PHANTOMPULSE
PHANTOMPULSE is a previously undocumented Windows remote access trojan/backdoor analyzed by Elastic Security Labs and used as the final-stage payload in the REF6598 intrusion chain. Reporting states the broader campaign targeted individuals and organizations in the financial and cryptocurrency sectors, including digital financial platforms, and delivered PHANTOMPULSE by abusing Obsidian community plugins. On Windows, commands run through the Obsidian Shell Commands plugin launched PowerShell, which downloaded an intermediate in-memory loader, PHANTOMPULL; PHANTOMPULL then decrypted PHANTOMPULSE and launched it in memory.
PHANTOMPULSE is described as a full-featured RAT with telemetry collection, command execution, file upload, screenshot capture, inline keylogging with clipboard monitoring, process injection, uninstall, privilege escalation, downgrade, and self-restart/self-healing logic. Reported command handlers include inject, drop, screenshot, keylog, uninstall, elevate, downgrade, and restart. It gathers host telemetry including machine ID, CPU, GPU, RAM, OS, username, computer name, privilege level, public IP, installed applications, and AV/EDR products. It also checks for targeted applications such as Ledger, Trezor, Electrum, Exodus, Telegram, Discord, Signal, Outlook, Authy, FileZilla, WinSCP, and Steam, and reporting notes harvesting of cryptocurrency wallets and messaging databases.
The malware relies on several defense-evasion techniques. Elastic reported AMSI, WLDP, and ETW bypasses implemented with shared hardware breakpoints and a vectored exception handler rather than inline patching, targeting AmsiScanBuffer, WldpQueryDynamicCodeTrust, and EtwEventWrite: the breakpoint fires on entry to each API and the handler fakes the return value, so the function bytes are never modified and integrity checks that compare the API prologue against a clean copy will not notice. It also uses direct/private syscall wrappers after resolving system service numbers from system libraries, which sidesteps user-mode hooks placed by security products. Additional anti-analysis behavior includes XOR-based string/configuration obfuscation and anti-sandbox checks that compare hashed usernames and computer names against a table that includes WDAGUtilityAccount (the Windows Defender Application Guard account) and known sandbox personas. Researchers also noted unusually verbose, structured debug strings and tracing patterns assessed as indicative of heavy AI-assisted development.
PHANTOMPULSE supports three process-injection/execution techniques: PhantomInject, which performs module stomping by mapping a legitimate DLL such as dbghelp.dll as a SEC_IMAGE section and overwriting its executable regions; DbgNexum-like execution driven through the native Windows Debug API; and ManualMap, which manually maps DLL payloads into a remote process, handles relocations and imports, wipes the PE headers, sets memory protections, and hijacks a thread to run the payload. For privilege escalation, PHANTOMPULSE uses a UAC bypass in the style of schuac/UACME issue #129, via IElevatedFactoryServer and Task Scheduler COM objects. Reporting states it can register a transient elevated scheduled task and may retry elevation through rundll32.exe if needed.
Persistence is established through scheduled tasks including DotNetSvcUpdateTask, DotNetSvcCoreTask, DotNetSvcUserTask, and a transient DotNetSvcElevateTask. DotNetSvcCoreTask was reported under \Microsoft\Windows\NetFramework\ with HighestAvailable privileges. The malware also drops an embedded DLL named svcagent.dll to locations such as %ProgramData%\AssetMon\svcagent.dll, %APPDATA%\AssetMon\svcagent.dll, or %TEMP%\svcagent.dll, and includes self-healing logic to restore persistence if unhealthy.
A notable feature is its blockchain-based command-and-control resolution. PHANTOMPULSE queries Blockscout transaction data on Ethereum, Base, and Optimism for the latest transaction associated with the hard-coded wallet 0xc117688c530b660e15085bF3A2B664117d8672aA, hex-decodes the transaction input, XORs it with wallet-address-derived bytes, and accepts the result only if it begins with "http". Reported provider hosts include eth.blockscout[.]com, base.blockscout[.]com, and optimism.blockscout[.]com. Elastic noted the resolver does not verify who sent the transaction, so any party able to publish a transaction to that wallet could plant a record the implant would accept, which creates a potential sinkholing opportunity. Reported fallback C2 domains include panel.feea8679[.]net and panel.fefea22134[.]net, and observed blockchain-published C2 URLs included https://panel.fefea22134[.]net and https://thoroughly-publisher-troy-clara[.]trycloudflare[.]com. PHANTOMPULSE uses WinHTTP and runtime API paths under /v1/telemetry/ for heartbeat, task retrieval, uploads, command results, and keylog exfiltration.
The reporting assesses PHANTOMPULSE tradecraft, targeting, and infrastructure as aligned with DPRK-linked cryptocurrency-focused intrusion clusters, including Lazarus, BlueNoroff, UNC5342/Contagious Interview, and APT38, though the content frames this as an assessment/alignment rather than definitive attribution.
Reported indicators associated with PHANTOMPULSE and its delivery chain include SHA-256 hashes 99dacf9f87ba3c1248718e3c6836c8a3b8bed38ba1d8fe3b3bde8378fb77e670 and 33dacf9f854f636216e5062ca252df8e5bed652efd78b86512f5b868b11ee70f for PHANTOMPULSE samples; 36bbb97b36f1d9748fdd7448deaa93b9b97d98b3fb44d87a3c848dad5ba91b34 and 70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980 for PHANTOMPULL/syncobs.exe; staging server 195.3.222[.]251; wallet 0xc117688c530b660e15085bF3A2B664117d8672aA; mutex hVNBUORXNiFLhYYh; dropped filename svcagent.dll; and scheduled task names DotNetSvcUpdateTask, DotNetSvcCoreTask, DotNetSvcUserTask, and DotNetSvcElevateTask.
Groups observed using it
4 distinct threat actors attributed by public researchers.
Elastic Security Labs published a comprehensive PHANTOMPULSE malware analysis highlighting advanced evasion strategies... The malicious agent retrieves its primary operational server locations through a decentralized blockchain C2 channel... AMSI, WLDP, and ETW are bypassed via a single shared HWBP primitive... the command dispatcher supports three functional injection techniques...
On Windows, the commands are used to invoke a PowerShell script to drop an intermediate loader codenamed PHANTOMPULL that decrypts and launches PHANTOMPULSE in memory. PHANTOMPULSE is an artificial intelligence (AI)-generated backdoor that uses the Ethereum blockchain for resolving its command-and-control (C2) server by fetching the latest transaction associated with a hard-coded wallet address.
Techniques & procedures
38 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution
6 techniques
PHANTOMPULSE installs three scheduled tasks via the COM ITaskService interface, each executing rundll32.exe "<stub_dll>",DllRegisterServer
On Windows, the commands are used to invoke a PowerShell script to drop an intermediate loader codenamed PHANTOMPULL that decrypts and launches PHANTOMPULSE in memory.
Furthermore, the malware bypasses user-mode API monitoring by constructing private syscall structures dynamically. The system resolves internal system service numbers by parsing the main system library files directly.
Persistence
4 techniques
...the implant uses to register a high-privilege scheduled task that relaunches it with full administrator rights... Organizations in the crypto sector are strongly advised to monitor for suspicious scheduled tasks... Scheduled Task DotNetSvcUpdateTask Primary persistence... DotNetSvcCoreTask SYSTEM persistence... DotNetSvcUserTask User persistence...
Privilege Escalation
9 techniques
Subsequently, the command dispatcher supports three functional injection techniques tailored to distinct payload formats. The first method leverages module stomping into legitimate system libraries using file-backed sections... Finally, the third pipeline manually maps library payloads into remote process boundaries completely.
The first method leverages module stomping into legitimate system libraries using file-backed sections. This approach hides active memory regions under trusted file headers like dbghelp.dll.
Alternatively, the second path executes executable formats using the native Windows debugging programming interface. This advanced mechanism replicates a public technique known as DbgNexum to drive execution via exceptions.
Acquires SeDebugPrivilege (via OpenProcessToken / LookupPrivilegeValueW / AdjustTokenPrivileges )
PHANTOMPULSE installs three scheduled tasks via the COM ITaskService interface... DotNetSvcUpdateTask User Logon + Time 3 min ... DotNetSvcCoreTask Boot + Time 15 min ... DotNetSvcUserTask User Logon
The UAC bypass relies on a documented technique catalogued as UACME issue #129. It exploits a Windows COM interface that hands non-admin callers an elevated instance, which the implant uses to register a high-privilege scheduled task that relaunches it with full administrator rights.
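The scheduled-task persistence described in this section and under Persistence above, checked the way a responder would on a suspect host, as an added example that is not code from the report or from the implant. It assumes the Task Scheduler XML layout Windows keeps under C:\Windows\System32\Tasks and uses two constructed task definitions; the task names, the svcagent.dll stub and the rundll32 DllRegisterServer action are the ones this page reports.

```python
"""Triage Task Scheduler definitions for the persistence pattern described on
this page: rundll32.exe "<stub_dll>",DllRegisterServer launched from a
user-writable directory, task names DotNetSvc*Task, and HighestAvailable run level.

Added example, not code from Elastic's report or from the implant. Windows keeps
one XML file per task under C:\\Windows\\System32\\Tasks (normally UTF-16 with a
BOM, which ElementTree handles when given bytes); the two task definitions
below are constructed for the example.
"""
import os
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Union

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
REPORTED_TASK_NAME = re.compile(r"^DotNetSvc(Update|Core|User|Elevate)Task$", re.IGNORECASE)
USER_WRITABLE_DIR = re.compile(r"\\(ProgramData|AppData|Temp)\\", re.IGNORECASE)


def triage_task(task_name: str, xml_doc: Union[bytes, str]) -> List[str]:
    """Return a list of findings for one task definition (empty if nothing matched)."""
    findings: List[str] = []
    if REPORTED_TASK_NAME.match(task_name):
        findings.append(f"task name matches a reported PHANTOMPULSE task: {task_name}")

    root = ET.fromstring(xml_doc)
    for run_level in root.iterfind(".//t:Principal/t:RunLevel", NS):
        if (run_level.text or "").strip() == "HighestAvailable":
            findings.append("task runs with HighestAvailable privileges")

    for action in root.iterfind(".//t:Actions/t:Exec", NS):
        command = (action.findtext("t:Command", default="", namespaces=NS) or "").strip()
        arguments = (action.findtext("t:Arguments", default="", namespaces=NS) or "").strip()
        if command.lower().endswith("rundll32.exe") and "dllregisterserver" in arguments.lower():
            findings.append(f"rundll32 DllRegisterServer action: {arguments}")
            if USER_WRITABLE_DIR.search(arguments):
                findings.append("stub DLL is loaded from a user-writable directory")
            if "svcagent.dll" in arguments.lower():
                findings.append("stub DLL name matches the reported svcagent.dll")
    return findings


def scan_tasks_dir(root_dir: str = r"C:\Windows\System32\Tasks") -> Dict[str, List[str]]:
    """Walk the Tasks tree and map each task (path relative to the tree) to its findings."""
    hits: Dict[str, List[str]] = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:
                    findings = triage_task(fname, fh.read())
            except (OSError, ET.ParseError):
                continue
            if findings:
                hits[os.path.relpath(path, root_dir)] = findings
    return hits


# Constructed sample shaped like the reported persistence task.
SUSPICIOUS_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Principals><Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Windows\\System32\\rundll32.exe</Command>
      <Arguments>"C:\\ProgramData\\AssetMon\\svcagent.dll",DllRegisterServer</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed benign task for contrast.
BENIGN_TASK_XML = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Principals><Principal id="Author"><RunLevel>LeastPrivilege</RunLevel></Principal></Principals>
  <Actions Context="Author">
    <Exec><Command>%SystemRoot%\\system32\\sc.exe</Command><Arguments>start wuauserv</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for name, doc in (("DotNetSvcCoreTask", SUSPICIOUS_TASK_XML), ("WindowsUpdateCheck", BENIGN_TASK_XML)):
        print(name, triage_task(name, doc))
```

On a live host, scan_tasks_dir() needs to run elevated to read every task file; the rundll32 DllRegisterServer check alone will also surface some legitimate installer tasks, so the user-writable-directory and task-name findings are the ones worth alerting on.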
Stealth
13 techniques
PHANTOMPULSE uses four XOR layers for different artifacts.
Uninstall... Step 4/6 Delete stub DLLs, sleeper logs, registry PE blob, ProgramData directories Step 5/6 Delete install path and self path from disk
For each provider, the implant issues an HTTPS GET... pulls the input field of the latest transaction, hex-decodes it, XOR-decrypts with the wallet address bytes as the key, and validates that the result begins with http.
The drop command supports DLL, EXE, shellcode (APC injection), and MSI payloads.
Shellcode is injected using a technique called PhantomInject, which stomps a legitimate Windows DLL named dbghelp.dll rather than allocating new executable memory.
Defense Impairment
1 technique
Credential Access
1 technique
Discovery
6 techniques
At startup, the implant DJB2-hashes the user name and computer name and looks each up in a precomputed table.
Acquires SeDebugPrivilege... then walks the process snapshot for one of seven host-process candidates
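The DJB2 name check quoted above, as an added example that is neither the implant's code nor code from the report. The hash variant (h = h*33 + c from 5381, truncated to 32 bits), the lowercase hashing and the table entries other than WDAGUtilityAccount are assumptions; a real sample's table and hashing details would have to be pulled from the binary. recover_names shows the analyst-side use: once the table is recovered, a wordlist gives back the plaintext names.

```python
"""Anti-sandbox name check of the kind the page describes: DJB2-hash the user
name and computer name and look each hash up in a precomputed table.

Added example, not the implant's code. Assumptions the page does not state:
classic DJB2 (h = h*33 + c, seed 5381, 32-bit), names hashed as lowercase
UTF-8 so the check is case-insensitive, and a table holding only
WDAGUtilityAccount plus a few constructed stand-ins for "sandbox personas".
"""
from typing import Dict, Iterable, Set


def djb2(data: bytes) -> int:
    """Bernstein's DJB2 hash, truncated to 32 bits like a C uint32_t."""
    h = 5381
    for c in data:
        h = (h * 33 + c) & 0xFFFFFFFF
    return h


def name_hash(name: str) -> int:
    """Normalise the way the example assumes the implant does: lowercase, UTF-8."""
    return djb2(name.lower().encode("utf-8"))


# WDAGUtilityAccount is the name the page cites; the rest are constructed.
KNOWN_NAMES = ["WDAGUtilityAccount", "sandbox", "malware", "virus", "john doe"]
BLOCKLIST: Set[int] = {name_hash(n) for n in KNOWN_NAMES}


def looks_like_sandbox(user_name: str, computer_name: str) -> bool:
    """The implant-side check: bail out if either name hashes into the table."""
    return name_hash(user_name) in BLOCKLIST or name_hash(computer_name) in BLOCKLIST


def recover_names(table: Set[int], candidates: Iterable[str]) -> Dict[int, str]:
    """Analyst-side: map hashes recovered from a sample back to names via a wordlist."""
    recovered: Dict[int, str] = {}
    for candidate in candidates:
        h = name_hash(candidate)
        if h in table:
            recovered[h] = candidate
    return recovered


if __name__ == "__main__":
    print(looks_like_sandbox("WDAGUtilityAccount", "DESKTOP-1"))   # True
    print(looks_like_sandbox("alice", "DESKTOP-1"))                # False
    print(recover_names(BLOCKLIST, ["alice", "sandbox", "john doe"]))
```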
Collection
3 techniques
Command and Control
5 techniques
The malicious agent retrieves its primary operational server locations through a decentralized blockchain C2 channel. Specifically, the program queries public L1 and L2 ledger platforms to harvest encoded transaction inputs.
For each provider, the implant issues an HTTPS GET (port 443, SSL cert errors ignored)...
PHANTOMPULSE decentralizes C2 lookup through three Blockscout providers: eth.blockscout[.]com (Ethereum L1) base.blockscout[.]com (Base L2) optimism.blockscout[.]com (Optimism L2)
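The resolver described here (and in the overview above), as an added example that is not code from the report or from the implant. It assumes the XOR key is the ASCII text of the wallet address exactly as written, applied cyclically, which the page does not specify; the transaction inputs are constructed. encode_c2 is included to make the sinkholing point concrete: producing a record the implant would accept needs nothing beyond the public wallet address.

```python
"""Decode a PHANTOMPULSE-style blockchain C2 record.

Added example, not code from Elastic's report or from the implant. It follows
the resolution logic described on this page: take the input field of the
wallet's latest transaction, hex-decode it, XOR it with the wallet address
bytes, and accept the result only if it starts with "http". Assumptions the
page does not settle: the key is the ASCII text of the address as written,
applied cyclically; the transaction inputs below are constructed.
"""
from itertools import cycle
from typing import Optional

# Hard-coded wallet reported for the family (used here only as the XOR key).
WALLET = "0xc117688c530b660e15085bF3A2B664117d8672aA"


def xor_with_key(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same function encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def decode_c2(tx_input: str, wallet: str = WALLET) -> Optional[str]:
    """Return the C2 URL carried by a transaction input, or None if it fails
    the implant's only validation step (decoded bytes must start with "http")."""
    hex_part = tx_input[2:] if tx_input[:2].lower() == "0x" else tx_input
    try:
        raw = bytes.fromhex(hex_part)
    except ValueError:
        return None
    plain = xor_with_key(raw, wallet.encode("ascii"))
    if not plain.startswith(b"http"):
        return None
    try:
        return plain.decode("ascii")
    except UnicodeDecodeError:
        return None


def encode_c2(url: str, wallet: str = WALLET) -> str:
    """Build the transaction input that publishes a URL. Nothing here is secret:
    the address is public and the sender is never checked, which is why the
    page flags the resolver as a sinkholing opportunity."""
    return "0x" + xor_with_key(url.encode("ascii"), wallet.encode("ascii")).hex()


# Constructed samples.
PUBLISHED_INPUT = encode_c2("https://panel.example.invalid")   # a C2 record
TRANSFER_INPUT = "0xa9059cbb" + "00" * 64                       # ordinary ERC-20 transfer() call data

if __name__ == "__main__":
    print(decode_c2(PUBLISHED_INPUT))   # https://panel.example.invalid
    print(decode_c2(TRANSFER_INPUT))    # None: unrelated call data is rejected
```

Because the implant only looks at the latest transaction, a defender sinkholing this channel still has to stay ahead of the operator's own updates; the "http" prefix check is the sole filter, so unrelated traffic to the wallet is simply ignored rather than treated as an error.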
Exfiltration
1 technique
Other
3 techniques
The application disables the Anti-Malware Scan Interface (AMSI) and Event Tracing for Windows (ETW) concurrently... via a single shared HWBP primitive planted on each API entry, intercepted by a vectored exception handler that fakes the return value without inline patching.
PHANTOMPULSE disables AMSI, the Windows Lockdown Policy code-trust check, and ETW telemetry through a single shared primitive: a hardware breakpoint planted on each API entry, intercepted by a vectored exception handler that fakes the return value without inline patching.
A "novel" social engineering campaign has been observed abusing Obsidian... leveraging elaborate social engineering tactics through LinkedIn and Telegram... approaching prospective individuals under the guise of a venture capital firm and then moving the conversation to a Telegram group...
IOCs tracked for this family
23 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
A highly sophisticated implant/RAT linked to DPRK-aligned espionage and crypto-targeting activity. It uses blockchain-based command-and-control discovery, advanced AMSI/ETW/WLDP bypass via hardware breakpoints and vectored exception handling, private syscall wrappers to evade user-mode hooks, and multiple process injection methods including module stomping, DbgNexum-style execution, and manual mapping.
Remote access trojan used as the final-stage payload in the REF6598 attack chain. It establishes persistence, evades detection, performs process injection, uses a UAC bypass for privilege escalation, and communicates with operators via a blockchain-based C2 with fallback infrastructure.
A Windows remote access implant/final-stage payload that provides command-and-control, process injection, persistence via scheduled tasks, UAC bypass, AMSI/WLDP/ETW evasion via hardware breakpoints, keylogging, screenshot capture, system reconnaissance, and blockchain-based C2 resolution with a hardcoded fallback URL.
A previously undocumented Windows remote access trojan/backdoor used in a social engineering campaign abusing Obsidian. It resolves C2 via the Ethereum blockchain and uses WinHTTP to communicate, enabling telemetry collection, command execution, file and screenshot upload, keylogging, code injection, persistence removal, and privilege escalation.