RegPhantom Backdoor Threat Analysis
ID: beb12634-eb2d-5f1a-ac36-0c1d6c5b7fd5
STIX ID: report--beb12634-eb2d-5f1a-ac36-0c1d6c5b7fd5
Feed Name: Nextron Systems
**Executive Summary:** RegPhantom is a stealthy, signed Windows kernel rootkit that intercepts registry writes as an XOR-encrypted command channel to reflectively map and execute arbitrary PE payloads in kernel space, then erases traces (blocks writes, wipes memory, encodes hook pointers) to avoid detection. Multiple samples and Chinese-issued code-signing certificates indicate active maintenance by a China-nexus actor at moderate confidence. Defenders should prioritize detection of the driver binary and stable byte-level patterns (YARA) rather than relying on runtime artifacts.
