{
	"id": "e935e451-f204-44c8-859b-b95ff88ac4fc",
	"created_at": "2026-04-06T00:19:49.619285Z",
	"updated_at": "2026-04-10T03:35:20.385548Z",
	"deleted_at": null,
	"sha1_hash": "938aabb52699f20cfad73a9d7069a23e428e3084",
	"title": "eSentire vs. Phantom: Unveiling the Cyber Spook's Dance of Darkness",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1036292,
	"plain_text": "eSentire vs. Phantom: Unveiling the Cyber Spook's Dance of Darkness\r\nBy Ddos\r\nPublished: 2023-12-26 · Archived: 2026-04-05 17:57:43 UTC\r\nAn example of the traffic for the SwaetRAT | Image: eSentire\r\nIn the shadowy realms of cyber threats, a formidable entity known as PhantomControl has emerged, marking its presence with intricate and sophisticated cyberattacks. First observed by eSentire’s Threat Response Unit in November 2023, PhantomControl’s modus operandi is as stealthy as it is effective, utilizing phishing emails as its initial infection vector. The sinister dance begins with a malicious redirection to a compromised website, cleverly concealing a ScreenConnect client. This client, when run, establishes a connection to a controlled instance, laying the groundwork for the actor’s nefarious activities.\r\nThe ingenuity of PhantomControl doesn’t end there. Their arsenal includes a VBS script that fetches and executes content from an external domain, cleverly hiding its true intentions with garbled strings and reversed sequences. This script, once deobfuscated, reveals a complex mechanism involving PowerShell scripts, image-based data retrieval, and .NET binary payloads, aptly named Ande Loader.\r\nPhantomControl, a chameleon in the digital world, has previously been associated with the Blind Eagle threat actors, known for their focus on delivering RATs (Remote Access Trojans) to Latin American countries. This association underscores the threat actor’s versatility and reach.\r\nA deep dive into their toolkit unveils SwaetRAT, a potent 32-bit RAT developed in .NET, boasting capabilities like keylogging and system information harvesting. This RAT, constantly on the prowl for sensitive data, diligently records keystrokes and searches for specific strings, sending valuable information back to the command-and-control center.\r\nThe sophistication of PhantomControl lies not just in its attack vectors but in its ability to seamlessly blend into the digital environment. By creating mutexes for self-checks and employing intricate command parsing techniques, PhantomControl ensures its persistence and evasion from detection.\r\nAs cyber threats evolve, PhantomControl stands as a testament to the ever-increasing complexity and stealthiness of modern cyber adversaries, posing significant challenges to cybersecurity defenses worldwide.\r\nSource: https://securityonline.info/esentire-vs-phantom-unveiling-the-cyber-spooks-dance-of-darkness/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://securityonline.info/esentire-vs-phantom-unveiling-the-cyber-spooks-dance-of-darkness/"
	],
	"report_names": [
		"esentire-vs-phantom-unveiling-the-cyber-spooks-dance-of-darkness"
	],
	"threat_actors": [
		{
			"id": "98b22fd7-bf1b-41a6-b51c-0e33a0ffd813",
			"created_at": "2022-10-25T15:50:23.688973Z",
			"updated_at": "2026-04-10T02:00:05.390055Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"APT-C-36",
				"Blind Eagle"
			],
			"source_name": "MITRE:APT-C-36",
			"tools": [
				"Imminent Monitor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "be597b07-0cde-47bc-80c3-790a8df34af4",
			"created_at": "2022-10-25T16:07:23.407484Z",
			"updated_at": "2026-04-10T02:00:04.58656Z",
			"deleted_at": null,
			"main_name": "Blind Eagle",
			"aliases": [
				"APT-C-36",
				"APT-Q-98",
				"AguilaCiega",
				"G0099"
			],
			"source_name": "ETDA:Blind Eagle",
			"tools": [
				"AsyncRAT",
				"BitRAT",
				"Bladabindi",
				"BlotchyQuasar",
				"Imminent Monitor",
				"Imminent Monitor RAT",
				"Jorik",
				"LimeRAT",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"Socmer",
				"Warzone",
				"Warzone RAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "45bb30d6-8cb3-4ac1-b85f-26e9abae6058",
			"created_at": "2024-01-09T02:00:04.185637Z",
			"updated_at": "2026-04-10T02:00:03.50568Z",
			"deleted_at": null,
			"main_name": "PhantomControl",
			"aliases": [],
			"source_name": "MISPGALAXY:PhantomControl",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bd43391b-b835-4cb3-839a-d830aa1a3410",
			"created_at": "2023-01-06T13:46:38.925525Z",
			"updated_at": "2026-04-10T02:00:03.147197Z",
			"deleted_at": null,
			"main_name": "APT-C-36",
			"aliases": [
				"Blind Eagle"
			],
			"source_name": "MISPGALAXY:APT-C-36",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434789,
	"ts_updated_at": 1775792120,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/938aabb52699f20cfad73a9d7069a23e428e3084.pdf",
		"text": "https://archive.orkl.eu/938aabb52699f20cfad73a9d7069a23e428e3084.txt",
		"img": "https://archive.orkl.eu/938aabb52699f20cfad73a9d7069a23e428e3084.jpg"
	}
}