highPhishing

PhantomStealer v3.5.0 — Multi-Stage WSH Dropper / .NET Infostealer (MaaS)

PublishedMarch 13, 2026

Threat Actors:built and deployed this sample.### Threat Actor / MaaS Operator

phishingc2iotspearphishing

Executive Summary

This sample is a fully-weaponized delivery of PhantomStealer v3.5.0, a commercial infostealer sold as Malware-as-a-Service (MaaS) via phantomsoftwares.site and Telegram channel @Oldphantomoftheopera. The dropper arrives as a fake Request For Quotation (RFQ) business document — a targeted spear-phishing lure against procurement/supply-chain professionals. Execution is entirely fileless through four stages, ultimately injecting the final .NET stealer payload into a legitimate Microsoft .NET Framework process (Aspnet_compiler.exe) via process hollowing.

The specific build is configured to exfiltrate stolen data via SMTP through a compromised Chilean mail server (mail.tms.cl, belonging to Tambores TMS S.A.) to a threat actor–controlled inbox at info@graceishere.tech. A crypto clipper is active and configured to silently replace clipboard cryptocurrency addresses across 7 chains (BTC, ETH, LTC, BCH, XMR, TRX, SOL). At time of analysis, Telegram and Discord exfiltration channels are disabled in this build.

VT detections (Stage 5 payload): 45/76 malicious — CrowdStrike 100%, Kaspersky, Microsoft, Symantec, Sophos, CrowdStrike, SentinelOne all detect.

Sample Metadata

Field	Value
SHA256	`0191ba81d05956c5b6d5503c42df1c244b9013e72a4a637ef6b0125f02551a8e`
MD5	`af24b03f9afd4f18488362cd959e5606`
SHA1	`610246b5c26843faf5cb32d32d07d9cbeccb954f`
File Type	JavaScript (WSH / Windows Script Host)
File Size	4,609,179 bytes (~4.4 MB)
VT Detections (Stage 1)	13/76 (lightly detected dropper)
First Seen	2026-03-12 17:15:13 UTC
Filename (phishing lure)	`RFQ108004 - EDS International.js`
Reporter	abuse_ch
Tags	js, PhantomStealer

Static Analysis — Full Infection Chain

Stage 1: WSH JavaScript Dropper (`af24b03f9afd4f18488362cd959e5606.js`)

Format: Single-line, 4.5 MB obfuscated JavaScript for Windows Script Host (WScript/CScript). Obfuscation: String array oB[] with 142 entries decoded via function t(index) using a rotation/lookup pattern typical of javascript-obfuscator.

Key string array entries (decoded):

'utf-8', 'Open', 'Dictionary', '.ps1', 'ADODB.Stream', 'VBScript.RegExp',
'powershell', '.exe -Exec', 'utionPolic' [ExecutionPolicy], '-File "',
'le Hidden ' [-WindowStyle Hidden], 'Scripting.FileSystemObject',
'WScript.Shell', 'C:\Temp\', 'taskkill /f /im wscript.exe',
'taskkill /f /im cscript.exe', 'ps_' [temp file prefix], 'base64'

Execution flow:

Creates Scripting.FileSystemObject and WScript.Shell ActiveX objects
Uses VBScript.RegExp to strip junk characters from BASE variable (the embedded payload)
Uses ADODB.Stream with type=1 (binary) and charset=utf-8 to base64-decode the payload
Writes decoded content to C:\Temp\ps_<RANDOM>_<TIMESTAMP>.ps1
Executes: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "<SCRIPT_PATH>"
Monitors execution; kills wscript/cscript after 50-second timeout; deletes the .ps1 after execution

Embedded payload size: Base64 string = 4,599,508 chars → 3,449,631 bytes decoded (the Stage 2 PS1)

Stage 2: PowerShell — Rotational XOR Decryptor

File: stage2_decoded.ps1 (3,449,631 bytes) Title in code: "Multi-Stage Rotational XOR Decryption Framework"

Structure:

$securecontainer = @'
<3,393,592-char base64 blob>
'@

$encryptionrotational = @'
36BL0a6X3jtCalm5EYlUEe42Oa1BG8YgrUwFXNowIH8=
'@

XOR Key (decoded): dfa04bd1ae97de3b426a59b911895411ee3639ad411bc620ad4c055cda30207f (32 bytes)

Decryption algorithm (rotational XOR):

rotation_tracker = 0
for pos in range(len(cipher)):
    key_pos = (pos + rotation_tracker) % len(key)
    plaintext[pos] = cipher[pos] ^ key[key_pos]
    rotation_tracker = (rotation_tracker + key[key_pos]) % 7

Execution: Decrypts to Stage 3 PowerShell, executes via Invoke-Expression.

