{
	"id": "315afee7-0429-47be-a847-470ef778f9b1",
	"created_at": "2026-04-06T00:07:13.770888Z",
	"updated_at": "2026-04-10T13:12:11.51751Z",
	"deleted_at": null,
	"sha1_hash": "668a50acf47d3737dcdc541041160ae3b4d2a720",
	"title": "PhantomControl returns with Ande Loader and SwaetRAT",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 13481965,
	"plain_text": "PhantomControl returns with Ande Loader and SwaetRAT\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 14:12:06 UTC\r\nAdversaries don’t work 9-5 and neither do we. At eSentire, our 24/7 SOCs are staffed with Elite Threat Hunters and Cyber Analysts who hunt, investigate, contain and respond to threats within minutes.\r\nWe have discovered some of the most dangerous threats and nation state attacks in our space – including the Kaseya MSP breach and the more_eggs malware.\r\nOur Security Operations Centers are supported with Threat Intelligence, Tactical Threat Response and Advanced Threat Analytics driven by our Threat Response Unit – the TRU team.\r\nIn TRU Positives, eSentire’s Threat Response Unit (TRU) provides a summary of a recent threat investigation. We outline how we responded to the confirmed threat and what recommendations we have going forward.\r\nHere’s the latest from our TRU Team…\r\nIn November 2023, eSentire’s Threat Response Unit observed an incident involving the PhantomControl threat actor(s). Based on the logs, we assess with high confidence that the initial infection vector was a phishing email.\r\nThe user was redirected from receipt-view.blogspot[.]com to a malicious website serving a ScreenConnect client.\r\nTracing the download source, we found a compromised website hosting a malicious ScreenConnect client (MD5: 412e11d3ff7659c7d05194cc5e0e1f32), as shown in Figures 1-2.\r\nFigure 1: Compromised website serving malicious ScreenConnect client (1)\r\nhttps://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat\r\nPage 1 of 14\r\nFigure 2: Opendir: compromised website serving malicious ScreenConnect client (2)\r\nUpon running the ScreenConnect client, the infected machine established a connection to legal-advocate.screenconnect[.]com, which is a ScreenConnect instance controlled by the threat actor. The instance domain resolves to 147.75.81[.]214, which was previously observed in use by PhantomControl threat actor(s).\r\nApproximately 9 minutes after launching ScreenConnect, the threat actor(s) dropped the file File_Vbs.vbs (MD5: 91570b30470e0375c62972a268fcaee7) under Documents\\ConnectWiseControl\\Temp\\.\r\nAnde Loader Analysis\r\nThe VBS script contains garbage strings that conceal the malicious code. Upon cleaning up the script, we see a reference to the paste[.]ee domain, as shown in Figure 3.\r\nThe VBS script sends an HTTP GET request to the URL, then checks whether the response status is 200. If it is, the script stores the response text in a variable named “response” and executes the content of that variable using the Execute statement.\r\nFigure 3: Reference to paste[.]ee domain\r\nThe VBS script retrieved from paste[.]ee contained garbled data and reversed strings. After some cleanup, it transformed into a reversed, base64-encoded, obfuscated PowerShell snippet (Figure 4).\r\nFigure 4: Snippet of the script retrieved from paste[.]ee and the cleaned-up PowerShell script\r\nFurther deobfuscating the PowerShell script (Figure 5), we can break down what the script does:\r\n1. The script sets the URL of an image, creates a WebClient object, and downloads the data from the URL as a byte array.\r\n2. The byte array of the image is converted into a UTF-8 encoded string.\r\n3. The script looks for specific start and end flags in the converted text, indicating the presence of Base64-encoded content.\r\n4. The decoded bytes are loaded as a .NET assembly.\r\n5. The script retrieves a type named Fiber.Home from the loaded assembly. It then invokes a method named VAI on this type, passing several parameters to it.\r\nFigure 5: Deobfuscated PowerShell script\r\nUpon retrieving the base64-encoded data from the downloaded image (Figure 6), we obtain the .NET binary payload, which we dubbed Ande Loader (MD5: 92fc4d4a1f6cad69ab11484e74815b50) based on the method name used in the previous loaders (MD5: 48b6064beec687fc110145cf7a19640d). The Yara rule for Ande Loader can be accessed here.