Banks Targeted by Fileless Phantom Stealer Phishing Campaign

A new phishing campaign is targeting banks and other high-value organizations with Phantom Stealer, a commercially available infostealer that runs in memory to avoid traditional detection, according to new research from Fortra.

Fortra Intelligence and Research Experts, or FIRE, said the campaign is aimed largely at "high-capital organizations, particularly those operating within the banking sector." The attack uses phishing emails carrying malicious attachments disguised as business documents, with the observed sample arriving as a RAR archive containing a batch file labeled as a request for quote.

Once opened, the attack chain moves quickly into Windows-native tooling. The batch file launches an obfuscated PowerShell script, establishes persistence, decodes a large payload and ultimately injects Phantom Stealer into explorer.exe, allowing the malware to operate inside a legitimate Windows process.

"The core risk in this campaign is not the technical sophistication of the malware itself -- it is the combination of convincing delivery, multi-layer obfuscation, and fully in-memory operation that makes the malicious activity invisible to conventional controls," Fortra said.

Phantom Stealer is designed to harvest browser credentials, session cookies, autofill data, screenshots, clipboard contents and financial information. Fortra said the malware targets major browsers, including Chrome, Firefox and Edge, as well as Discord, Telegram and Steam. It can also steal cryptocurrency assets and exfiltrate data through several channels, including Telegram, Discord, FTP and SMTP.

That redundancy matters for financial institutions, where one compromised endpoint can quickly become a broader access problem. Fortra warned that "a single compromised employee credential can unlock access to sensitive customer data, internal financial systems, and privileged network resources."

The campaign also reflects the continued commercialization of credential theft. Fortra said Phantom Stealer is "a commercially available Malware-as-a-Service" sold under a subscription model by an actor using the alias Oldphantomoftheopera and tied to Phantom Softwares. The report said subscriptions range from $70 to $240, making the tool accessible to multiple operators at once.

For Microsoft IT, the campaign lands amid a steady run of credential and token theft warnings. Redmondmag.com recently reported on the FBI’s warning about Kali365, a phishing-as-a-service kit that targets Microsoft 365 environments by stealing access tokens rather than passwords. Redmondmag.com also covered Enclave research showing how a coding flaw in several Microsoft 365 Android apps could have let a malicious app obtain account tokens from the same device.

Fortra recommended that orgs prioritize behavior-based endpoint detection, block known infrastructure tied to the campaign, watch for anomalous outbound traffic to Telegram, Discord, FTP or SMTP endpoints, and audit browser-stored credentials. It also urged organizations to enforce multifactor authentication and conduct phishing awareness training around unsolicited batch file attachments.
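The behavior-based detection Fortra recommends above, applied to the chain described earlier (a batch file launching obfuscated PowerShell, injection into explorer.exe, and exfiltration over Telegram, Discord, FTP or SMTP), can be expressed as a few simple rules over endpoint telemetry. The following is an added example written for this article, not Fortra's code or anything from the report: it runs over a handful of constructed Sysmon-style events, and the event schema, the field names, the `Event` class and the watch-list hostnames are assumptions made for illustration.

```python
"""Added example (not Fortra's code): behaviour-based checks over constructed
Sysmon-style events, modelled on the chain the article describes.
"""

import re
from dataclasses import dataclass


# Hypothetical, simplified event schema; field names are an assumption, not Sysmon's exact ones.
@dataclass
class Event:
    kind: str               # "process" or "network"
    image: str              # executable path of the acting process
    parent_image: str = ""  # process events only
    command_line: str = ""  # process events only
    dest_host: str = ""     # network events only
    dest_port: int = 0      # network events only


# PowerShell switches commonly used to hide a window, skip profiles or pass an encoded script.
SUSPICIOUS_PS_FLAGS = re.compile(
    r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop(rofile)?\b"
    r"|-ep\s+bypass|-executionpolicy\s+bypass)",
    re.IGNORECASE,
)
# Parents consistent with a batch/script launcher (a .bat file runs under cmd.exe).
SCRIPT_HOSTS = {"cmd.exe", "wscript.exe", "cscript.exe"}

# Exfiltration channels named in the report. The hostnames are the public API
# endpoints of those services and serve only as an outbound watch-list (assumption).
EXFIL_HOSTS = {"api.telegram.org", "discord.com", "discordapp.com"}
EXFIL_PORTS = {21: "ftp", 25: "smtp", 465: "smtps", 587: "smtp-submission"}


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev: Event):
    """Flag a script host launching PowerShell with hiding or encoding switches."""
    if ev.kind != "process" or basename(ev.image) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if basename(ev.parent_image) in SCRIPT_HOSTS and SUSPICIOUS_PS_FLAGS.search(ev.command_line):
        return f"obfuscated PowerShell spawned by {basename(ev.parent_image)}: {ev.command_line[:60]}"
    return None


def check_network(ev: Event):
    """Flag explorer.exe (a shell, not a mail or FTP client) talking to exfil channels."""
    if ev.kind != "network" or basename(ev.image) != "explorer.exe":
        return None
    if ev.dest_host.lower() in EXFIL_HOSTS:
        return f"explorer.exe connecting to {ev.dest_host}"
    if ev.dest_port in EXFIL_PORTS:
        return f"explorer.exe outbound {EXFIL_PORTS[ev.dest_port]} to {ev.dest_host}:{ev.dest_port}"
    return None


def detect(events):
    """Run every check over every event and return the alert messages."""
    alerts = []
    for ev in events:
        for check in (check_process, check_network):
            msg = check(ev)
            if msg:
                alerts.append(msg)
    return alerts


# Constructed sample telemetry: two process creations and three outbound connections.
SAMPLE_EVENTS = [
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\System32\cmd.exe",
          command_line="powershell.exe -nop -w hidden -enc BASE64PLACEHOLDER"),  # constructed blob
    Event("process", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          parent_image=r"C:\Windows\explorer.exe",
          command_line="powershell.exe -File C:\\scripts\\backup.ps1"),  # benign admin script
    Event("network", r"C:\Windows\explorer.exe", dest_host="api.telegram.org", dest_port=443),
    Event("network", r"C:\Windows\explorer.exe", dest_host="mail.example.net", dest_port=587),
    Event("network", r"C:\Program Files\Mozilla Firefox\firefox.exe",
          dest_host="discord.com", dest_port=443),  # benign: a browser on Discord
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run against the constructed events, the first process event and the two explorer.exe connections raise alerts while the interactive PowerShell launch and the browser's Discord traffic do not. The rules key on behaviour (who spawned PowerShell and with which switches; which process is speaking to which channel) rather than file hashes, which is the point of Fortra's recommendation given that recompiled samples with new hashes are expected.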

"The actor is actively maintaining this campaign under the Phantom Softwares brand," Fortra said. "New lures and recompiled samples with updated hashes should be expected."

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