Stage 3: PowerShell — Process Hollowing Launcher

File: stage3_decoded.ps1 (2,545,192 bytes)

Key functions:

Test-ProcessAbsence("Aspnet_compiler") — checks if the injection target is running
Invoke-AssemblyExecution — loads DEV.dll from base64, calls DEV.DOWN.SHOOT(targetPath, shellcode)
Monitoring loop: while Aspnet_compiler is absent → inject

Injection target: C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe

Contains two embedded PE files:

Stage 4: Base64-encoded DEV.dll (47,104 bytes) — the process hollowing injector
Stage 5: Byte array $ExecutionPayload (751,616 bytes) — the PhantomStealer payload

Stage 4: DEV.dll — Process Hollowing Injector (x86 .NET)

Field	Value
SHA256	`195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447`
MD5	`061c1eed62c8326f2c8052851090f33d`
Size	47,104 bytes
Type	PE32 .NET DLL (.NET Framework 4.5.1)
Namespace	`DEV` / Class `DOWN` / Method `SHOOT`
VT Detections	22/76

Process hollowing technique (SHOOT method):

Spawns Aspnet_compiler.exe as a suspended process (CREATE_SUSPENDED = 0x4)
Reads/unmaps the original image base using NtUnmapViewOfSection-equivalent calls
Allocates new memory in target process via VirtualAllocEx
Writes Stage 5 shellcode/PE using WriteProcessMemory
Patches the thread context to point to the new entry point
Resumes the hollowed process via ResumeThread

Win32 APIs resolved at runtime via LoadLibraryA + GetProcAddress (kernel32.dll): VirtualAllocEx, WriteProcessMemory, ReadProcessMemory, NtUnmapViewOfSection, GetThreadContext, SetThreadContext, Wow64GetThreadContext, ResumeThread, CreateProcess

Stage 5: PhantomStealer v3.5.0 — Main Infostealer Payload

Field	Value
SHA256	`6eb33e137719e0261e910379786355f85da25b73c119616d34b3119da81f7ff0`
MD5	`32cd9c01651c9e8e3bc4dcf07a3df980`
Size	751,616 bytes
Type	PE32 .NET EXE (.NET Framework 4.8)
Assembly Title	`Stub`
VT Detections	45/76
VT Names	`payload_1.exe`, `stub.exe`
Version	v3.5.0
Mutex	`EMSMNP0JM2FCVRK21CDD`

Behavioral Analysis

Anti-Analysis / Evasion

PhantomStealer implements a multi-layered AntiAnalysis class:

SuspiciousGPU() — WMI check against known VM/sandbox GPU names
SuspiciousProcess() — Checks for analysis tools (Wireshark, ProcMon, x64dbg, etc.)
SuspiciousService() — Checks for sandbox/AV services
SuspiciousIP() — Checks public IP against VPN/hosting ranges (via HTTP check URL)
SuspiciousPCUsername() — 141-entry blacklist of known sandbox usernames including: test, John Doe, WDAGUtilityAccount, Frank, George, malware, sandbox, analysis
SuspiciousPCName() — 112-entry blacklist of sandbox hostnames including: DESKTOP-*, WIN-*, WILEYPC, azure, vmware, CRYPTODEV222222
SuspiciousMachineGuid() — Checks Machine GUID against known sandbox values
SandBox() — DLL detection: SbieDll.dll, SxIn.dll, snxhk.dll, cmdvrt32.dll
Emulator() — Timing/behavior checks
HostingAsync() — HTTP check to encrypted URL; returns "true" if in hosting/sandbox network → self-destruct

If any check fires: self-destruct via SelfDestruct.Melt() (deletes itself and related artifacts).

