F6 Experts Discover New Phantom Stealer

In June 2025, researchers identified a new wave of malicious activity they dubbed Phantom Papa. Threat actors were distributing emails in both Russian and English, with attachments that delivered a new stealer malware called Phantom.
Technical Capabilities
Phantom is built on the codebase of Stealerium, a known stealer, and is designed to harvest a wide range of sensitive data. Its capabilities include:
- Stealing passwords, banking credentials, and cryptocurrency wallet information
- Extracting data from browsers and messengers
- Recording keystrokes through a built-in keylogger
- Evading detection with anti-analysis features and obfuscation support
- Establishing persistence through auto-start mechanisms
For exfiltration, the malware supports multiple channels, including Telegram, Discord, and SMTP.


Distribution and Infrastructure
According to researchers, Phantom is distributed through a website registered in February 2025. The site advertises several related products, including Phantom Crypter, Phantom Stealer Advanced, and Phantom Stealer Basic.
Victims were targeted across multiple industries—retail, construction, IT, and manufacturing. Logs revealed IP addresses of infected devices in 19 countries, among them the United States, Russia, the UK, Romania, Spain, Hungary, Kazakhstan, Azerbaijan, Estonia, Serbia, Switzerland, Singapore, and Belarus. Researchers cautioned that some of the identified IPs belonged to virtual machines used for analysis.

Email Lures
Attackers used a mix of crude and conventional phishing lures. Some messages carried sensational subjects such as “See My Nude Pictures and Videos” (or the Russian equivalent, clearly machine-translated), while others mimicked financial correspondence like “Attached copy of payment No. 06162025.”
The malicious attachments were RAR archives containing .img or .iso files. When opened, the mounted images exposed executable files, which deployed Phantom on the victim’s machine.
Data Collection and Exfiltration
Once executed, Phantom collects extensive system information, including:
- Windows version, PC name, and system language
- CPU, GPU, RAM, battery, and screen details
- Webcam presence and antivirus detection
It also harvests cookies, passwords, bank card data, documents, and images. All collected information is funneled to a Telegram bot named papaobilogs, which has been active since at least April 2025. This link gave rise to the campaign’s nickname, Phantom Papa.
Persistence and Modules
To maintain access, Phantom copies itself to:
- %APPDATA%\iWlfdcmimm.exe
- %TEMP%\tmpB043.tmp
It also creates a delayed task in Windows Task Scheduler.

Beyond its standard modules, researchers highlighted one particularly unusual feature: PornDetector. This module monitors active windows for keywords such as “porn,” “sex,” “hentai,” or “chaturbate.” If detected, it:
- Takes a screenshot of the desktop, saving it under %LOCALAPPDATA%\[0-9a-f]{32}\logs\nsfw\...
- Waits 12 seconds and, if the same window remains active, captures an image from the webcam, storing it in the same directory.
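The filesystem artifacts named in the persistence and PornDetector sections above (the %APPDATA% and %TEMP% copies and the 32-hex-character directory holding logs\nsfw) can be turned into a simple host-hunting check over file paths collected from endpoints. The Python below is an added example, not code from the article or from F6; it assumes the environment variables resolve to their default Windows locations (%APPDATA% to AppData\Roaming, %TEMP% to AppData\Local\Temp, %LOCALAPPDATA% to AppData\Local) and runs over constructed sample paths.

```python
import re
from typing import Iterable, List, Tuple

# Artifact patterns from the article, with the environment variables expanded to
# their default Windows locations (an assumption: %APPDATA% -> AppData\Roaming,
# %TEMP% -> AppData\Local\Temp, %LOCALAPPDATA% -> AppData\Local).
ARTIFACT_PATTERNS = {
    "phantom_appdata_copy": re.compile(
        r"\\AppData\\Roaming\\iWlfdcmimm\.exe$", re.IGNORECASE),
    "phantom_temp_copy": re.compile(
        r"\\AppData\\Local\\Temp\\tmpB043\.tmp$", re.IGNORECASE),
    # PornDetector output: a 32-hex-character directory, then logs\nsfw.
    "phantom_nsfw_dir": re.compile(
        r"\\AppData\\Local\\[0-9a-f]{32}\\logs\\nsfw(\\|$)", re.IGNORECASE),
}


def normalise(path: str) -> str:
    """Collapse forward slashes to backslashes so one regex covers both styles."""
    return path.replace("/", "\\")


def match_artifacts(paths: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (rule_name, original_path) for every path that hits a pattern."""
    hits: List[Tuple[str, str]] = []
    for raw in paths:
        normalised = normalise(raw)
        for name, pattern in ARTIFACT_PATTERNS.items():
            if pattern.search(normalised):
                hits.append((name, raw))
    return hits


# Constructed sample file paths (not from the article): three Phantom artifacts
# mixed with benign lookalikes, including a non-32-hex directory under Local.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\iWlfdcmimm.exe",
    r"C:\Users\alice\AppData\Local\Temp\tmpB043.tmp",
    r"C:\Users\alice\AppData\Local\3f2a9c1e8b7d4f60a1b2c3d4e5f60718\logs\nsfw\shot.png",
    r"C:\Users\alice\AppData\Local\Temp\tmpA1B2.tmp",
    r"C:\Users\alice\AppData\Local\abc\logs\nsfw\shot.png",
    r"C:\Users\alice\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db",
]

if __name__ == "__main__":
    for rule, path in match_artifacts(SAMPLE_PATHS):
        print(f"{rule}: {path}")
```

Feed it the output of a file inventory (for example Sysmon FileCreate events or an EDR file listing) rather than the constructed list; the fixed filenames may change between builds, while the logs\nsfw directory pattern reflects the module's behaviour.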