Industry News & Leadership · Jun 17, 2026

Fileless Phantom Stealer Targets Browser Credentials

Dark Reading · Archived Jun 17, 2026

In addition to executing entirely in memory, the malware's infection chain incorporates other anti-analysis techniques designed to frustrate detection.



Jai Vijayan, Contributing Writer · June 16, 2026

A threat actor is targeting banks and other high-value organizations in a phishing campaign to deliver Phantom Stealer, a credential- and session-stealing malware designed to evade conventional endpoint defenses.

What makes the campaign concerning, according to researchers at Fortra, is the adversary's use of heavily obfuscated, fileless techniques to complicate detection and enable the malware to execute largely in memory.

Credential Theft at Scale

"The actor's primary objective is the silent theft of browser credentials, session cookies, and financial data, with exfiltration through four parallel channels (Telegram, Discord, FTP, SMTP) for redundancy," Fortra said in a report this week. "The combination of targeted phishing delivery, advanced evasion techniques, broad credential harvesting capabilities, and a resilient multi-channel exfiltration infrastructure places this threat in the high-severity category," the security vendor warned.

Phantom Stealer is a malware-as-a-service (MaaS) offering available to cybercriminals on a subscription basis for between $70 and $240. In addition to stealing credentials and session cookies stored in major browsers, including Chrome, Firefox, and Edge, the malware can also capture financial data, cryptocurrency wallet information, keystrokes, screenshots, and clipboard contents. Phantom Stealer runs entirely in memory, making it all but invisible to signature-based malware detection tools, Fortra said.

An Insidious Dropper

The Phantom Stealer attacks that Fortra observed are ongoing. They typically begin with a phishing email containing what appears to be a legitimate business document, such as a request for quotation. If a victim opens the attachment, a heavily obfuscated batch file launches a multistage infection chain that ultimately injects Phantom Stealer into the legitimate Windows Explorer process.

In addition to executing entirely in memory, the Phantom Stealer infection chain incorporates other anti-analysis techniques designed to frustrate detection and malware analysis, Fortra said. These include obfuscated PowerShell commands, disguised API calls, hidden Unicode characters, and Base64-encoded strings that obscure commands, file names, and other data within the malware.

Phantom Stealer's dropper is particularly notable because of its layered composition, which significantly hinders visibility into what the code is actually doing, says Aranzazu Mendez Casillas, a researcher with Fortra.

"What makes this specific case unique is how the dropper was composed," Casillas says in comments to Dark Reading. "It wasn't simply Base64, it was Base64 + XOR + donut. This means the attackers aren't focusing on the malware per se, but on the dropper, which means at the moment of analysis, researchers won't have a clear view of what's actually happening."

Once Phantom Stealer is injected into the Windows Explorer process, it gains full access to saved passwords and credentials in the browser, as well as to session cookies, autofill data, password managers, software-as-a-service (SaaS) tools, and online banking systems. It can also take screenshots of the user's desktop and maintain persistence through system reboots.

"A single Phantom Stealer session on a banking endpoint can exfiltrate credentials with access to transfer systems, customer data, or network administrator credentials," Fortra said. "Since the stealer operates as MaaS, exfiltrated logs may be sold or used directly by multiple actors."

In addition, the fact that Phantom Stealer is a MaaS offering means its authors actively maintain and update the malware while also making it available to multiple threat actors, Fortra said.

Researchers at Group-IB, who are also tracking the Phantom Stealer threat, have previously described it as an example of malware that allows cybercriminals to scale credential theft activity. Between November 2025 and January 2026, Group-IB tracked a sustained Phantom Stealer campaign that targeted logistics, manufacturing, and technology organizations in Europe.

Browsers Are the New Endpoint

The Phantom Stealer campaign is another indication of how browsers have become the new endpoint for attackers looking to steal credentials, authentication tokens, and critical business data. Much of this has to do with how browsers have become the primary gateway for enterprises to SaaS platforms, cloud apps, banking systems, and other critical applications. Modern browsers also store a wealth of information of value to cybercriminals, making them a high-value target for attackers.

Fortra has provided indicators of compromise and other telemetry organizations can use to protect against the Phantom Stealer threat. In addition, Casillas advises that organizations look beyond signature-based tools for detecting such threats.

"Organizations need to prioritize deploying behavior-based AV/EDR," he notes. "This will allow them to scan for suspicious behaviors like abnormal command lines or env creations."
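Casillas's closing advice is to hunt for the behaviours of the infection chain rather than for file signatures. The script below is an added example, not Fortra's or Dark Reading's code, and runs over a constructed set of process-creation events (invented here, not real telemetry or Phantom Stealer artifacts): it flags a script host spawned by a mail or Office process, a batch file launched from such a process, an encoded PowerShell command (decoded for the analyst), and invisible Unicode format characters hidden in a command line.

```python
import base64
import re
import unicodedata

USER_FACING = {"outlook.exe", "winword.exe", "excel.exe", "chrome.exe", "msedge.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
ENC_FLAG = re.compile(r"(?i)\s-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")

def _enc(script):  # builds a benign -EncodedCommand argument for the sample data
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed events (parent image, child image, child command line); not real telemetry.
SAMPLE_EVENTS = [
    ("outlook.exe", "cmd.exe", 'cmd.exe /c "C:\\Users\\u\\AppData\\Local\\Temp\\RFQ-2026.bat"'),
    ("cmd.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc " + _enc("Write-Host test")),
    ("explorer.exe", "powershell.exe", "powershell.exe -File C:\\scripts\\inven\u200btory.ps1"),
    ("explorer.exe", "winword.exe", '"C:\\Program Files\\Office\\winword.exe" /n'),
]

def hidden_unicode(text):
    """Invisible format characters (Unicode category Cf: zero-width, bidi overrides)."""
    return [c for c in text if unicodedata.category(c) == "Cf"]

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand argument (Base64 of UTF-16LE) or return None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_event(parent, image, cmdline):
    """Behavioural findings for one event; an empty list means nothing suspicious."""
    findings = []
    if parent.lower() in USER_FACING and image.lower() in SCRIPT_HOSTS:
        findings.append("script host spawned by a mail, Office or browser process")
        if re.search(r"(?i)\.bat\b", cmdline):
            findings.append("batch file launched from an attachment-handling app")
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.append(f"encoded PowerShell command, decodes to {decoded!r}")
    if hidden := hidden_unicode(cmdline):
        findings.append("hidden Unicode characters " + str([hex(ord(c)) for c in hidden]))
    return findings

def triage(events):  # event index -> findings, for events that raised at least one
    return {i: f for i, (p, c, cl) in enumerate(events) if (f := analyze_event(p, c, cl))}
```

A real deployment would feed it Sysmon Event ID 1 or EDR process-start records and tune the parent/child sets to the environment.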