Configuration (This Build — Decrypted)

Setting	Value
Version	v3.5.0
Telegram Exfil	DISABLED
Discord Exfil	DISABLED
SMTP Exfil	ENABLED
SMTP Server	`mail.tms.cl` (compromised relay)
SMTP Sender	`contacto@tms.cl`
SMTP Password	`MS753apik%`
SMTP Receiver	`info@graceishere.tech`
SMTP Port	587 (STARTTLS)
FTP Exfil	DISABLED
Crypto Clipper	ENABLED
Keylogger	DISABLED
Screenshot	DISABLED
Startup Persistence	DISABLED
Anti-Analysis	DISABLED (in this build)
File Grabber	DISABLED
Melt (self-delete)	DISABLED

Decryption: Config values encrypted with AES-256-CBC:

Key: 59 26 4B 46 21 4D 21 68 38 5E 69 54 3A 3C 29 61 3F 7E 6D 58 65 4E 2A 7E 6F 3F 67 4E 5B 76 40 72 51 3D 42
Salt: 66 33 6F 33 4B 2D 31 31 3D 47 2D 4E 37 56 4A 74 6F 7A 4F 57 52 72 3D 28 74 4E 5A 42 66 4B 2B 62 53 37 46 79
Derived via PBKDF2-HMACSHA1, 1000 iterations

Data Collection Capabilities

Chromium Browsers (passwords, cookies, credit cards): Chrome, Chrome Beta/SxS/Dev/Canary, Edge, Brave, Opera (Stable/Neon/Crypto/GX), Vivaldi, 360ChromeX, ChromePlus, CocCoc, Comodo Dragon, Torch, Amigo, Epic, Cent Browser, Iridium, Slimjet, Kinza, Sputnik, Orbitum, and 30+ more

Gecko Browsers (Firefox, etc.): Firefox, Waterfox, Pale Moon, SeaMonkey, IceDragon, Cyberfox, BlackHaw, Basilisk

Desktop Crypto Wallets: Exodus, Electrum, ElectrumLTC, AtomicWallet, Coinbase, MetaMask, TrustWallet, Litecoin Core, Dash Core, Bitcoin Core, Monero GUI, Dogecoin Core, Qtum, WalletWasabi, Sparrow, AtomicDEX, Binance

Email Clients: Outlook (desktop), FoxMail, Thunderbird

Messaging/Remote: Discord (token harvesting via discord.com/api/v9/users/@me), Telegram session files, WinSCP, FileZilla

WiFi: Saved network credentials via netsh wlan

Crypto Clipper Replacement Addresses:

Chain	Threat Actor Wallet
BTC	`bc1q52ne8v7nmmux94qcrp5784ffsdp4l56f2gwr58`
ETH	`0xc4227FB9c3520a05C25CCB418b9695D089dFa4EB`
LTC	`MHdD3GCdkapnqM3jmdt9h8neztaB6AdSX5`
BCH	`qpaznatrx7wyd8puvqy23pljjyengfkfp5m4pftq6l`
TRX	`TCR3uv8Diot4AdUNDcJKswBmNKFdRDWBfo`
SOL	`zm46pAFBTDqJYVXQNR1AmwtjHd54MGBMh4F4Cct42tY`

(Note: XMR and ETH use the same address in this build — likely the operator set them to the same wallet)

Kill Chain / Attack Flow

[Spear-Phishing Email]
  └── Attachment: "RFQ108004 - EDS International.js"
        │
        ▼
[Stage 1: WSH JavaScript Dropper]
  • Obfuscated with string-array encoding
  • ActiveX: ADODB.Stream (base64 decode), WScript.Shell (execute), FileSystemObject
  • Decodes 3.4 MB PowerShell to %TEMP%\ps_<rand>_<ts>.ps1
  • Executes: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File <ps1>
  • Self-cleans (deletes ps1 after execution)
        │
        ▼
[Stage 2: PowerShell — Rotational XOR Decryptor]
  • AES-derived XOR key (32 bytes from base64)
  • Rotational XOR decryption of 2.5 MB blob
  • Executes via Invoke-Expression
        │
        ▼
[Stage 3: PowerShell — Process Hollow Launcher]
  • Loads DEV.dll (.NET injector) via Assembly::Load (fileless)
  • Monitors for Aspnet_compiler.exe process absence
  • Calls DEV.DOWN.SHOOT(Aspnet_compiler.exe path, stealer_bytes)
        │
        ▼
[Stage 4: DEV.dll — Process Hollowing Injector]
  • Spawns Aspnet_compiler.exe (SUSPENDED)
  • Unmaps original image
  • Writes PhantomStealer PE via WriteProcessMemory
  • Patches thread context → ResumeThread
        │
        ▼
[Stage 5: PhantomStealer v3.5.0 — Running in Aspnet_compiler.exe]
  • Anti-analysis checks (141 usernames, 112 machine names, GPU, process, service, IP)
  • Steals: browser passwords/cookies/cards, Discord tokens, Telegram, email, FTP, WiFi, wallets
  • Crypto clipper active (BTC/ETH/LTC/BCH/TRX/SOL)
  • Archives stolen data as ZIP
  • Exfiltrates via SMTP: mail.tms.cl:587 → info@graceishere.tech

