Phantom Project's subscription-based cybercrime toolkit model
Threat Actor Meta
Summary
Phantom Project now operates as a more packaged, subscription-based cybercrime toolkit, bundling a stealer, crypter, and RAT to scale credential theft and downstream identity compromise. That shift matters because it lowers the barrier to entry for operators and increases the reach of infostealer-driven fraud and ransomware staging.
Related Happenings
Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor Meta
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources 1
About this happening:
**darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...
Phantom Stealer Europe phishing campaign
Campaign
First: 31.03.2026 17:00
Last: 31.03.2026 17:00
Sources 1
How related:
Between November 2025 and January 2026, Group-IB observed a sustained phishing campaign delivering Phantom Stealer to organizations in the logistics, manufacturing and technology sectors across Europe.
About this happening:
A **sustained phishing campaign** delivered **Phantom Stealer** to organizations in **logistics, manufacturing and technology** across **Europe**, creating a broad credential-thef...
STAC6565 spear-phishing campaign targeting Canadian organizations
Campaign
First: 09.12.2025 11:35
Last: 09.12.2025 11:35
Sources 1
About this happening:
The **STAC6565** campaign has driven **almost 40 intrusions** against **Canadian organizations**, making it a sustained operation with a sharply focused target set. Attackers use...
Timeline
- 31.03.2026 17:00 · 2 articles
Researchers detail Phantom Project's subscription-based toolkit
Technical Analysis Update
Group-IB detailed a .NET-based infostealer ecosystem sold under subscription tiers that bundles Phantom Stealer with a crypter and a RAT, and it described a sustained phishing campaign that used archive attachments with an obfuscated JavaScript dropper or a malicious executable to target logistics, manufacturing and technology organizations across Europe. The researchers said the campaign used impersonation of a legitimate equipment trading company, procurement-themed subject lines, and consistent indicators such as SPF authentication failures and missing DKIM signatures, while Phantom Stealer collected browser credentials, cookies, saved passwords, autofill data, payment card information, session data, Wi-Fi credentials and other sensitive information before sending the stolen data through messaging platforms, SMTP and FTP.
Sources:
- Phantom Project Bundles Infostealer, Crypter and RAT For Sale — www.infosecurity-magazine.com — 31.03.2026 17:00
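The delivery indicators named in the timeline entry (SPF failure, missing DKIM signature, procurement-themed subject, archive attachment) can be combined into a mail-triage check. The following is an added example, not code from Group-IB or the cited article; the archive extension list, the subject keywords, the `mx.example.net` gateway name and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumptions, not from the report: extension list, subject keywords, gateway name.
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".iso", ".gz", ".tar")
PROCUREMENT = re.compile(r"\b(rfq|quotation|purchase order|procurement)\b", re.I)
TRUSTED_AUTHSERV = "mx.example.net"  # hypothetical authserv-id of your own gateway

def auth_results(msg, trusted=TRUSTED_AUTHSERV):
    """method -> result from Authentication-Results headers stamped by our gateway.
    Headers carrying any other authserv-id may be forged by the sender and are skipped."""
    out = {}
    for hdr in msg.get_all("Authentication-Results", []):
        ident = hdr.split(";", 1)[0].split()
        if not ident or ident[0].lower() != trusted.lower():
            continue
        for method, result in re.findall(r"\b(spf|dkim)=(\w+)", hdr, re.I):
            out.setdefault(method.lower(), result.lower())
    return out

def triage(raw):
    """Return the campaign-style indicators present in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    res = auth_results(msg)
    hits = []
    if res.get("spf") in {"fail", "softfail"}:  # softfail included by choice
        hits.append("spf-fail")
    if "DKIM-Signature" not in msg and res.get("dkim", "none") == "none":
        hits.append("dkim-missing")
    if PROCUREMENT.search(msg.get("Subject", "")):
        hits.append("procurement-subject")
    if any((p.get_filename() or "").lower().endswith(ARCHIVE_EXT) for p in msg.walk()):
        hits.append("archive-attachment")
    return hits

# Constructed sample message (not taken from the campaign).
SUSPECT = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=sender.example; dkim=none
From: Sales <sales@sender.example>
Subject: RFQ - equipment quotation request
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="RFQ_2291.zip"

--b1--
"""

print(triage(SUSPECT))
```

No single indicator is conclusive on its own; the value is in scoring messages where several coincide and routing them to quarantine or analyst review.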