Chasing Phantoms: How a Multi-Stage Stealer Abuses…
ID: 257e62cd-dcdb-5df7-9148-834ddec1041f
STIX ID: report--257e62cd-dcdb-5df7-9148-834ddec1041f
Feed Name: Binary Defense Blog
Phantom Stealer is a multi-stage information-stealer that leverages process hollowing and legitimate Microsoft-signed binaries (msedge.exe, cookie_exporter.exe) to blend malicious activity into normal system behavior. It harvests browser credentials, crypto wallets, Discord tokens, Credential Manager data, and keystrokes, and exfiltrates the stolen data via Telegram, Discord webhooks, or FTP. The report outlines the infection chain, persistence via scheduled tasks named under “Updates”, detection opportunities across endpoint and network telemetry, and recommended threat-hunting indicators.