Network Indicators — Complete C2 Infrastructure

Primary Domain: PhantomStealer MaaS Panel

Indicator	Detail
Domain	`phantomsoftwares.site`
IP	`199.188.201.183`
ASN	AS22612 (Namecheap, Inc.)
Location	Phoenix, AZ, USA
Hosting	Namecheap shared hosting (`premium309-4.web-hosting.com`)
Services	HTTP (80), HTTPS (443), FTP (21, blocked)
Registered	2025-02-13 (Namecheap)
Expires	2027-02-13
DNS	Cloudflare (`jobs.ns.cloudflare.com`, `serenity.ns.cloudflare.com`)
VT Score	18/94 malicious
Purpose	MaaS operator website, builder distribution, panel

Exfiltration Domain

Indicator	Detail
Domain	`graceishere.tech`
IP	`184.94.213.213`
ASN	AS22612 (Namecheap, Inc.)
Location	Los Angeles, CA, USA
Hosting	Namecheap shared hosting (`premium336-5.web-hosting.com`)
Services	HTTP (80), HTTPS (443), SMTP (993,995,587,26)
Registered	2026-02-01 (Namecheap) — ~6 weeks before sample submission
DNS	Namecheap (`DNS1/2.NAMECHEAPHOSTING.COM`)
MX Records	Shared with `phantomsoftwares.site` (jellyfish.systems)
VT Score	0/94 (clean — newly registered)
Purpose	Exfiltration inbox (`info@graceishere.tech`)

INFRASTRUCTURE LINK: phantomsoftwares.site and graceishere.tech share identical MX records (mx1/2/3-hosting.jellyfish.systems), placing them on the same mail infrastructure. This strongly links the MaaS operator to the buyer/deployer, or indicates the same actor built and deployed this sample.

Compromised SMTP Relay

Indicator	Detail
Domain	`tms.cl` / `mail.tms.cl`
IP	`201.148.105.95`
ASN	HOSTING.CL (Chile)
Location	Santiago, Chile
Hostnames	`electrohidraulica.cl`, `nuevohosting10595.dedicados.cl`
Services	SMTP(25/587/465/26), IMAP(143/993), POP3(110/995), HTTP(80/443), FTP(21), MySQL(3306)
Legitimate Owner	Tambores TMS S.A. (registered 2000-07-05, NIC Chile)
Credentials	`contacto@tms.cl` / `MS753apik%` (COMPROMISED)
Purpose	SMTP relay for stolen data exfiltration

Domain	IP	Registered	Notes
`eijaar.com`	`184.94.213.213`	2025-12-23 (Namecheap)	Same server as `graceishere.tech`, clean, possibly same operator

MITRE ATT&CK TTPs

ID	Technique	Implementation
T1566.001	Phishing: Spearphishing Attachment	"RFQ108004 - EDS International.js"
T1059.007	Command and Scripting: JavaScript	Stage 1 WSH dropper
T1059.001	Command and Scripting: PowerShell	Stages 2–3
T1027	Obfuscated Files or Information	String-array JS obfuscation, XOR encryption
T1027.010	Obfuscated Files or Information: Command Obfuscation	Base64 + rotational XOR layering
T1140	Deobfuscate/Decode Files or Information	Multi-stage decrypt chain
T1620	Reflective Code Loading	Assembly::Load() for DEV.dll
T1055.012	Process Injection: Process Hollowing	Aspnet_compiler.exe hollowing
T1218.009	System Binary Proxy Execution: Regsvcs/Regasm	Abuse of Aspnet_compiler.exe
T1082	System Information Discovery	Antivirus, GPU, OS, username, machine GUID
T1057	Process Discovery	SuspiciousProcess() checks
T1497.001	Virtualization/Sandbox Evasion: System Checks	9 distinct anti-analysis methods
T1012	Query Registry	Machine GUID, system info
T1552.001	Unsecured Credentials: Credentials in Files	Browser credential files
T1539	Steal Web Session Cookie	Chromium/Gecko cookie theft
T1555.003	Credentials from Web Browsers	Passwords, credit cards
T1415	Adversary-in-the-Browser (via clipper)	Clipboard crypto replacement
T1115	Clipboard Data	Crypto clipper monitoring
T1560.002	Archive Collected Data: Archive via Library	SharpZipLib ZIP archival
T1020	Automated Exfiltration	SMTP automated exfil
T1071.003	Application Layer Protocol: Mail Protocols	SMTP exfiltration via port 587
T1041	Exfiltration Over C2 Channel	Data sent via SMTP
T1078	Valid Accounts	Abuses compromised mail credentials
T1547.001	Boot/Logon Autostart: Registry Run Keys	Startup option (disabled in this build)

