
PhantomStealer v3.5.0 Resurfaces: RFQ-Themed Spear Phishing Targets Procurement Staff via Compromised Chilean SMTP Relay

Same MaaS builder, new lure, new relay -- infrastructure overlap links operator and buyer through shared mail hosting

Published March 12, 2026
Tags: PhantomStealer, MaaS, Spear Phishing, Process Hollowing, SMTP Exfiltration, Crypto Clipper

Overview

A second PhantomStealer v3.5.0 deployment was captured on March 12, 2026, arriving as a fake Request For Quotation (RFQ) business document -- RFQ108004 - EDS International.js. While the underlying MaaS builder is identical to the invoice-themed variant analyzed earlier the same day, this build uses a different compromised SMTP relay (a Chilean company's mail server), a different receiver email, and a different mutex. Critically, the exfiltration domain graceishere.tech shares mail infrastructure with the MaaS operator's panel domain phantomsoftwares.site, raising the question of whether the builder and deployer are the same entity.

The fileless, five-stage infection chain -- WSH JavaScript dropper through PowerShell XOR decryptor to .NET reflective loader to process hollowing injector to the final stealer -- is executed entirely in memory. The final payload hollows into a legitimate Microsoft .NET Framework process and begins harvesting credentials, browser data, cryptocurrency wallets, and Discord tokens.

Sample Metadata

Field | Value
Filename | RFQ108004 - EDS International.js
SHA256 | 0191ba81d05956c5b6d5503c42df1c244b9013e72a4a637ef6b0125f02551a8e
MD5 | af24b03f9afd4f18488362cd959e5606
SHA1 | 610246b5c26843faf5cb32d32d07d9cbeccb954f
File Type | JavaScript (WSH / Windows Script Host)
File Size | 4,609,179 bytes (~4.4 MB)
First Seen | 2026-03-12 17:15:13 UTC
VT Detections | 13/76 (dropper), 45/76 (final payload)
Classification | MALICIOUS -- Information Stealer / MaaS

Stage Hashes

Stage | SHA256 | VT
Stage 1 (JS dropper) | 0191ba81d05956c5b6d5503c42df1c244b9013e72a4a637ef6b0125f02551a8e | 13/76
Stage 4 (DEV.dll injector) | 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447 | 22/76
Stage 5 (PhantomStealer) | 6eb33e137719e0261e910379786355f85da25b73c119616d34b3119da81f7ff0 | 45/76

Infection Chain: Five Stages, Fully Fileless

Stage 1: WSH JavaScript Dropper

The 4.4MB dropper is a single-line obfuscated JavaScript file for Windows Script Host. It uses a string array (oB[]) with 142 entries decoded via a rotation/lookup function typical of javascript-obfuscator tooling.

The execution flow:

  1. Creates Scripting.FileSystemObject and WScript.Shell ActiveX objects
  2. Uses VBScript.RegExp to strip junk characters from an embedded base64 payload
  3. Decodes via ADODB.Stream (binary mode, UTF-8 charset)
  4. Writes decoded PowerShell to C:\Temp\ps_<RANDOM>_<TIMESTAMP>.ps1
  5. Executes: powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "<path>"
  6. Kills wscript/cscript after a 50-second timeout; deletes the .ps1 after execution

The embedded base64 string decodes to 3,449,631 bytes -- the Stage 2 PowerShell decryptor.

Stage 2: Rotational XOR Decryptor

The PowerShell script (3.4MB) uses the same "Multi-Stage Rotational XOR Decryption Framework" seen in the invoice variant, but with a different XOR key:

XOR Key (hex): dfa04bd1ae97de3b426a59b911895411ee3639ad411bc620ad4c055cda30207f

The rotational algorithm applies position-dependent key offsets, producing a non-repeating keystream. Output is Stage 3 PowerShell, executed via Invoke-Expression.

Stage 3: Process Hollowing Launcher

The decrypted PowerShell script contains two embedded PE files and the injection logic:

  • Test-ProcessAbsence("Aspnet_compiler") checks if the injection target is already running
  • Invoke-AssemblyExecution loads DEV.dll from a base64-encoded byte array via Assembly::Load() -- entirely fileless
  • Calls DEV.DOWN.SHOOT(Aspnet_compiler.exe path, stealer_bytes)

Stage 4: DEV.dll -- Process Hollowing Injector

The 47KB .NET DLL (namespace DEV, class DOWN, method SHOOT) performs classic process hollowing:

  1. Spawns Aspnet_compiler.exe as a suspended process (CREATE_SUSPENDED = 0x4)
  2. Unmaps the original image base via NtUnmapViewOfSection
  3. Allocates new memory via VirtualAllocEx
  4. Writes Stage 5 PE via WriteProcessMemory
  5. Patches thread context to point to the new entry point
  6. Resumes the hollowed process via ResumeThread

All Win32 APIs are resolved at runtime via LoadLibraryA + GetProcAddress from kernel32.dll.

Stage 5: PhantomStealer v3.5.0

The 751KB .NET executable runs inside the hollowed Aspnet_compiler.exe process. This build uses mutex EMSMNP0JM2FCVRK21CDD -- different from the invoice variant's mutex, confirming these are separate deployments from the same builder.

Configuration Comparison

This build's configuration differs from the invoice-themed variant in important ways:

Setting | This Build (RFQ) | Invoice Build
SMTP Server | mail.tms.cl | mail.kluangstation.com.my
SMTP Sender | contacto@tms.cl | christy@kluangstation.com.my
SMTP Receiver | info@graceishere.tech | ike@graceishere.tech
Mutex | EMSMNP0JM2FCVRK21CDD | ZK5BJ6U4KNLQT3D9UGJZ
Anti-Analysis | DISABLED | DISABLED
Startup Persistence | DISABLED | DISABLED
File Grabber | DISABLED | ENABLED
Keylogger | DISABLED | DISABLED

Both builds use the same exfiltration domain (graceishere.tech) but with different mailbox prefixes (info@ vs ike@), suggesting the same operator running parallel campaigns with different SMTP relays and lures.

The Compromised Chilean Relay

The SMTP relay for this build is mail.tms.cl (IP: 201.148.105.95), belonging to Tambores TMS S.A., a legitimate Chilean company registered in 2000 with NIC Chile. The server is hosted by HOSTING.CL in Santiago and runs a full mail/web stack: SMTP (ports 25/587/465), IMAP, POP3, HTTP, FTP, and MySQL.

The compromised credentials (contacto@tms.cl) were extracted from the stealer's AES-encrypted configuration -- a reminder that these SMTP relays are themselves likely victims of prior credential theft campaigns.

Anti-Analysis: Nine Detection Methods

PhantomStealer v3.5.0 implements a comprehensive AntiAnalysis class, though it is disabled in this particular build:

  1. SuspiciousGPU() -- WMI check against known VM/sandbox GPU names
  2. SuspiciousProcess() -- Checks for Wireshark, ProcMon, x64dbg, etc.
  3. SuspiciousService() -- Checks for sandbox/AV services
  4. SuspiciousIP() -- Checks public IP against VPN/hosting ranges
  5. SuspiciousPCUsername() -- 141-entry blacklist of sandbox usernames
  6. SuspiciousPCName() -- 112-entry blacklist of sandbox hostnames
  7. SuspiciousMachineGuid() -- Checks against known sandbox GUIDs
  8. SandBox() -- DLL detection: SbieDll.dll, SxIn.dll, snxhk.dll, cmdvrt32.dll
  9. Emulator() -- Timing/behavior checks

If any check fires, the malware self-destructs via SelfDestruct.Melt().

Crypto Clipper

The clipper module is active and monitors the clipboard for cryptocurrency addresses. Replacement wallets are identical to the invoice variant, confirming the same operator:

Chain | Attacker Wallet
BTC | bc1q52ne8v7nmmux94qcrp5784ffsdp4l56f2gwr58
ETH | 0xc4227FB9c3520a05C25CCB418b9695D089dFa4EB
LTC | MHdD3GCdkapnqM3jmdt9h8neztaB6AdSX5
BCH | qpaznatrx7wyd8puvqy23pljjyengfkfp5m4pftq6l
TRX | TCR3uv8Diot4AdUNDcJKswBmNKFdRDWBfo
SOL | zm46pAFBTDqJYVXQNR1AmwtjHd54MGBMh4F4Cct42tY

Note: In this build, the XMR and ETH clipper addresses are set to the same wallet -- likely a lazy configuration error by the operator.

Infrastructure Analysis

MaaS Panel

Indicator | Detail
Domain | phantomsoftwares.site
IP | 199.188.201.183
ASN | AS22612 (Namecheap)
Location | Phoenix, AZ
Registered | 2025-02-13
VT Score | 18/94 malicious

Exfiltration Domain

Indicator | Detail
Domain | graceishere.tech
IP | 184.94.213.213
ASN | AS22612 (Namecheap)
Location | Los Angeles, CA
Registered | 2026-02-01 (6 weeks before deployment)
VT Score | 0/94 (newly registered, clean)

Both phantomsoftwares.site and graceishere.tech share identical MX records (mx1/2/3-hosting.jellyfish.systems), placing them on the same mail infrastructure. This strongly links the MaaS operator to the deployer, or indicates the same actor both built and deployed this sample.

A co-hosted domain eijaar.com shares the same IP as graceishere.tech, registered 2025-12-23 via Namecheap -- possibly another project by the same operator.

Compromised SMTP Relay

Indicator | Detail
Domain | tms.cl / mail.tms.cl
IP | 201.148.105.95
ASN | HOSTING.CL (Chile)
Legitimate Owner | Tambores TMS S.A.

Attribution and OPSEC Failures

Claim | Confidence
PhantomStealer v3.5.0 MaaS | HIGH
Russian-speaking operator | MEDIUM (Russian-language artifact: Не для хуесоса.zip on operator infra)
Same actor as invoice variant | HIGH (identical clipper wallets, same exfil domain)
Compromised SMTP relay | HIGH (credentials decrypted, confirmed in sandbox DNS)

Key OPSEC mistakes:

  1. Shared MX infrastructure between operator and exfil domains creates a strong linkage
  2. Hardcoded AES key is static across builds, enabling bulk config decryption
  3. Compromised relay exposes TTPs -- tms.cl is a traceable SMTP server with logs
  4. Identical clipper wallets across builds tie the campaigns together
  5. Wallet reuse -- ETH and XMR addresses are identical, suggesting lazy configuration

Related samples observed on operator infrastructure:

SHA256 (prefix) | VT | Filename | Notes
090b78e9... | 46/76 | Phantom_Stealer_64Bits_Build.zip | Full builder package
942511469e... | 42/76 | Не для хуесоса.zip | Russian-language operator artifact
677dfd5d... | 46/76 | FantomSteallerCrack.zip | Cracked/pirated version
e479e522... | 44/76 | Phantom_Stealer_64Bits_Build_Builder.dll | Builder DLL

Timeline

Date | Event
2025-02-13 | phantomsoftwares.site registered
2025-12-23 | eijaar.com registered (same hosting)
2026-02-01 | graceishere.tech registered (6 weeks before deployment)
2026-03-12 | Both RFQ and invoice variants submitted to abuse.ch

MITRE ATT&CK TTPs

ID | Technique | Implementation
T1566.001 | Phishing: Spearphishing Attachment | RFQ108004 - EDS International.js
T1059.007 | Command and Scripting: JavaScript | Stage 1 WSH dropper
T1059.001 | Command and Scripting: PowerShell | Stages 2-3
T1027 | Obfuscated Files or Information | String-array JS obfuscation, XOR encryption
T1027.010 | Command Obfuscation | Base64 + rotational XOR layering
T1140 | Deobfuscate/Decode Files or Information | Multi-stage decrypt chain
T1620 | Reflective Code Loading | Assembly::Load() for DEV.dll
T1055.012 | Process Injection: Process Hollowing | Aspnet_compiler.exe hollowing
T1497.001 | Virtualization/Sandbox Evasion | 9 anti-analysis methods (disabled)
T1555.003 | Credentials from Web Browsers | 40+ browser credential harvesting
T1539 | Steal Web Session Cookie | Chromium/Gecko cookie theft
T1115 | Clipboard Data | Crypto clipper monitoring
T1560.002 | Archive Collected Data | SharpZipLib ZIP archival
T1071.003 | Application Layer Protocol: Mail | SMTP exfiltration via port 587
T1078 | Valid Accounts | Abuses compromised mail credentials

IOC Tables

File Hashes

SHA256 | MD5 | Type
0191ba81d05956c5b6d5503c42df1c244b9013e72a4a637ef6b0125f02551a8e | af24b03f9afd4f18488362cd959e5606 | WSH JS dropper
195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447 | 061c1eed62c8326f2c8052851090f33d | DEV.dll injector
6eb33e137719e0261e910379786355f85da25b73c119616d34b3119da81f7ff0 | 32cd9c01651c9e8e3bc4dcf07a3df980 | PhantomStealer payload

Network Indicators

Indicator | Type | Purpose
phantomsoftwares.site | Domain | MaaS operator panel
graceishere.tech | Domain | Exfiltration inbox domain
tms.cl / mail.tms.cl | Domain | Compromised SMTP relay
eijaar.com | Domain | Co-hosted with exfil domain
199.188.201.183 | IPv4 | MaaS panel server
184.94.213.213 | IPv4 | Exfil receiver server
201.148.105.95 | IPv4 | Compromised Chilean mail relay
info@graceishere.tech | Email | Stolen data receiver
contacto@tms.cl | Email | Compromised SMTP sender
t.me/Oldphantomoftheopera | URL | Operator Telegram channel

Host Indicators

Indicator | Type
EMSMNP0JM2FCVRK21CDD | Mutex
C:\Temp\ps_*_*.ps1 | Temp file pattern
Aspnet_compiler.exe (hollowed) | Injection target

Defensive Recommendations

  1. Block phantomsoftwares.site, graceishere.tech, and tms.cl at DNS/proxy/firewall
  2. Alert on mail.tms.cl:587 SMTP connections from non-mail infrastructure
  3. Monitor for Aspnet_compiler.exe spawned by PowerShell or WScript/CScript
  4. Disable Windows Script Host for standard users via registry
  5. Block .js file extensions in email gateway attachments
  6. Detect on mutex EMSMNP0JM2FCVRK21CDD
  7. Hunt C:\Temp\ps_*.ps1 creation events
  8. Monitor assembly loads into Aspnet_compiler.exe via ETW/Sysmon Event ID 7
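The process-tree, temp-file and image-load checks above (recommendations 3, 7 and 8) together with the Stage 1 launch pattern, as an added Python detection example that is not part of the original report. The Sysmon-style events are constructed to mirror the described chain, and the "unsigned module in Aspnet_compiler.exe" heuristic for Event ID 7 is an assumption rather than something the report states.

```python
import re

# Host indicators from the report (temp-file pattern, script hosts, hollowing
# target); the SAMPLE_EVENTS at the bottom are constructed, not captured data.
TEMP_PS1 = re.compile(r"^c:\\temp\\ps_[^\\]+_[^\\]+\.ps1$", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
HOLLOW_TARGET = "aspnet_compiler.exe"

def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def check_event(ev):
    """Return alert strings for one Sysmon-style event given as a field dict."""
    alerts = []
    eid, image = ev.get("EventID"), basename(ev.get("Image", ""))
    if eid == 1:  # process creation
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "").lower()
        if (image in POWERSHELL and parent in SCRIPT_HOSTS
                and "-executionpolicy bypass" in cmd and "-windowstyle hidden" in cmd):
            alerts.append("stage1: hidden bypass PowerShell launched from " + parent)
        if image == HOLLOW_TARGET and parent in SCRIPT_HOSTS | POWERSHELL:
            alerts.append("stage4: Aspnet_compiler.exe spawned by " + parent)
    elif eid == 11 and TEMP_PS1.match(ev.get("TargetFilename", "")):  # file creation
        alerts.append("stage1: temp script dropped at " + ev["TargetFilename"])
    elif eid == 7 and image == HOLLOW_TARGET:  # image load into the hollowed host
        # Assumption: an unsigned module inside Aspnet_compiler.exe deserves a look.
        if ev.get("Signed", "true").lower() == "false":
            alerts.append("stage5: unsigned module in Aspnet_compiler.exe: " + ev.get("ImageLoaded", ""))
    return alerts

def scan(events):
    """Run every event through check_event; returns (event index, alert) pairs."""
    return [(i, a) for i, ev in enumerate(events) for a in check_event(ev)]

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WSH = r"C:\Windows\System32\wscript.exe"
SAMPLE_EVENTS = [  # constructed to mirror the chain in the report
    {"EventID": 11, "Image": WSH, "TargetFilename": r"C:\Temp\ps_Qx7Kd_1773335713.ps1"},
    {"EventID": 1, "Image": PS, "ParentImage": WSH, "CommandLine":
     r'powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Temp\ps_Qx7Kd_1773335713.ps1"'},
    {"EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_compiler.exe",
     "ParentImage": PS, "CommandLine": "Aspnet_compiler.exe"},
    {"EventID": 7, "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Aspnet_compiler.exe",
     "ImageLoaded": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll", "Signed": "true"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
]
```

Running scan(SAMPLE_EVENTS) flags the first three constructed events and stays silent on the benign CLR load and the notepad launch.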

Analysis by GHOST -- Breakglass Intelligence
