
Commercial stealer-as-a-service campaign delivers Phantom Stealer across European enterprises via phishing

1 unique source, 1 article

Summary


A coordinated phishing campaign from November 2025 to January 2026 delivered the .NET-based Phantom Stealer infostealer to organizations in European logistics, manufacturing and technology sectors. The malware was distributed as a commercial toolkit bundling a stealer, crypter and remote access tool (RAT) under subscription tiers, enabling credential harvesting, session data theft and exfiltration of sensitive information via messaging platforms, SMTP and FTP. Attackers impersonated a legitimate equipment trading company, sending professionally formatted, procurement-themed emails to get past defenses; the messages consistently failed email authentication.

Timeline

  1. 31.03.2026 17:00 · 1 article

    Phantom Stealer delivered via stealer-as-a-service phishing campaign across Europe

    Between November 2025 and January 2026, a phishing campaign delivered the Phantom Stealer infostealer to European organizations in logistics, manufacturing and technology sectors. The procurement-themed emails were professionally formatted, consistently failed email authentication, and carried obfuscated droppers or executables that distributed a .NET-based infostealer bundled with a crypter and RAT under a commercial subscription model.


Information Snippets

  • The infostealer, named Phantom Stealer, targets browser credentials, cookies, saved passwords, autofill data and payment card information.

    First reported: 31.03.2026 17:00
    1 source, 1 article
  • Phantom Stealer also extracts session data from messaging and email platforms, Wi-Fi credentials and other sensitive information.

    First reported: 31.03.2026 17:00
    1 source, 1 article
  • Stolen data is exfiltrated via messaging platforms, SMTP and FTP.

    First reported: 31.03.2026 17:00
    1 source, 1 article
  • The campaign operated in five waves between November 2025 and January 2026, targeting organizations in logistics, manufacturing and technology sectors across Europe.

    First reported: 31.03.2026 17:00
    1 source, 1 article
  • Phishing emails included obfuscated JavaScript droppers or malicious executables disguised as archive attachments with procurement-related subject lines.

    First reported: 31.03.2026 17:00
    1 source, 1 article
  • Campaign indicators included SPF authentication failures, missing DKIM signatures, reused email templates, consistent spelling mistakes, spoofed business identities and rotating infrastructure.

    First reported: 31.03.2026 17:00
    1 source, 1 article
  • Detection involved layered analysis combining sender authentication checks, content analysis and malware detonation in a controlled environment.

    First reported: 31.03.2026 17:00
    1 source, 1 article
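
The sender-authentication and attachment indicators listed above, combined into one mail-triage function as an added example (not code from the source article or from any vendor). The sample message, the subject keyword list, the extension lists and the finding names are constructed assumptions; malware detonation is out of scope here.

```python
import email
import re
from email import policy

# Constructed sample message for illustration; every name and value is a placeholder.
SAMPLE = """\
From: Procurement <sales@equipment-trader.example>
To: buyer@victim.example
Subject: Request for Quotation - PO 4471
Authentication-Results: mx.victim.example; spf=fail smtp.mailfrom=equipment-trader.example; dkim=none
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please find the purchase order attached.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="PO_4471.rar.js"
Content-Transfer-Encoding: base64

Ly8gcGxhY2Vob2xkZXI=
--b1--
"""

LURE = re.compile(r"\b(quotation|purchase order|rfq|invoice)\b", re.I)  # assumed keywords
RISKY_EXT = (".js", ".jse", ".exe", ".scr", ".com")    # assumed script/executable types
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".img")  # assumed archive-looking names

def triage(raw):
    """Return the list of campaign-style indicators present in one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    findings = []
    if re.search(r"\bspf=fail\b", auth):
        findings.append("spf_fail")
    if "DKIM-Signature" not in msg or re.search(r"\bdkim=none\b", auth):
        findings.append("dkim_missing")
    if LURE.search(msg.get("Subject", "")):
        findings.append("procurement_subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXT):
            findings.append("script_or_exe_attachment")
            # e.g. "order.rar.js": archive-looking name that is really a script
            if any(ext + "." in name for ext in ARCHIVE_EXT):
                findings.append("archive_disguise")
    return findings
```

No single finding is conclusive on its own; the layered approach described above treats several of them together as the signal.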