PhantomVAI Loader Goes Global, Spreading Infostealers and RATs Across Organizations

Threat researchers at Palo Alto Networks’ Unit 42 have identified a global phishing campaign delivering a stealthy multi-stage loader named PhantomVAI Loader, used to spread multiple information-stealing malware families, including Katz Stealer, AsyncRAT, XWorm, FormBook, and DCRat.

The campaign targets a wide range of sectors, including manufacturing, education, healthcare, government, and utilities, through highly obfuscated phishing operations that leverage steganography and process injection.

Multi-Stage Infection and Evasion Techniques

The attack chain begins with phishing emails themed around invoices, legal notifications, or payment details. These emails contain malicious JavaScript or VBS attachments that execute encoded PowerShell scripts.

Once launched, the script downloads a disguised image file (often a GIF) that hides a loader payload using steganographic techniques.

The PhantomVAI Loader attack chain.

The hidden Base64 text within the image – marked by identifiable tags like <<sudo_png>> and <<sudo_odt>> – contains an encoded DLL file that is ultimately decoded and executed as PhantomVAI Loader.
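The tag-delimited Base64 layout described above lends itself to a simple triage check. The following is an added example, not Unit 42's tooling or code from the campaign: it scans a file for text wrapped in the marker tags, decodes it, and reports whether the result looks like a Windows PE file (MZ header). The assumptions that `<<sudo_png>>` opens and `<<sudo_odt>>` closes the blob, and the sample "image" bytes, are constructed for the example.

```python
import base64
import binascii
import re

# Assumed tag roles: <<sudo_png>> opens the hidden blob, <<sudo_odt>> closes it.
START_TAG = b"<<sudo_png>>"
END_TAG = b"<<sudo_odt>>"

# Constructed stand-in for the embedded DLL: an MZ header plus filler bytes.
_FAKE_DLL = b"MZ" + b"\x90" * 62 + b"not a real PE; constructed for this example"

# Constructed sample: a GIF-like header, pixel filler, then the tagged Base64 payload.
SAMPLE_IMAGE = (
    b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\xff" * 40
    + START_TAG + base64.b64encode(_FAKE_DLL) + END_TAG
    + b"\x00;"
)


def extract_tagged_blobs(data: bytes, start: bytes = START_TAG, end: bytes = END_TAG):
    """Return every text segment found between the start and end marker tags."""
    pattern = re.escape(start) + b"(.*?)" + re.escape(end)
    return re.findall(pattern, data, flags=re.DOTALL)


def decode_blob(blob: bytes):
    """Strip whitespace and Base64-decode; return None if the text is not valid Base64."""
    cleaned = re.sub(rb"\s+", b"", blob)
    try:
        return base64.b64decode(cleaned, validate=True)
    except (binascii.Error, ValueError):
        return None


def scan_image(data: bytes) -> dict:
    """Triage an image file: count tagged blobs and flag any that decode to a PE (MZ) file."""
    findings = {"tagged_blobs": 0, "decoded": 0, "pe_payloads": 0, "payload_sizes": []}
    for blob in extract_tagged_blobs(data):
        findings["tagged_blobs"] += 1
        payload = decode_blob(blob)
        if payload is None:
            continue
        findings["decoded"] += 1
        findings["payload_sizes"].append(len(payload))
        if payload[:2] == b"MZ":
            findings["pe_payloads"] += 1
    findings["suspicious"] = findings["pe_payloads"] > 0
    return findings


if __name__ == "__main__":
    print(scan_image(SAMPLE_IMAGE))
```

A hit on `suspicious` is a strong signal on its own: a legitimate GIF has no reason to carry a Base64-encoded PE between custom text markers. The same scan can be pointed at files pulled from proxy or sandbox captures of the download stage.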

Written in C#, PhantomVAI Loader employs a sequence of defensive evasion methods, including virtual machine detection based on hardware, BIOS, and services data.

The loader’s VAI method governs three critical steps: determining whether it runs in a virtualized environment, establishing persistence, and retrieving its final payload.

Persistence mechanisms include scheduled PowerShell tasks, WScript executions, and Windows Run registry entries, ensuring the loader can re-execute after system reboots.

PhantomVAI retrieves payloads from attacker-controlled C2 servers defined during the PowerShell execution phase and injects them into legitimate Windows processes via the process hollowing technique.

Current observations show extensive use of MSBuild.exe for code injection to evade detection by antivirus and EDR systems.
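The chain described above (script-host attachment, encoded PowerShell, payload injected into MSBuild.exe) leaves a recognisable process lineage. The following is an added example, not Palo Alto Networks' detection logic: three simple rules run over constructed process-creation events. The sample events, the rule names and the allow-list of legitimate MSBuild parents are assumptions for the example.

```python
import os
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed allow-list of parents that legitimately launch MSBuild.exe.
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}
PROJECT_FILE = re.compile(r"\.(?:[a-z]*proj|sln)\b", re.IGNORECASE)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\s", re.IGNORECASE)

# Constructed sample telemetry, not real logs from the campaign.
SAMPLE_EVENTS = [
    ProcessEvent(1001, r"C:\Windows\explorer.exe", r"C:\Windows\System32\wscript.exe",
                 r'wscript.exe "C:\Users\user\Downloads\invoice_4471.js"'),
    ProcessEvent(1002, r"C:\Windows\System32\wscript.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"),
    ProcessEvent(1003, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe", "MSBuild.exe"),
    ProcessEvent(1004, r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
                 r"C:\Program Files\Microsoft Visual Studio\2022\Community\MSBuild\Current\Bin\MSBuild.exe",
                 r'MSBuild.exe "C:\src\app\app.csproj" /t:Build'),
    ProcessEvent(1005, r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -File C:\scripts\backup.ps1"),
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()


def evaluate(ev: ProcessEvent) -> list:
    """Return the names of every rule the event matches."""
    hits = []
    img, parent = basename(ev.image), basename(ev.parent_image)
    # Rule 1: a JS/VBS script host spawning PowerShell (the attachment stage).
    if img in POWERSHELL and parent in SCRIPT_HOSTS:
        hits.append("powershell_from_script_host")
    # Rule 2: PowerShell launched with an encoded command.
    if img in POWERSHELL and ENCODED_FLAG.search(ev.command_line + " "):
        hits.append("encoded_powershell")
    # Rule 3: MSBuild.exe with no project file, from a parent outside the build toolchain
    # (a common shape for MSBuild used as a hollowing host).
    if img == "msbuild.exe" and parent not in BUILD_PARENTS and not PROJECT_FILE.search(ev.command_line):
        hits.append("msbuild_without_project")
    return hits


def detect(events) -> dict:
    """Map pid -> matched rule names for every event that triggers at least one rule."""
    results = {}
    for ev in events:
        hits = evaluate(ev)
        if hits:
            results[ev.pid] = hits
    return results


if __name__ == "__main__":
    for pid, rules in detect(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Rule 3 is the one worth tuning: developer workstations run MSBuild.exe constantly, so the parent allow-list and the project-file check keep the rule focused on the odd case of MSBuild launched from a script interpreter with nothing to build.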

Katz Stealer: Expanding the Malware-as-a-Service Market

Originally known as Katz Stealer Loader, PhantomVAI first emerged in April 2025 when a developer under the alias katzadmin advertised Katz Stealer on BreachForums and underground marketplaces as a Malware-as-a-Service (MaaS) kit.

Katz Stealer focuses on harvesting browser credentials, cryptocurrency wallet data, Telegram access tokens, VPN and FTP credentials, and application data such as Discord and Steam.

The malware includes region-specific execution filters that terminate processes if a system’s default language matches Commonwealth of Independent States (CIS) country codes, hinting at the author’s geographic origin.

The loader’s evolution to deliver multiple malware strains underscores the ongoing diversification of MaaS ecosystems, enabling less-skilled threat actors to deploy modular payloads at scale.

Palo Alto Networks has updated its Advanced WildFire and Cortex XDR detection engines to counter PhantomVAI’s techniques, including its steganographic payload delivery and MSBuild process injection.

Organizations are advised to harden email defenses, monitor PowerShell activity logs, and block known malicious domains linked to the PhantomVAI campaigns.


Priya
Priya is a Security Reporter who tracks malware campaigns, exploit kits, and ransomware operations. Her reporting highlights technical indicators and attack patterns that matter to defenders.
