#PhantomVAI
Tracing a Multi-Vector Malware Campaign: From VBS to Open Infrastructure

This investigation details a multi-stage, reusable malware delivery framework that used obfuscated VBS launchers, a fileless PowerShell loader, PNG-embedded .NET loaders (PhantomVAI), and openly hosted directories to stage and deliver multiple payload families. The campaign delivered and rotated payloads including Remcos RAT and XWorm variants from attacker-controlled infrastructure such as news4me[.]xyz and Cloudflare-backed hosts, enabling additional infection paths via a weaponized “PDF” and batch scripts #PhantomVAI #RemcosRAT

A multi-vector malware campaign employed obfuscated VBS launchers, fileless PowerShell, and PNG-embedded .NET loaders (PhantomVAI), rotating payloads like Remcos RAT and XWorm via open hosting and weaponized PDFs. #PhantomVAI #RemcosRAT


PhantomVAI Loader is targeting organizations globally, deploying multiple infostealers through sophisticated phishing campaigns. Stay vigilant and strengthen your cybersecurity defenses. #CyberSecurity #PhantomVAI #Infostealer Link: thedailytechfeed.com/phantomvai-l...

PhantomVAI Loader Delivers Infostealers

~Paloalto~
PhantomVAI Loader uses phishing and steganography to deliver multiple infostealers like Katz Stealer, AsyncRAT, and XWorm.
-
IOCs: (None identified)
-
#Infostealer #Malware #PhantomVAI #ThreatIntel