\r\nWe have observed Ande Loader used previously by the Blind Eagle threat actors, specifically focused on delivering RATs to Latin American countries.\r\nFigure 6: Content of the retrieved image\r\nFrom Ande Loader, we can see that 7 parameters are passed to the method VAI (Figure 7).\r\nFigure 7: Parameters passed to \"VAI\" method\r\nThe first parameter contains a link to another paste[.]ee page, which contains a reversed base64-encoded blob (Figure 8).\r\nFigure 8: Reversed base64-encoded blob\r\nThe decoded blob is the core payload, which we dubbed SwaetRAT based on the group name/ID (Figure 18). The core payload is injected into RegAsm.exe via process hollowing (T1055.012) by the Fiber.Class1 class, as shown in Figure 9.\r\nFigure 9: Injection of the core payload via process hollowing\r\nThe second parameter is null, which means no AntiVM option was enabled. The AntiVM feature would check for processes that contain “vmtoolsd” or “VBoxService” (Figure 10).\r\nFigure 10: AntiVM feature\r\nThe third parameter is “2”, which makes the binary check, via a switch-case structure, for the presence of the initial VBS payload named “VbsName” under the C:\\ProgramData folder on the infected machine. If the file doesn’t exist, it proceeds to create persistence via the Startup folder (T1547.001) with a shortcut file named “LnkName”, as shown in Figure 11.\r\nFigure 11: Creating persistence via Startup\r\nSwaetRAT Analysis\r\nSwaetRAT (MD5: d6d29037517bb1d8202efbf39534df7a) is a 32-bit RAT written in .NET. Like other RATs, SwaetRAT has keylogging capabilities. The logged keystrokes are saved to the file %TEMP%/Log.tmp (Figure 12).\r\nFigure 12: Keylogging feature\r\nThe RAT enters an infinite loop, pausing 2 seconds per iteration, and looks for mentions of Paypal and Binance in the Log.tmp file; if found, it appends “Banking Found: ” and sends the data to the C2 (Figure 13).\r\nFigure 13: Looking for specific strings in the Log.tmp file\r\nWithin the Info method, the RAT collects system information (Figure 14). It constructs this string by concatenating several pieces of data, separated by a delimiter defined in Settings.Splitter, which is “\u003cRemote\u003e”.\r\nThe information includes:\r\n- A fixed string “info”.\r\n- The unique ID of the system. We will talk about the ID generation algorithm later in the article.\r\n- The current user’s username (Environment.UserName).\r\n- Information about the operating system.\r\n- Whether the operating system is 32-bit or 64-bit, determined by Environment.Is64BitOperatingSystem.\r\n- Antivirus information obtained from a method call to Helper.Antivirus().\r\n- A group identifier or categorization from Settings.Group (“SWAET_NOVEMBER”).\r\n- The result of a User Account Control (UAC) status check from Helper.UAC(), indicating whether the current user has administrative privileges.\r\nThe UAC method checks if the current user has administrative privileges. It creates a WindowsPrincipal object for the current user (WindowsIdentity.GetCurrent()) and then checks whether this user is in the WindowsBuiltInRole.Administrator role. If the user has administrative privileges, it returns true; otherwise, false.\r\nFigure 14: Info method\r\nAn example of the traffic for SwaetRAT is shown in Figure 15.\r\nFigure 15: Traffic capture\r\nThe ID generation algorithm is as follows:\r\n- The Hash method collects various pieces of system information, including the number of processors, the current user's name, the machine name, the operating system version, and the total size of the system's primary drive.\r\n- The collected information is concatenated into a single string.\r\n- The concatenated string is passed to the GetHashT method, which uses the MD5 hashing algorithm to generate a hash value from this string.\r\n- The hash is converted into a hexadecimal string. This string is then truncated to the first 20 characters and converted to uppercase, forming the final ID.\r\nFigure 16: ID generation algorithm\r\nThe ReadPacket class (Figure 17) is responsible for parsing commands from the C2. It receives the data, which is converted to a string and split into parts using a delimiter. Based on the first element of the array (text), it determines what action to perform. Several commands are handled:\r\n- \"pong\": gets a \"pong\" response back from the server for “ping” messages. Possibly used for connection status checking.