PhantomVAI Loader Uses Steganography in Phishing Attacks
A new multi-stage malware loader, dubbed PhantomVAI Loader, is being distributed through widespread phishing campaigns to deliver various information-stealing malware. The attack begins with a malicious script delivered in a phishing email; that script retrieves a seemingly harmless image file in which the loader has been hidden steganographically and extracts it. Once active, the .NET-based loader performs virtual machine checks to evade analysis before establishing persistence on the compromised system. It then downloads its final payload, such as AsyncRAT, XWorm, or Katz Stealer, and injects it into a legitimate system process to bypass security defenses. This malware-as-a-service tool targets a wide range of industries globally, demonstrating a sophisticated and evasive infection chain used by threat actors.
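The summary does not say how the loader is embedded in the image, so the following triage check, written here as an added example rather than code from the report, assumes the simplest and most common scheme: a payload appended after the PNG IEND chunk. It walks the chunk list, isolates any trailing bytes, and flags them if they look like a PE file or a base64 blob; the sample image is constructed in memory.

```python
import re
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
B64_RE = re.compile(rb"^[A-Za-z0-9+/=\r\n]+$")


def png_end_offset(data: bytes):
    """Walk the PNG chunk list; return the offset just past IEND (None if malformed)."""
    if not data.startswith(PNG_SIG):
        return None
    pos = len(PNG_SIG)
    while pos + 12 <= len(data):  # a chunk is at least length(4)+type(4)+crc(4)
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        pos += 12 + length
        if ctype == b"IEND":
            return pos
    return None


def trailing_data(data: bytes) -> bytes:
    """Bytes appended after the image's IEND chunk; empty if the file ends cleanly."""
    end = png_end_offset(data)
    return b"" if end is None else data[end:]


def classify_trailer(trailer: bytes) -> str:
    """Heuristic verdict on appended data (assumed indicators, not from the report)."""
    if not trailer:
        return "clean"
    if trailer.startswith(b"MZ"):
        return "appended-pe"
    if len(trailer) >= 64 and B64_RE.match(trailer):
        return "appended-base64"
    return "appended-unknown"


def minimal_png() -> bytes:
    """Constructed 1x1 RGB PNG used as benign sample input."""
    def chunk(ctype, body):
        crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00\x00\x00")  # filter byte + one RGB pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


if __name__ == "__main__":
    suspicious = minimal_png() + b"A" * 80
    print(classify_trailer(trailing_data(suspicious)))  # appended-base64
```

A JPEG equivalent needs a segment walk to the real EOI marker rather than a naive search for FF D9, because EXIF thumbnails embed their own EOI.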