{
	"id": "e5123bba-e834-408d-969a-395542a710ef",
	"created_at": "2026-04-06T00:21:29.141685Z",
	"updated_at": "2026-04-10T13:11:35.55035Z",
	"deleted_at": null,
	"sha1_hash": "4a6b98a38b4fb3577aeba9e95e6446604499d190",
	"title": "PhantomVAI Loader Delivers a Range of Infostealers",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1910817,
	"plain_text": "PhantomVAI Loader Delivers a Range of Infostealers\r\nBy Tom Fakterman\r\nPublished: 2025-10-15 · Archived: 2026-04-05 14:06:59 UTC\r\nExecutive Summary\r\nUnit 42 researchers have been tracking phishing campaigns that use PhantomVAI Loader to deliver information-stealing malware through a multi-stage, evasive infection chain. Threat actors wage these campaigns to deliver\r\nobfuscated scripts and loaders that use steganography techniques to conceal payloads.\r\nThe loader initially used in these campaigns was dubbed Katz Stealer Loader, for the Katz Stealer malware that it\r\ndelivers. Hackers are selling this new infostealer on underground forums as malware as a service (MaaS).\r\nRecently, we observed that the loader now delivers additional infostealers, such as AsyncRAT, XWorm,\r\nFormBook and DCRat. Given this unique behavior, we now track the loader under a new name: PhantomVAI\r\nLoader. We chose the name because of the loader’s stealth and the VAI method it executes.\r\nThreat actors deploy PhantomVAI Loader in attacks worldwide, targeting organizations from a wide spectrum of\r\nindustries:\r\nManufacturing\r\nEducation\r\nUtilities\r\nTechnology\r\nHealthcare\r\nInformation\r\nGovernment\r\nWe explore each stage of the multi-layered infection chain, from the initial phishing email to the final deployment\r\nof the infostealer payload. We also outline the functionality of Katz Stealer specifically.\r\nPalo Alto Networks customers are better protected from this activity through the following products and services:\r\nAdvanced WildFire\r\nCortex XDR and XSIAM\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nBackground\r\nOn April 13, 2025, a user called katzadmin posted about a new infostealer named Katz Stealer. The user uploaded\r\nthese posts to the BreachForums underground forum, and later to the exploit[.]in and xss[.]is forums as well. 
Katz\r\nhttps://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/\r\nPage 1 of 10\n\nStealer is a type of MaaS that collects sensitive data from a variety of applications hosted on infected machines.\r\nWe observed threat actors delivering Katz Stealer through phishing emails containing obfuscated JavaScript or\r\nVBS code, PowerShell scripts and a .NET loader. Initially called Katz Stealer Loader — and also known as\r\nVMDetectLoader — this loader now delivers infostealers such as AsyncRAT, XWorm, FormBook and DCRat. We\r\ntrack this loader under a new name: PhantomVAI Loader.\r\nInfection Chain Analysis\r\nThe PhantomVAI Loader attack chain starts with an initial phishing operation and culminates in the deployment of\r\npayloads. Figure 1 summarizes the steps of this process.\r\nFigure 1. The PhantomVAI Loader attack chain.\r\nPhishing Emails\r\nThe infection chain starts with a phishing email that contains a malicious attachment. Figure 2 shows an example\r\nof one of the phishing emails.\r\nFigure 2. Phishing email. Source: VirusTotal.\r\nThe emails contain themes like sales, payments and legal actions to trick the targeted users into opening the\r\nmalicious attachment. Some of these emails incorporate homograph attacks, which involve replacing Latin\r\ncharacters in the email with other Unicode or math characters. Attackers use this technique to bypass email\r\ndefenses by disguising terms that email security mechanisms usually flag as suspicious.\r\nStage 1: JavaScript and VBS Scripts\r\nThe phishing email attachments are archived JavaScript or VBS files. Threat actors obfuscate these scripts in an\r\nattempt to bypass detections. Figure 3 shows an example of obfuscated JavaScript from one of these files.\r\nFigure 3. 
