
PhantomVAI Loader: Steganography-Driven Infostealer Delivery Campaign Targets Critical Sectors

October 28th, 2025

Severity: High

Our Cyber Threat Intelligence Unit is monitoring an active campaign involving PhantomVAI Loader, a multi-stage .NET malware distributed via phishing emails and linked to malware-as-a-service (MaaS) offerings on underground forums. This campaign affects numerous industries, including government, healthcare, technology, education, manufacturing, and utilities. The loader delivers credential- and data-stealing payloads, including Katz Stealer, AsyncRAT, XWorm, FormBook, and DCRat. Attackers lure users with archived JavaScript or VBS attachments themed around sales, payments, and legal notices. Once executed, these scripts decode Base64-encoded PowerShell that fetches an image file with the loader embedded via steganography. PhantomVAI Loader then performs sandbox detection, establishes persistence, and injects into legitimate processes, allowing the final payloads to execute stealthily.

Technical Details

  • Attack Vector: Phishing with obfuscated script attachments.

  • Severity: High.

  • Components Affected: Windows OS / Email Security Controls.

  • Attack Chain:

    • Phishing email containing a ZIP archive with JS/VBS scripts.

    • Scripts use Unicode/mathematical substitutions to evade email filtering.

    • Scripts decrypt/execute Base64-encoded PowerShell.

    • PowerShell downloads an image/GIF carrying a hidden DLL payload encoded between markers such as <<sudo_png>> and <<sudo_odt>>.

    • A decoder extracts and loads PhantomVAI Loader (a .NET/C# assembly).

    • Loader retrieves and injects the final payload into legitimate processes such as MSBuild.exe using process hollowing.

  • Defense Evasion:

    • VM/sandbox checks; terminates execution if detected.

    • Persistence via Registry Run key and Scheduled Tasks.

  • Payloads Observed: Katz Stealer, AsyncRAT, XWorm, FormBook, DCRat (the loader was initially known as Katz Stealer Loader).
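An added triage helper, not code from the original advisory, for the image stage of the chain above: it carves whatever sits between the <<sudo_png>> and <<sudo_odt>> markers in a downloaded image and reports whether that blob is Base64 that decodes to a PE (an MZ header). The GIF bytes and the fake DLL are constructed for the example.

```python
import base64
import binascii
import re

# Markers the advisory reports around the hidden loader inside the downloaded image.
START_MARKER = b"<<sudo_png>>"
END_MARKER = b"<<sudo_odt>>"
# Base64 alphabet plus whitespace, since stagers often line-wrap the blob.
_B64_BODY = re.compile(rb"^[A-Za-z0-9+/=\s]+$")


def find_embedded_payloads(data: bytes) -> list[dict]:
    """Locate every marker-delimited blob in an image and classify what it decodes to."""
    findings, pos = [], 0
    while True:
        start = data.find(START_MARKER, pos)
        if start == -1:
            break
        end = data.find(END_MARKER, start + len(START_MARKER))
        if end == -1:
            break  # opening marker without a closing one: nothing to carve
        body = data[start + len(START_MARKER):end]
        record = {"offset": start, "length": len(body), "is_base64": False, "is_pe": False}
        if _B64_BODY.match(body):
            try:
                decoded = base64.b64decode(b"".join(body.split()), validate=True)
                record.update(is_base64=True, is_pe=decoded[:2] == b"MZ", decoded_size=len(decoded))
            except (ValueError, binascii.Error):
                pass  # alphabet looked right but padding/length was not: treat as opaque data
        findings.append(record)
        pos = end + len(END_MARKER)
    return findings


def verdict(data: bytes) -> str:
    """Collapse the findings into one triage label for a downloaded image."""
    hits = find_embedded_payloads(data)
    if any(h["is_pe"] for h in hits):
        return "malicious: marker-delimited PE payload"
    if hits:
        return "suspicious: marker-delimited data, not a PE"
    return "clean"


# Constructed sample: a GIF header, then a fake 'MZ' blob wrapped in the markers.
FAKE_DLL = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 26
SAMPLE_IMAGE = b"GIF89a" + b"\x00" * 32 + START_MARKER + base64.b64encode(FAKE_DLL) + END_MARKER + b"\x00" * 16
```

Running `verdict()` over files fetched by PowerShell from unfamiliar domains gives a quick first pass before handing a carved blob to sandboxing.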


Impact

  • Unauthorized access to sensitive data and credentials.

  • Persistent compromise of Windows systems.

  • Abuse of trusted OS processes, reducing visibility in EDR/AV.

  • Operational disruptions in high-value sectors.

  • Potential regulatory consequences and reputational damage.

Detection Method

  • Email & Initial Access:

    • Block execution of JS/VBS from email sources by default.

    • Alert on ZIP attachments containing script files.

    • Detect Unicode homoglyph/substitution patterns in filenames and MIME types.

  • Host-based Indicators:

    • Monitor for Base64-encoded PowerShell execution.

    • Observe MSBuild.exe, Regsvr32.exe, or InstallUtil.exe spawning unexpectedly.

    • Hunt for creation of Scheduled Tasks or Run key persistence.

    • Alert on VM/sandbox-detection API calls made by unknown processes.

  • Network Indicators:

    • Anomalous downloads of image/GIF files from unfamiliar domains.

    • Payload extraction markers such as <<sudo_png>> / <<sudo_odt>> inside downloaded image files.

    • Block communications to known C2 infrastructure associated with PhantomVAI campaigns.

Indicators of Compromise

  • PhantomVAI Loader hashes (SHA-256): loader samples observed in PhantomVAI campaigns.

  • Katz Stealer hashes (SHA-256): Katz Stealer payloads frequently delivered by PhantomVAI Loader.

Recommendations

  • Enforce attachment-handling policies to disable script execution from email.

  • Deploy advanced threat detection with behavioral analysis of MSBuild/PowerShell usage.

  • Strengthen network segmentation to reduce lateral movement risk.

  • Maintain aggressive phishing awareness training.

  • Isolate and investigate any host exhibiting IOCs or unusual behavior.

  • Continuously update security controls and threat intelligence feeds.

Conclusion

PhantomVAI Loader functions as a flexible, monetized distribution channel for various high-risk infostealers. The use of obfuscated scripts, steganography, and process injection techniques provides adversaries with a strong, stealthy foothold, allowing them to bypass traditional controls. We urge organizations to proactively strengthen email defenses, implement script-execution policies, and enhance behavioral visibility across endpoints to reduce the risk of exploitation.
