Phantom Stealer Malware Spread via ISO Phishing Emails Targeting Russian Finance Sector

Rhadamanthys Stealer, a popular information stealer, has been updated to include device and web browser fingerprinting capabilities. The malware now uses PNG steganography to conceal its payloads. The threat actor behind Rhadamanthys has also advertised two additional tools, Elysium Proxy Bot and Crypt Service, on their website. The stealer's current version is 0.9.2, and it is available under a malware-as-a-service (MaaS) model with tiered pricing packages. The threat actor has rebranded themselves as "RHAD security" and "Mythical Origin Labs," indicating a long-term business venture. The stealer's capabilities have evolved significantly, posing a comprehensive threat to personal and corporate security. The latest updates include enhanced obfuscation techniques, environment checks, and a Lua runner for additional plugins. The Rhadamanthys infostealer operation has been disrupted, with numerous customers reporting that they no longer have access to their servers. Cybercriminals claim that law enforcement gained access to their web panels, requiring certificate-based logins instead of root passwords. The disruption is suspected to be related to Operation Endgame, an ongoing law enforcement action targeting malware-as-a-service operations.

A sophisticated malware campaign, codenamed GPUGate, targets IT and software development companies in Western Europe, with recent expansions to macOS users. The campaign leverages Google Ads, SEO poisoning, and fake GitHub commits to deliver malware, including the Atomic macOS Stealer (AMOS) and Odyssey. The attack began in December 2024 and uses a 128 MB Microsoft Software Installer (MSI) to evade detection. The malware employs GPU-gated decryption and various techniques to avoid analysis and detection. The end goal is information theft and delivery of secondary payloads. The threat actors have native Russian language proficiency and use a cross-platform approach. The campaign has expanded to target macOS users through fake Homebrew, LogMeIn, and TradingView platforms. These platforms impersonate popular tools and use SEO poisoning to distribute the Atomic Stealer malware and Odyssey. The threat actors use multiple GitHub usernames to evade takedowns and deploy malware via Terminal commands. Similar tactics have been observed in previous campaigns using malicious Google Ads and public GitHub repositories. The AMOS malware now includes a backdoor component for persistent, stealthy access to compromised systems. The campaign impersonates over 100 software solutions, including 1Password, Dropbox, Confluence, Robinhood, Fidelity, Notion, Gemini, Audacity, Adobe After Effects, Thunderbird, and SentinelOne. The fake GitHub pages were created on September 16, 2025, and were immediately submitted for takedown. The campaign has been active since at least April 2023, with previous similar campaigns observed in July 2025. A new AMOS infostealer campaign abuses Google search ads to lure users into Grok and ChatGPT conversations that lead to installing the AMOS malware on macOS. The campaign was first spotted by researchers at Kaspersky, with a more detailed report by Huntress. The ClickFix attack begins with victims searching for macOS-related terms, leading to malicious instructions in AI chats. The malicious instructions are hosted on legitimate LLM platforms and contain commands to install the malware. The base64-encoded URL decodes into a bash script that loads a fake password prompt dialog. The script validates, stores, and uses the provided password to execute privileged commands, including downloading and executing the AMOS infostealer. AMOS was first documented in April 2023 and is a malware-as-a-service (MaaS) operation targeting macOS systems exclusively. AMOS added a backdoor module earlier this year, allowing operators to execute commands, log keystrokes, and drop additional payloads. AMOS is dropped as a hidden file and scans for cryptocurrency wallets, browser data, macOS Keychain data, and files on the filesystem. Persistence is achieved via a LaunchDaemon running a hidden AppleScript that restarts the malware if terminated. Users are advised to be vigilant and avoid executing commands they found online, especially if they don't fully understand what they do. Kaspersky noted that asking ChatGPT if the provided instructions are safe reveals they are not.

