PhantomCore Phishing Campaign Uses PowerShell Backdoor Against Russian and Belarusian Organizations

CyberSecureFox 🦊

In January, security analysts observed a new wave of targeted phishing attacks linked to the PhantomCore threat group. According to researchers at F6, large-scale campaigns took place on 19 and 21 January, focusing on organizations across key sectors of the Russian economy — including housing and utilities, finance, aerospace, and major online marketplaces — with companies in Belarus also among the recurring targets.

Who PhantomCore Targets and Why the Group Matters

The PhantomCore group has been actively tracked since 2024 and appears to specialize in cyber-espionage operations against Russian and Belarusian organizations. The name is associated with the use of a Phantom namespace in their .NET tooling, as well as the string MicrosoftStatisticCore previously observed in scheduled tasks on compromised hosts.

PhantomCore follows a now-classic espionage playbook: spear-phishing emails, execution of PowerShell scripts, persistence via Windows mechanisms, and subsequent remote command-and-control (C2). The latest campaign is notable for combining an LNK shortcut file with an archive disguised as a DOC document, a tactic designed to bypass basic email filters and mislead users into believing they are opening a harmless office file.

Phishing Email Content and Initial Infection Chain

Use of LNK Attachments and Fake DOC Files

The attackers distribute emails with the subject line “ТЗ на согласование” (“Terms of Reference for approval”), which looks legitimate in a business context. The email contains an archive attachment holding two files: a LNK shortcut and a fake DOC file. In reality, the “DOC” is a RAR archive bundling a decoy document. The victim sees a normal-looking file, while the malicious activity has already been triggered.

When the user launches the LNK file, it executes a cmd command that locates and runs PowerShell via environment variables, then downloads the first-stage malicious script. This “living off the land” technique abuses built-in Windows tools instead of dropping traditional executables, making simple signature-based detection significantly harder — a pattern increasingly common in modern attacks, as also reflected in recent threat intelligence and incident reports.

Persistence Via Windows Task Scheduler

The downloaded first-stage PowerShell script performs three critical operations: it opens a decoy document for the user, loads the next malware stage into memory, and registers itself in Windows Task Scheduler for persistence.

The newly created scheduled task runs immediately upon creation, then every 61 seconds, and again at the start of each new day. This timing ensures continuous presence on the system across reboots and basic cleanup attempts. Without centralized logging and monitoring of scheduled tasks, administrators may easily overlook this activity, especially in large environments where new tasks are routinely created by legitimate software.

PowerShell Backdoor Capabilities of PhantomCore

The second stage is a PowerShell script closely resembling the previously documented variant PhantomCore.PollDL (PhantomeRemote). Once executed, the backdoor contacts a C2 server via an HTTP GET request, sending a unique device ID (UUID), computer name, and domain name for identification and profiling.

The C2 server responds with a command string in the format cmd:{command}|{command_id}. The script executes the received instruction using the PowerShell Invoke-Command function and returns the output via an HTTP POST request. In the current campaign, the backdoor supports only the cmd command type, although previous versions also implemented a download command for delivering additional payloads.

This effectively provides attackers with a remote shell on compromised hosts. Such access can be used for internal reconnaissance, credential theft, lateral movement, and deployment of further malware such as data stealers or ransomware, depending on the group’s operational objectives.

Malicious Infrastructure and Indicators of Compromise

During their investigation, F6 experts identified several domains used to host malicious scripts: ink-master[.]ru, spareline[.]ru, shibargan[.]ru, act-print[.]ru, metelkova[.]ru, mistralkorea[.]ru, and ast-automation[.]ru. Any outbound connections to these domains should be treated as indicators of compromise (IOCs) and investigated promptly by SOC teams.

Phishing emails were sent from addresses belonging to apparently legitimate Russian companies, including npocable-s[.]ru, satnet-spb[.]ru, nppntt[.]ru, tk-luch[.]ru, and skbkp.tarusa[.]ru. This strongly suggests that these organizations’ mail servers or accounts were compromised and then abused as part of the campaign. Using real corporate domains significantly increases the likelihood that employees will trust the messages and open the attachments.

Defensive Measures Against PhantomCore and Similar Threats

Mitigating the risk of PhantomCore and comparable targeted phishing campaigns requires a layered security approach combining email protection, endpoint hardening, and user awareness. Recommended measures include:

1. Strengthen email security. Implement and correctly configure SPF, DKIM, and DMARC, and use modern secure email gateways capable of analyzing attachments and URLs, plus sandbox solutions to safely detonate suspicious archives and LNK files before delivery to end users.

2. Restrict and monitor PowerShell usage. Enable PowerShell Script Block Logging, block execution of unsigned scripts where possible, enforce application control via AppLocker or Windows Defender Application Control, and create detections for unusual PowerShell commands, especially those launched by cmd.exe or from user profile directories.

3. Audit Windows Task Scheduler. Regularly review new and modified scheduled tasks, correlate their creation with legitimate software installations or updates, and forward Task Scheduler events to a SIEM platform for centralized monitoring and alerting.

4. Train employees against spear-phishing. Provide practical training on identifying phishing emails related to topics such as “approval,” “invoice,” or “contract,” and establish clear procedures for reporting suspicious messages to the security team. Industry studies consistently show that the human element plays a role in the majority of breaches, making security awareness a critical control.
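
The following is an added example, not code from the article or from F6: a small Python hunting helper that applies measures 2 and 3 to exported task definitions (the XML that schtasks /query /xml emits, or the TaskContent field of Security event 4698) and flags the persistence pattern described above, a script-host action combined with a short repetition interval and a daily trigger. The thresholds, keyword lists, file paths and dates are assumptions chosen for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions (Microsoft's fixed schema).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Thresholds and keyword lists are assumptions for this example, not values from the F6 report.
MAX_INTERVAL_S = 300  # legitimate software rarely re-runs a task every few minutes
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")
HIDING_FLAGS = ("-w hidden", "windowstyle hidden", "bypass", "-enc", "iex", "downloadstring")

def iso_duration_seconds(value):
    """Convert a task-XML ISO 8601 duration (PT61S, PT5M, PT1H30M, P1D) to seconds; None if malformed."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", value or "")
    if not m:
        return None
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def analyze_task_xml(task_xml):
    """Return the reasons a task definition matches the PhantomCore persistence pattern.
    A task is reported only when its action launches a script host or hides its window;
    trigger findings (short repetition interval, daily trigger) then explain the schedule."""
    root = ET.fromstring(task_xml)
    action_hits, schedule_hits = [], []
    for exe in root.findall(".//t:Actions/t:Exec", NS):
        cmd = exe.findtext("t:Command", default="", namespaces=NS).lower()
        args = exe.findtext("t:Arguments", default="", namespaces=NS).lower()
        if any(host in cmd for host in SCRIPT_HOSTS):
            action_hits.append(f"script host action: {cmd}")
        if any(flag in args for flag in HIDING_FLAGS):
            action_hits.append(f"hidden/bypass arguments: {args}")
    for interval in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        secs = iso_duration_seconds(interval.text)
        if secs is not None and secs <= MAX_INTERVAL_S:
            schedule_hits.append(f"repeats every {secs}s ({interval.text})")
    if root.find(".//t:Triggers/t:CalendarTrigger/t:ScheduleByDay", NS) is not None:
        schedule_hits.append("daily calendar trigger")
    return action_hits + schedule_hits if action_hits else []

# Constructed sample mirroring the described task (run at once, then every 61 s, plus daily,
# launching a PowerShell script from the user profile); paths and dates are made up.
SAMPLE_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger><StartBoundary>2026-01-19T09:00:00</StartBoundary>
      <Repetition><Interval>PT61S</Interval></Repetition></TimeTrigger>
    <CalendarTrigger><StartBoundary>2026-01-19T00:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger>
  </Triggers>
  <Actions><Exec><Command>powershell.exe</Command>
    <Arguments>-w hidden -ep bypass -f C:\Users\user\AppData\Roaming\update.ps1</Arguments>
  </Exec></Actions></Task>"""

# Constructed benign task (a vendor updater on a daily schedule) that must not be flagged.
BENIGN_TASK_XML = r"""<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><StartBoundary>2026-01-19T03:00:00</StartBoundary>
    <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay></CalendarTrigger></Triggers>
  <Actions><Exec><Command>C:\Program Files\Vendor\Updater.exe</Command>
    <Arguments>/silent</Arguments></Exec></Actions></Task>"""
```

Run analyze_task_xml over every task exported from a host (or every 4698 event forwarded to the SIEM) and alert on non-empty results; the daily trigger alone never raises a finding, so routine vendor tasks stay quiet.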

Organizations that suspect exposure to this campaign should cross-check logs for traffic to the listed malicious domains and for emails originating from the compromised sender domains, as well as inspect systems for suspicious scheduled tasks and anomalous PowerShell executions. A detailed technical breakdown of the attack chain and malware behavior is available in the F6 report on the Malware Detonation platform and can serve as a solid foundation for fine-tuning detections and strengthening overall cyber defense.
