PhantomNet
PhantomNet, also known as SManager and DOWNTOWN, is a simple plugin-capable backdoor that has been linked in public reporting to Chinese-nexus espionage activity, including TA428, and has also been noted in overlap reporting involving REF5961 and Worok. It has been used in cyberespionage operations targeting government entities in Southeast Asia and Russia, and was observed as part of broader Chinese state-sponsored intrusion activity against a high-profile Southeast Asian government organization.
A well-documented delivery vector was a 2020 software supply-chain compromise of the Vietnam Government Certification Authority (VGCA) website ca.gov.vn, where trojanized MSI installers (gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi) delivered PhantomNet to users who manually downloaded and executed them from the official HTTPS site. The installers launched the legitimate VGCA application alongside a malicious component to reduce suspicion. In that case, the malware dropped a malicious file to C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe, extracted 7z.cab containing the backdoor, and established persistence either by writing the backdoor to C:\Windows\apppatch\netapi32.dll and registering it as a Windows service when run as administrator, or by writing it to %TEMP%\Wmedia<GetTickCount>.tmp and creating a scheduled task when run without elevated privileges.
PhantomNet is capable of collecting victim information, retrieving proxy configuration, and installing or managing malicious plugins. Reported command support includes victim information gathering, plugin cleanup, plugin management, structure field modification, and password generation using SSPI functions. It communicates over HTTPS with hardcoded command-and-control domains including vgca.homeunix[.]org and office365.blogdns[.]com, and implements certificate pinning using SSPI functions while storing the downloaded certificate in the Windows certificate store. The export name "Entery" has been noted as overlapping with TManger/TA428-linked samples.
Observed follow-on capability includes at least one plugin identified via VirusTotal, named SnowballS in debug paths, that appeared to support credential theft and lateral movement through embedded Invoke-Mimikatz. In Sophos reporting on the Crimson Palace campaign, Cluster Alpha used multiple PhantomNet samples, including sslwnd64.exe, oci.dll, and nethood.exe, as persistent C2 implants alongside Merlin Agent, RUDEBIRD, EAGERBEE, and PowHeartBeat.
Additional reporting argues that the Mail-O malware used against Russian government organizations, including the FSB, is a variant of PhantomNet/SManager. Shared characteristics cited include the unusual exported function name "Entery," the presence of "ServiceMain," and overlapping strings and behavior. Mail-O was described as a downloader disguised to resemble legitimate Mail.ru Disk-O software and associated with TA428-related activity.
Known indicators directly mentioned in the content include the compromised VGCA installers gca01-client-v2-x32-8.3.msi and gca01-client-v2-x64-8.3.msi; file paths C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe and C:\Windows\apppatch\netapi32.dll; temporary path %TEMP%\Wmedia<GetTickCount>.tmp; and C2 domains vgca.homeunix[.]org and office365.blogdns[.]com.
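The following hunt script is an added example and is not part of the original page or of any vendor's tooling. It turns the indicators listed above (the VGCA dropper path, the apppatch\netapi32.dll service backdoor, the %TEMP%\Wmedia&lt;GetTickCount&gt;.tmp scheduled-task variant, the 'Entery' DLL export, and the two defanged C2 domains) into matching rules and runs them over a handful of constructed, Sysmon-style `Key=Value|Key=Value` event lines. The log format, the field names and the sample events are assumptions made for the example; only the indicators come from the page.

```python
import re

# Indicators are those named on this page; the log format and event lines below are
# constructed for the example and are not real telemetry.
DEFANGED_C2 = ["vgca.homeunix[.]org", "office365.blogdns[.]com"]
KNOWN_PATHS = [
    r"c:\program files\vgca\authentication\sac\x32\etoken.exe",
    r"c:\windows\apppatch\netapi32.dll",
]
# %TEMP%\Wmedia<GetTickCount>.tmp: GetTickCount yields a decimal integer.
WMEDIA_RE = re.compile(r"\\wmedia\d+\.tmp\b", re.IGNORECASE)
# rundll32 <dll>,Entery (the export named on this page, invoked from a scheduled task)
ENTERY_RE = re.compile(r"rundll32(?:\.exe)?\s+\S+,\s*entery\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn the defanged form used in reporting ('[.]') back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = {refang(d) for d in DEFANGED_C2}


def parse_event(line: str) -> dict:
    """Parse a 'Key=Value|Key=Value' event line (constructed format) into lower-cased keys."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition("=")
        if sep:
            fields[key.strip().lower()] = value.strip()
    return fields


def match_rules(event: dict) -> list:
    """Return the names of the PhantomNet hunt rules an event triggers."""
    image = event.get("image", "").lower()
    cmdline = event.get("commandline", "").lower()
    target = event.get("targetfilename", "").lower()
    host = event.get("destinationhostname", "").lower()
    haystack = " ".join((image, cmdline, target))
    rules = []
    if any(p in haystack for p in KNOWN_PATHS):
        rules.append("known_path")      # eToken.exe dropper or apppatch\netapi32.dll backdoor
    if WMEDIA_RE.search(haystack):
        rules.append("wmedia_tmp")      # unprivileged variant staged in %TEMP%
    if ENTERY_RE.search(cmdline):
        rules.append("entery_export")   # DLL export called by the scheduled task
    if host in C2_DOMAINS:
        rules.append("c2_domain")       # hardcoded HTTPS C2 domain
    return rules


def scan(lines):
    """Scan event lines; return [(line_index, [rules])] for lines with at least one hit."""
    hits = []
    for i, line in enumerate(lines):
        rules = match_rules(parse_event(line))
        if rules:
            hits.append((i, rules))
    return hits


# Constructed sample events (not real logs): three should fire, the last is benign.
SAMPLE_EVENTS = [
    r"EventType=ProcessCreate|Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe C:\Users\victim\AppData\Local\Temp\Wmedia4815162.tmp,Entery",
    r"EventType=FileCreate|Image=C:\Program Files\VGCA\Authentication\SAC\x32\eToken.exe|TargetFilename=C:\Windows\apppatch\netapi32.dll",
    r"EventType=NetworkConnect|Image=C:\Windows\System32\svchost.exe|DestinationHostname=vgca.homeunix.org|DestinationPort=443",
    r"EventType=ProcessCreate|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe C:\Users\victim\notes.txt",
]

if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS):
        print(f"line {idx}: {', '.join(rules)}")
```

The rules are deliberately narrow (exact paths, the Wmedia&lt;digits&gt;.tmp pattern, the export name) so they produce few false positives; a rename of the binary or a different staging directory would evade them, which is why the C2 domains and the export name are checked independently of the file paths.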
Groups observed using it
Two distinct threat actors have been attributed by public researchers.
Use of multiple persistent C2 channels including Merlin Agent, PhantomNet backdoor, RUDEBIRD malware, EAGERBEE malware, and PowHeartBeat backdoor.
Techniques & procedures
18 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (1 technique)
Execution (5 techniques)
The researchers noted that the malware’s persistence was established via a scheduled task that called the malicious DLL’s export, ‘Entery’.
If the user doesn’t have admin privileges, PhantomNet persists via a scheduled task.
ServiceMain takes a service name as an argument and attempts to register a service control handler with a specific HandlerProc function meant to check and set the status of that service. With a valid service status handle, Mail-O detaches the calling process from its console, changes the service status values to reflect its current running state, and calls the Entery function.
MDR launched the hunt after the discovery of a DLL sideloading technique that exploited VMNat.exe, a VMware component... The Crimson Palace campaign included over 15 distinct DLL sideloading scenarios... Cluster Alpha activity included multiple sideloading attempts to deploy various malware... Cluster Bravo used renamed versions of a signed side-loadable binary (mscorsvw.exe) to obfuscate backdoor deployment.
Persistence (3 techniques)
Privilege Escalation (3 techniques)
Stealth (4 techniques)
Use of renamed versions of a signed side-loadable binary (mscorsvw.exe) to obfuscate backdoor deployment and move laterally... Sophos observed the PhantomNet backdoor implant (sslwnd64.exe)...
The HUI loader (msedge_elf.dll), which de-obfuscated the file log.ini to reveal a Cobalt Strike reflective loader.
The actor frequently abused endpoint protection software binaries to sideload their malicious payloads.
Discovery (2 techniques)
Command and Control (5 techniques)
The overall goal behind the campaign was to maintain access to the target network for cyberespionage... deploying various malware implants for command-and-control (C2) communications... Use of multiple persistent C2 channels including Merlin Agent, PhantomNet backdoor, RUDEBIRD malware, EAGERBEE malware, and PowHeartBeat backdoor... Deployment of several samples of... PocoProxy for persistent C2 communications.
PhantomNet can retrieve the proxy configuration of the default browser and use it to connect to the C&C server.
IOCs tracked for this family
13 indicators (IPs, domains and DNS infrastructure; MD5, SHA-1 and SHA-256 file hashes; and other indicator types) attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
A simple backdoor used to establish C2 communications, collect victim information, and load additional plugins or payloads.
A backdoor used as a persistent C2 implant in the campaign.
Espionage toolset component used in campaigns attributed to Worok/shared tooling ecosystems.
A relatively well-known malware family assessed in the content as closely related to or a variant basis for Mail-O. It was used in a Vietnamese supply-chain attack and is associated with scheduled-task persistence invoking the DLL export 'Entery'.