A rapidly spreading phishing campaign is targeting Windows users and Booking.com partner accounts worldwide, stealing credentials and deploying various remote access trojans (RATs) using malicious JavaScript files and PowerShell commands. The campaign affects multiple sectors, including manufacturing, technology, healthcare, construction, retail/hospitality, and the hospitality industry. The attackers use personalized phishing pages and socially engineered scenarios to lure victims into downloading the malware. The campaign involves multiple stages, including an initial obfuscated script, a spoofed site, and the deployment of RATs such as PureHVNC, DCRat, and Babylon RAT. The attackers employ sophisticated techniques to evade detection and maintain long-term access to compromised networks. The campaign has been observed in countries including Austria, Belarus, Canada, Egypt, India, and Pakistan. The phishing emails use themes related to voicemail messages, purchases, and banking verification issues to deceive recipients into clicking on malicious links. The initial payload is a ZIP archive containing an obfuscated JavaScript file that acts as a dropper for UpCrypter, which functions as a conduit for various RATs. The malware uses steganography to embed the final payload within a harmless-looking image and includes anti-analysis and anti-virtual machine checks to evade detection. The malware is executed without writing to the file system, minimizing forensic traces. The campaign is part of a larger trend where threat actors abuse legitimate services for phishing attacks. A new campaign impersonates Ukrainian government agencies to deliver CountLoader, which drops Amatera Stealer and PureMiner. The phishing emails contain malicious SVG files designed to trick recipients into opening harmful attachments. The SVG files initiate the download of a password-protected ZIP archive containing a CHM file, which activates CountLoader. CountLoader drops various payloads, including Cobalt Strike, AdaptixC2, and PureHVNC RAT, and in this case, Amatera Stealer and PureMiner. Amatera Stealer gathers system information, collects files, and harvests data from various applications and browsers. A Vietnamese-speaking threat group uses phishing emails with copyright infringement notice themes to deploy PXA Stealer, which evolves into PureRAT. PureRAT is a modular, professionally developed backdoor that gives attackers complete control over a compromised host. The campaign demonstrates a progression from simple phishing lures to multi-layered infection sequences involving defense evasion and credential theft. The attack chain begins with a ZIP archive containing a legitimate PDF reader executable and a malicious DLL, using DLL sideloading to execute the next payload. The malware employs multiple stages of obfuscation, including Base64 encoding, steganography, and anti-analysis techniques to evade detection. The campaign uses a combination of Python scripts and .NET executables to achieve its objectives, demonstrating a progression from simple phishing lures to multi-layered infection sequences. The final payload, PureRAT, is a modular, professionally developed backdoor that provides complete control over a compromised host. The threat actor uses Telegram bot descriptions and URL shorteners to dynamically fetch and execute the next payload, allowing for flexible updates to the attack chain. The malware includes defense evasion techniques such as AMSI patching and ETW unhooking to avoid detection by security tools. The campaign is attributed to a Vietnamese-speaking threat group associated with the PXA Stealer malware family, using infrastructure traced to Vietnam. The threat actor demonstrates proficiency in multiple languages and techniques, including Python bytecode loaders, WMI enumeration, .NET process hollowing, and reflective DLL loading. The pivot from a custom-coded stealer to a commercial RAT like PureRAT lowers the barrier to entry for the attacker, providing access to a stable, feature-rich toolkit. A large-scale phishing operation has been targeting Booking.com partner accounts since at least April 2025. The campaign exploits hotel systems and customer data, using a sophisticated malware campaign. The intrusion begins with malicious emails sent from legitimate hotel accounts or impersonating Booking.com, leading victims to execute a PowerShell command that downloads PureRAT. PureRAT allows attackers to remotely control infected machines, steal credentials, capture screenshots, and exfiltrate sensitive data. The malware initially targets hotel staff to steal login credentials for booking platforms, which are then used in fraudulent schemes. The campaign demonstrates the growing professionalization of cybercrime targeting the hospitality industry, with hundreds of malicious domains active as of October 2025. The firm continues to monitor adversary infrastructure and improve detection methods to help protect booking platforms and their customers. Researchers have uncovered a broad campaign in which threat actors target hotels with ClickFix attacks to steal customer data as part of ongoing attacks against the hospitality sector that includes secondary attacks against the establishments' customers. The initial attack against hotels uses a compromised email account to send malicious messages to multiple hotel establishments. In some instances, attackers alter the "From" header to