Obfuscated JavaScript.\r\nThe script embeds a Base64-encoded PowerShell script and executes it to download and deliver the next stage of\r\nthe infection.\r\nStage 2: PowerShell Script\r\nThe decoded PowerShell script downloads and loads the next stage of the infection. Figure 4 shows an example of\r\na decoded PowerShell script.\r\nFigure 4. PowerShell script used to download the next stages of the attack.\r\nThe PowerShell script downloads a GIF or other image file that conceals the loader payload. This technique is\r\nknown as steganography. In the infections that we observed, threat actors used this technique to embed text within\r\nthe image. The text is a Base64-encoded DLL file.\r\nNext, the script extracts the Base64 data by searching for specific strings that represent the start and end of the\r\nencoded text. In this case, the PowerShell script searches for all text between \u003c\u003csudo_png\u003e\u003e and \u003c\u003csudo_odt\u003e\u003e.\r\nThis text is an encoded DLL. In other cases, threat actors inserted the encoded text between different headers.\r\nFigure 5 shows an example of encoded text embedded in a GIF file using steganography.\r\nFigure 5. The start of encoded Base64 text embedded in a GIF file.\r\nAfter extracting the encoded text from the image or GIF file, the PowerShell script decodes the text and loads the\r\nDLL. The loaded DLL is the .NET loader payload that we call PhantomVAI Loader.\r\nThe PowerShell script invokes a method called VAI within PhantomVAI Loader and provides it with several\r\nparameters. 
The first parameter is a URL for the command and control (C2) server that hosts the final payload.\r\nStage 3: Executing PhantomVAI Loader\r\nPhantomVAI Loader is written in C#, and the VAI method has three main functionalities:\r\nRunning virtual machine checks\r\nEstablishing persistence\r\nRetrieving the final payload\r\nVirtual Machine Detection\r\nWhen PhantomVAI Loader is executed, it performs checks to determine whether it is running on a virtual\r\nmachine, as the code below shows. The VM detection portion of the code appears to be based on a GitHub project\r\nnamed VMDetector. If any of the checks return a true response, PhantomVAI Loader exits and stops executing.\r\nDetected as a virtual machine given key computer information.\r\nDetected as a virtual machine given bios information.\r\nDetected as a virtual machine given hard disk information.\r\nDetected as a virtual machine given PnP devices information.\r\nDetected as a virtual machine given Windows services information.\r\nEstablishing Persistence\r\nPhantomVAI Loader uses one or all of the following methods to create persistence:\r\nA scheduled task executes PowerShell commands to download a file from an attacker-controlled URL. The\r\ntask saves the file with a specific name and extension and then executes it.\r\nA scheduled task executes a script using wscript.exe. The path to this script is supplied as a command-line\r\nparameter.\r\nA Run registry key to execute a specific file. The file’s path is also provided as a command-line argument.\r\nRetrieving Payload and Injection\r\nPhantomVAI Loader downloads the payload from the URL specified as a command-line parameter in the Stage 2\r\nPowerShell script. It then injects this payload into a target process that is also defined by a command-line\r\nparameter, using the process hollowing technique. 
The loader injects the payload into a process located in one of\r\nthese four paths, depending on the command-line argument and the payload architecture:\r\nC:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\\r\nC:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\\r\nC:\\Windows\\System32\\\r\nC:\\Windows\\SysWOW64\\\r\nIn most of the cases observed at the time of writing this article, PhantomVAI Loader injected the payload into the\r\nMicrosoft Build Engine executable, MSBuild.exe. Figure 6 shows an example of such an injection, in the context\r\nof the infection chain.\r\nFigure 6. Infection chain that starts with the user opening an email using msedge.exe (Microsoft\r\nEdge browser) and ends with PhantomVAI Loader injecting the payload to MSBuild.exe.\r\nKatz Stealer: A New Malware-as-a-Service Stealer\r\nPhantomVAI Loader has evolved to deliver a number of infostealers. As Katz Stealer is the least well known and\r\ndocumented, we cover it in additional detail here.\r\nThreat actors use Katz Stealer to steal data from infected machines, such as:\r\nBrowser credentials\r\nBrowser data (such as cookies, history, login data)\r\nCryptocurrency wallets\r\nTelegram data\r\nDiscord data\r\nOperating system information\r\nSteam and game data\r\nVPN data\r\nFTP clients data\r\nCommunication and messaging applications data\r\nEmail clients data\r\nScreenshots\r\nClipboard data\r\nKatz Stealer also checks the machine’s language and compares it to a hardcoded list of country codes by using the\r\nfollowing APIs:\r\nGetKeyboardLayout\r\nGetLocaleInfoA\r\nGetSystemDefaultLangID\r\nThe country codes that Katz Stealer checks are all part of the Commonwealth of Independent States (CIS), as\r\nFigure 7 shows. If it finds a match, Katz Stealer stops executing. 
