Phantom Papa phishing campaign delivers Phantom stealer via RAR→IMG/ISO, adds webcam extortion module

CyberSecureFox 🦊

In June 2025, researchers documented a new phishing wave dubbed Phantom Papa that distributes the Phantom information stealer. The campaign targets both Russian‑ and English‑speaking users, relies on compressed attachments to bypass basic email controls, and introduces a rare webcam‑trigger feature aimed at extortion. Evidence points to a Malware‑as‑a‑Service (MaaS) operation built on repurposed open‑source code and popular consumer platforms for data exfiltration.

Phishing delivery: RAR → IMG/ISO chain boosts bypass and clicks

Messages are sent in Russian and English; several Russian texts appear machine‑translated. Lures span from provocative subjects (e.g., “See My Nude Pictures and Videos”) to ordinary business pretexts (“Attached payment copy #06162025”), increasing the chance of opening attachments.

Attachments arrive as RAR archives that unwrap to .img or .iso disk images. When opened, Windows mounts the image and exposes an executable inside—an approach that can evade baseline mail scanning and user scrutiny. Attackers’ pivot to IMG/ISO aligns with post‑2022 trends after Office macros were disabled by default, pushing threat actors toward archives and disk images as alternative delivery vectors (Microsoft; Proofpoint).

Targeting and footprint across sectors and geographies

Collected telemetry indicates victims across retail, manufacturing, construction, and IT. Activity has been observed on devices in at least 19 countries—including the United States, Russia, the United Kingdom, Romania, Spain, Kazakhstan, and Belarus—though some hits reflect researcher virtual machines, not true infections.

Phantom stealer: capabilities, anti-analysis, and persistence

Phantom is derived from the public Stealerium codebase, accelerating development and customization. The stealer enumerates system data (Windows version, hostname, UI language, AV presence, CPU/GPU/RAM, battery status, display count/type, webcam availability) and harvests browser cookies, saved passwords, and payment data, alongside documents and images.

Exfiltration is supported over Telegram, Discord, and SMTP; multiple samples forward stolen data to a Telegram bot named papaobilogs that has been active since April 2025. Abuse of consumer communications platforms to blend with benign traffic mirrors broader operator behavior observed in recent years (e.g., Check Point, Cloudflare).

The malware includes anti‑analysis, autorun, and a keylogger, and is compatible with popular obfuscators. For persistence, samples copy themselves to %APPDATA%\iWlfdcmimm.exe and %TEMP%\tmpB043.tmp and create a delayed Windows Scheduled Task.

“PornDetector” module: from screenshots to webcam capture

A distinct module monitors the active window title and, upon detecting substrings such as “porn”, “sex”, “hentai”, or “chaturbate”, immediately captures a desktop screenshot (stored under %LOCALAPPDATA%\[0-9a-f]{32}\logs\nsfw\yyyy-MM-dd\HH.mm.ss\). If the window remains active, it captures a webcam photo 12 seconds later. This feature expands the extortion surface by pairing credential theft with potential reputational pressure.

Infrastructure and MaaS storefront

Distribution traces back to a site whose domain was registered in February 2025 and advertises adjacent tools: Phantom crypter, Phantom stealer advanced, and Phantom stealer basic. Such MaaS storefronts lower the barrier to entry, streamline operator onboarding, and facilitate scale.

Why it matters: alignment with MITRE ATT&CK techniques

The campaign’s TTPs closely map to MITRE ATT&CK patterns: spear‑phishing attachments; collection of browser credentials and artifacts; keylogging; persistence via scheduled tasks; and exfiltration over web services such as Telegram/Discord. Delivery via IMG/ISO reduces email gateway visibility while exploiting user trust in “disk images.” The add‑on webcam module measurably increases privacy risk and coercion potential.

Detection and mitigations security teams can implement now

Network egress controls: Restrict workstation access to Telegram/Discord and similar messengers unless required by business use. Monitor and alert on unusual API calls and HTTPS destinations associated with these platforms.

Email and file controls: Quarantine or block RAR/IMG/ISO attachments; apply additional scanning. Enforce policies that prevent non‑admins from mounting disk images.

Behavioral EDR/NGAV: Alert on creation of scheduled tasks by unknown processes; execution of binaries from mounted images; write activity in %APPDATA% and %TEMP%; and bulk reads of browser profile directories.
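As an added example (not code from the original report or from the researchers' tooling), the following Python script applies the three behavioural rules above to a handful of constructed Sysmon-style records: execution from a mounted disk image, staging of a payload under %APPDATA%/%TEMP%, and scheduled-task creation by an untrusted parent. The `image_mount` event and the field names are assumptions standing in for whatever your EDR emits; the drive letter, user name and PIDs are made up, while the staged file names are the ones reported for Phantom.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style records (not real telemetry): an attachment opened from a
# mounted disk image drops a copy to %APPDATA% and registers a scheduled task.
EVENTS = [
    {"type": "image_mount", "drive": "E:"},  # assumed mount event from the EDR
    {"type": "process_create", "pid": 4120, "image": r"E:\payment_copy_06162025.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": r"E:\payment_copy_06162025.exe"},
    {"type": "file_create", "pid": 4120, "target": r"C:\Users\alice\AppData\Roaming\iWlfdcmimm.exe"},
    {"type": "file_create", "pid": 4120, "target": r"C:\Users\alice\AppData\Local\Temp\tmpB043.tmp"},
    {"type": "process_create", "pid": 4188, "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"E:\payment_copy_06162025.exe",
     "cmd": r'schtasks /create /sc once /st 12:05 /tn Sync /tr "C:\Users\alice\AppData\Roaming\iWlfdcmimm.exe"'},
    # Benign control: a signed tool under Program Files launched by Explorer.
    {"type": "process_create", "pid": 5000, "image": r"C:\Program Files\Git\cmd\git.exe",
     "parent": r"C:\Windows\explorer.exe", "cmd": "git status"},
]

# Parents under the OS or Program Files are treated as trusted (tune for your estate).
TRUSTED_PARENT = re.compile(r"^C:\\(Windows|Program Files( \(x86\))?)\\", re.I)
# Executable-like files written directly into %APPDATA% or %TEMP%.
STAGING_DIR = re.compile(r"\\AppData\\(Roaming|Local\\Temp)\\[^\\]+\.(exe|tmp|dll)$", re.I)


def detect(events):
    """Return {image_path: [reasons]} for processes matching the campaign's behaviours."""
    mounted = set()          # drive letters backed by mounted IMG/ISO files
    pid_image = {}           # pid -> image path, so file writes can be attributed
    hits = defaultdict(list)
    for e in events:
        if e["type"] == "image_mount":
            mounted.add(e["drive"].upper())
        elif e["type"] == "process_create":
            pid_image[e["pid"]] = e["image"]
            if e["image"][:2].upper() in mounted:
                hits[e["image"]].append("executed from mounted disk image")
            if (e["image"].lower().endswith("\\schtasks.exe")
                    and "/create" in e["cmd"].lower()
                    and not TRUSTED_PARENT.match(e["parent"])):
                hits[e["parent"]].append("scheduled task created by untrusted parent")
        elif e["type"] == "file_create":
            writer = pid_image.get(e["pid"], "")
            if STAGING_DIR.search(e["target"]) and not TRUSTED_PARENT.match(writer):
                hits[writer or "?"].append("staged payload in %APPDATA%/%TEMP%")
    return dict(hits)


if __name__ == "__main__":
    for proc, reasons in detect(EVENTS).items():
        print(proc, "->", reasons)
```

Only the process launched from the mounted image is reported; explorer.exe and git.exe produce no alerts because their paths match the trusted prefix.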

Camera and peripheral hardening: Segment webcam access, require user prompts, and log camera API calls. Extend telemetry to clipboard and other sensitive peripherals.

Security awareness: Train staff to spot poor machine translations, provocative lures, and unexpected “payment” attachments. Validate invoices or confirmations via out‑of‑band channels before opening files.

Phantom Papa underscores how familiar phishing, disk image delivery, and commodity stealer modules can combine into an effective data‑theft and extortion toolkit. Organizations should tighten controls on high‑risk attachments and outbound traffic, use behavior‑based detections, and continuously educate users. Early disruption in the kill chain materially reduces the likelihood of credential loss, financial exposure, and sensitive data leakage.