impersonate Booking.com, while subject lines are often related to guest matters, including references to last-minute booking, listings, reservations, and the like. The attack chain then uses a redirection URL that ultimately leads to a ClickFix reCAPTACHA challenge in which users are prompted to copy a malicious PowerShell command. This command eventually leads to the deployment of infostealing and remote access Trojan (RAT) malware. The campaign has led to secondary attacks against hotel customers, with attackers contacting them via WhatsApp or email using legitimate reservation details of the target. Attackers then ask victims to validate banking details by visiting a URL, which leads to the phishing page that mimics Booking.com’s typography and layout and which harvests the victim’s banking information. A Russian-speaking threat behind an ongoing, mass phishing campaign has registered more than 4,300 domain names since the start of the year. The activity, per Netcraft security researcher Andrew Brandt, is designed to target customers of the hospitality industry, specifically hotel guests who may have travel reservations with spam emails. The campaign is said to have begun in earnest around February 2025. Of the 4,344 domains tied to the attack, 685 domains contain the name "Booking", followed by 18 with "Expedia," 13 with "Agoda," and 12 with "Airbnb," indicating an attempt to target all popular booking and rental platforms. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com. The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken to a fake site instead after initiating a chain of redirects. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy. The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. In the event that any user directly attempts to access the page without a unique identifier called AD_CODE, they are greeted with a blank page. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target. The ongoing campaign employs a sophisticated phishing kit that customizes the page presented to the site visitor depending on a unique string in the URL path when the target first visits the website. The customizations use the logos from major online travel industry brands, including Airbnb and Booking.com. The attack begins with a phishing email urging recipients to click on a link to confirm their booking within the next 24 hours using a credit card. Should they take the bait, the victims are taken to a fake site instead after initiating a chain of redirects. These bogus sites follow consistent naming patterns for their domains, featuring phrases like confirmation, booking, guestcheck, cardverify, or reservation to give them an illusion of legitimacy. The pages support 43 different languages, allowing the threat actors to cast a wide net. The page then instructs the victim to pay a deposit for their hotel reservation by entering their card information. In the event that any user directly attempts to access the page without a unique identifier called AD_CODE, they are greeted with a blank page. The bogus sites also feature a fake CAPTCHA check that mimics Cloudflare to deceive the target. The campaign uses a unique identifier called AD_CODE to ensure consistent branding across pages. The phishing pages attempt to process a transaction in the background while displaying a support chat window for 3D Secure verification. The identity of the threat group remains unknown, but Russian is used in source code comments and debugger output. The campaign is linked to a previous phishing campaign targeting the hospitality industry with PureRAT malware. The phishing kit is a fully automated, multi-stage platform designed for efficiency and stealth. The phishing kit employs CAPTCHA filtering to evade security scans and uses Telegram bots to exfiltrate stolen credentials and payment information.

The ClickFix malware campaign has evolved to include multi-OS support and video tutorials that guide victims through the self-infection process. The campaign, which uses fake Cloudflare CAPTCHA pages and malicious PowerShell scripts, has been observed deploying various payloads, including information stealers and backdoors. The FileFix attack, a variant of the ClickFix family, impersonates Meta account suspension warnings to trick users into installing the StealC infostealer malware. The campaign has evolved over two weeks with different payloads, domains, and lures, indicating an attacker testing and adapting their infrastructure. The FileFix technique, created by red team researcher mr. d0x, uses the address bar in File Explorer to execute malicious commands. The campaign employs steganography to hide a second-stage PowerShell script and encrypted executables inside a JPG image, which is believed to be AI-generated. The StealC malware targets credentials from various applications, cryptocurrency wallets, and cloud services, and can take screenshots of the active desktop. The FileFix attack uses a multilingual phishing site to trick users into executing a malicious command via the File Explorer address bar. The attack leverages Bitbucket to host the malicious components, abusing a legitimate source code hosting platform to bypass detection. The attack involves a multi-stage PowerShell script that downloads an image, decodes it into the next-stage payload, and runs a Go-based loader to launch StealC. The attack uses advanced obfuscation techniques, including junk code and