This language check and subsequent behavior\r\ncould provide a clue to the origin of the author of the malware.\r\nFigure 7. Code snippet showing the country codes that Katz Stealer checks.\r\nConclusion\r\nThis article highlights phishing campaigns that deliver PhantomVAI Loader, also known as Katz Stealer Loader.\r\nCombining social engineering via phishing emails, obfuscated scripts, steganography and a .NET loader, this\r\nmulti-stage infection chain demonstrates the lengths attackers go to in attempts to evade detection and bypass\r\ndefenses.\r\nOur research highlights how this loader has evolved in the cybercrime ecosystem. While threat actors initially\r\nused the loader solely to deliver Katz Stealer, recent observations show that the loader now distributes additional\r\nmalware strains, including AsyncRAT, XWorm, FormBook and DCRat.\r\nMaaS offerings like Katz Stealer are a pervasive threat that can significantly impact security and privacy by\r\nexposing sensitive data such as passwords, networking data, emails and files. Understanding the attack chains and\r\ntechniques that threat actors use to deliver these malicious payloads is vital to ensuring organizational security.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts and services:\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the indicators shared in this research.\r\nCortex XDR and XSIAM help prevent all the threats described above by employing the Malware\r\nPrevention Engine. 
This approach combines several layers of protection, including Advanced WildFire,\r\nBehavioral Threat Protection and the Local Analysis module, to prevent both known and unknown\r\nmalware from causing harm to endpoints.\r\nFigure 8 shows two examples of detection alerts that the emails in this campaign trigger in Cortex XDR.\r\nFigure 8. Detection of phishing emails that contain suspicious themes and homograph characters.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)\r\nUK: +44.20.3743.3660\r\nEurope and Middle East: +31.20.299.3130\r\nAsia: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nAustralia: +61.2.4062.7950\r\nIndia: 00080005045107\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSHA256 Hash for Archive Example\r\n02aa167e4bb41e3e40a75954f5a0bd5915f9a16fd6c21b544a557f2a7df3c89b\r\nSHA256 Hashes for JavaScript Examples\r\nSHA256 Hashes for PhantomVAI Loader\r\nSHA256 Hashes for Katz 
Stealer\r\nAdditional Resources\r\nDCRat Presence Growing in Latin America – IBM\r\nAsyncRAT Remote Access Tool – Malpedia\r\nXWorm Malware – Malpedia\r\nFormBook Malware – Malpedia\r\nDCRat Remote Access Tool – Malpedia\r\nMicrosoft Build Engine – Microsoft Learn\r\nObfuscated Files or Information: Steganography – MITRE\r\nProcess 
Injection: Process Hollowing – MITRE\r\nTrusted Developer Utilities Proxy Execution: MSBuild – MITRE\r\nVMDetector – robsonfelix on GitHub\r\nThe Ηоmоgraph Illusion: Not Everything Is As It Seems – Unit 42, Palo Alto Networks\r\nSource: https://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/phantomvai-loader-delivers-infostealers/"
	],
	"report_names": [
		"phantomvai-loader-delivers-infostealers"
	],
	"threat_actors": [],
	"ts_created_at": 1775434889,
	"ts_updated_at": 1775826695,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4a6b98a38b4fb3577aeba9e95e6446604499d190.pdf",
		"text": "https://archive.orkl.eu/4a6b98a38b4fb3577aeba9e95e6446604499d190.txt",
		"img": "https://archive.orkl.eu/4a6b98a38b4fb3577aeba9e95e6446604499d190.jpg"
	}
}