A new variant of the Phantom information stealer has emerged in the wild, masquerading as a routine software update to trick users into handing over their digital lives. Analysis from K7 Security Labs details how the malware, now in version 3.5, utilizes a fake “Adobe 11.7.7 installer” to bypass suspicion and deploy a sophisticated data extraction toolkit.
First detected in late October 2025, this campaign highlights the persistent danger of downloading software from unverified sources. As the researchers note, “With the increased use and vast amount of files that are available on the internet, most oblivious users fail to differentiate between safe and malicious content they are downloading”.
The attack vector is deceptively simple: a file named Adobe 11.7.7 installer.xml. While the name suggests a legitimate patch, the version number is fictitious—a telltale sign for the observant, but easily missed by the hasty.
“It all starts with a file ‘Adobe 11.7.7 installer’ which in our case is obviously a fake name,” the report states.

Despite its name, this is not a standard executable. It is an obfuscated XML file with embedded JavaScript. When a user runs it, the script triggers a PowerShell process that quietly reaches out to a malicious domain (positivepay-messages[.]com) to download the actual payload components, including the core stealer binary.
Once established on a victim’s machine, Phantom v3.5 acts as a comprehensive digital vacuum. It targets a wide array of sensitive applications, aiming to strip the host of its most valuable credentials.
According to the analysis, “Phantom, a stealer malware, sends back sensitive data like passwords, browser cookies, credit card information, crypto wallet credentials, victim’s IP addresses, etc to the attacker”.
The malware targets:
- Web Browsers: Harvesting login data and session cookies.
- Cryptocurrency Wallets: Stealing keys and funds.
- Identity Data: Collecting IP addresses and system information.
This stolen data can be weaponized immediately for financial theft or sold on the dark web for “identity theft, account takeovers or even worse the infected machine can be used as a tool to orchestrate bigger malware attacks”.
Unlike many modern stealers that use Telegram bots or dedicated Command-and-Control (C2) panels for data exfiltration, Phantom utilizes the Simple Mail Transfer Protocol (SMTP) to email the stolen goods directly to the attackers.
The malware contains configuration settings to facilitate this, but the developers made a slight effort to hide their tracks. “The SMTP credentials are stored into a base64 encoded value and hardcoded into a variable,” the report explains. Code analysis reveals routines specifically designed to decrypt the SMTP server, sender, and password details at runtime to establish the connection.
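Because the SMTP settings are stored as base64 in a hardcoded variable, they can often be surfaced during static triage before the sample is ever run. The following Python snippet is an added example, not code from K7's report or from the malware; the string dump, hostname, address and credential it scans are constructed placeholders.

```python
import base64
import re

# Constructed stand-in for strings dumped from a stealer binary. The base64
# blobs encode made-up SMTP settings and are not real indicators.
SAMPLE = b"""
LoadLibraryA
c210cC5leGFtcGxlLWV4ZmlsLnRlc3Q=
NTg3
ZXhmaWxAZXhhbXBsZS1leGZpbC50ZXN0
cGxhY2Vob2xkZXI=
GetProcAddress
aGVsbG8=
"""

B64_RE = re.compile(rb"[A-Za-z0-9+/]{4,}={0,2}")
EMAIL_RE = re.compile(r"^[\w.+-]+@[\w-]+(\.[\w-]+)+$")
HOST_RE = re.compile(r"^(smtp|mail)[\w.-]*\.[a-z]{2,}$", re.I)
SMTP_PORTS = {"25", "465", "587", "2525"}

def decode_candidates(blob: bytes):
    """Yield decoded text for every base64 run that decodes to printable ASCII."""
    for m in B64_RE.finditer(blob):
        try:
            dec = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # wrong length or padding: not base64
            continue
        if dec and all(32 <= b < 127 for b in dec):
            yield dec.decode("ascii")

def classify(text: str):
    """Label a decoded string if it looks like part of an SMTP configuration."""
    if HOST_RE.match(text):
        return "smtp_host"
    if text in SMTP_PORTS:
        return "smtp_port"
    if EMAIL_RE.match(text):
        return "email_address"
    return None

def find_smtp_config(blob: bytes) -> dict:
    """Collect SMTP-looking values; flag the blob when host and address co-occur."""
    hits = {"other": []}
    for dec in decode_candidates(blob):
        kind = classify(dec)
        if kind:
            hits[kind] = dec
        else:
            hits["other"].append(dec)   # e.g. a password with no fixed shape
    hits["likely_smtp_exfil"] = "smtp_host" in hits and "email_address" in hits
    return hits
```

Run against output from `strings` on a suspect file; a host plus a sender address in the same sample is a strong hint that exfiltration goes out over SMTP rather than to a C2 panel.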
The emergence of Phantom v3.5 serves as a stark reminder to verify the authenticity of all software installers. Users are advised to download updates only from official vendor websites and to be skeptical of version numbers or file types (such as .xml or scripts) that claim to be installers.