\r\n- \"Sendfile\": Executes the RunDisk method, which writes and executes a PowerShell file from received data.\r\n- \"Memory\": Executes the Memory method, which loads and executes an assembly from the given byte array in memory.\r\n- \"Web\": Downloads a file from a URL and executes it.\r\n- \"Close\": Disconnects the TCP socket and exits the application.\r\n- \"Restart\": Restarts the application.\r\n- \"Uninstall\": Uninstalls the RAT via a batch script.\r\n- \"$Cap\": Captures a screenshot and sends it back to the server in a base64-encoded and GZIP-compressed format.\r\n- \"RemoteDesktop\": Sends back the screen size information.\r\n- \"RD+\": Captures live screen data.\r\n- \"DeskDrop\": Writes a file to the desktop from received data that is base64-encoded and GZIP-compressed.\r\n- \"UAC\": Attempts to elevate privileges if not running as administrator.\r\n- \"OfflineGet\": Sends the content of a log file to the server.\r\nFigure 17: ReadPacket class\r\nSwaetRAT creates the mutex “qVnqcuDNS5fGFGb”, which is defined under the Settings class in the configuration (Figure 18). If the mutex already exists, the process exits.\r\nFigure 18: SwaetRAT configuration\r\nA Yara rule for SwaetRAT can be accessed here.\r\nWhat did we do?\r\nOur team of 24/7 SOC Cyber Analysts isolated the affected host and notified the client of the suspicious activity.\r\nWhat can you learn from this TRU Positive?\r\n- The use of ScreenConnect, a legitimate remote access tool, by the PhantomControl threat actors underscores the trend of threat actors leveraging legitimate software for malicious activities.\r\n- The final payload delivered by Ande Loader is dubbed SwaetRAT. The creation of persistence via the Startup folder and the use of process hollowing show how the RAT tries to maintain its presence on infected systems.\r\n- The RAT's capabilities include monitoring for specific keywords (like PayPal and Binance), exfiltrating the data, and retrieving additional payloads via various commands.\r\nRecommendations from our Threat Response Unit (TRU):\r\nProtecting against malware requires a multi-layered defense approach to defend endpoints from malware and detect or block unauthorized login activity against applications and remote access services. Therefore, we recommend:\r\n- Protect endpoints against malware:\r\n  - Ensure antivirus signatures are up-to-date.\r\n  - Use a Next-Gen AV (NGAV) or Endpoint Detection and Response (EDR) product to detect and contain threats.\r\n- Encourage good cybersecurity hygiene among your users through Phishing and Security Awareness Training (PSAT), including when downloading software from the Internet.\r\nIndicators Of Compromise\r\nName: Indicator\r\nInitial website serving as a redirector: receipt-view.blogspot[.]com\r\nCompromised URL: jewelrycleaningmachine[.]com\r\nScreenConnect: 412e11d3ff7659c7d05194cc5e0e1f32\r\nScreenConnect URL: legal-advocate.screenconnect[.]com\r\nScreenConnect IP: 147.75.81[.]214\r\nFile_Vbs.vbs: 91570b30470e0375c62972a268fcaee7\r\nAnde Loader: 92fc4d4a1f6cad69ab11484e74815b50\r\nSwaetRAT: d6d29037517bb1d8202efbf39534df7a\r\nSwaetRAT C2: dns-govv[.]ink\r\nURL hosting SwaetRAT binary: paste[.]ee/d/k7m1f/0\r\nURL hosting Ande Loader: uploaddeimagens.com[.]br/images/004/666/676/original/vbs.jpg?1700182879\r\nReferences\r\nhttps://www.esentire.com/blog/operation-phantomcontrol\r\nhttps://github.com/RussianPanda95/Yara-Rules/blob/main/AndeLoader/ande_loader.yar\r\nhttps://github.com/RussianPanda95/Yara-Rules/blob/main/SwaetRAT/swaetrat.yar\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.esentire.com/blog/phantomcontrol-returns-with-ande-loader-and-swaetrat"
	],
	"report_names": [
		"phantomcontrol-returns-with-ande-loader-and-swaetrat"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "45bb30d6-8cb3-4ac1-b85f-26e9abae6058",
			"created_at": "2024-01-09T02:00:04.185637Z",
			"updated_at": "2026-04-10T02:00:03.50568Z",
			"deleted_at": null,
			"main_name": "PhantomControl",
			"aliases": [],
			"source_name": "MISPGALAXY:PhantomControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434033,
	"ts_updated_at": 1775826731,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/668a50acf47d3737dcdc541041160ae3b4d2a720.pdf",
		"text": "https://archive.orkl.eu/668a50acf47d3737dcdc541041160ae3b4d2a720.txt",
		"img": "https://archive.orkl.eu/668a50acf47d3737dcdc541041160ae3b4d2a720.jpg"
	}
}