{"id":229871,"date":"2026-03-31T10:00:00","date_gmt":"2026-03-31T14:00:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/03\/31\/phantom-project-bundles-infostealer-crypter-and-rat-for-sale\/"},"modified":"2026-04-01T01:20:13","modified_gmt":"2026-04-01T05:20:13","slug":"phantom-project-bundles-infostealer-crypter-and-rat-for-sale","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/03\/31\/phantom-project-bundles-infostealer-crypter-and-rat-for-sale\/","title":{"rendered":"Phantom Project Bundles Infostealer, Crypter and RAT For Sale"},"content":{"rendered":"<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/phantom-project-infostealer-nov-25\/\">Phantom Project Bundles Infostealer, Crypter and RAT For Sale<\/a><\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/phantom-project-infostealer-nov-25\/\">https:\/\/www.infosecurity-magazine.com\/news\/phantom-project-infostealer-nov-25\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-03-31 10:00:00<\/a><\/p>\n<p>Source Domain: <a href=\"www.infosecurity-magazine.com\">www.infosecurity-magazine.com<\/a><\/p>\n<p>A .NET-based infostealer sold as part of a commercial cybercrime toolkit that bundles a stealer, crypter and remote access tool (RAT) under subscription tiers has been detailed further by cybersecurity researchers.<\/p>\n<p>The malware, known as Phantom Stealer, collects browser credentials, cookies, saved passwords, autofill data and payment card information from infected systems.<\/p>\n<p>It also extracts session data from messaging and email platforms, Wi-Fi credentials and other sensitive information, then sends the stolen data through various channels, including messaging platforms, SMTP and FTP.<\/p>\n<h2><strong>Campaign Targeted European Industries<\/strong><\/h2>\n<p>Between November 2025 and January 2026, Group-IB observed a sustained phishing campaign delivering Phantom Stealer to organizations in the logistics, 
manufacturing and technology sectors across Europe.<\/p>\n<p>The activity occurred in five waves, with phishing emails blocked before reaching end users. Attackers targeted multiple unrelated companies on the same day, a pattern commonly associated with stealer-as-a-service campaigns.<\/p>\n<p>The phishing emails impersonated a legitimate equipment trading company and used procurement-related subject lines designed to resemble business correspondence. Messages were short, often only two to three sentences, and included professional-looking signature blocks to appear legitimate.<\/p>\n<h2><strong>Email Tactics and Technical Indicators<\/strong><\/h2>\n<p>Each phishing email included an archive attachment containing either an obfuscated JavaScript dropper or a malicious executable. Despite changes in subject lines and attachments, several consistent indicators exposed the campaign:<\/p>\n<ul>\n<li>\n<p>SPF authentication failures<\/p>\n<\/li>\n<li>\n<p>Missing DKIM signatures<\/p>\n<\/li>\n<li>\n<p>Reused email templates and impersonal greetings<\/p>\n<\/li>\n<li>\n<p>Consistent spelling mistakes across messages<\/p>\n<\/li>\n<li>\n<p>Spoofed business identity and rotating infrastructure<\/p>\n<\/li>\n<\/ul>\n<p>These indicators pointed to a coordinated stealer&#8230;<\/p>\n<p><a href=\"https:\/\/www.infosecurity-magazine.com\/news\/phantom-project-infostealer-nov-25\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Phantom Project Bundles Infostealer, Crypter and RAT For Sale https:\/\/www.infosecurity-magazine.com\/news\/phantom-project-infostealer-nov-25\/ Publish Date: 2026-03-31 10:00:00 
Source&#8230;<\/p>\n","protected":false},"author":1,"featured_media":229872,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/assets.infosecurity-magazine.com\/webpage\/og\/edc2fa5a-b756-4e81-91b3-386bffc4141c.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,31,36,32,25],"class_list":["post-229871","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-exploit","tag-infostealer","tag-malware","tag-phishing"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229871"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=229871"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229871\/revisions"}],"predecessor-version":[{"id":229873,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/229871\/revisions\/229873"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/229872"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=229871"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=229871"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=229871"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}