fragmentation, to hinder analysis efforts. The FileFix attack is more likely to be detected by security products due to the payload being executed by the web browser used by the victim. The FileFix attack demonstrates significant investment in tradecraft, with carefully engineered phishing infrastructure, payload delivery, and supporting elements to maximize evasion and impact. The MetaStealer attack, a variant of the ClickFix family, uses a fake Cloudflare Turnstile lure and an MSI package disguised as a PDF to deploy the MetaStealer infostealer malware. The attack involves a multi-stage infection chain that includes a DLL sideloading technique using a legitimate SentinelOne executable. The MetaStealer attack targets crypto wallets and other sensitive information, using a combination of social engineering and technical evasion techniques to deploy malware. Recently, threat actors have been abusing the decades-old Finger protocol to retrieve and execute remote commands on Windows devices. The Finger protocol is used to deliver commands that create a random-named path, download a zip archive disguised as a PDF, and extract a Python malware package. The Python program is executed using pythonw.exe __init__.py, and a callback is made to the attacker's server to confirm execution. A related batch file indicates that the Python package is an infostealer. Another campaign uses the Finger protocol to retrieve and run commands that look for malware research tools and exit if found. If no malware analysis tools are found, the commands download a zip archive disguised as PDF files and extract the NetSupport Manager RAT package. The commands configure a scheduled task to launch the remote access malware when the user logs in. The Finger protocol abuse appears to be carried out by a single threat actor conducting ClickFix attacks. A new EVALUSION ClickFix campaign has been discovered, delivering Amatera Stealer and NetSupport RAT. Amatera Stealer, an evolution of ACR Stealer, is available under a malware-as-a-service (MaaS) model and targets crypto-wallets, browsers, messaging applications, FTP clients, and email services. It employs advanced evasion techniques such as WoW64 SysCalls and is packed using PureCrypter. The stealer is injected into the MSBuild.exe process to harvest sensitive data and contact an external server to execute a PowerShell command to fetch and run NetSupport RAT. The campaign also involves phishing attacks using various malware families and phishing kits named Cephas and Tycoon 2FA. Tycoon 2FA is a phishing kit that bypasses multi-factor authentication (MFA) and authentication apps by intercepting usernames, passwords, session cookies, and MFA flows in real-time. It has been used in over 64,000 attacks this year, primarily targeting Microsoft 365 and Gmail. Tycoon 2FA includes anti-detection layers and can lead to total session takeover, allowing attackers to move laterally into various enterprise systems. Legacy MFA methods are vulnerable to Tycoon 2FA, and phishing-proof MFA solutions like Token Ring and Token BioStick are recommended to prevent such attacks. A new operation embedding StealC V2 inside Blender project files has been observed targeting victims for at least six months. The attackers placed manipulated .blend files on platforms such as CGTrader, where users downloaded them as routine 3D assets. When opened with Blender’s Auto Run feature enabled, the files executed concealed Python scripts that launched a multistage infection. The infection chain began with a tampered Rig_Ui.py script embedded inside the .blend file. This script fetched a loader from a remote workers.dev domain, which then downloaded a PowerShell stage and two ZIP archives containing Python-based stealers. Once extracted into the Windows temp directory, the malware created LNK files to secure persistence, then used Pyramid C2 channels to retrieve encrypted payloads. StealC V2, promoted on underground forums since April 2025, has rapidly expanded its feature set. It now targets more than 23 browsers, over 100 plugins, more than 15 desktop wallets, and a range of messaging, VPN and mail clients. Its pricing, from $200 per month to $800 for 6 months, has made it accessible to low-tier cybercriminals seeking ready-to-use tools. ClickFix attack variants have been observed using a realistic-looking Windows Update animation in a full-screen browser page to trick users into executing malicious commands. The new ClickFix variants drop the LummaC2 and Rhadamanthys information stealers. The attack uses steganography to encode the final malware payload inside an image. The process involves multiple stages that use PowerShell code and a .NET assembly (the Stego Loader) responsible for reconstructing the final payload embedded inside a PNG file in an encrypted state. The shellcode holding the infostealer samples is packed using the Donut tool. The Rhadamanthys variant that used the Windows Update lure was first spotted by researchers back in October, before Operation Endgame took down parts of its infrastructure on November 13. A new campaign codenamed JackFix leverages fake adult websites (xHamster, PornHub clones) as its phishing mechanism, likely distributed via malvertising. The JackFix campaign displays highly convincing fake Windows update screens in an attempt to get the victim to run malicious code. The attack heavily leans on obfuscation to conceal ClickFix-related code and blocks