Overview of the XLoader-to-Phantom Stealer delivery chain | Image: Manoj Kshirsagar
A sophisticated new malware campaign is turning the trust of legitimate software against users, weaponizing a signed Java utility to deliver a potent information stealer. Threat researcher Manoj Kshirsagar has uncovered a multi-stage attack that uses a fake DHL invoice as a lure to deploy Phantom Stealer v3.5.0, a modular .NET-based malware designed to harvest sensitive credentials.
The discovery highlights a dangerous evolution in how attackers are bypassing traditional defenses, using a technique known as DLL sideloading to hide their malicious code inside trusted applications.
The attack begins with a classic social engineering hook: a spam email masquerading as a DHL invoice. The email urges the recipient to open a ZIP attachment, ostensibly to view the document.
However, inside the archive lies a trap. The ZIP contains a legitimate, signed Java utility called jdeps.exe, which the attackers have renamed to DHL-INVOICE.exe. Alongside it sits a malicious file named jli.dll.
When the user clicks the “invoice,” they unknowingly launch the trusted Java application. But because Windows checks the application’s own directory before the system directories when resolving a DLL name, the launcher picks up the malicious jli.dll sitting next to it instead of the real one.
As Kshirsagar explains in the report: “Execution is achieved through DLL sideloading, allowing the trusted Java launcher to load the malicious DLL and transfer execution to the XLoader”.
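The pairing described above (a renamed signed launcher next to a DLL it expects to find beside itself) is a shape a mail gateway or sandbox can triage before anything runs. The following is an added example, not code from the report: it inspects a ZIP attachment and flags every executable that shares a folder with a DLL, marking the jli.dll name from the report and lure-style executable names. The sample archives are constructed with placeholder bytes, and the word lists and the set of sideload-prone DLLs are assumptions a defender would extend from their own telemetry.

```python
"""Triage of e-mail ZIP attachments for DLL-sideloading bundles.

Added example; it is not code from the report. It flags archives that place an
.exe next to a .dll in the same folder, the shape of the DHL-INVOICE.exe plus
jli.dll pair described above. The sample archives are constructed here with
placeholder bytes, not real binaries.
"""
import io
import posixpath
import zipfile

# DLL names that trusted launchers resolve from their own directory.
# jli.dll is the Java launcher library named in the report; a defender would
# extend this set from their own telemetry (assumption).
SIDELOAD_PRONE_DLLS = {"jli.dll"}

# Words attackers use to make an executable look like a document (assumption).
LURE_WORDS = ("invoice", "receipt", "statement", "payment")


def _split(entry):
    """Return (directory, lower-cased file name) for an archive entry."""
    directory, name = posixpath.split(entry.replace("\\", "/"))
    return directory, name.lower()


def triage_archive(data):
    """Return one finding per (.exe, .dll) pair that sits in the same folder."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        entries = [n for n in zf.namelist() if not n.endswith("/")]

    by_dir = {}
    for entry in entries:
        directory, name = _split(entry)
        by_dir.setdefault(directory, []).append(name)

    findings = []
    for directory, names in by_dir.items():
        exes = [n for n in names if n.endswith(".exe")]
        dlls = [n for n in names if n.endswith(".dll")]
        for exe in exes:
            for dll in dlls:
                findings.append({
                    "dir": directory or ".",
                    "exe": exe,
                    "dll": dll,
                    "known_sideload_target": dll in SIDELOAD_PRONE_DLLS,
                    "document_lure_name": any(w in exe for w in LURE_WORDS),
                })
    return findings


def verdict(findings):
    """'block' when a finding matches a known sideload target or a lure name."""
    if any(f["known_sideload_target"] or f["document_lure_name"] for f in findings):
        return "block"
    return "review" if findings else "allow"


def build_sample_archive(malicious=True):
    """Constructed sample archives: the lure layout, or a plain PDF for contrast."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if malicious:
            zf.writestr("DHL-INVOICE.exe", b"MZ placeholder, not a real PE")
            zf.writestr("jli.dll", b"MZ placeholder, not a real PE")
        else:
            zf.writestr("invoice.pdf", b"%PDF-1.4 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        found = triage_archive(build_sample_archive(flag))
        print(verdict(found), found)
```

Any executable-plus-DLL bundle is worth a human look ("review"), since legitimate software is rarely mailed as a bare launcher with its libraries; the two stronger signals on their own push the verdict to "block".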
Once the XLoader (disguised as jli.dll) is active, it begins a complex dance to avoid detection. It uses “obfuscated, state-driven logic” to parse its configuration and decrypt the final payload.
Instead of running the malware directly, the loader uses a technique called Process Hollowing. It spawns a legitimate Microsoft process, AddInProcess32.exe, hollows out its insides, and injects the malicious code.
“The payload is injected via process hollowing into AddInProcess32.exe, enabling execution under a legitimate Microsoft process,” the report notes. This allows the malware to hide in plain sight, appearing to security tools as a standard Microsoft background task.
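Because hollowing starts AddInProcess32.exe from its genuine on-disk image, the child's own path looks normal to a path-based check; what gives the step away is the parent that spawned it and where that parent lives. The following is an added example, not code from the report: a small rule run over process-creation events in the shape of Sysmon Event ID 1 fields. The events are constructed, the 64-bit AddInProcess.exe sibling, the user-writable path fragments and the lure-word list are assumptions a defender would tune against their own baseline.

```python
"""Parent/child detection for the process-hollowing step described above.

Added example; not code from the report. Events are constructed in the shape
of Sysmon Event ID 1 fields (Image, ParentImage, CommandLine). Hollowing starts
the host from its genuine on-disk image, so the child's own path looks normal;
the signal is who spawned it and from where.
"""
import ntpath

# AddInProcess32.exe is the host named in the report; AddInProcess.exe is the
# 64-bit sibling (assumption a defender would confirm against their baseline).
HOLLOWING_HOSTS = {"addinprocess32.exe", "addinprocess.exe"}

# Path fragments for locations a phishing attachment typically lands in (assumption).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\", "\\temp\\", "\\desktop\\")

# Words that make an executable look like a document lure (assumption).
LURE_WORDS = ("invoice", "receipt", "statement", "payment")


def evaluate(event):
    """Return the list of reasons this event is suspicious (empty if none)."""
    image = ntpath.basename(event["Image"]).lower()
    parent_path = event["ParentImage"].lower()
    parent = ntpath.basename(parent_path)
    reasons = []
    if image not in HOLLOWING_HOSTS:
        return reasons
    if any(frag in parent_path for frag in USER_WRITABLE):
        reasons.append("hollowing host spawned by a parent in a user-writable directory")
    if any(w in parent for w in LURE_WORDS):
        reasons.append("parent executable named like a document lure")
    return reasons


def scan(events):
    """Return [(index, reasons)] for every event that raised at least one reason."""
    alerts = []
    for idx, ev in enumerate(events):
        reasons = evaluate(ev)
        if reasons:
            alerts.append((idx, reasons))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {   # the chain from the report: lure launcher -> hollowed .NET host
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
        "ParentImage": r"C:\Users\alice\Downloads\DHL-INVOICE.exe",
        "CommandLine": "AddInProcess32.exe",
    },
    {   # same host started by an application installed under Program Files
        "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
        "ParentImage": r"C:\Program Files\ExampleVendor\host.exe",
        "CommandLine": "AddInProcess32.exe",
    },
    {   # unrelated process, should never match
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": "notepad.exe",
    },
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_EVENTS):
        print(f"event {idx}: " + "; ".join(reasons))
```

Only the first event fires, on both reasons; the second shows why a blanket rule on the host name alone would be noisy, since legitimate .NET applications do start this process from ordinary install locations.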
The final stage of this intricate chain is Phantom Stealer v3.5.0. This malware is a “modular .NET-based information stealer supporting credential theft and multi-channel data exfiltration”.
The campaign’s reliance on signed binaries and advanced injection techniques marks a significant step up from typical spam runs. Kshirsagar concludes that the operation is “demonstrating a mature and stealth-focused delivery chain” designed to slip past modern endpoint protection.
The report also sheds light on the encryption used to protect the malware’s configuration. The attackers employed AES-256 in CBC mode, with keys derived using PBKDF2, to secure their command-and-control settings. This level of operational security ensures that even if the malware is intercepted, its internal workings remain difficult to analyze without the proper decryption keys.