IOCs — Complete Indicator Table

Hashes

Stage	SHA256	MD5	Type
Stage 1 (JS dropper)	`0191ba81d05956c5b6d5503c42df1c244b9013e72a4a637ef6b0125f02551a8e`	`af24b03f9afd4f18488362cd959e5606`	WSH JS
Stage 4 (Injector DLL)	`195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447`	`061c1eed62c8326f2c8052851090f33d`	.NET DLL
Stage 5 (Stealer PE)	`6eb33e137719e0261e910379786355f85da25b73c119616d34b3119da81f7ff0`	`32cd9c01651c9e8e3bc4dcf07a3df980`	.NET EXE
Builder DLL (related)	`e479e52241e5246b73cce4dbaa1a885003cdc75bb629b9cae0e9be134b117922`	-	.NET DLL

Network

Type	Indicator	Purpose
Domain	`phantomsoftwares.site`	MaaS operator panel
Domain	`graceishere.tech`	Exfiltration inbox domain
Domain	`tms.cl` / `mail.tms.cl`	Compromised SMTP relay
Domain	`eijaar.com`	Co-hosted with exfil domain
IP	`199.188.201.183`	phantomsoftwares.site server
IP	`184.94.213.213`	graceishere.tech server
IP	`201.148.105.95`	Compromised Chilean mail relay
URL	`https://www.phantomsoftwares.site/home`	Operator homepage
URL	`https://www.phantomsoftwares.site/logo/phantom_discord.png`	Discord avatar
URL	`https://t.me/Oldphantomoftheopera`	Operator Telegram channel
Email	`info@graceishere.tech`	Stolen data receiver
Email	`contacto@tms.cl`	Compromised SMTP sender
SMTP	`mail.tms.cl:587`	Exfil relay (compromised)

Crypto Wallets (Clipper Addresses)

Chain	Address
BTC	`bc1q52ne8v7nmmux94qcrp5784ffsdp4l56f2gwr58`
ETH	`0xc4227FB9c3520a05C25CCB418b9695D089dFa4EB`
LTC	`MHdD3GCdkapnqM3jmdt9h8neztaB6AdSX5`
BCH	`qpaznatrx7wyd8puvqy23pljjyengfkfp5m4pftq6l`
TRX	`TCR3uv8Diot4AdUNDcJKswBmNKFdRDWBfo`
SOL	`zm46pAFBTDqJYVXQNR1AmwtjHd54MGBMh4F4Cct42tY`

Host-Based IOCs

Type	Indicator
Mutex	`EMSMNP0JM2FCVRK21CDD`
Temp file pattern	`C:\Temp\ps__.ps1`
Injection target	`C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe`
Work directory	`%TEMP%\<MD5(mutex+sysinfo)>\`
Archive	`%TEMP%\<MD5(mutex+sysinfo)>\<compname>_<timestamp>.zip`
File pattern	`Chromium_passwords_<compname>_*.txt`
File pattern	`Chromium_cookies_<compname>_*.json`

Related Samples (all referencing `phantomsoftwares.site`)

SHA256	VT Score	Filename	Notes
`090b78e9d935867ad357f5a6a028b88ff16847271d88aeb63ba22c65a947b0ac`	46/76	`Phantom_Stealer_64Bits_Build.zip`	Full builder package
`318d83f72c048eea5be0386bec4b605ae8fd48465bd63efce4f3dd41fc420430`	3/76	`z10g9ymr.exe`	Possible compiled stub
`942511469e9e665ed27d49c2852d98639bc5fdccba45bb4a5c3ef985d9c8ebc6`	42/76	`Не для хуесоса.zip`	Russian-language: "Not for [derogatory]" — operator artifact, suggests Russian-speaking actor
`677dfd5de13114a4cee66d28f95a1d0ba7a3a147ec8cab937a76096e526a87e5`	46/76	`FantomSteallerCrack.zip`	Cracked/pirated version
`e479e52241e5246b73cce4dbaa1a885003cdc75bb629b9cae0e9be134b117922`	44/76	`Phantom_Stealer_64Bits_Build_Builder.dll`	Builder DLL