users from escaping the full-screen alert by disabling the Escape and F11 buttons, along with F5 and F12 keys. The initial command executed is an MSHTA payload that's launched using the legitimate mshta.exe binary, which contains JavaScript designed to run a PowerShell command to retrieve another PowerShell script from a remote server. The PowerShell script attempts to elevate privileges and creates Microsoft Defender Antivirus exclusions for command-and-control (C2) addresses and paths where the payloads are staged. The PowerShell script serves up to eight different payloads, including Rhadamanthys Stealer, Vidar Stealer 2.0, RedLine Stealer, Amadey, and other unspecified loaders and RATs. The threat actor often changes the URI used to host the first mshta.exe stage and has been observed moving from hosting the second stage on the domain securitysettings.live to xoiiasdpsdoasdpojas.com, although both point to the same IP address 141.98.80.175. An initial access broker tracked as Storm-0249 is abusing endpoint detection and response solutions and trusted Microsoft Windows utilities to load malware, establish communication, and persistence in preparation for ransomware attacks. The threat actor has moved beyond mass phishing and adopted stealthier, more advanced methods that prove effective and difficult for defenders to counter. In one attack analyzed by researchers at cybersecurity company ReliaQuest, Storm-0249 leveraged the SentinelOne EDR components to hide malicious activity. The attack started with ClickFix social engineering that tricked users into pasting and executing curl commands in the Windows Run dialog to download a malicious MSI package with SYSTEM privileges. A malicious PowerShell script is also fetched from a spoofed Microsoft domain, which is piped straight onto the system's memory, never touching the disk and thus evading antivirus detection. The MSI file drops a malicious DLL (SentinelAgentCore.dll), which is placed strategically alongside the pre-existing, legitimate SentinelAgentWorker.exe, which is already installed as part of the victim's SentinelOne EDR. Next, the attacker loads the DLL using the signed SentinelAgentWorker (DLL sideloading), executing the file within the trusted, privileged EDR process and obtaining stealthy persistence that survives operating system updates. Once the attacker gains access, they use the SentinelOne component to collect system identifiers through legitimate Windows utilities like reg.exe and findstr.exe, and to funnel encrypted HTTPS command-and-control (C2) traffic. The compromised systems are profiled using 'MachineGuid,' a unique hardware-based identifier that ransomware groups like LockBit and ALPHV use for binding encryption keys to specific victims. The abuse of trusted, signed EDR processes bypasses nearly all traditional monitoring. The researchers recommend that system administrators rely on behavior-based detection that identifies trusted processes loading unsigned DLLs from non-standard paths. Furthermore, it is helpful to set stricter controls for curl, PowerShell, and LoLBin execution. A new variation of the ClickFix attack dubbed 'ConsentFix' abuses the Azure CLI OAuth app to hijack Microsoft accounts without the need for a password or to bypass multi-factor authentication (MFA) verifications. ConsentFix tricks victims into completing the Azure CLI OAuth flow and steals the resulting authorization code, which is exchanged for full account access. The attack starts with victims landing on a compromised, legitimate website that ranks high on Google Search results. Victims are shown a fake Cloudflare Turnstile CAPTCHA widget that asks for a valid business email address, filtering out bots and non-targets. Victims are instructed to click a 'Sign in' button that opens a legitimate Microsoft URL in a new tab, leading to an Azure login page. The attack completes when victims paste the URL containing the Azure CLI OAuth authorization code into the malicious page, granting attackers access to the Microsoft account via Azure CLI. The attack triggers only once per victim IP address, preventing repeated phishing attempts on the same IP. Defenders are advised to monitor for unusual Azure CLI login activity, such as logins from new IP addresses, and to check for legacy Graph scopes used by attackers to evade detection.

The Noodlophile malware campaign has expanded its global reach, targeting enterprises in the U.S., Europe, Baltic countries, and the Asia-Pacific region. The threat actors use spear-phishing emails disguised as copyright infringement notices, leveraging reconnaissance-derived details to deploy the information stealer. The campaign employs advanced delivery mechanisms, including Telegram for command-and-control and obfuscation techniques to evade detection. The malware targets browser data, indicating a focus on enterprises with significant social media presence, particularly on Facebook. Ongoing development efforts aim to expand the stealer's capabilities, potentially making it more versatile and dangerous. The latest iteration of the campaign targets organizations through copyright complaints, using legitimate, signed applications vulnerable to DLL side loading and batch scripts to install the infostealer. The infostealer harvests web data, system data, credentials, credit card information, security controls, and browser support, and employs self-deletion techniques to complicate detection.