The PhantomVAI Loader attack chain | Image: Unit 42
Researchers from Palo Alto Networks’ Unit 42 have uncovered a multi-stage phishing campaign delivering a new stealthy loader known as PhantomVAI Loader, which deploys a range of information-stealing malware — including Katz Stealer, AsyncRAT, XWorm, FormBook, and DCRat — across industries worldwide.
“Threat actors wage these campaigns to deliver obfuscated scripts and loaders that use steganography techniques to conceal payloads,” Unit 42 researchers wrote in their report.
Originally dubbed Katz Stealer Loader, this evolving malware has been reclassified due to its growing sophistication and ability to deliver multiple payloads through complex, evasive stages.
The infection chain starts with a phishing email containing a malicious JavaScript or VBS attachment disguised as a sales or legal document.
“The emails contain themes like sales, payments and legal actions to trick targeted users into opening the malicious attachment,” Unit 42 explained.
Some messages even employed homograph attacks, replacing Latin characters with Unicode variants to bypass email defenses.
Once opened, the script decodes a Base64-encoded PowerShell script that downloads a GIF or image file hiding the loader payload via steganography.
“The PowerShell script downloads a GIF or other image file that conceals the loader payload… the text is a Base64-encoded DLL file,” the researchers wrote.
The encoded data, extracted from between markers such as <<sudo_png>> and <<sudo_odt>>, is decoded into the .NET-based PhantomVAI Loader, which then launches the attack’s main stages.
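As an added illustration of the extraction step described above (this is a defender-side triage script written for this article, not Unit 42's code or any part of the loader), the function below scans a downloaded image for text bracketed by the <<sudo_png>> and <<sudo_odt>> markers, Base64-decodes it and checks whether the result carries a PE header. The marker strings come from the article; the sample image bytes and the tiny MZ/PE stub are constructed here.

```python
import base64
import binascii
import re
from typing import Optional

# Markers that bracket the Base64-encoded DLL inside the downloaded image
# (marker strings taken from the article; everything else here is constructed).
START_MARKER = b"<<sudo_png>>"
END_MARKER = b"<<sudo_odt>>"
PAYLOAD_RE = re.compile(re.escape(START_MARKER) + rb"(.*?)" + re.escape(END_MARKER), re.DOTALL)


def extract_embedded_payload(blob: bytes) -> Optional[bytes]:
    """Return the decoded bytes found between the markers, or None if absent/invalid."""
    match = PAYLOAD_RE.search(blob)
    if match is None:
        return None
    encoded = re.sub(rb"\s+", b"", match.group(1))  # tolerate line-wrapped Base64
    try:
        return base64.b64decode(encoded, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' stub whose e_lfanew field points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_offset = int.from_bytes(data[0x3C:0x40], "little")
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"


def triage(blob: bytes) -> dict:
    """Classify a downloaded image: clean, or suspicious with basic facts about the payload."""
    payload = extract_embedded_payload(blob)
    if payload is None:
        return {"verdict": "clean", "payload_len": 0, "is_pe": False}
    return {"verdict": "suspicious", "payload_len": len(payload), "is_pe": looks_like_pe(payload)}


# Constructed sample: a GIF header followed by a marker-wrapped, line-wrapped Base64
# "DLL" (a 84-byte MZ/PE stub, not a real executable), then trailing image bytes.
_FAKE_PE = b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little") + b"PE\x00\x00" + b"\x00" * 16
_B64 = base64.b64encode(_FAKE_PE)
SAMPLE_IMAGE = (b"GIF89a" + b"\x00" * 32 + START_MARKER + b"\r\n"
                + _B64[:40] + b"\r\n" + _B64[40:] + b"\r\n" + END_MARKER + b"\x00" * 8)
BENIGN_IMAGE = b"GIF89a" + b"\x00" * 64

if __name__ == "__main__":
    print(triage(SAMPLE_IMAGE))  # suspicious, is_pe True
    print(triage(BENIGN_IMAGE))  # clean
```

The same marker scan can be run over proxy or sandbox captures of image downloads to flag files that carry executable content regardless of their extension.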
The PhantomVAI Loader, written in C#, is designed for stealth and flexibility. Its “VAI” method performs three core actions:
- Virtual Machine detection (to evade sandboxes and analysis)
- Persistence creation through scheduled tasks and registry keys
- Payload retrieval and process injection
“When PhantomVAI Loader is executed, it performs checks to determine whether it is running on a virtual machine,” the report noted, citing its reliance on open-source GitHub code from VMDetector.
If the loader detects virtualization, it terminates to avoid being analyzed by security researchers. Otherwise, it establishes persistence and injects the final payload into a legitimate process.
“In most cases observed… PhantomVAI Loader injected the payload into the Microsoft Build Engine executable, MSBuild.exe,” Unit 42 observed.
This process hollowing technique allows the malware to execute within a trusted Windows binary, further reducing detection likelihood.
At the core of PhantomVAI’s ecosystem lies Katz Stealer, a new malware-as-a-service (MaaS) platform first advertised by a user named katzadmin on BreachForums in April 2025.
“Katz Stealer is a type of MaaS that collects sensitive data from a variety of applications hosted on infected machines,” Unit 42 stated.
Katz Stealer harvests an extensive range of information, including:
- Browser credentials and cookies
- Cryptocurrency wallet data
- Telegram and Discord messages
- VPN and FTP credentials
- Screenshots, clipboard data, and system information
To avoid infecting users in the Commonwealth of Independent States (CIS), Katz Stealer checks system language and halts execution if it detects certain regional language codes.
“The country codes that Katz Stealer checks are all part of the CIS… If it finds a match, Katz Stealer stops executing,” the report confirmed.
This regional exclusion pattern is a common trait of Eastern European and Russian-speaking threat actor ecosystems, offering clues to the malware’s origins.
According to Unit 42 telemetry, PhantomVAI Loader has been used in campaigns targeting organizations across manufacturing, education, utilities, technology, healthcare, government, and information sectors.
“Threat actors deploy PhantomVAI Loader in attacks worldwide, targeting organizations from a wide spectrum of industries,” the researchers stated.
This broad targeting reflects the tool’s commercialized distribution model, where multiple criminal groups purchase or lease access through underground marketplaces.
Unit 42 researchers highlighted that PhantomVAI campaigns exemplify multi-stage infection design, where each phase is crafted for evasion:
- Phishing delivery: deceptive emails with JavaScript or VBS attachments.
- Obfuscation: scripts conceal PowerShell downloaders.
- Steganography: images embed Base64-encoded DLL payloads.
- Virtualization checks: detection of sandboxes or analysis tools.
- Persistence: via registry and scheduled tasks.
- Process injection: payload deployed within trusted binaries.
“Combining social engineering via phishing emails, obfuscated scripts, steganography and a .NET loader, this multi-stage infection chain demonstrates the lengths attackers go to in attempts to evade detection and bypass defenses,” Unit 42 summarized.