Dark Reading
Fileless Phantom Stealer Targets Browser Credentials
In addition to executing entirely in memory, the malware's infection chain incorporates other anti-analysis techniques designed to frustrate detection.
Jai Vijayan, Contributing Writer
June 16, 2026
A threat actor is targeting banks and other high-value organizations in a phishing campaign to deliver Phantom Stealer, a credential and session-stealing malware designed to evade conventional endpoint defenses.
What makes the campaign concerning, according to researchers at Fortra, is the adversary's use of heavily obfuscated, fileless techniques: the stealer is staged and executed in memory rather than written to disk, which leaves little for file-based detection to inspect.
Credential Theft at Scale
"The actor's primary objective is the silent theft of browser credentials, session cookies, and financial data, with exfiltration through four parallel channels (Telegram, Discord, FTP, SMTP) for redundancy," Fortra said in a report this week. "The combination of targeted phishing delivery, advanced evasion techniques, broad credential harvesting capabilities, and a resilient multi-channel exfiltration infrastructure places this threat in the high-severity category," the security vendor warned.
Phantom Stealer is a malware-as-a-service (MaaS) offering available to cybercriminals on a subscription basis for between $70 and $240. In addition to stealing credentials and session cookies stored in major browsers including Chrome, Firefox, and Edge, the malware can capture financial data, cryptocurrency wallet information, keystrokes, screenshots, and clipboard contents. Because Phantom Stealer runs entirely in memory, it leaves no payload on disk for signature-based malware detection tools to match against, Fortra said.
An Insidious Dropper
The Phantom Stealer attacks that Fortra observed are ongoing. They typically begin with a phishing email containing what appears to be a legitimate business document, such as a request for quotation. If a victim opens the attachment, a heavily obfuscated batch file launches a multistage infection chain that ultimately injects Phantom Stealer into the legitimate Windows Explorer process.
In addition to executing entirely in memory, the Phantom Stealer infection chain incorporates other anti-analysis techniques designed to frustrate detection and malware analysis, Fortra said. These include obfuscated PowerShell commands, disguised API calls, hidden Unicode characters, and Base64-encoded strings for obscuring commands, file names, and other data within the malware.
Phantom Stealer's dropper is particularly notable because of its layered composition, which significantly hinders visibility into what the code is actually doing, says Aranzazu Mendez Casillas, a researcher with Fortra. "What makes this specific case unique is how the dropper was composed," Casillas says in comments to Dark Reading. "It wasn't simply Base64, it was Base64 + XOR + donut. This means the attackers aren't focusing on the malware per se, but on the dropper, which means at the moment of analysis, researchers won't have a clear view of what's actually happening."
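To make the layering concrete, here is an added Python example (not Phantom Stealer's code and not from the Fortra report) that rebuilds the two outer layers Casillas describes, Base64 over XOR, from a constructed plaintext and then peels them the way an analyst would. The XOR key (0x5A), the stage-2 command line, and the zero-width padding are all assumptions made for the demonstration; the donut layer beneath, which produces position-independent shellcode, is out of scope here.

```python
import base64
import unicodedata
from typing import Optional

# Added example, not Phantom Stealer's code: a two-layer (Base64 + XOR)
# dropper blob is rebuilt from a constructed plaintext and then peeled the
# way an analyst would. The key (0x5A), the next-stage command line and the
# zero-width padding are all assumptions made for the demonstration.


def strip_invisible(s: str) -> str:
    """Drop Unicode format characters (category Cf: zero-width space and
    joiner, BOM, soft hyphen, ...) that obfuscators scatter through a blob.
    base64.b64decode() rejects a str containing non-ASCII, so a blob padded
    this way fails to decode until it is cleaned."""
    return "".join(ch for ch in s if unicodedata.category(ch) != "Cf")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key; XOR is its own inverse."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def build_sample_blob(plaintext: bytes, key: bytes) -> str:
    """Constructed obfuscator: XOR, then Base64, then a zero-width space
    after every seven characters so the result no longer looks like
    clean Base64 to a naive regex."""
    encoded = base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")
    return "\u200b".join(encoded[i:i + 7] for i in range(0, len(encoded), 7))


def peel_layers(blob: str, key: bytes) -> bytes:
    """Reverse the two outer layers: clean, Base64-decode, XOR."""
    return xor_bytes(base64.b64decode(strip_invisible(blob)), key)


def recover_single_byte_key(blob: str, known_prefix: bytes) -> Optional[int]:
    """When the XOR key is a single byte (an assumption for this example),
    recover it from a prefix the next stage is expected to start with,
    e.g. b'MZ' for a PE image or b'powershell' for a command line."""
    raw = base64.b64decode(strip_invisible(blob))
    for k in range(256):
        if xor_bytes(raw[:len(known_prefix)], bytes([k])) == known_prefix:
            return k
    return None


if __name__ == "__main__":
    # Constructed stage-2 command line; the encoded argument is a placeholder.
    stage2 = b"powershell -nop -w hidden -enc <STAGE3_BASE64>"
    blob = build_sample_blob(stage2, b"\x5a")
    print("blob   :", blob)
    key = recover_single_byte_key(blob, b"powershell")
    print("key    : 0x%02x" % key)
    print("stage 2:", peel_layers(blob, bytes([key])).decode())
```

The point of the known-prefix step is that each peeled layer should yield something recognisable (a PowerShell command line, a PE header, a known loader stub); when it does not, either the key is longer than one byte or there is another layer, which is exactly the uncertainty the layered dropper is built to create.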
Once Phantom Stealer is injected into the Windows Explorer process, it gains full access to saved passwords and credentials in the browser, as well as to session cookies, autofill data, password managers, software-as-a-service (SaaS) tools, and online banking systems. It can also take screenshots of the user's desktop and maintain persistence through system reboots. "A single Phantom Stealer session on a banking endpoint can exfiltrate credentials with access to transfer systems, customer data, or network administrator credentials," Fortra said. "Since the stealer operates as MaaS, exfiltrated logs may be sold or used directly by multiple actors." In addition, the fact that Phantom Stealer is a MaaS offering means its authors actively maintain and update the malware while also making it available to multiple threat actors, Fortra said.
Researchers at Group-IB who are also tracking the Phantom Stealer threat have previously described it as an example of malware that allows cybercriminals to scale credential theft activity. Between November 2025 and January 2026, Group-IB tracked a sustained Phantom Stealer campaign that targeted logistics, manufacturing, and technology organizations in Europe.
Browsers are the New Endpoint
The Phantom Stealer campaign is another indication of how browsers have become the new endpoint for attackers looking to steal credentials, authentication tokens, and critical business data. Much of that is because browsers have become the primary gateway for enterprises to SaaS platforms, cloud apps, banking systems, and other critical applications. Modern browsers also store a wealth of information that is useful to cybercriminals, making them a high-value target for attackers.
Fortra has provided indicators of compromise and other detection details organizations can use to protect against the Phantom Stealer threat. In addition, Casillas advises that organizations look beyond signature-based tools for detecting such threats. "Organizations need to prioritize deploying behavior-based AV/EDR," Casillas notes. "This will allow them to scan for suspicious behaviors like abnormal command lines or env creations."
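As an added example, not Fortra's detection content or the indicators it published, the following Python sketch applies two of the behavioural signals this article points to: PowerShell launched from a batch file with an abnormal command line (the dropper stage), and explorer.exe reaching the four exfiltration services named in the Fortra report (Telegram, Discord, FTP, SMTP). The events are constructed Sysmon-style records, and the hostnames, ports and paths are this example's assumptions about how those channels look on the wire.

```python
import re
from typing import Dict, List, Tuple

Event = Dict[str, object]

# Added example, not Fortra's detection content. The events below are
# constructed Sysmon-style records (process creation and network
# connection) that mimic the chain described in the article; paths,
# hostnames and ports are assumptions for the demonstration.
SAMPLE_EVENTS: List[Event] = [
    {"type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": r'cmd.exe /c "C:\Users\u\Downloads\RFQ-0616.bat"'},
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + "Q" * 40},
    {"type": "network_connect", "image": r"C:\Windows\explorer.exe",
     "dest_host": "api.telegram.org", "dest_port": 443},
    {"type": "network_connect", "image": r"C:\Windows\explorer.exe",
     "dest_host": "203.0.113.10", "dest_port": 21},
    # Benign controls: a scheduled script and ordinary explorer.exe traffic.
    {"type": "process_create",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"type": "network_connect", "image": r"C:\Windows\explorer.exe",
     "dest_host": "www.msn.com", "dest_port": 443},
]

# Command-line traits that are rare in administrative use and common in
# droppers: an encoded command, a hidden window, in-memory decode/execute,
# an XOR loop.
SUSPICIOUS_PS_ARGS = re.compile(
    r"(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}"
    r"|-w(?:indowstyle)?\s+hidden"
    r"|FromBase64String|Invoke-Expression|\bIEX\b|-bxor",
    re.IGNORECASE,
)

# The four exfiltration channels Fortra lists: Telegram and Discord are
# recognised by hostname, FTP and SMTP by destination port.
EXFIL_HOSTS = [
    ("telegram", re.compile(r"(?:^|\.)api\.telegram\.org$", re.IGNORECASE)),
    ("discord", re.compile(r"(?:^|\.)discord(?:app)?\.com$", re.IGNORECASE)),
]
EXFIL_PORTS = {21: "ftp", 25: "smtp", 465: "smtp", 587: "smtp"}


def image_name(path: object) -> str:
    """Basename of a Windows image path, lower-cased."""
    return str(path).replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process(ev: Event) -> List[str]:
    """Rules for process-creation events."""
    hits: List[str] = []
    if image_name(ev["image"]) in ("powershell.exe", "pwsh.exe"):
        if SUSPICIOUS_PS_ARGS.search(str(ev.get("cmdline", ""))):
            hits.append("powershell_obfuscated_args")
        if image_name(ev.get("parent", "")) == "cmd.exe":
            hits.append("powershell_spawned_by_batch")
    return hits


def check_network(ev: Event) -> List[str]:
    """Rules for network events: explorer.exe reaching an exfil service.
    explorer.exe does talk to Microsoft services, so the rule keys on the
    destination, never on the mere fact of egress."""
    hits: List[str] = []
    if image_name(ev["image"]) != "explorer.exe":
        return hits
    host = str(ev.get("dest_host") or "")
    for name, pattern in EXFIL_HOSTS:
        if pattern.search(host):
            hits.append("explorer_egress_" + name)
    port = ev.get("dest_port")
    if port in EXFIL_PORTS:
        hits.append("explorer_egress_" + EXFIL_PORTS[port])
    return hits


def evaluate(events: List[Event]) -> List[Tuple[int, str]]:
    """Run every event through the rule set; return (event index, rule)."""
    alerts: List[Tuple[int, str]] = []
    for i, ev in enumerate(events):
        check = check_process if ev["type"] == "process_create" else check_network
        alerts.extend((i, rule) for rule in check(ev))
    return alerts


if __name__ == "__main__":
    for idx, rule in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

Two caveats a practitioner would apply before deploying anything like this: batch-launched PowerShell also appears in legitimate logon scripts, so "powershell_spawned_by_batch" is a signal to correlate with the others rather than an alert on its own; and the Telegram and Discord hostnames are the API endpoints, so the rule should sit on proxy or DNS telemetry that exposes the name, since TLS on port 443 alone tells the sensor nothing about which service explorer.exe reached.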
About the Author
Jai Vijayan
Contributing Writer
Illinois-based Jai Vijayan is a veteran, award-winning technology journalist with more than 25 years of experience covering cybersecurity. His information security reporting has explored everything from ransomware, nation-state threats, and identity security to AI risk, critical infrastructure protection, software supply chain security, cloud security and emerging enterprise technologies.
Over the course of his career, Jai has written news stories, feature articles, survey reports, white papers, and e-books for enterprise and technology audiences. He has also moderated panel discussions and executive roundtables featuring CISOs, security researchers, and industry leaders.
Jai previously served as senior editor at Computerworld, where he covered information security and data-privacy issues. His work has also appeared in CSO Online, InformationWeek, The Christian Science Monitor Passcode, The Economic Times, and other publications.
His work has earned multiple industry honors, including a Joint ASBPE Excellence Award for Best Coverage of Government IT, and a Joint Jesse H. Neal Award for wireless LAN security coverage. Jai holds a Master’s degree in statistics from Bangalore University, and studied broadcasting and electronic communication at Marquette University in Milwaukee.