Phantom Stealer: Credential Theft as a Service
ID: 5861f7d3-17a9-5098-ac78-2f9634fa01df
STIX ID: report--5861f7d3-17a9-5098-ac78-2f9634fa01df
Feed Name: Group-IB Blog
Group-IB observed and blocked a multi-wave phishing campaign (Nov 2025–Jan 2026) that delivered Phantom Stealer, a commercial .NET infostealer, to European logistics, manufacturing, and technology firms. The attackers used procurement-themed, spoofed emails with archived droppers. The report includes IOCs (a domain and several IPs) and detection details from Group-IB's Business Email Protection and Malware Detonation Platform.
