PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT
ID: 8022856a-a59f-52d9-aa17-56db5a739d64
STIX ID: report--8022856a-a59f-52d9-aa17-56db5a739d64
Feed Name: Elastic Security Labs
PHANTOMPULSE is a sophisticated Windows RAT analyzed in detail: it uses three process-injection methods (module stomping, debug-API state machine, and manual mapping), a shared hardware-breakpoint primitive to disable AMSI/WLDP/ETW, scheduled-task persistence, and a blockchain-based C2 resolver (Ethereum/Base/Optimism) that can be sinkholed due to lack of sender verification; analysts provide IOCs (SHA-256s, domains, wallet addresses), describe UAC elevation via the schuac technique, and note strong AI-assisted development fingerprints and links to DPRK-aligned crypto-targeting activity.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
