Threat Intelligence Report: PhantomStealer v3.5.0
Sample: Invoice 10225.js
SHA256: 600436ca333df4abf42cc05b5c6307871782412f47ad92763d17a6228c528f62
Report Date: 2026-03-12
Classification: MALICIOUS — Information Stealer / MaaS
Confidence: HIGH
Executive Summary
A heavily obfuscated JScript dropper (Invoice 10225.js, 4.6MB) was identified that implements a four-stage infection chain culminating in the deployment of PhantomStealer v3.5.0, a commercially distributed Malware-as-a-Service (MaaS) information stealer. The stealer exfiltrates credentials, browser data, cryptocurrency wallets, and sensitive files via SMTP using a compromised Malaysian SMTP relay. A crypto-clipper module replaces clipboard cryptocurrency addresses with attacker-controlled addresses. The threat actor operates under the branding "Phantom stealer" and advertises on Telegram. The operator's SMTP receiver domain graceishere.tech and the MaaS panel phantomsoftwares.site share the same Namecheap hosting infrastructure.
Sample Metadata
| Field | Value |
|---|---|
| Filename | Invoice 10225.js |
| Alt Filename | fa457a24c1170f9f39f3c07b624d31dc.js |
| SHA256 | 600436ca333df4abf42cc05b5c6307871782412f47ad92763d17a6228c528f62 |
| MD5 | fa457a24c1170f9f39f3c07b624d31dc |
| SHA1 | fff3032dab0b18873f61d032b591291816610d5f |
| File Type | JavaScript (JScript/WSH) |
| File Size | 4,609,435 bytes |
| Structure | Single-line, heavily obfuscated |
| First Seen | 2026-03-12 17:17:47 UTC |
| Reporter | abuse_ch |
| VT Detections | 12/76 |
VirusTotal Engine Detections (Stage 1):
- DrWeb: JS.Muldrop.1170
- ESET-NOD32: Generik.IDXJQUU
- Kaspersky: HEUR:Trojan.Script.Generic
- Microsoft: Trojan:Script/Wacatac.B!ml
- McAfeeD: Trojan:Script/AgentTesla.AC
Infection Chain Analysis
Stage 1 — JScript Dropper (Invoice 10225.js, 4,609,435 bytes)
The dropper is a single-line JScript file executed by Windows Script Host (WScript.exe). Key characteristics:
- Obfuscation: Uses a string array pattern with function `B()` returning 166 encoded strings, decoded at runtime by function `Z(V, E)` via index lookup.
- Payload Embedding: A 4,599,764-character base64 string is embedded inline, decoding to approximately 3,449,822 bytes (the Stage 2 PowerShell script).
- Decode and Drop: Creates an `ADODB.Stream` object to base64-decode the embedded payload. Writes to `C:\Temp\` using a randomly generated 12-character filename plus timestamp with a `.ps1` extension.
- Execution: Launches the decoded script with:
  `powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "<path>"`
- Anti-Analysis:
  - Kills `wscript.exe` and `cscript.exe` processes to impede script debugging.
  - Uses WMI process checks as a timeout/delay mechanism.
- Self-cleanup: Deletes the `.ps1` file after execution.
- ActiveX Objects Used: `ADODB.Stream` (binary/text stream manipulation), `Scripting.FileSystemObject` (file write), `WScript.Shell` (process execution)
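The Stage 1 traits above can be triaged statically, without running the script. The following is an added example written for this report, not code from the sample or from any tool it mentions: it pulls the largest base64 string literal out of a WSH/JScript file, decodes it, and records which ActiveX objects, PowerShell switches and script-host names the dropper references. The JScript it parses is constructed for the example (the real dropper is 4.6 MB, so read it from disk there); the marker lists are the report's own Stage 1 observations.

```python
"""Static triage of a WSH/JScript dropper shaped like Stage 1 (added example)."""
import base64
import binascii
import re
from typing import Dict, List, Optional

# Markers taken from the report's Stage 1 description.
ACTIVEX_OBJECTS = ("ADODB.Stream", "Scripting.FileSystemObject", "WScript.Shell")
POWERSHELL_FLAGS = ("-ExecutionPolicy Bypass", "-WindowStyle Hidden", "-File")
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# Constructed second stage: what the embedded base64 decodes to in this example.
STAGE2_PS = (
    "$securecontainer = 'QUJDREVGR0hJSktMTU5PUA=='\n"
    "Invoke-Expression ([Text.Encoding]::UTF8.GetString("
    "[Convert]::FromBase64String($securecontainer)))\n"
)

# Constructed single-line dropper in the style the report describes (not the real sample).
SAMPLE_JS = (
    "var B=['ADODB.Stream','Scripting.FileSystemObject','WScript.Shell'];"
    "var st=new ActiveXObject(B[0]);var fso=new ActiveXObject(B[1]);var sh=new ActiveXObject(B[2]);"
    "var p='" + base64.b64encode(STAGE2_PS.encode()).decode() + "';"
    "var f='C:\\\\Temp\\\\'+fso.GetTempName()+'.ps1';"
    "sh.Run('powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File \"'+f+'\"',0,true);"
    "GetObject('winmgmts:').ExecQuery(\"select * from Win32_Process where Name='wscript.exe'\");"
    "fso.DeleteFile(f);"
)


def find_base64_literals(js_source: str, min_len: int = 64) -> List[str]:
    """Quoted string literals made only of base64 characters, at least min_len long."""
    pattern = re.compile(r"([\"'])([A-Za-z0-9+/]{%d,}={0,2})\1" % min_len)
    return [m.group(2) for m in pattern.finditer(js_source)]


def extract_payload(js_source: str, min_len: int = 64) -> Optional[bytes]:
    """Decode the largest base64 literal; None if there is none or it does not decode cleanly."""
    literals = find_base64_literals(js_source, min_len)
    if not literals:
        return None
    try:
        return base64.b64decode(max(literals, key=len), validate=True)
    except (binascii.Error, ValueError):
        return None


def triage(js_source: str) -> Dict[str, object]:
    """Summarise the dropper's observable traits without executing it."""
    lowered = js_source.lower()
    payload = extract_payload(js_source)
    text = payload.decode("utf-8", errors="replace") if payload else ""
    return {
        "activex_objects": [o for o in ACTIVEX_OBJECTS if o.lower() in lowered],
        "powershell_flags": [f for f in POWERSHELL_FLAGS if f.lower() in lowered],
        "references_script_hosts": any(h in lowered for h in SCRIPT_HOSTS),
        "payload_bytes": len(payload) if payload else 0,
        # Stage 2 is PowerShell: variable assignments, Invoke-Expression/IEX or FromBase64String.
        "payload_is_powershell": bool(
            re.search(r"\$\w+\s*=|Invoke-Expression|\bIEX\b|FromBase64String", text, re.I)
        ),
    }


if __name__ == "__main__":
    for name, value in triage(SAMPLE_JS).items():
        print(f"{name}: {value}")
```

On the real file the decoded payload is the Stage 2 script and can be written out for the next step; the 64-character minimum only filters short strings and should be raised when a dropper carries many decoy literals.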
Stage 2 — PowerShell XOR Decryptor (stage2_payload.ps1, 53,133 lines)
Titled internally as "Multi-Stage Rotational XOR Decryption Framework":
- Container Variable: `$securecontainer` holds a 3.4MB base64-encoded, XOR-encrypted blob.
- Encryption Key:
  - Base64: `mIcZ61jiyqn98yfLCi8V42f8L6XGoO9PdIMbwPIfyZs=`
  - Hex (32 bytes): `988719eb58e2caa9fdf327cb0a2f15e367fc2fa5c6a0ef4f74831bc0f21fc99b`
- Rotational XOR Algorithm:
  `result[pos] = cipher[pos] XOR key[(pos + rotation_tracker) % key_length]`
  `rotation_tracker = (rotation_tracker + key[key_pos]) % 7`
- Output: Decrypts to Stage 3 PowerShell (2,545,256 bytes, 77 lines).
- Execution: Passes decrypted content to `Invoke-Expression`.
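The rotational XOR above is simple enough to re-implement in a few lines, which is how an analyst would decrypt `$securecontainer` outside PowerShell. The following is an added example, not the decryptor from the sample. It takes both formulas from the report as written; the one detail the report does not state, which key index `key_pos` feeds the tracker update, is assumed here to be the index just used for the XOR (marked in the code). The key stream depends only on key and position, so XOR is its own inverse and one function serves both directions. The key is the report's; the plaintext is constructed.

```python
"""Stage 2 rotational XOR re-implemented (added example, not the sample's code)."""
import base64

KEY_B64 = "mIcZ61jiyqn98yfLCi8V42f8L6XGoO9PdIMbwPIfyZs="   # from the report
KEY_HEX = "988719eb58e2caa9fdf327cb0a2f15e367fc2fa5c6a0ef4f74831bc0f21fc99b"
ROTATION_MODULUS = 7


def rotational_xor(data: bytes, key: bytes, modulus: int = ROTATION_MODULUS) -> bytes:
    """result[pos] = data[pos] XOR key[(pos + tracker) % len(key)]
    tracker      = (tracker + key[key_pos]) % modulus
    Symmetric: applying it twice with the same key returns the input."""
    out = bytearray(len(data))
    tracker = 0
    klen = len(key)
    for pos, byte in enumerate(data):
        key_pos = (pos + tracker) % klen
        out[pos] = byte ^ key[key_pos]
        # ASSUMPTION: the report's key_pos is the index that was just used for the XOR.
        tracker = (tracker + key[key_pos]) % modulus
    return bytes(out)


def keystream(length: int, key: bytes) -> bytes:
    """The effective key stream: what an all-zero plaintext encrypts to."""
    return rotational_xor(bytes(length), key)


def decrypt_stage2(container_b64: str, key_b64: str = KEY_B64) -> bytes:
    """Mirror the sample's flow: base64-decode $securecontainer, then undo the XOR."""
    return rotational_xor(base64.b64decode(container_b64), base64.b64decode(key_b64))


def max_key_offset(length: int, key: bytes) -> int:
    """How far the key index ever drifts from a plain repeating key.
    The tracker is reduced mod 7, so the drift is never more than 6 positions,
    which is why a known-plaintext prefix (PowerShell source) recovers the key."""
    klen = len(key)
    tracker, worst = 0, 0
    for pos in range(length):
        key_pos = (pos + tracker) % klen
        worst = max(worst, (key_pos - pos % klen) % klen)
        tracker = (tracker + key[key_pos]) % ROTATION_MODULUS
    return worst


if __name__ == "__main__":
    key = base64.b64decode(KEY_B64)
    plaintext = b"Write-Host 'constructed stage 3 placeholder'"   # constructed
    container = base64.b64encode(rotational_xor(plaintext, key)).decode()
    print(decrypt_stage2(container))
    print("max drift from plain repeating key:", max_key_offset(4096, key))
```

To use it on the real script, paste the value of `$securecontainer` into `decrypt_stage2()`; if the output is not readable PowerShell, the `key_pos` assumption is the first thing to revisit, since every other term is fixed by the report.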
Stage 3 — PowerShell .NET Loader (stage3_payload.ps1, 77 lines)
A compact loader that performs process hollowing:
- Embedded Payloads (base64-encoded PE files within the script):
  - DEV.DOWN injector DLL (47,104 bytes), SHA256: `195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447`
  - PhantomStealer payload (751,616 bytes), SHA256: `7df24c505edbfd1bdee879f8fc12e7b67590755513f28cadadcfd173da07d14d`
- Process Monitoring: Monitors for the absence of an `Aspnet_compiler` process before injecting.
- Loader Call: Loads DEV.DOWN via `[System.Reflection.Assembly]::Load()`, then calls `DEV.DOWN.SHOOT(target, payload)`.
- Target Process: `C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe` (legitimate .NET tool used as cover; this is the 32-bit Framework path, matching the PE32 payload).
- Technique: Process hollowing. The loader unmaps the legitimate executable's image from the target process and replaces it with the PhantomStealer PE.
Stage 4 — PhantomStealer v3.5.0 (stub.exe, 751,616 bytes)
The final payload is a .NET PE32 executable:
- Platform: .NET Framework 4.8
- Packer: Costura (Costura.Fody assembly embedding; embedded DLLs: Newtonsoft.Json 13.0.0.0, ICSharpCode.SharpZipLib 1.3.3.11)
- Namespace: `Stub.*`
- Version: v3.5.0
- Mutex: `ZK5BJ6U4KNLQT3D9UGJZ`
- VT Detections: 45/76
  - Skyhigh: Stealerium!4D9E42F581E9
  - BitDefender: Dump:Generic.Trojan.TangoStealer.Marte.A.3931E82C
Config Encryption:
- Algorithm: AES-256-CBC
- Key derivation: PBKDF2-SHA1, 1000 iterations
- Password: `;&KF!M!h8^iT:<)a?~mXeN*~o?gN[v@rQ=B` (35 bytes)
- Salt: `f3o3K-11=G-N7VJtozOWRr=(tNZBfK+bS7Fy` (36 bytes)
- Derived AES Key: `475f6e68e30d296766cc730b6c882653a5eb9a04031812ff0426d081f1fc86bd`
- Derived AES IV: `54f5712a1b6304a9bce604684434bc81`
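The derivation above is reproducible from the password and salt alone. The following is an added example, not the stealer's code. It assumes the .NET `Rfc2898DeriveBytes` pattern in which the 32-byte key and the 16-byte IV are consecutive output of one PBKDF2-HMAC-SHA1 stream (key first, then IV), and computes the opposite split as well so an analyst can see which order the report's values correspond to. Password and salt are the report's, encoded as UTF-8 (an assumption). A textbook PBKDF2 (RFC 8018) is written out next to `hashlib` so the construction is visible and checkable against the RFC 6070 vectors; the AES-CBC decryption of the configuration itself is not reproduced here.

```python
"""PBKDF2-SHA1 key/IV derivation for the Stage 4 config (added example, not the stealer's code)."""
import hashlib
import hmac
from typing import Dict, Tuple

PASSWORD = ";&KF!M!h8^iT:<)a?~mXeN*~o?gN[v@rQ=B"      # from the report (35 bytes)
SALT = "f3o3K-11=G-N7VJtozOWRr=(tNZBfK+bS7Fy"         # from the report (36 bytes)
ITERATIONS = 1000
REPORTED_KEY = "475f6e68e30d296766cc730b6c882653a5eb9a04031812ff0426d081f1fc86bd"
REPORTED_IV = "54f5712a1b6304a9bce604684434bc81"


def pbkdf2_sha1_reference(password: bytes, salt: bytes, iterations: int, dklen: int) -> bytes:
    """PBKDF2 per RFC 8018 section 5.2 with HMAC-SHA1, block by block:
    T_i = U_1 xor U_2 xor ... xor U_c, U_1 = PRF(P, S || INT(i)), U_j = PRF(P, U_{j-1})."""
    hlen = hashlib.sha1().digest_size
    out = bytearray()
    for block_index in range(1, -(-dklen // hlen) + 1):
        u = hmac.new(password, salt + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dklen])


def derive_key_iv(password: str, salt: str, iterations: int = ITERATIONS,
                  key_len: int = 32, iv_len: int = 16, key_first: bool = True) -> Tuple[bytes, bytes]:
    """One PBKDF2 stream of key_len + iv_len bytes, split the way two successive
    Rfc2898DeriveBytes.GetBytes() calls would split it (ASSUMPTION: UTF-8 encoding)."""
    stream = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt.encode("utf-8"),
                                 iterations, key_len + iv_len)
    if key_first:
        return stream[:key_len], stream[key_len:]
    return stream[iv_len:], stream[:iv_len]      # IV drawn first, then the key


def check_against_report() -> Dict[str, bool]:
    """Which split order (if either) reproduces the report's derived key and IV."""
    result = {}
    for label, key_first in (("key_then_iv", True), ("iv_then_key", False)):
        key, iv = derive_key_iv(PASSWORD, SALT, key_first=key_first)
        result[label] = key.hex() == REPORTED_KEY and iv.hex() == REPORTED_IV
    return result


if __name__ == "__main__":
    key, iv = derive_key_iv(PASSWORD, SALT)
    print("key:", key.hex())
    print("iv: ", iv.hex())
    print("matches report:", check_against_report())
```

The derived pair feeds AES-256-CBC; .NET's default padding for `Aes` is PKCS7, so a decryptor built on these values should strip PKCS7 padding unless the stub shows otherwise. If neither split order reproduces the report's values, the encoding of the password or salt bytes is the next thing to check, since everything else in the derivation is fixed.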
Decrypted Configuration
| Config Field | Value |
|---|---|
| Version | v3.5.0 |
| TelegramCheckBox | 0 (disabled) |
| TelegramAPI | (disabled) |
| TelegramID | (disabled) |
| DiscordCheckBox | 0 (disabled) |
| DiscordWebhook | (disabled) |
| SmtpCheckBox | 1 (ENABLED) |
| SmtpServer | mail.kluangstation.com.my |
| SmtpSender | christy@kluangstation.com.my |
| SmtpPassword | [REDACTED] |
| SmtpPort | 587 |
| SmtpReceiver | ike@graceishere.tech |
| CbEnableSsl | 0 |
| FtpCheckBox | 0 (disabled) |
| Debug | 0 |
| AntiAnalysis | 0 |
| Startup | 0 |
| Keylogger | 0 |
| Melt | 0 |
| Screenshot | 0 |
| ChromiumBrowser | 1 (ENABLED) |
| GeckoBrowser | 1 (ENABLED) |
| BrowserWallets | 1 (ENABLED) |
| OutlookDesktopApp | 1 (ENABLED) |
| FoxMailApp | 1 (ENABLED) |
| ClipperCheckBox | 1 (ENABLED) |
| Mutex | ZK5BJ6U4KNLQT3D9UGJZ |
Exfiltration is conducted exclusively via SMTP (port 587) using a compromised sender account at kluangstation.com.my (a legitimate Malaysian F&B company). Stolen data is sent to the operator at ike@graceishere.tech. Because `CbEnableSsl` is 0, the .NET SmtpClient does not negotiate STARTTLS, so unless the relay refuses unencrypted authentication the SMTP AUTH exchange, the message body and any attachments travel in cleartext on port 587, where network inspection can see the sender, the recipient and the stolen data.
Crypto Clipper Addresses
The clipper module monitors clipboard content and replaces any detected cryptocurrency address with the following attacker-controlled addresses:
| Coin | Attacker Address |
|---|---|
| BTC | bc1q52ne8v7nmmux94qcrp5784ffsdp4l56f2gwr58 |
| ETH | 0xc4227FB9c3520a05C25CCB418b9695D089dFa4EB |
| LTC | MHdD3GCdkapnqM3jmdt9h8neztaB6AdSX5 |
| BCH | qpaznatrx7wyd8puvqy23pljjyengfkfp5m4pftq6l |
| TRX | TCR3uv8Diot4AdUNDcJKswBmNKFdRDWBfo |
| SOL | zm46pAFBTDqJYVXQNR1AmwtjHd54MGBMh4F4Cct42tY |
Stealer Targets and Capabilities
Browser Data
- Chromium-based: Chrome, Edge, Opera, Brave, Nichrome, and all Chromium variants
- Gecko-based: Firefox and all Gecko variants
- Data stolen: Saved passwords, cookies, credit card data, autofill entries
Cryptocurrency Wallets (Desktop Applications)
MetaMask, Exodus (exodus.wallet), Electrum, Ethereum keystore, AtomicWallet, WalletWasabi, ElectronCash, Sparrow, Coinomi, TrustWallet, Bitcoin Core, Armory, Jaxx
Cryptocurrency Wallets (Browser Extensions — 66 extensions)
Notable targets include:
- MetaMask: `nkbihfbeogaeaoehlefnkodbefgpgknn`
- Phantom/Solana: `aodkkagnadcbobfpggfnjeongemjbjca`
- Coinbase: `fhbohimaelbohpjbbldcngcnapndodjp`
- Trust Wallet: `fihkakfobkmkjojpchpfgcmhfjnmnfpi`
- Binance: `bhghoamapcdpbohphigoooaddinpkbai`
- OKX: `aholpfdialjgjfhomihkjbmgjidlcdno`
- Keplr: `agoakfejjabomempkjlepdflaleeobhb`
The stealer matches on the extension ID (the directory name under the browser profile's Local Extension Settings), not on the product name. Verify each ID against the Chrome Web Store before reusing the name in detections or reporting; several of the names above do not match the store listing for that ID.
Email Clients
- Microsoft Outlook (desktop app)
- FoxMail
- WinSCP sessions (credentials)
Messaging / Communication
- Discord: Token theft from Discord, DiscordCanary, DiscordPTB, DiscordDevelopment
- Telegram: App data theft from Telegram installation
FTP
- FileZilla: FTP credentials
Network
- Wi-Fi saved network passwords
File Grabber
- Documents: pdf, rtf, doc, docx, xls, xlsx, ppt, pptx, txt
- Databases: db, kdbx, sql, wallet
- Source Code: cs, py, js, php, cpp
- Images: jpg, png, bmp
Additional Modules
- Clipboard Monitoring: Captures clipboard text in real time
- Keylogger: Hook-based (`WH_KEYBOARD_LL` low-level keyboard hook), logs to file; disabled in this build's configuration (`Keylogger` = 0)
- Screenshot: Module present but disabled in this build's configuration
Anti-Analysis and Evasion Techniques
`AntiAnalysis` is 0 in the decrypted configuration, so the sandbox, VM and process checks below are present in the binary but not active in this build; `Melt` and `Startup` are likewise disabled. They are listed because the builder exposes them as options and other builds can enable them.
Sandbox / VM Detection
- Checks against 100+ known sandbox usernames: John Doe, Harry Johnson, HAPUBWS, AppOnFlySupport, and others
- Known VM machine name patterns: ACEPC, ALENMOOS-PC, APPONFLY-VPS, WIN-, WINZDS- series
- GPU inspection for virtualization indicators (`Stub.AntiAnalysis`)
Process-Based Evasion
- Kills wscript.exe/cscript.exe at Stage 1 to prevent script debugging
- Checks for analysis tools: Sysmon64.exe, VmRemoteGuest.exe, and others (`Stub.SuspiciousProcess`)
Injection Technique
- HeavensGate: WOW64 Heaven's Gate technique for x86→x64 transitions (`Stub.HeavensGate` class)
- Process Hollowing: Injects into `Aspnet_compiler.exe`, a legitimate Microsoft .NET tool (`DEV.DOWN.SHOOT`)
Persistence / Self-Preservation
- Mutex: `ZK5BJ6U4KNLQT3D9UGJZ` prevents multiple simultaneous executions
- Self-Deletion: `Stub.Melt` and `Stub.SelfDestruct` classes remove the executable post-execution (`Melt` is 0 in this configuration)
- Startup Persistence: Module present but disabled in this configuration (`Stub.Startup`)
- Execution Delay: `Stub.StartDelay` introduces timing delays to evade behavioral sandboxes
Encryption / Obfuscation
- Stage 1: String array obfuscation with runtime index decoder
- Stage 1→2: Base64 encoding
- Stage 2→3: Rotational XOR decryption
- Stage 4 Config: AES-256-CBC with PBKDF2-derived key
Network Infrastructure
| Host | IP | Country | ASN | Provider | Role |
|---|---|---|---|---|---|
| phantomsoftwares.site | 199.188.201.183 | US (Phoenix, AZ) | AS22612 | Namecheap | MaaS panel / branding site |
| mail.kluangstation.com.my | 211.25.114.131 | Malaysia | AS9930 | TTNET-MY | SMTP relay (COMPROMISED) |
| graceishere.tech | 184.94.213.213 | US | AS22612 | Namecheap | SMTP exfil receiver |
Infrastructure Relationships
- `phantomsoftwares.site` and `graceishere.tech` both resolve to Namecheap ASN 22612, indicating shared or co-located hosting.
- Both domains use `jellyfish.systems` MX servers, consistent with the same hosting provider.
- `graceishere.tech` was registered 2026-02-01 via Namecheap; `phantomsoftwares.site` was registered 2025-02-13. The newer receiver domain was registered approximately one year after the MaaS panel domain.
- `184.94.213.213` (graceishere.tech) runs cPanel (port 2082), Exim SMTP 4.99.1, and LiteSpeed HTTP, consistent with shared web hosting.
- `kluangstation.com.my` is a legitimate Malaysian F&B company (Kluang Station F&B Sdn Bhd, registered 2012). Its SMTP credentials were compromised, likely via a prior credential theft, and are being abused as a relay to evade email reputation filtering.
- Registrant privacy for `phantomsoftwares.site` is provided by WithheldForPrivacy (Reykjavik, Iceland). Abuse contact: abuse@namecheap.com.
A shared registrar, hosting ASN and MX provider is weak linkage on its own: Namecheap shared hosting and its mail infrastructure serve a very large number of unrelated customers. It should not be read as evidence that the receiver domain is run by the MaaS vendor rather than by a customer; the attribution below keeps those two roles separate.
Attribution
| Attribute | Value |
|---|---|
| Malware Family | PhantomStealer v3.5.0 |
| Threat Actor Type | MaaS operator |
| Operator Email | ike@graceishere.tech |
| Telegram Channel | t.me/Oldphantomoftheopera |
| MaaS Panel | phantomsoftwares.site/home |
| Registrar | Namecheap (namecheap.com) |
| Registrant Privacy | WithheldForPrivacy, Reykjavik, Iceland |
| Confidence Level | HIGH |
The actor operates PhantomStealer as a commercial service, advertising capabilities and selling builder licenses via Telegram. The branding Oldphantomoftheopera on Telegram and the domain phantomsoftwares.site are consistent marketing identifiers. The specific operator deploying this sample receives stolen data at ike@graceishere.tech using a compromised legitimate SMTP relay to bypass email security controls.
Related Samples
These samples share network infrastructure with phantomsoftwares.site:
| SHA256 (prefix) | Filename | VT Detections |
|---|---|---|
| 897b9a8f... | chrome_logs.exe | 47/76 |
| 2c47c0a6... | vVHu.exe | 56/76 |
| 2cb41cfd... | stub.exe | 55/76 |
| 38489d54... | stub.exe | 55/76 |
| 4874e89c... | YjdsOS.exe | 57/76 |
| 2869bd18... | stub.exe | 54/76 |
MITRE ATT&CK Mapping
| Technique Name | ID | Stage | Description |
|---|---|---|---|
| Command and Scripting Interpreter: JavaScript | T1059.007 | Stage 1 | JScript dropper executed via WSH/WScript |
| Command and Scripting Interpreter: PowerShell | T1059.001 | Stage 1-3 | Multi-stage PowerShell execution chain |
| Process Injection: Process Hollowing | T1055.012 | Stage 3 | Hollow Aspnet_compiler.exe with stealer payload |
| Deobfuscate/Decode Files or Information | T1140 | Stage 1-3 | Base64 and rotational XOR decryption chain |
| Obfuscated Files or Information | T1027 | Stage 1 | String array obfuscation in JScript |
| Encrypted/Encoded File | T1027.013 | Stage 4 | AES-256-CBC config encryption |
| Virtualization/Sandbox Evasion | T1497 | Stage 4 | Username, hostname, and GPU environment checks |
| Credentials from Web Browsers | T1555.003 | Stage 4 | Chromium and Gecko credential recovery |
| Steal Web Session Cookie | T1539 | Stage 4 | Browser cookie theft |
| Clipboard Data | T1115 | Stage 4 | Clipboard content monitoring |
| Clipboard Modification (Mobile matrix; no Enterprise sub-technique) | T1510 | Stage 4 | Cryptocurrency address replacement in clipboard |
| Email Collection: Local Email Collection | T1114.001 | Stage 4 | Outlook desktop data extraction |
| Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | T1048.003 | Stage 4 | SMTP-based data exfiltration; CbEnableSsl is 0, so the session is not TLS-protected |
| Data from Local System | T1005 | Stage 4 | File grabbing across document/image/code types |
| System Information Discovery | T1082 | Stage 4 | SystemInfo collection |
| File and Directory Discovery | T1083 | Stage 4 | Wallet and credential file search |
| Query Registry | T1012 | Stage 4 | Wallet and credential registry queries |
| System Network Configuration Discovery | T1016 | Stage 4 | Wi-Fi saved password extraction |
| Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | T1547.001 | Stage 4 | Startup persistence (module present, disabled) |
| Masquerading | T1036 | Stage 3 | Disguise stealer as Aspnet_compiler process |
Complete IOC Tables
File Hashes
| Type | Hash | Description |
|---|---|---|
| SHA256 | 600436ca333df4abf42cc05b5c6307871782412f47ad92763d17a6228c528f62 | Invoice 10225.js (Stage 1 dropper) |
| MD5 | fa457a24c1170f9f39f3c07b624d31dc | Invoice 10225.js (Stage 1 dropper) |
| SHA1 | fff3032dab0b18873f61d032b591291816610d5f | Invoice 10225.js (Stage 1 dropper) |
| SHA256 | 195e3d859d8fa9d0c12cd38beef8898e307b71422c8a18c2c3648f5f0220b447 | DEV.DOWN injector DLL (Stage 3) |
| SHA256 | 7df24c505edbfd1bdee879f8fc12e7b67590755513f28cadadcfd173da07d14d | PhantomStealer stub.exe (Stage 4) |
Domains
| Domain | Role | Status |
|---|---|---|
| phantomsoftwares.site | MaaS panel / branding | MALICIOUS |
| graceishere.tech | SMTP exfil receiver | MALICIOUS |
| mail.kluangstation.com.my | SMTP relay | COMPROMISED (legitimate) |
| kluangstation.com.my | Victim organization | COMPROMISED (legitimate) |
IP Addresses
| IP | Domain | Country | ASN | Role |
|---|---|---|---|---|
| 199.188.201.183 | phantomsoftwares.site | US | AS22612 | MaaS panel |
| 211.25.114.131 | mail.kluangstation.com.my | Malaysia | AS9930 | Compromised SMTP relay |
| 184.94.213.213 | graceishere.tech | US | AS22612 | SMTP exfil receiver |
Email Addresses
| Address | Role |
|---|---|
| christy@kluangstation.com.my | Compromised SMTP sender |
| ike@graceishere.tech | Operator exfil receiver |
| abuse@namecheap.com | Registrar abuse contact |
Mutex
| Value | Purpose |
|---|---|
| ZK5BJ6U4KNLQT3D9UGJZ | PhantomStealer single-instance enforcement |
Cryptocurrency Attacker Addresses
| Coin | Address |
|---|---|
| BTC | bc1q52ne8v7nmmux94qcrp5784ffsdp4l56f2gwr58 |
| ETH | 0xc4227FB9c3520a05C25CCB418b9695D089dFa4EB |
| LTC | MHdD3GCdkapnqM3jmdt9h8neztaB6AdSX5 |
| BCH | qpaznatrx7wyd8puvqy23pljjyengfkfp5m4pftq6l |
| TRX | TCR3uv8Diot4AdUNDcJKswBmNKFdRDWBfo |
| SOL | zm46pAFBTDqJYVXQNR1AmwtjHd54MGBMh4F4Cct42tY |
Encryption Artifacts
| Artifact | Value |
|---|---|
| XOR Key (base64) | mIcZ61jiyqn98yfLCi8V42f8L6XGoO9PdIMbwPIfyZs= |
| XOR Key (hex) | 988719eb58e2caa9fdf327cb0a2f15e367fc2fa5c6a0ef4f74831bc0f21fc99b |
| AES-256 Derived Key | 475f6e68e30d296766cc730b6c882653a5eb9a04031812ff0426d081f1fc86bd |
| AES-256 Derived IV | 54f5712a1b6304a9bce604684434bc81 |
Campaign Context
This sample represents a typical MaaS deployment pattern: an operator purchases or subscribes to the PhantomStealer builder, configures their exfiltration endpoint and stealer targets, and distributes via invoice-themed lures (common in phishing campaigns targeting business users). The use of a compromised legitimate Malaysian SMTP server (kluangstation.com.my) is a deliberate choice to abuse the reputation of a real business domain to bypass spam and phishing filters.
The four-stage infection chain — JScript → PowerShell decryptor → .NET process hollowing loader → stealer — is designed to maximize evasion at each layer: JScript bypasses email attachment filters, PowerShell evades script-based signatures, process hollowing defeats process-based detections, and the final stealer uses anti-analysis checks to avoid sandbox detonation.
The enabled features (Chromium, Gecko, browser wallets, Outlook, FoxMail, clipboard hijacking) suggest the operator is primarily targeting credential and cryptocurrency theft. The relatively low base price of MaaS subscriptions means this infrastructure may be serving multiple operators simultaneously; other deployed samples (chrome_logs.exe, vVHu.exe, multiple stub.exe variants) sharing the phantomsoftwares.site infrastructure suggest active multi-operator deployment.
Recommended Actions:
- Block all IOCs at the network perimeter (domains, IPs, SMTP sender). Outbound SMTP (25/465/587) from endpoints to external relays is itself a strong signal and can be denied for hosts that are not mail servers.
- Alert on process hollowing into `Aspnet_compiler.exe`: a script host such as `powershell.exe` spawning it with no arguments, or the process making outbound network connections.
- Notify `kluangstation.com.my` of the credential compromise.
- Submit an abuse report to Namecheap for `phantomsoftwares.site` and `graceishere.tech`.
- Hunt for mutex `ZK5BJ6U4KNLQT3D9UGJZ` across endpoint telemetry.
- Hunt for `DEV.DOWN` assembly loads in .NET telemetry.
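The two endpoint hunts above (hollowing into `Aspnet_compiler.exe`, and the hollowed process talking SMTP) can be expressed as rules over process-creation and network-connection events. The following is an added example, not from the report or any vendor: the events are constructed, simplified Sysmon-style records (Event ID 1 process creation, Event ID 3 network connection) using Sysmon's field names (`Image`, `ParentImage`, `CommandLine`, `ProcessId`, `DestinationIp`, `DestinationPort`); rule names, severities and the script-host list are the example's own. The mutex and the in-memory `DEV.DOWN` load are not visible in these two event types and belong to .NET/ETW telemetry.

```python
"""Hunting rules for the Stage 3 loader and Stage 4 exfil (added example, constructed events)."""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

HOLLOW_TARGET = "aspnet_compiler.exe"
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SMTP_PORTS = {25, 465, 587}
EXFIL_RELAY_IP = "211.25.114.131"      # mail.kluangstation.com.my, from the report

Event = Dict[str, object]
Hit = Tuple[str, str]                  # (rule name, severity)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def has_arguments(command_line: str) -> bool:
    """True when anything follows the image path. A genuine Aspnet_compiler run
    carries switches (-v, -p, ...); the Stage 3 loader starts it bare."""
    return len(command_line.replace('"', "").split()) > 1


def rule_aspnet_compiler_spawn(ev: Event) -> Optional[Hit]:
    """EID 1: Aspnet_compiler.exe started by a script host, or with no arguments."""
    if ev["EventID"] != 1 or basename(ev["Image"]) != HOLLOW_TARGET:
        return None
    if basename(ev["ParentImage"]) in SCRIPT_HOSTS:
        return ("aspnet_compiler_from_script_host", "high")
    if not has_arguments(ev["CommandLine"]):
        return ("aspnet_compiler_without_arguments", "medium")
    return None


def rule_aspnet_compiler_smtp(ev: Event) -> Optional[Hit]:
    """EID 3: a compiler has no reason to speak SMTP or to reach the known relay."""
    if ev["EventID"] != 3 or basename(ev["Image"]) != HOLLOW_TARGET:
        return None
    if ev["DestinationPort"] in SMTP_PORTS or ev["DestinationIp"] == EXFIL_RELAY_IP:
        return ("aspnet_compiler_smtp_connection", "high")
    return None


RULES = (rule_aspnet_compiler_spawn, rule_aspnet_compiler_smtp)


def run_rules(events: List[Event]) -> List[Tuple[int, str, str]]:
    """(ProcessId, rule, severity) for every event a rule fires on."""
    hits = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                hits.append((ev["ProcessId"], hit[0], hit[1]))
    return hits


def correlate(events: List[Event]) -> Set[int]:
    """ProcessIds that both started suspiciously and then spoke SMTP: the hollowed process end to end."""
    seen = defaultdict(set)
    for pid, rule, _ in run_rules(events):
        seen[pid].add(rule)
    return {pid for pid, rules in seen.items()
            if "aspnet_compiler_smtp_connection" in rules and len(rules) > 1}


NET = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"
EVENTS: List[Event] = [   # constructed telemetry, not from the report
    {"EventID": 1, "ProcessId": 4120, "Image": NET + "Aspnet_compiler.exe",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": '"' + NET + 'Aspnet_compiler.exe"'},                      # loader pattern
    {"EventID": 1, "ProcessId": 5004, "Image": NET + "Aspnet_compiler.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Visual Studio\\2022\\MSBuild\\Current\\Bin\\MSBuild.exe",
     "CommandLine": NET + "aspnet_compiler.exe -v / -p C:\\src\\site C:\\out"},   # benign build
    {"EventID": 3, "ProcessId": 4120, "Image": NET + "Aspnet_compiler.exe",
     "DestinationIp": EXFIL_RELAY_IP, "DestinationPort": 587},                 # exfil
    {"EventID": 3, "ProcessId": 5004, "Image": NET + "Aspnet_compiler.exe",
     "DestinationIp": "10.0.0.25", "DestinationPort": 445},                    # file share, benign
    {"EventID": 3, "ProcessId": 7711, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "DestinationIp": "203.0.113.10", "DestinationPort": 587},                 # real mail client
]

if __name__ == "__main__":
    for hit in run_rules(EVENTS):
        print(hit)
    print("hollowed and exfiltrating:", correlate(EVENTS))
```

The spawn rule alone will fire on build servers that invoke the compiler from scripts, so the correlation with an SMTP connection from the same `ProcessId` is what makes the alert actionable; the `DEV.DOWN` assembly load, if the EDR exposes .NET AssemblyLoad events, can be added as a third rule on the same process.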