PhantomVAI Loader Delivers Infostealers via Phishing Campaigns
Category: Threat Intelligence / Malware
Unit 42 researchers uncovered a global phishing campaign deploying PhantomVAI Loader to deliver multiple infostealers, including AsyncRAT, XWorm, and FormBook. The malware leverages steganography, obfuscated scripts, and PowerShell loaders to evade detection. This evolution from Katz Stealer marks an escalation in malware-as-a-service sophistication targeting education, manufacturing, and government sectors.
CORTEX Protocol Intelligence Assessment
Business Impact: PhantomVAI Loader poses high risk to enterprise networks, enabling data exfiltration and credential theft across multiple sectors.
Technical Context: The attack chain uses staged PowerShell execution, embedded payloads, and process hollowing for persistence, showing advanced evasion methods.
Strategic Intelligence Guidance
- Block PowerShell execution from email attachments.
- Monitor outbound network traffic for C2 connections linked to PhantomVAI.
- Apply behavioral detection for steganographic payloads in GIF files.
- Educate users against phishing campaigns mimicking legal or finance communications.
Impact
Data Volume: Variable
Financial: N/A
Intelligence Source: PhantomVAI Loader Delivers a Range of Infostealers | Oct 16, 2025