Phantom Project's subscription-based cybercrime toolkit model
Threat Actor Meta
Summary
Hide ▲
Show ▼
Phantom Project now reflects a more packaged subscription-based cybercrime toolkit model, bundling a stealer, crypter, and RAT to scale credential theft and downstream identity compromise. That shift matters because it lowers the barrier to entry for operators and increases the reach of infostealer-driven fraud and ransomware staging.
Related Happenings
Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor Meta
H score31
First: 08.05.2026 11:41
Last: 08.05.2026 11:41
Sources 1
About this happening:
**darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...
Darkworm monetizes PamDOORa on Rehub as underground operator-grade tooling
Threat Actor MetaAbout this happening: **darkworm** lowered the price of **PamDOORa** on the **Rehub Russian cybercrime forum**, signaling a push to monetize an **operator-grade Linux backdoor** and widen its undergrou...
Phantom Stealer Europe phishing campaign
Campaign
H score33
First: 31.03.2026 17:00
Last: 31.03.2026 17:00
Sources 1
How related:
Between November 2025 and January 2026, Group-IB observed a sustained phishing campaign delivering Phantom Stealer to organizations in the logistics, manufacturing and technology sectors across Europe.
About this happening:
A **sustained phishing campaign** delivered **Phantom Stealer** to organizations in **logistics, manufacturing and technology** across **Europe**, creating a broad credential-thef...
Phantom Stealer Europe phishing campaign
CampaignHow related: Between November 2025 and January 2026, Group-IB observed a sustained phishing campaign delivering Phantom Stealer to organizations in the logistics, manufacturing and technology sectors across Europe.
About this happening: A **sustained phishing campaign** delivered **Phantom Stealer** to organizations in **logistics, manufacturing and technology** across **Europe**, creating a broad credential-thef...
Dark LLM-WormGPT ecosystem shift changes threat-actor operations
Threat Actor Meta
H score22
First: 20.01.2026 14:15
Last: 20.01.2026 14:15
Sources 1
About this happening:
**Dark web vendors** are commoditizing **AI-enabled cybercrime services** into scalable subscriptions, lowering the cost and skill needed for **phishing**, **fraud**, **malware**,...
Dark LLM-WormGPT ecosystem shift changes threat-actor operations
Threat Actor MetaAbout this happening: **Dark web vendors** are commoditizing **AI-enabled cybercrime services** into scalable subscriptions, lowering the cost and skill needed for **phishing**, **fraud**, **malware**,...
STAC6565 spear-phishing campaign targeting Canadian organizations
Campaign
H score41
First: 09.12.2025 11:35
Last: 09.12.2025 11:35
Sources 1
About this happening:
The **STAC6565** campaign has driven **almost 40 intrusions** against **Canadian organizations**, making it a sustained operation with a sharply focused target set. Attackers use...
STAC6565 spear-phishing campaign targeting Canadian organizations
CampaignAbout this happening: The **STAC6565** campaign has driven **almost 40 intrusions** against **Canadian organizations**, making it a sustained operation with a sharply focused target set. Attackers use...
Timeline
-
31.03.2026 17:00 2 articles · 3mo ago
Researchers detail Phantom Project's subscription-based toolkit
Technical Analysis UpdateGroup-IB detailed a .NET-based infostealer ecosystem sold under subscription tiers that bundles Phantom Stealer with a crypter and a RAT, and it described a sustained phishing campaign that used archive attachments with an obfuscated JavaScript dropper or a malicious executable to target logistics, manufacturing and technology organizations across Europe. The researchers said the campaign used impersonation of a legitimate equipment trading company, procurement-themed subject lines, and consistent indicators such as SPF authentication failures and missing DKIM signatures, while Phantom Stealer collected browser credentials, cookies, saved passwords, autofill data, payment card information, session data, Wi-Fi credentials and other sensitive information before sending the stolen data through messaging platforms, SMTP and FTP.
Show sources
- Phantom Project Bundles Infostealer, Crypter and RAT For Sale — www.infosecurity-magazine.com — 31.03.2026 17:00
- Phantom Project Bundles Infostealer, Crypter and RAT For Sale — www.infosecurity-magazine.com — 31.03.2026 17:00