logo

PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT

ID: 8022856a-a59f-52d9-aa17-56db5a739d64

STIX ID: report--8022856a-a59f-52d9-aa17-56db5a739d64

Feed Name: Elastic Security Labs

Threat Score
85/100

Date Published: 2026-05-22

Date Updated: 2026-06-03

...
...

PHANTOMPULSE is a sophisticated Windows RAT analyzed in detail: it uses three process-injection methods (module stomping, debug-API state machine, and manual mapping), a shared hardware-breakpoint primitive to disable AMSI/WLDP/ETW, scheduled-task persistence, and a blockchain-based C2 resolver (Ethereum/Base/Optimism) that can be sinkholed due to lack of sender verification; analysts provide IOCs (SHA-256s, domains, wallet addresses), describe UAC elevation via the schuac technique, and note strong AI-assisted development fingerprints and links to DPRK-aligned crypto-targeting activity.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.