Executive Summary
Fortra Intelligence and Research Experts (FIRE) have identified an active phishing campaign targeting high-capital organizations, particularly those operating within the banking sector. The campaign uses evasive techniques to distribute Phantom Stealer, a commercially available Malware-as-a-Service (MaaS) infostealer used to steal credentials, financial data, and sensitive information. The tool is sold under a subscription model by a threat actor operating under the alias Oldphantomoftheopera, affiliated with the Phantom Softwares group.
The attack begins with phishing emails containing malicious attachments disguised as business documents. Once executed, the malware runs entirely in memory, helping it evade traditional defenses.
The Phantom Stealer targets major browsers (Chrome, Firefox, Edge and beyond) as well as Discord, Telegram and Steam. It is also used to steal financial information, cryptocurrency assets and actively collect keystrokes, screenshots and clipboard data.
The core risk in this campaign is not the technical sophistication of the malware itself — it is the combination of convincing delivery, multi-layer obfuscation, and fully in-memory operation that makes the malicious activity invisible to conventional controls.
At the time of publishing, the campaign infrastructure is still operating and is actively distributing new samples.
Why it matters: Phantom Stealer has been observed as part of an active phishing campaign specifically targeting high-capital organizations within the banking sector. This targeting is deliberate: financial institutions represent a high-value environment where a single compromised employee credential can unlock access to sensitive customer data, internal financial systems, and privileged network resources.
What makes this threat particularly significant is its commercial nature. Being offered as a Malware-as-a-Service product means it is continuously maintained, updated to evade new defenses, and available to multiple threat actors simultaneously — significantly increasing the probability of repeated or parallel campaigns against the same industry.
Furthermore, the sample demonstrated a notably high level of obfuscation (fully detailed in the technical section of this report), making it resistant to traditional signature-based detection and underscoring the need for behavioral defense strategies.
The combination of targeted phishing delivery, advanced evasion techniques, broad credential harvesting capabilities, and a resilient multi-channel exfiltration infrastructure places this threat in the high-severity category for any organization operating in or adjacent to the financial sector.
Business impact: This threat poses a high risk to organizations in the financial sector. By obtaining browser credentials and session cookies from a single compromised employee, a threat actor could:
Access sensitive customer banking data stored in internal systems
Exfiltrate financial data and cryptocurrency assets
Exfiltrate other data that can be used for further, targeted attacks
Pivot laterally across the network using harvested credentials
In a worst-case scenario, establish sufficient persistence and access to deploy a ransomware attack, causing operational and reputational damage at scale
The MaaS nature of this tool means it is actively maintained, updated, and accessible to multiple threat actors simultaneously, increasing the likelihood of repeated or parallel campaigns.
Top Actions
The following actions should be prioritized and executed immediately:
Deploy behavior-based AV/EDR — Ensure endpoint protection relies on behavioral analysis rather than hash-based signatures, as the high obfuscation level renders static detection ineffective
Block http://icanhazip.com/ at the firewall, proxy, and DNS levels immediately
Monitor and alert on anomalous outbound traffic, particularly encrypted data packets to Telegram, Discord, FTP, or SMTP endpoints
Audit browser-stored credentials on endpoints and enforce credential rotation for sensitive accounts
Conduct phishing awareness training emphasizing unsolicited .bat file attachments
Enforce multi-factor authentication (MFA) across all accounts.
Introduction
The sample arrived as a RAR archive (56HhO_1y) containing a malicious batch file (2026REQUEST_FOR_QUOTE.bat). The sample was analyzed in a controlled environment (ANY.RUN) to observe real-time behavior before approaching the file directly.
The first red flag appeared almost immediately in the process tree: the BAT file was spawning browser processes — Chrome, Firefox, and Edge — but none of them were initiated by the user. This behavior is a known indicator of credential harvesting.
Network activity confirmed the suspicion: a single HTTP request to http://icanhazip.com/ — a public service that simply returns the external IP. Malware frequently queries this endpoint as a pre-exfiltration reconnaissance step to log the victim's IP.
The campaign remains active, with infrastructure continuing to distribute new samples at the time of publication.
Threat Landscape
Info stealers delivered via phishing remain one of the most prevalent initial access methods observed across sectors. The distinguishing characteristic of this campaign is the use of a heavily obfuscated, multi-stage delivery chain with fully in-memory injection.
This approach reflects a broader maturation in attacker tradecraft, where evading behavioral and network detection is prioritized over payload sophistication. The commercial nature of the stealer (Phantom Softwares sells subscriptions ranging from $70 to $240 USD) means multiple actors may be deploying the same tool simultaneously with minor variations.
Delivery via .bat files disguised as business documents (REQUEST_FOR_QUOTE) is contextually plausible for targets in the banking and corporate sector, suggesting the actor tailors delivery lures to specific targets rather than conducting broad spray campaigns.
Threat Specifics
Origin and intent: The actor's primary objective is the silent theft of browser credentials, session cookies, and financial data, with exfiltration through four parallel channels (Telegram, Discord, FTP, SMTP) for redundancy. The commercial distribution infrastructure (Phantom Softwares) points toward financial motivation.
Delivery mechanism: Phishing emails with RAR attachments containing the BAT dropper disguised as corporate quote request documents.
Execution flow:
The victim executes the RAR/BAT file. The BAT is heavily obfuscated with non-functional variable noise.
The BAT establishes persistence: it copies a hidden version of itself to AppData, registers a RunOnce key, and performs a COM object hijack.
A massive Base64 blob (~807.8 KB) is decoded into TERROR.ps1.
The PowerShell script performs a three-layer decryption routine (Base64 → XOR × 2 → AES-256-CBC) to extract DonutLoader shellcode.
The shellcode injects Phantom Stealer directly into the explorer.exe process, entirely in memory.
The stealer launches browsers in isolated mode to harvest credentials and exfiltrates them.
Anti-analysis techniques:
Single-instance relaunch guard via environment variable (D3YYJUGH)
Minimized window on relaunch to avoid user visibility
PowerShell command-line obfuscation with escape characters (-n^o^p, -^w H^i^d^d^e^n)
Fully in-memory payload — no PE (portable executable) on disk at any stage
Windows API names aliased (e.g., pX2QxOi9m3Tev = OpenProcess)
Invisible Unicode characters (\u2028, \u2029) embedded in the Base64 blob to break decoders
Target process name (explorer) stored as Base64 (ZXhwbG9yZXI=)
Observed TTPs (MITRE ATT&CK):
| Tactic | Technique | ID |
|---|---|---|
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 |
| Execution | Command and Scripting Interpreter: PowerShell | T1059.001 |
| Defense Evasion | Obfuscated Files or Information: Command Obfuscation | T1027.010 |
| Defense Evasion | Obfuscated Files or Information: Base64 Encoding | T1027 |
| Defense Evasion | Process Injection: Shellcode Injection | T1055.004 |
| Defense Evasion | Modify Registry | T1112 |
| Defense Evasion | Hide Artifacts: Hidden Files and Directories | T1564.001 |
| Defense Evasion | Execution Guardrails: Environmental Keying | T1480 |
| Persistence | Boot or Logon Autostart Execution: Registry Run Keys | T1547.001 |
| Persistence | Hijack Execution Flow: COM Hijacking | T1546.015 |
| Discovery | System Information Discovery | T1082 |
| Discovery | System Network Configuration Discovery (External IP) | T1016.001 |
| Collection | Credentials from Web Browsers | T1555.003 |
| Collection | Screen Capture | T1113 |
| Exfiltration | Exfiltration Over C2 Channel (Telegram/Discord/FTP) | T1041 |
| Exfiltration | Exfiltration Over Alternative Protocol: SMTP | T1048.003 |
Threat actor infrastructure:
Telegram: https://t[.]me/Oldphantomoftheopera
Website: https://www.phantomsoftwares[.]site/home
Discord API: https://discord[.]com/api/v9/users/@me
Exfiltration SMTP: mail.wwvvinc[.]com → 31.222.235[.]198:587 (Ukraine)
Static Analysis
This section documents the full static analysis process applied to the sample — the decisions made, the dead ends encountered, and how each finding led to the next. It is intentionally written in first person to reflect the analyst's actual thought process.
Stage 1 — Safe Approach to the BAT File
Before touching the BAT file directly, a deliberate decision was made: rename it to .txt first. This is a simple but critical precaution — it prevents accidental double-clicks or shell associations from triggering execution while the file is being read. It is the kind of habit that separates careful analysis from careless analysis.
With the file safely renamed, the code was opened. The first impression was a wall of noise: dozens of set statements assigning single characters to single-letter variables (set e=e, set c=c...), random number assignments, and if exist %TEMP% checks scattered everywhere. None of it does anything meaningful. This is junk padding — deliberately designed to make the file long, confusing, and exhausting to read.
Scanning past the noise, a few things stood out immediately as genuinely functional:
A self-relaunch guard (if not defined D3YYJUGH) that restarts the script minimized — anti-analysis behavior to prevent double execution and complicate sandbox re-runs.
A file copy + hide operation dropping invest.bat into AppData with hidden+system attributes.
Registry writes creating persistence via RunOnce and registering a suspicious fake COM object.
A massive Base64 blob occupying the majority of the file body — so large it practically consumed the entire file. Something significant was hidden inside it.
Stage 2 — Peeling the First Layer: Base64 → PowerShell
The standard approach to a Base64 blob is straightforward: pipe it through base64 -d and see what comes out. Doing so revealed a PowerShell script — TERROR.ps1. The name alone was a signal, but more importantly, the decoded script confirmed it was designed to run entirely hidden:
powershell -nop -w Hidden -ep Bypass
No profile loading, hidden window, execution policy bypassed. This is not how legitimate scripts run. The decoded PowerShell became the new focus.
Stage 3 — The PowerShell Script
The decoded TERROR.ps1 script was structured around a series of operations that, even before fully understanding the cryptography, told a clear story:
A mutex check — the script would exit if already running. Malware uses this to avoid infecting the same machine twice and to complicate sandbox re-runs. The mutex string was constructed via XOR arithmetic on character arrays and checked via System.Threading.Mutex::OpenExisting().
A search for explorer.exe by process name — but the name was stored as a Base64 string (ZXhwbG9yZXI=). Decoding that short string confirmed: it was looking for the Windows shell process. Target identified.
A large Base64 string — again. But this one was different. In VS Code, the file was flagged as 807.2 KB just for that single line. That is not a script — that is a binary hiding inside a string.
At this point, a simple base64 -d on the large blob returned nothing readable. No text, no headers — just bytes. This meant the data was encrypted or transformed beyond simple encoding.
Stage 4 — Reverse-Engineering the Decryption Routine
The PowerShell script laid out the decryption logic explicitly, but executing it directly was not an option — running unknown PowerShell is exactly what should be avoided during static analysis. Instead, the logic was replicated manually in Go, chosen for its clean standard library support for AES and SHA256 without external dependencies.
The decryption chain, read directly from the PowerShell source:
| Step | Operation |
|---|---|
| 1 | Base64 decode the blob to raw bytes |
| 2 | XOR every byte with primary key 112 (0x70) — hardcoded as $Multiple = 112 |
| 3 | Extract structural components: byte 0 = secondary XOR key, bytes 1–32 = seed, bytes 33–48 = AES IV, byte 49 onward = ciphertext |
| 4 | XOR the ciphertext again with the secondary key from byte 0 |
| 5 | Derive the AES-256 key via SHA256(seed + "cyberm") — the string "cyberm" was hardcoded as a passphrase |
| 6 | Decrypt with AES-256-CBC using the derived key and extracted IV |
A critical roadblock was encountered on the first attempt: invisible Unicode characters (\u2028, \u2029) embedded in the Base64 string were breaking the decoder silently. These characters look like whitespace but are not standard line endings, and most Base64 decoders choke on them without any obvious error. Stripping them explicitly and retrying finally produced output.
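The six-step chain can be replicated offline without ever running the stager. The Go program below is an added example written for this page, not the analyst's own Go script from the report: it implements the steps exactly as described, strips U+2028/U+2029 before Base64 decoding, and assumes PKCS#7 padding (the report does not name the padding mode). The buildSampleBlob function, the seed, the IV and the plaintext are constructed here only to produce test input; the secondary key value 61 is the one listed in Appendix C.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

const primaryKey byte = 0x70 // $Multiple = 112 in TERROR.ps1
const passphrase = "cyberm"  // hardcoded suffix appended to the 32-byte seed

// stripInvisible drops U+2028/U+2029, which the sample embeds in the Base64
// text; most decoders reject them (or stop) without a clear error.
func stripInvisible(s string) string {
	return strings.Map(func(r rune) rune {
		if r == '\u2028' || r == '\u2029' {
			return -1
		}
		return r
	}, s)
}

func xorBytes(b []byte, k byte) []byte {
	out := make([]byte, len(b))
	for i, c := range b {
		out[i] = c ^ k
	}
	return out
}

// deriveKey is step 5: SHA256(seed + "cyberm") used directly as the AES-256 key.
func deriveKey(seed []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, seed...), passphrase...))
	return sum[:]
}

// decryptBlob walks the chain from the report: Base64 -> XOR 0x70 ->
// split header (k, seed, IV) -> XOR ciphertext with k -> AES-256-CBC.
// PKCS#7 unpadding is an assumption; the report does not state the padding mode.
func decryptBlob(blob string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stripInvisible(blob))
	if err != nil {
		return nil, err
	}
	raw = xorBytes(raw, primaryKey)
	if len(raw) < 49+aes.BlockSize {
		return nil, errors.New("blob too short for key/seed/IV header plus one block")
	}
	k, seed, iv := raw[0], raw[1:33], raw[33:49]
	ct := xorBytes(raw[49:], k)
	if len(ct)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	block, err := aes.NewCipher(deriveKey(seed))
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad PKCS#7 padding: wrong key or corrupted blob")
	}
	return pt[:len(pt)-pad], nil
}

// buildSampleBlob is the inverse of decryptBlob and exists only to construct
// offline test input; it is neither malware code nor part of the report.
func buildSampleBlob(plain []byte, k byte, seed, iv []byte) string {
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, _ := aes.NewCipher(deriveKey(seed))
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	body := append([]byte{k}, seed...)
	body = append(body, iv...)
	body = append(body, xorBytes(ct, k)...)
	return base64.StdEncoding.EncodeToString(xorBytes(body, primaryKey))
}

func main() {
	seed := bytes.Repeat([]byte{0xA5}, 32) // constructed
	iv := bytes.Repeat([]byte{0x1C}, 16)   // constructed
	blob := buildSampleBlob([]byte("constructed stand-in for the shellcode"), 61, seed, iv)
	blob = blob[:8] + "\u2028" + blob[8:] + "\u2029" // mimic the embedded line separators
	out, err := decryptBlob(blob)
	fmt.Printf("%q %v\n", out, err)
}
```

With the invisible characters left in place, Go's Base64 decoder returns a corrupt-input error rather than partial output, and a wrong key shows up as a padding failure; both are reported as errors instead of silently yielding garbage, which is the failure mode the roadblock above describes.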
Result: 627,473 bytes of decrypted data, starting with magic bytes E8 52 30 09. The byte E8 is the x86/x64 opcode for CALL — the very first instruction of raw shellcode. There were no MZ headers, no import tables, no readable strings. Just position-independent shellcode.
Stage 5 — Identifying the Shellcode: DonutLoader
The decrypted payload was uploaded to OPSWAT Metadefender. Five of twenty-six engines flagged it, all pointing to the same family: Donut / DonutLoader.
DonutLoader is an open-source offensive security tool — originally a legitimate red team utility — that wraps any .NET executable into a blob of position-independent shellcode that runs entirely in memory. It deliberately produces output with no PE (portable executable) headers, no imports, and no readable strings, which explains why static analysis of the raw payload yielded nothing useful. The actual malware is packaged inside the DonutLoader wrapper, encrypted and compressed.
The low detection count (5/26) is a direct consequence of this wrapping technique. Most endpoint security engines look for known patterns in PE files. When there is no PE file, many of them simply do not flag it.
| Engine | Detection Name |
|---|---|
| Bitdefender | Generic.ShellCode.Donut.Marte.4.F9797FC0 |
| Emsisoft | Generic.ShellCode.Donut.Marte.4.F9797FC0 (B) |
| Avira | TR/W64.Donut.E |
| Trellix | W32/Foxveil!sc |
| Sophos | ATK/DonutLdr-B |
Stage 6 — Extracting Strings: Cutter
A DonutLoader-wrapped payload cannot be easily reverse-engineered without executing it — but there is a middle ground. A partial decode tool was used to strip enough of the Donut wrapper to expose some of the inner payload's content. The result was loaded into Cutter (a GUI frontend for the radare2 disassembler) specifically to search for readable strings.
This approach paid off immediately. Among the recovered strings:
Stub.TelegramSendLogs+<SendMessageAsync>
Stub.TelegramSendLogs+<SendMessageInfoAsync>d__3
Stub.TelegramSendLogs+<SendReportAsync>d__
Stub.UploadToFtp+<SendMessageAsync>d__X
Uploading logs to Discord
Telegram contact <https://t[.]me/Oldphantomoftheopera>
website <https://www.phantomsoftwares[.]site/home>
<https://discord[.]com/api/v9/users/@me>
These are not generic stealer strings — they are the internal .NET class names and hardcoded contact information of a specific stealer family. The class names (Stub.TelegramSendLogs, Stub.UploadToFtp) reveal the exfiltration architecture directly from the source code structure. The Telegram handle Oldphantomoftheopera and the website phantomsoftwares[.]site are the operator's own embedded branding — left inside the binary and exposed through string extraction.
This is how the threat actor's identity was confirmed. A .bat file that looked like junk had revealed, through successive layers of static decoding, a commercially distributed info-stealer delivered via DonutLoader shellcode, targeting browser credentials across all major browsers and exfiltrating through four separate channels.
Impact Assessment
Operational impact: Phantom Stealer running inside explorer.exe has full access to all browser-stored data: credentials, cookies, session tokens, and autofill data. This includes access to all browsers, online banking systems, corporate portals, web-based password managers, and SaaS applications. The stealer also captures screenshots of the active desktop. Persistence via RunOnce and COM hijack ensures re-execution after reboots.
Financial exposure: A single Phantom Stealer session on a banking endpoint can exfiltrate credentials with access to transfer systems, customer data, or network administrator credentials. Since the stealer operates as MaaS, exfiltrated logs may be sold or used directly by multiple actors.
Detection difficulty: The payload operates entirely in memory — no executable PE (portable executable) exists on disk at any point in the chain. The injection host (explorer.exe) is a legitimate Windows process. The DonutLoader shellcode detection rate was only 5/26 engines on OPSWAT Metadefender. Outbound network traffic on port 587 may be confused with legitimate corporate SMTP activity.
Reputational risk: Exposure of customer credentials, financial records, or internal communications carries significant regulatory exposure, particularly in the banking sector under frameworks such as PCI-DSS, GDPR, or equivalent local regulations.
Mitigation Guidance
Immediate (within 24 hours):
Block or alert on outbound traffic to mail.wwvvinc[.]com (31.222.235[.]198:587) on perimeter controls.
Block icanhazip.com at corporate DNS/proxy (indicator of pre-exfiltration reconnaissance).
Block the RAR and BAT hashes at the email gateway and EDR.
Hunt for %APPDATA%\Microsoft\Windows\Templates\invest.bat on all endpoints — its presence confirms compromise.
Review HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce for the PUBLISHER value.
Review HKCU\Software\Classes\CLSID\{C113AACC-AB1A-C43D-00BA-4AF9CAFD7652} — fake COM registration.
Short term (within one week):
Hunt for explorer.exe with outbound connections on port 587 — highly suspicious.
Rotate all browser-stored credentials on potentially exposed systems.
Enable PowerShell Script Block Logging (Event ID 4104) to detect similar obfuscated stagers.
Update email gateway rules to flag or quarantine RAR archives containing executables/batch files from unverified external senders.
Deploy detection rules in EDR/SIEM for the behavioral sequence: cmd.exe → powershell.exe with -w Hidden -ep Bypass → csc.exe in the same process tree.
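One way to turn the recommended process-tree sequence into a check, as an added example and not a rule shipped with the report: a small Go program over constructed process-creation records (field names modelled on Sysmon Event ID 1; the PIDs, paths and the benign developer build chain are made up for this example). It also normalizes the caret-escaped switches listed under anti-analysis techniques, so -n^o^p -^w H^i^d^d^e^n is matched the same way as -nop -w Hidden, and it shows why the Hidden/Bypass condition matters: a plain cmd.exe → powershell.exe → csc.exe chain is also what a scripted build looks like.

```go
package main

import (
	"fmt"
	"strings"
)

// ProcEvent is a minimal process-creation record with the fields a Sysmon
// Event ID 1 or Security 4688 entry would carry. Every event in this file is
// constructed for the example; none is a log line from the report.
type ProcEvent struct {
	PID, PPID int
	Image     string // base name of the executable
	CmdLine   string
}

// normalizeCmdline strips the cmd.exe caret escapes used by the BAT
// (-n^o^p, -^w H^i^d^d^e^n) and lowercases, so one matcher works on the
// escaped form seen in the batch/cmd command line and on the plain form.
func normalizeCmdline(s string) string {
	return strings.ToLower(strings.ReplaceAll(s, "^", ""))
}

// isHiddenBypass reports whether a PowerShell command line asks for a hidden
// window and an execution-policy bypass, in short or long switch form.
func isHiddenBypass(cmd string) bool {
	c := normalizeCmdline(cmd)
	hidden := strings.Contains(c, "-w hidden") || strings.Contains(c, "-windowstyle hidden")
	bypass := strings.Contains(c, "-ep bypass") || strings.Contains(c, "-executionpolicy bypass")
	return hidden && bypass
}

// findStagerChains returns the PID of every powershell.exe that was started by
// cmd.exe with hidden/bypass switches and then spawned csc.exe, i.e. the
// cmd.exe -> powershell.exe -> csc.exe sequence the report recommends alerting on.
func findStagerChains(events []ProcEvent) []int {
	byPID := make(map[int]ProcEvent, len(events))
	for _, e := range events {
		byPID[e.PID] = e
	}
	seen := map[int]bool{}
	var hits []int
	for _, e := range events {
		if !strings.EqualFold(e.Image, "csc.exe") {
			continue
		}
		ps, ok := byPID[e.PPID]
		if !ok || !strings.EqualFold(ps.Image, "powershell.exe") || !isHiddenBypass(ps.CmdLine) {
			continue
		}
		parent, ok := byPID[ps.PPID]
		if !ok || !strings.EqualFold(parent.Image, "cmd.exe") || seen[ps.PID] {
			continue
		}
		seen[ps.PID] = true
		hits = append(hits, ps.PID)
	}
	return hits
}

// sampleEvents: a constructed malicious chain (PIDs 100-300) beside a
// constructed benign build (PIDs 400-600) that also ends in csc.exe.
var sampleEvents = []ProcEvent{
	{100, 1, "cmd.exe", `cmd.exe /c "C:\Users\user\Downloads\2026REQUEST_FOR_QUOTE.bat"`},
	{200, 100, "powershell.exe", `powershell -n^o^p -^w H^i^d^d^e^n -ep Bypass -File C:\Users\user\AppData\Local\Temp\TERROR.ps1`},
	{300, 200, "csc.exe", `csc.exe /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\example.cmdline"`},
	{400, 1, "cmd.exe", `cmd.exe /c build.bat`},
	{500, 400, "powershell.exe", `powershell -NoProfile -File build.ps1`},
	{600, 500, "csc.exe", `csc.exe /noconfig @build.rsp`},
}

func main() {
	fmt.Println("suspicious powershell PIDs:", findStagerChains(sampleEvents))
}
```

The matcher keys on the PowerShell process rather than on csc.exe alone, so a single stager that compiles several helper classes produces one alert, and the benign chain (no hidden window, no policy bypass) is left alone.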
Closing Notes
The core risk in this campaign is not the technical sophistication of the malware itself — it is the combination of convincing delivery, multi-layer obfuscation, and fully in-memory operation that makes the malicious activity invisible to conventional controls.
The final payload (Phantom Stealer) is an actively maintained commercial product with multiple redundant exfiltration channels. Even if the SMTP channel is blocked, the actor retains exfiltration capability via Telegram and Discord — protocols that are rarely blocked in corporate environments.
The two highest-impact immediate actions are blocking the actor's network infrastructure (mail.wwvvinc[.]com) and hunting for persistence artifacts on disk. These actions directly identify already-compromised systems and prevent further exfiltration.
The actor is actively maintaining this campaign under the Phantom Softwares brand. New lures and recompiled samples with updated hashes should be expected.
Immediate next steps and owners:
Network/Firewall team: Block mail.wwvvinc[.]com, 31.222.235[.]198:587, and icanhazip.com.
Endpoint/EDR team: Hunt for invest.bat in AppData, registry persistence keys, explorer.exe with outbound SMTP traffic.
Threat Intel team: Submit hashes to threat intelligence platforms, monitor Phantom Softwares infrastructure.
Email Security team: Update gateway rules for RAR archives containing executable/batch content.
Appendices
Appendix A — Sample Information
| Field | Value |
|---|---|
| File Name | 56HhO_1y / 2026REQUEST_FOR_QUOTE.bat |
| File Type | RAR Archive (v5) containing a Windows Batch file |
| MIME Type | application/x-rar |
| MD5 (RAR) | C98C1CCC3B7FBE9A65854074DC1DADB4 |
| SHA1 (RAR) | 82507768D991A4C52C392090A4F4B7937F9E3722 |
| SHA256 (RAR) | 9CDD292D53B880A828E2AA398A76974E46AF61255003C60FA474624BEBDBA302 |
| MD5 (BAT) | 8FC8DCB0A62E4D640CAE10ACE329E982 |
| SHA256 (BAT) | 9E0D3A2C34AF11934297080F6B52D46EE8466AACE76122077F548ACA81075EB5 |
| SHA256 (TERROR.ps1) | 002AFEE0E04CB5490CA8BD538C9663F44724D5DA0B13ED25564E5BB133FA92EE |
| SHA256 (Compiled DLL) | 449D54AE9CB3DFF7DA26CFE950BC236308C3F93D946A07434056B81A30FC7001 |
| Compressed Size | 784,682 bytes |
| Uncompressed Size | 1,133,988 bytes |
| Analysis Date | April 22, 2026 — 11:21:46 UTC |
| OS Target | Windows 10 Professional (Build 19044, 64-bit) |
| Language | C# |
| Tags | arch-exec susp-powershell api-base64 phantom-stealer evasion donutloader loader |
Appendix B — Process Tree (ANY.RUN)
| PID | Process | Role |
|---|---|---|
| 1684 | WinRAR.exe | Extracts the RAR archive |
| 6804 | notepad++.exe | Opens the BAT for inspection (user action) |
| 8188 | cmd.exe | Initial execution of the BAT |
| 7836 | cmd.exe | BAT re-launch (minimized, self-restart) |
| 3136 | attrib.exe | Hides invest.bat |
| 7532/7944/7996/6912 | reg.exe | Registry persistence & COM hijack |
| 5116 | powershell.exe | Decodes Base64 blob → TERROR.ps1 |
| 2680 | powershell.exe | Executes TERROR.ps1, decrypts & injects DonutLoader |
| 3580 | csc.exe | Compiles EVOLUTION C# injection class |
| 4696 | explorer.exe | Injection target — PHANTOM stealer runs here |
| 1352/6532 | firefox.exe | Launched by stealer for credential harvesting |
| 4684 | chrome.exe | Launched by stealer for credential harvesting |
| 7588 | msedge.exe | Launched by stealer for credential harvesting |
Appendix C — Payload Decryption Parameters
| Layer | Operation |
|---|---|
| Layer 1 | Base64 decode → raw bytes |
| Layer 2 | XOR all bytes with primary key 0x70 (112) |
| Layer 2b | XOR ciphertext bytes with secondary key k (byte 0 of decoded blob) |
| Layer 3 | AES-256-CBC decryption using SHA256(seed + "cyberm") as key |
XOR Primary Key: 112 (0x70)
XOR Secondary Key (k): 61
AES Key: ef158a3f9349a9bdbe408e206ad8f83fbeb484836edca5745692a6ecabe698bb
AES Salt/Passphrase: "cyberm" (hardcoded)
Decrypted Payload Size: 627,473 bytes
Magic Bytes: E8 52 30 09 → Raw x64 shellcode (E8 = CALL opcode)
Appendix D — Indicators of Compromise (IOC Summary)
File Hashes:
| Type | Value |
|---|---|
| MD5 (RAR) | C98C1CCC3B7FBE9A65854074DC1DADB4 |
| SHA1 (RAR) | 82507768D991A4C52C392090A4F4B7937F9E3722 |
| SHA256 (RAR) | 9CDD292D53B880A828E2AA398A76974E46AF61255003C60FA474624BEBDBA302 |
| MD5 (BAT) | 8FC8DCB0A62E4D640CAE10ACE329E982 |
| SHA256 (BAT) | 9E0D3A2C34AF11934297080F6B52D46EE8466AACE76122077F548ACA81075EB5 |
| SHA256 (TERROR.ps1) | 002AFEE0E04CB5490CA8BD538C9663F44724D5DA0B13ED25564E5BB133FA92EE |
| SHA256 (Compiled DLL) | 449D54AE9CB3DFF7DA26CFE950BC236308C3F93D946A07434056B81A30FC7001 |
Network IOCs:
| Type | Value | Port | Purpose |
|---|---|---|---|
| IP (SMTP exfil) | 31.222.235[.]198 | 587 | SMTP exfiltration endpoint |
| IP (extracted from domain) | 176.202.27[.]216 | — | Additional infrastructure |
| Domain (SMTP) | mail.wwvvinc[.]com | 587 | Exfiltration SMTP relay (Ukraine) |
| URL (IP recon) | http://icanhazip.com/ | 80 | External IP lookup (pre-exfil recon) |
| Telegram | https://t[.]me/Oldphantomoftheopera | — | Operator contact / C2 channel |
| Actor website | https://www.phantomsoftwares[.]site/home | — | Threat actor infrastructure |
| Discord API | https://discord[.]com/api/v9/users/@me | — | Alternative exfiltration channel |
Registry IOCs:
| Key | Value |
|---|---|
| HKCU\...\RunOnce → PUBLISHER | cmd.exe /c "...\invest.bat" |
| HKCU\...\CLSID\{C113AACC-AB1A-C43D-00BA-4AF9CAFD7652} | InProcServer32 = rundll32.exe (Apartment) |
File System IOCs:
| Path | Description |
|---|---|
| %APPDATA%\Microsoft\Windows\Templates\invest.bat | Persisted copy of dropper (hidden+system) |
| %TEMP%\GENERATE.tmp | Base64-encoded PS1 blob |
| %TEMP%\TERROR.ps1 | Decoded PowerShell stager |
AV Detections (DonutLoader Shellcode, 5/26):
| Engine | Detection Name |
|---|---|
| Bitdefender | Generic.ShellCode.Donut.Marte.4.F9797FC0 |
| Emsisoft | Generic.ShellCode.Donut.Marte.4.F9797FC0 (B) |
| Avira | TR/W64.Donut.E |
| Trellix | W32/Foxveil!sc |
| Sophos | ATK/DonutLdr-B |
Appendix E — Data Exfiltration Evidence
Files created by the stealer during execution, staged in %TEMP%\463ced3b6253e9d5f42ead92ed9486f2\:
| File | Description |
|---|---|
| Chromium_cookies_DESKTOPJGLLJLD_2026-04-22_13.24.12.json | Stolen Chromium cookies |
| Gecko_passwords_DESKTOPJGLLJLD_2026-04-22_13.24.14.txt | Stolen Firefox passwords |
| Gecko_cookies_DESKTOP-JGLLJLD_2026-04-22_13.24.14.json | Stolen Firefox cookies |
| DESKTOPJGLLJLD_20260422_132438.png | Screenshot taken by the stealer |
Appendix F — Revision History
| Date | Description |
|---|---|
| 2026-04-22 | Initial version — dynamic analysis in ANY.RUN |
| 2026-04-22 | Static analysis of BAT — obfuscation stage identification |
| 2026-04-23 | Base64 blob decoding → TERROR.ps1 |
| 2026-04-24 | Reverse-engineering of decryption routine — Go script |
| 2026-04-25 | DonutLoader shellcode identification — OPSWAT Metadefender |
| 2026-04-26 | String extraction via Cutter — Phantom Stealer identification |
| 2026-04-29 | Final version — complete report with IOCs and recommendations |