
Phantom Stealer Europe phishing campaign

Campaign
Happening score: 36
1 unique source, 1 article

Summary


A sustained phishing campaign delivered Phantom Stealer to organizations in logistics, manufacturing and technology across Europe, creating a broad credential-theft risk for multiple unrelated companies. The operation ran in five waves between November 2025 and January 2026 and used archive attachments with obfuscated JavaScript droppers or malicious executables. Even though the emails were blocked before reaching end users, the repeated delivery pattern shows a coordinated stealer operation built for repeat targeting and downstream abuse.

Related Happenings

FBI-led takedown of W3LL phishing network

Law Enforcement
First: 13.04.2026 13:35 Last: 13.04.2026 13:35 Sources 1

About this happening: **FBI Atlanta** and **US and Indonesian law enforcement** took down the **W3LL** phishing network, escalating a cross-border cybercrime case tied to **more than $20 million in fra...

Phantom Project's subscription-based cybercrime toolkit model

Threat Actor Meta
First: 31.03.2026 17:00 Last: 31.03.2026 17:00 Sources 1

How related: A .NET-based infostealer sold as part of a commercial cybercrime toolkit that bundles a stealer, crypter and remote access tool (RAT) under subscription tiers has been detailed further by cybersecurity researchers.

About this happening: **Phantom Project** now reflects a more packaged **subscription-based cybercrime toolkit** model, bundling a **stealer**, **crypter**, and **RAT** to scale credential theft and do...

Fake shipment tracking SMS phishing campaign

Campaign
First: 16.03.2026 16:45 Last: 16.03.2026 16:45 Sources 1

About this happening: A **global surge** in **fake shipment tracking phishing campaigns** is stealing **funds and credentials** at scale, with activity rising from almost none in 2024 to **over 100 cam...

Phantom Stealer phishing delivery and exfiltration activity

Malware Activity
First: 15.12.2025 18:00 Last: 15.12.2025 18:00 Sources 1

About this happening: **Phantom Stealer** is being delivered through a **phishing campaign** that uses a **ZIP-to-ISO attachment chain** to bypass mail defenses, exposing **Russian-speaking organizatio...

MuddyWater global phishing campaign using compromised email accounts

Campaign
First: 22.10.2025 18:00 Last: 22.10.2025 18:00 Sources 1

About this happening: A newly uncovered **MuddyWater** phishing campaign abused **compromised email accounts** to target **international organizations** across multiple regions, increasing the risk of...

Timeline

  1. 31.03.2026 17:00 2 articles · 1mo ago

    Group-IB details Phantom Stealer campaign across Europe

    Campaign Scope Update

    Group-IB details a sustained phishing campaign that delivered Phantom Stealer to logistics, manufacturing and technology organizations across Europe in five waves between November 2025 and January 2026. The emails used procurement-themed lures, archive attachments containing either an obfuscated JavaScript dropper or a malicious executable, and recurring indicators such as SPF authentication failures, missing DKIM signatures, reused templates, impersonal greetings, spelling mistakes, spoofed business identity and rotating infrastructure. The campaign was detected through sender authentication checks, content analysis and malware detonation in a controlled environment.
