeats static string-based signature matching.

A 4.6 million-character base64 string is embedded inline. The dropper creates an ADODB.Stream object to decode this payload, writes the result to C:\Temp\ using a randomly generated filename with a .ps1 extension, and launches it with:

powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "<path>"

Before handing off, the dropper kills wscript.exe and cscript.exe processes to impede script debugging and deletes the dropped .ps1 file after execution -- a clean self-destruct.

Stage 2: Rotational XOR Decryptor

The decoded PowerShell script (stage2_payload.ps1, 53,133 lines) is titled internally as a "Multi-Stage Rotational XOR Decryption Framework." It contains a 3.4MB base64-encoded, XOR-encrypted blob stored in a variable named $securecontainer.

The encryption uses a 32-byte key and a rotational XOR algorithm where each byte position is XOR'd against a key byte at an offset that shifts based on previous key values. This produces a non-repeating XOR pattern that defeats simple frequency analysis.

XOR Key (hex): 988719eb58e2caa9fdf327cb0a2f15e367fc2fa5c6a0ef4f74831bc0f21fc99b

The decrypted output is the Stage 3 PowerShell loader (2.5MB), executed via Invoke-Expression.

Stage 3: .NET Process Hollowing Loader

This compact 77-line PowerShell script performs the critical injection step. It contains two embedded PE files:

  1. DEV.DOWN injector DLL (47,104 bytes) -- SHA256: 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447
  2. PhantomStealer payload (751,616 bytes) -- SHA256: 7df24c505edbfd1bdee879f8fc12e7b67590755513f28cadadcfd173da07d14d

The loader monitors for the absence of the Aspnet_compiler process, then loads the DEV.DOWN DLL via [System.Reflection.Assembly]::Load() and calls DEV.DOWN.SHOOT(target, payload). The target process is C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe -- a legitimate Microsoft .NET tool used as a host for process hollowing.

Stage 4: PhantomStealer v3.5.0

The final payload is a .NET PE32 executable built on .NET Framework 4.8. It uses the Costura packer with embedded Newtonsoft.Json and ICSharpCode.SharpZipLib dependencies. The stealer operates under the namespace Stub.* and enforces single-instance execution via mutex ZK5BJ6U4KNLQT3D9UGJZ.

The payload also implements the HeavensGate technique -- WOW64 Heaven's Gate for x86-to-x64 transitions -- providing additional evasion against 32-bit analysis tools.

Decrypted Configuration

The stealer's configuration is encrypted with AES-256-CBC using PBKDF2-SHA1 key derivation (1000 iterations). After decryption, the operational profile is clear:

Setting | Value
SMTP Server | mail.kluangstation.com.my
SMTP Sender | christy@kluangstation.com.my
SMTP Receiver | ike@graceishere.tech
SMTP Port | 587
Chromium Browser | ENABLED
Gecko Browser | ENABLED
Browser Wallets | ENABLED
Outlook Desktop | ENABLED
FoxMail | ENABLED
Crypto Clipper | ENABLED
Mutex | ZK5BJ6U4KNLQT3D9UGJZ
Telegram/Discord | DISABLED
Keylogger | DISABLED
Screenshot | DISABLED
Persistence | DISABLED

Exfiltration is conducted exclusively via SMTP (port 587) using a compromised sender account at kluangstation.com.my -- a legitimate Malaysian food and beverage company (Kluang Station F&B Sdn Bhd, registered 2012). The compromised credentials were almost certainly harvested via a prior credential theft operation. Stolen data is sent to the operator at ike@graceishere.tech.

Crypto Clipper Addresses

The clipper module monitors clipboard content and replaces detected cryptocurrency addresses with attacker-controlled wallets:

Chain | Attacker Wallet
BTC | bc1q52ne8v7nmmux94qcrp5784ffsdp4l56f2gwr58
ETH | 0xc4227FB9c3520a05C25CCB418b9695D089dFa4EB
LTC | MHdD3GCdkapnqM3jmdt9h8neztaB6AdSX5
BCH | qpaznatrx7wyd8puvqy23pljjyengfkfp5m4pftq6l
TRX | TCR3uv8Diot4AdUNDcJKswBmNKFdRDWBfo
SOL | zm46pAFBTDqJYVXQNR1AmwtjHd54MGBMh4F4Cct42tY
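As an added illustration (not code from the report or from the PhantomStealer sample), the Python below shows the defender's view of this clipper: it recognises the address shapes of the six chains and flags the like-for-like swap a clipper produces between two clipboard reads, checking the replacement against the wallets listed above. The per-chain regular expressions and the clipboard history are my own constructions, and the patterns check shape only, not checksums.

```python
import re
# Attacker-controlled wallets from the decrypted clipper configuration above.
PHANTOM_WALLETS = {
    "bc1q52ne8v7nmmux94qcrp5784ffsdp4l56f2gwr58": "BTC",
    "0xc4227FB9c3520a05C25CCB418b9695D089dFa4EB": "ETH",
    "MHdD3GCdkapnqM3jmdt9h8neztaB6AdSX5": "LTC",
    "qpaznatrx7wyd8puvqy23pljjyengfkfp5m4pftq6l": "BCH",
    "TCR3uv8Diot4AdUNDcJKswBmNKFdRDWBfo": "TRX",
    "zm46pAFBTDqJYVXQNR1AmwtjHd54MGBMh4F4Cct42tY": "SOL",
}

# Loose per-chain address shapes (assumed, no checksum validation), checked in
# this order because the generic base58 SOL shape also matches LTC and TRX.
B58 = r"[1-9A-HJ-NP-Za-km-z]"
CHAIN_PATTERNS = [
    ("BTC", re.compile(r"^(bc1[a-z0-9]{25,62}|[13]" + B58 + r"{25,34})$")),
    ("ETH", re.compile(r"^0x[0-9a-fA-F]{40}$")),
    ("LTC", re.compile(r"^(ltc1[a-z0-9]{25,62}|[LM]" + B58 + r"{26,33})$")),
    ("BCH", re.compile(r"^(bitcoincash:)?[qp][a-z0-9]{41}$")),
    ("TRX", re.compile(r"^T" + B58 + r"{33}$")),
    ("SOL", re.compile(r"^" + B58 + r"{32,44}$")),
]

def classify_address(text):
    """Return the chain whose address shape `text` matches, or None."""
    for chain, pattern in CHAIN_PATTERNS:
        if pattern.fullmatch(text.strip()):
            return chain
    return None

def detect_swaps(snapshots):
    """Flag clipboard going from one address to a different one of the same chain."""
    alerts = []
    for before, after in zip(snapshots, snapshots[1:]):
        chain = classify_address(before)
        if chain and chain == classify_address(after) and before != after:
            alerts.append({"chain": chain, "original": before, "replacement": after,
                           "known_phantom_wallet": after in PHANTOM_WALLETS})
    return alerts

# Constructed clipboard history (not from the report): the user copies a BTC
# address and the clipper silently replaces it; the ETH copy is left alone.
SAMPLE_SNAPSHOTS = [
    "Invoice 10225",
    "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq",
    "bc1q52ne8v7nmmux94qcrp5784ffsdp4l56f2gwr58",
    "0x1111111111111111111111111111111111111111",
    "0x1111111111111111111111111111111111111111",
]
```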

Stealing Capabilities

Browser Data

The stealer targets all Chromium-based browsers (Chrome, Edge, Opera, Brave, Vivaldi, and dozens more) and Gecko-based browsers (Firefox and variants). It extracts saved passwords, cookies, credit card data, and autofill entries.

Cryptocurrency Wallets

Desktop applications: MetaMask, Exodus, Electrum, AtomicWallet, WalletWasabi, Sparrow, Coinomi, TrustWallet, Bitcoin Core, Armory, Jaxx, and more.

Browser extensions: 66 targeted extensions including MetaMask, Phantom (Solana), Coinbase, Trust Wallet, Binance, OKX, and Keplr.

Communication and Email

  • Microsoft Outlook (desktop app)
  • FoxMail
  • Discord token theft (Discord, DiscordCanary, DiscordPTB, DiscordDevelopment)
  • Telegram session data
  • WinSCP and FileZilla credentials
  • Wi-Fi saved network passwords

File Grabber

Targets documents (pdf, docx, xlsx, pptx), databases (db, kdbx, sql, wallet), source code (cs, py, js, php, cpp), and images.

Anti-Analysis Arsenal

PhantomStealer v3.5.0 implements layered anti-analysis:

  • Sandbox Username Blacklist: Checks against 100+ known sandbox usernames (John Doe, Harry Johnson, HAPUBWS, AppOnFlySupport, etc.)
  • VM Machine Name Patterns: Checks for ACEPC, ALENMOOS-PC, APPONFLY-VPS, WIN-, WINZDS- patterns
  • GPU Inspection: WMI queries for virtualization indicators
  • Process Monitoring: Checks for Sysmon64.exe, VmRemoteGuest.exe, and other analysis tools
  • Self-Destruction: Stub.Melt and Stub.SelfDestruct classes remove the executable post-execution

Network Infrastructure

Host | IP | Country | ASN | Role
phantomsoftwares.site | 199.188.201.183 | US (Phoenix, AZ) | AS22612 | MaaS panel
mail.kluangstation.com.my | 211.25.114.131 | Malaysia | AS9930 | Compromised SMTP relay
graceishere.tech | 184.94.213.213 | US | AS22612 | SMTP exfil receiver

Both phantomsoftwares.site and graceishere.tech resolve to Namecheap ASN 22612 and share jellyfish.systems MX servers, strongly linking the MaaS operator to the exfiltration domain. The receiver domain graceishere.tech was registered on 2026-02-01 via Namecheap -- approximately one year after the MaaS panel domain was registered on 2025-02-13.

The C2 server at 184.94.213.213 runs cPanel (port 2082), Exim SMTP 4.99.1, and LiteSpeed HTTP, consistent with shared web hosting.

Attribution

Attribute | Value
Malware Family | PhantomStealer v3.5.0
Actor Type | MaaS operator
Operator Email | ike@graceishere.tech
Telegram Channel | t.me/Oldphantomoftheopera
MaaS Panel | phantomsoftwares.site/home
Registrar | Namecheap
Confidence | HIGH

The actor operates PhantomStealer as a commercial service, advertising capabilities and selling builder licenses via Telegram under the branding "Oldphantomoftheopera." The specific operator deploying this sample receives stolen data at ike@graceishere.tech using a compromised legitimate SMTP relay to bypass email reputation filters.

Multiple related samples sharing the phantomsoftwares.site infrastructure (chrome_logs.exe, vVHu.exe, multiple stub.exe variants with 54-57/76 VT detections) suggest active multi-operator deployment -- consistent with the MaaS business model.

Campaign Context

This sample represents a typical MaaS deployment: an operator purchases a PhantomStealer builder subscription, configures exfiltration endpoints and stealer targets, then distributes via invoice-themed lures targeting business users. The use of a compromised legitimate Malaysian SMTP server is a deliberate choice to abuse established domain reputation and bypass phishing filters.

The enabled features (Chromium, Gecko, browser wallets, Outlook, FoxMail, clipboard hijacking) indicate the operator is primarily targeting credential and cryptocurrency theft.

MITRE ATT&CK TTPs

ID | Technique | Stage
T1059.007 | Command and Scripting Interpreter: JavaScript | Stage 1
T1059.001 | Command and Scripting Interpreter: PowerShell | Stages 1-3
T1055.012 | Process Injection: Process Hollowing | Stage 3
T1140 | Deobfuscate/Decode Files or Information | Stages 1-3
T1027 | Obfuscated Files or Information | Stage 1
T1027.013 | Encrypted/Encoded File | Stage 4
T1497 | Virtualization/Sandbox Evasion | Stage 4
T1555.003 | Credentials from Web Browsers | Stage 4
T1539 | Steal Web Session Cookie | Stage 4
T1115 | Clipboard Data | Stage 4
T1510 | Clipboard Hijack (Clipper) | Stage 4
T1114.001 | Email Collection: Local | Stage 4
T1048.002 | Exfiltration Over Alternative Protocol | Stage 4
T1005 | Data from Local System | Stage 4
T1036 | Masquerading | Stage 3

IOC Tables

File Hashes

Type | Hash | Description
SHA256 | 600436ca333df4abf42cc05b5c6307871782412f47ad92763d17a6228c528f62 | Stage 1 dropper (Invoice 10225.js)
MD5 | fa457a24c1170f9f39f3c07b624d31dc | Stage 1 dropper
SHA1 | fff3032dab0b18873f61d032b591291816610d5f | Stage 1 dropper
SHA256 | 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447 | DEV.DOWN injector DLL (Stage 3)
SHA256 | 7df24c505edbfd1bdee879f8fc12e7b67590755513f28cadadcfd173da07d14d | PhantomStealer stub.exe (Stage 4)

Network Indicators

Indicator | Type | Role
phantomsoftwares.site | Domain | MaaS panel
graceishere.tech | Domain | SMTP exfil receiver
mail.kluangstation.com.my | Domain | Compromised SMTP relay
199.188.201.183 | IPv4 | MaaS panel server
211.25.114.131 | IPv4 | Compromised SMTP relay
184.94.213.213 | IPv4 | Exfiltration receiver
ike@graceishere.tech | Email | Operator exfil inbox
christy@kluangstation.com.my | Email | Compromised SMTP sender

Host Indicators

Indicator | Type
ZK5BJ6U4KNLQT3D9UGJZ | Mutex
C:\Temp\*.ps1 | Dropped file pattern
Aspnet_compiler.exe (hollowed) | Injection target

Defensive Recommendations

  1. Block all listed domains and IPs at network perimeter
  2. Alert on process hollowing into Aspnet_compiler.exe
  3. Notify kluangstation.com.my of credential compromise
  4. Submit abuse reports to Namecheap for phantomsoftwares.site and graceishere.tech
  5. Hunt for mutex ZK5BJ6U4KNLQT3D9UGJZ across endpoint telemetry
  6. Hunt for DEV.DOWN assembly loads in .NET ETW telemetry
  7. Block .js file extensions in email gateway attachments
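An added example (not the report's own tooling) of how items 2 and 6 above, together with the Stage 1 PowerShell handoff, translate into hunting logic over process-creation and assembly-load telemetry. The event records and their field names are a constructed simplification of Sysmon and .NET ETW data, not the real schema, and the dropped-script name is invented.

```python
import re

# Constructed sample telemetry, not from the report: Sysmon-like process
# creation records plus one .NET assembly-load record, with simplified field
# names. Events 0-2 mirror the chain described above; event 3 is benign.
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Temp\k3j9x2.ps1"'},
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe",
     "cmdline": "Aspnet_compiler.exe"},
    {"type": "AssemblyLoad", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "assembly": "DEV.DOWN, Version=1.0.0.0"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date"},
]

# Stage 1 handoff: PowerShell told to run a script dropped under C:\Temp
STAGE1_SCRIPT = re.compile(r'-file\s+"?c:\\temp\\[^"\\]+\.ps1', re.IGNORECASE)

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def classify(event):
    """Return the names of the hunting rules this single event matches."""
    hits = []
    if event["type"] == "ProcessCreate":
        parent, image = _basename(event["parent"]), _basename(event["image"])
        cmd = event["cmdline"].lower()
        # Stage 1: WSH dropper spawns hidden, policy-bypassing PowerShell
        if (parent in ("wscript.exe", "cscript.exe") and image == "powershell.exe"
                and "-executionpolicy bypass" in cmd and "-windowstyle hidden" in cmd
                and STAGE1_SCRIPT.search(cmd)):
            hits.append("stage1_wsh_spawns_hidden_powershell")
        # Stage 3: the loader starts Aspnet_compiler.exe from PowerShell as a hollowing host
        if parent == "powershell.exe" and image == "aspnet_compiler.exe":
            hits.append("stage3_powershell_spawns_aspnet_compiler")
    elif event["type"] == "AssemblyLoad":
        # Stage 3: DEV.DOWN injector brought in via Assembly.Load(); ETW carries the name
        if event["assembly"].upper().startswith("DEV.DOWN"):
            hits.append("stage3_devdown_assembly_load")
    return hits

def hunt(events):
    """Return (event index, rule) pairs for every match across a batch of events."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]
```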

Analysis by GHOST -- Breakglass Intelligence