Timeline

Date	Event
2025-02-13	`phantomsoftwares.site` registered (Namecheap)
2025-12-23	`eijaar.com` registered (Namecheap, same hosting)
2026-02-01	`graceishere.tech` registered (Namecheap, 6 weeks before deployment)
2026-03-09	Shodan last scan of `phantomsoftwares.site` IP
2026-03-12	Sample first submitted to abuse.ch (17:15 UTC)

Attribution

Threat Actor / MaaS Operator

Alias: "Phantom" / "Oldphantomoftheopera"
Telegram: @Oldphantomoftheopera (https://t.me/Oldphantomoftheopera)
Website: https://www.phantomsoftwares.site/home
Language indicator: Russian-language artifact (Не для хуесоса.zip) hosted on operator infrastructure suggests Russian-speaking operator
Business model: Commercial MaaS — sells PhantomStealer builds to buyers who configure their own exfil endpoints
Infrastructure: Namecheap shared hosting (low-cost, easy signup); Cloudflare DNS for main domain

Buyer / Deployer (This Specific Build)

Exfil inbox: info@graceishere.tech
Domain registered: 2026-02-01 — purpose-built 6 weeks before deployment
Infrastructure overlap: graceishere.tech shares mail infrastructure (jellyfish.systems MX) with operator's phantomsoftwares.site — unusual, suggests either the same actor built and deployed this sample, OR the buyer simply used the same hosting provider
SMTP relay: Compromised credentials on a legitimate Chilean company's mail server (Tambores TMS S.A., mail.tms.cl)
Phishing lure: "RFQ108004 - EDS International.js" — professional procurement targeting

OPSEC Mistakes

Shared MX infrastructure: Both the operator domain and exfil domain use mx*.jellyfish.systems — strong infrastructure link
Hardcoded AES key in binary: Config decryption key is static across builds, enabling bulk decryption of all configs
Debug logging enabled: Code logs decrypted config values including credentials to console/file during debug mode
Compromised relay exposes real TTPs: Using tms.cl rather than disposable infrastructure ties activity to a traceable SMTP server with full logs
Wallet reuse: ETH and XMR clipper addresses are identical — likely lazy configuration

Confidence Level

Claim	Confidence
PhantomStealer v3.5.0 MaaS	HIGH (version string, operator domain, builder artifacts)
Russian-speaking operator	MEDIUM (single Russian filename artifact)
Separate buyer deployed this build	MEDIUM-LOW (shared MX could indicate same actor)
Compromised SMTP relay	HIGH (credentials decrypted, VT sandbox DNS confirmed)

Infrastructure Map

[Operator: @Oldphantomoftheopera]
    │
    ├── phantomsoftwares.site (199.188.201.183)
    │     Namecheap AS22612, Phoenix AZ
    │     Cloudflare DNS, LiteSpeed web
    │     ├── /home  (MaaS panel, builder download)
    │     └── /logo/phantom_discord.png  (Discord webhook avatar)
    │
    └── MX: mx1/2/3-hosting.jellyfish.systems
          │
          └── [SHARED WITH] ────────────────────────────────────┐
                                                                  │
[Exfil Recipient: info@graceishere.tech]                         │
    │                                                             │
    ├── graceishere.tech (184.94.213.213)                        │
    │     Namecheap AS22612, Los Angeles CA                       │
    │     Namecheap hosting DNS                                   │
    │     Co-hosted: eijaar.com (same IP, same DNS)              │
    │                                                             │
    └── MX: mx1/2/3-hosting.jellyfish.systems ──────────────────┘

[Compromised SMTP Relay]
    └── mail.tms.cl (201.148.105.95)
          HOSTING.CL, Santiago, Chile
          Owner: Tambores TMS S.A.
          Port 587/STARTTLS exfiltration

[Process Injection Target (legitimate)]
    └── C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe

Defensive Recommendations

Block phantomsoftwares.site, graceishere.tech at DNS/proxy/firewall
Alert on mail.tms.cl:587 SMTP connections from non-mail infrastructure
Monitor for Aspnet_compiler.exe spawned by PowerShell or WScript/CScript
Disable Windows Script Host for standard users: REG ADD HKCU\Software\Microsoft\Windows Script Host\Settings /v Enabled /t REG_DWORD /d 0
Block .js file extensions in email gateway attachments
Detect on Mutex EMSMNP0JM2FCVRK21CDD
Hunt C:\Temp\ps_*.ps1 creation events
Monitor assembly loads into Aspnet_compiler.exe via ETW/Sysmon Event ID 7