In a digital landscape often obsessed with the “newest” and “most sophisticated” zero-day exploits, a new report from Intrinsec highlights a stark reality: sometimes, the old tricks are the most dangerous. Researchers have uncovered a widespread campaign utilizing PhantomVAI, a custom loader built on the bones of a decade-old hacking utility, effectively turning digital nostalgia into a modern nightmare.
The report details how this loader is being used in worldwide campaigns to deliver a variety of payloads, proving that malware authors are increasingly recycling and refining proven code to bypass modern defenses.
“PhantomVAI: custom loader built on an old RunPE utility used in worldwide campaigns” — Intrinsec Report
One of the most peculiar findings in the analysis is the loader’s DNA. Deep within its code structure, researchers identified the namespace Hackforums.gigajew. This fingerprint points back to an old “RunPE” (Run Portable Executable) utility that circulated on hacking forums years ago.
RunPE tools are designed to hollow out legitimate processes and inject malicious code, a technique known as process hollowing. By repurposing this legacy framework, the operators behind PhantomVAI have created a stable and effective delivery vehicle that hides behind the noise of legitimate system activity.
The report identifies a core component of the infection chain dubbed Mandark (specifically x64.load). This component is responsible for the heavy lifting—preparing the victim’s environment and executing the final payload.
A key evasion tactic described in the report is “Windows Task Scheduler masquerading.” By mimicking the behavior and appearance of the legitimate Windows Task Scheduler, PhantomVAI attempts to blend in with standard administrative processes, making it difficult for security teams to distinguish between routine maintenance and active compromise.
The global reach of these campaigns suggests a broad targeting strategy, often delivering infostealers capable of harvesting browser data and credentials. Intrinsec’s analysis emphasizes that while the code base may be old, the threat is current and requires proactive defense measures.
The report advises organizations to focus on identity protection and network visibility to counter this threat:
“Enable multi-factor authentication (MFA) for browser-related accounts to mitigate credential theft.” — Intrinsec Report
Furthermore, because loaders like PhantomVAI eventually need to “phone home” or fetch additional payloads, network monitoring remains a critical line of defense.
“Set up network monitoring to identify unusual or unauthorized outbound connections, particularly to known Command and Control (C2) servers.” — Intrinsec Report
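As an added illustration of the report's two defensive recommendations (this is example code, not Intrinsec's), the following Python script applies both checks to a few constructed telemetry lines: it flags outbound connections from a host that go to external destinations not on an egress allowlist or that match a hypothetical C2 watchlist, and it flags a process whose image name belongs to a Windows system binary but runs from outside System32, a simple form of the masquerading the report describes. The paths, addresses, watchlist and allowlist are all assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample telemetry: "<image path> <destination ip> <port>".
# Values are made up for this example and are not indicators from the report.
SAMPLE_EVENTS = [
    "C:\\Windows\\System32\\svchost.exe 10.0.0.5 443",
    "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe 203.0.113.44 8080",
    "C:\\Windows\\System32\\schtasks.exe 10.0.0.7 445",
    "C:\\Users\\alice\\Downloads\\schtasks.exe 198.51.100.9 443",
    "C:\\Program Files\\Browser\\browser.exe 192.0.2.10 443",
]

# Hypothetical C2 watchlist (TEST-NET placeholder address).
C2_WATCHLIST = {"203.0.113.44"}
# Internal ranges treated as expected destinations.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Images that are allowed to talk to the Internet directly (assumption).
ALLOWED_EGRESS = {"browser.exe"}
# System binaries a loader might impersonate; they belong under System32.
SYSTEM_IMAGES = {"svchost.exe", "schtasks.exe", "taskhostw.exe"}
EXPECTED_DIR = "c:\\windows\\system32\\"


@dataclass
class Finding:
    reason: str
    event: str


def analyze(events):
    """Return one Finding per suspicious property of each telemetry line."""
    findings = []
    for line in events:
        path, dst, _port = line.rsplit(" ", 2)
        image = path.rsplit("\\", 1)[-1].lower()
        # Masquerading check: a system image name executing outside System32.
        if image in SYSTEM_IMAGES and not path.lower().startswith(EXPECTED_DIR):
            findings.append(Finding("system image name from unexpected path", line))
        # Egress checks: known C2 first, then any external destination from
        # an image that has no business making direct outbound connections.
        addr = ipaddress.ip_address(dst)
        if dst in C2_WATCHLIST:
            findings.append(Finding("destination on C2 watchlist", line))
        elif not any(addr in net for net in INTERNAL_NETS) and image not in ALLOWED_EGRESS:
            findings.append(Finding("unexpected outbound connection", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.reason}] {f.event}")
```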