The recently discovered REF6598 intrusion set delivers a sophisticated Remote Access Trojan (RAT) tracked as PHANTOMPULSE. Initially distributed through malicious Obsidian plugins, the malware combines evasion techniques aimed at Windows' in-process security controls, a command and control (C2) channel resolved over public blockchains, and a publicly known User Account Control (UAC) bypass to take full control of Windows hosts.
Notably, the binary shows the fingerprints of AI-assisted development. The developers left behind detailed debug strings and numbered step markers such as “[STEP 1] Staged mode,” which closely resemble the progress output that large language models tend to produce when asked to write code.
PHANTOMPULSE RAT Bypasses UAC
PHANTOMPULSE is hardened against the usual in-process defenses, neutralising the Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP) and Event Tracing for Windows (ETW) with a hardware-breakpoint technique instead of the familiar byte patch. Rather than overwriting the first instructions of the targeted AMSI, WLDP or ETW function in memory, the malware loads the function's address into one of the CPU debug address registers (DR0 to DR3) and enables an execution breakpoint for it in DR7, which on Windows is done per thread through the thread context.
When a thread reaches that address the CPU raises a debug exception instead of executing the function; an exception handler registered by the malware catches it, writes a return value that tells the caller the check passed (for AMSI, that the scanned buffer is clean), typically points the instruction pointer at the return address so the real function body never runs, and resumes the thread. Because not a single byte of the hooked function changes, integrity checks that compare the in-memory API prologue against the on-disk image, the usual detection for inline patches, see nothing. Detection has to look elsewhere: at the debug registers of each thread, or at who is registering exception handlers.
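The check that does catch this is to read every thread's debug registers and ask whether an execution breakpoint sits inside a security-sensitive function. The following is an added example, not code from the article or from Elastic: it decodes the x86/x64 DR7 layout and matches DR0 to DR3 against a module map. The module addresses and thread contexts are constructed; on a live Windows host they would come from the process's export table and from GetThreadContext with CONTEXT_DEBUG_REGISTERS set.

```python
"""Flag hardware breakpoints parked on security-sensitive functions.

Added example, not code from the original article or from Elastic. It models
the check a detector would run after collecting each thread's debug
registers (on Windows via GetThreadContext with CONTEXT_DEBUG_REGISTERS);
the register layout decoded here follows the x86/x64 architecture.
The module addresses and thread contexts below are constructed.
"""

# Constructed module map: (start, length) per exported function. Real values
# come from the target process; these numbers are made up for the example.
SENSITIVE_FUNCTIONS = {
    "amsi.dll!AmsiScanBuffer": (0x7FFB1A0B3A60, 0x140),
    "ntdll.dll!NtTraceEvent": (0x7FFB1C16F0A0, 0x20),
    "ntdll.dll!EtwEventWrite": (0x7FFB1C0F2C10, 0x60),
}

ACCESS_TYPES = {0b00: "execute", 0b01: "write", 0b10: "io", 0b11: "read/write"}
LENGTHS = {0b00: 1, 0b01: 2, 0b11: 4, 0b10: 8}  # LEN field; 0b10 means 8 bytes in 64-bit mode


def decode_dr7(dr7: int) -> list:
    """Return enable/access/length settings for breakpoint slots 0-3.

    DR7 layout: L0,G0,L1,G1,L2,G2,L3,G3 occupy bits 0-7; for slot i the
    R/Wi field is at bits 16+4i..17+4i and LENi at bits 18+4i..19+4i.
    """
    slots = []
    for i in range(4):
        enabled = bool((dr7 >> (2 * i)) & 0b11)  # local or global enable bit
        access = ACCESS_TYPES[(dr7 >> (16 + 4 * i)) & 0b11]
        length = LENGTHS[(dr7 >> (18 + 4 * i)) & 0b11]
        slots.append({"enabled": enabled, "access": access, "length": length})
    return slots


def locate(address: int):
    """Map an address to the sensitive function containing it, if any."""
    for name, (start, size) in SENSITIVE_FUNCTIONS.items():
        if start <= address < start + size:
            return name
    return None


def find_hooks(contexts: list) -> list:
    """Report breakpoints that land inside a sensitive function.

    Each context is a dict with tid, dr0..dr3 and dr7, as read from a thread's
    CONTEXT. Execute breakpoints are reported as exec_hook; data watchpoints
    are reported as watchpoint so a debugger session is not mistaken for a hook.
    """
    findings = []
    for ctx in contexts:
        for i, slot in enumerate(decode_dr7(ctx["dr7"])):
            if not slot["enabled"]:
                continue
            address = ctx[f"dr{i}"]
            target = locate(address)
            if target is None:
                continue
            kind = "exec_hook" if slot["access"] == "execute" else "watchpoint"
            findings.append({"tid": ctx["tid"], "slot": i, "address": address,
                             "function": target, "kind": kind})
    return findings


# Constructed thread contexts. Thread 4120 carries the pattern described above:
# DR0 = AmsiScanBuffer, DR7 = 0x1 (L0 set, R/W0 = execute, LEN0 = 1 byte).
SAMPLE_CONTEXTS = [
    {"tid": 4120, "dr0": 0x7FFB1A0B3A60, "dr1": 0, "dr2": 0, "dr3": 0, "dr7": 0x1},
    # A 4-byte read/write watchpoint on a heap address: enabled, but not a hook.
    {"tid": 4124, "dr0": 0x1F4A2C00010, "dr1": 0, "dr2": 0, "dr3": 0,
     "dr7": 0b01 | (0b11 << 16) | (0b11 << 18)},
    # Clean thread.
    {"tid": 4128, "dr0": 0, "dr1": 0, "dr2": 0, "dr3": 0, "dr7": 0},
]

if __name__ == "__main__":
    for hit in find_hooks(SAMPLE_CONTEXTS):
        print(f"tid {hit['tid']}: DR{hit['slot']} {hit['kind']} on "
              f"{hit['function']} @ {hit['address']:#x}")
```

Pairing this with a prologue-byte comparison gives the full picture: the byte check stays clean, the debug-register check fires.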
To maintain its presence across system reboots, PHANTOMPULSE conceals its core files within encrypted registry blobs and deposits temporary files in standard user directories. It also establishes multiple scheduled tasks, masquerading them as routine .NET Framework updates.
C2 resolution is decentralised: instead of carrying a hard-coded domain, the implant reads its rendezvous point off public blockchains. It queries Blockscout explorer APIs for three ledgers (Ethereum, Base and Optimism), looks up a fixed wallet address, takes the input data of the newest transaction sent to that address and decrypts it to recover the currently active C2 URL. Rotating the C2 therefore needs nothing more than posting a new transaction to the same wallet.
That design also hands defenders a lever. The implant never checks who sent the transaction it trusts, only that it is the newest one to the wallet, so anyone able to reproduce the input encryption (the routine ships in the binary and can be recovered from it) can post a later transaction to the same address carrying a sinkhole URL, and every live implant that next resolves its C2 will report to a defender-controlled server instead. The check the operators left out is the obvious one: accept only inputs from a known sender address or, better, inputs carrying a signature over the payload.
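The lookup, the missing sender check and the fix, as an added example that is not code from the article, from Elastic or from the malware. The transaction records are constructed (addresses, hashes and URLs are placeholders), their field names follow the shape assumed here for a Blockscout `/api/v2/addresses/{hash}/transactions` response, and the XOR encoding with a marker prefix stands in for the implant's real, undocumented routine. It also shows the hunt for the 0x580c marker that the page describes later.

```python
"""Model of the blockchain C2 lookup and its sender-authentication gap.

Added example; not code from the article, from Elastic, or from the malware.
Transaction records are constructed placeholders, their fields follow the
assumed shape of a Blockscout /api/v2/addresses/{hash}/transactions item,
and the XOR "encryption" plus marker-prefixed payload layout are stand-ins
for the implant's real routine, which the article does not describe.
"""
from typing import Iterable, Optional

C2_WALLET = "0x1111111111111111111111111111111111111111"      # constructed
ATTACKER_SENDER = "0x2222222222222222222222222222222222222222"  # constructed
DEFENDER_SENDER = "0x3333333333333333333333333333333333333333"  # constructed

XOR_KEY = b"phantom"            # assumption: stands in for the real key
MARKER = bytes.fromhex("580c")  # the two-byte hunt marker named in the article


def obfuscate(url: str) -> bytes:
    """Toy encoding: marker, then the URL XORed with a static key."""
    body = url.encode()
    return MARKER + bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(body))


def deobfuscate(blob: bytes) -> Optional[str]:
    """Inverse of obfuscate(); None if the marker is missing."""
    if not blob.startswith(MARKER):
        return None
    body = blob[len(MARKER):]
    return bytes(b ^ XOR_KEY[i % len(XOR_KEY)] for i, b in enumerate(body)).decode()


def make_tx(tx_hash: str, sender: str, to: str, url: str, ts: int) -> dict:
    """Constructed explorer record in the assumed Blockscout item shape."""
    return {"hash": tx_hash, "from": {"hash": sender}, "to": {"hash": to},
            "raw_input": "0x" + obfuscate(url).hex(), "timestamp": ts}


# Constructed explorer response: the operators' pointer, then a later
# defender-sent transaction carrying a sinkhole URL, then an unrelated one.
SAMPLE_RESPONSE = {"items": [
    make_tx("0xaaaa", ATTACKER_SENDER, C2_WALLET,
            "https://c2.example.invalid/api", 1_700_000_000),
    make_tx("0xbbbb", DEFENDER_SENDER, C2_WALLET,
            "https://sinkhole.example.invalid/beacon", 1_700_003_600),
    make_tx("0xcccc", DEFENDER_SENDER, "0x4444444444444444444444444444444444444444",
            "https://unrelated.example.invalid/", 1_700_007_200),
]}


def resolve_c2(items: Iterable[dict], wallet: str,
               trusted_senders: Optional[set] = None) -> Optional[str]:
    """Recover the C2 URL from the newest transaction to `wallet`.

    With trusted_senders=None this mirrors the implant: whoever posted the
    latest transaction controls the result. Passing a set of sender
    addresses is the check the implant lacks.
    """
    candidates = [t for t in items if t["to"]["hash"].lower() == wallet.lower()]
    if trusted_senders is not None:
        trusted = {s.lower() for s in trusted_senders}
        candidates = [t for t in candidates if t["from"]["hash"].lower() in trusted]
    if not candidates:
        return None
    newest = max(candidates, key=lambda t: t["timestamp"])
    return deobfuscate(bytes.fromhex(newest["raw_input"][2:]))


def find_marker_txs(items: Iterable[dict]) -> list:
    """Hunt: hashes of transactions whose input data contains the marker bytes.

    Two bytes are a weak selector, so treat hits as candidates to confirm by
    decrypting the payload, not as indicators in themselves.
    """
    return [t["hash"] for t in items if MARKER in bytes.fromhex(t["raw_input"][2:])]


if __name__ == "__main__":
    items = SAMPLE_RESPONSE["items"]
    print("implant resolves:", resolve_c2(items, C2_WALLET))
    print("with sender check:", resolve_c2(items, C2_WALLET, {ATTACKER_SENDER}))
    print("marker hits:", find_marker_txs(items))
```

Run as written, the unauthenticated resolver returns the sinkhole URL because the defender's transaction is newer; the same call with a trusted-sender set returns the operators' URL, which is the behaviour the implant would have needed to resist the takeover.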
Once a C2 channel is up, the malware inventories the host, enumerating installed antivirus products and looking specifically for high-value applications: cryptocurrency wallets, encrypted messaging clients and two-factor authentication tools.
Elastic's researchers report that PHANTOMPULSE elevates with a publicly documented UAC bypass referred to as “schuac.” It abuses a Windows maintenance COM interface that is marked auto-elevating, meaning the object is instantiated at high integrity without a consent prompt under the default UAC level, and uses that trusted interface to drive the Task Scheduler: it registers a short-lived task that runs with the highest available privileges and launches the malware through it, so the implant relaunches as a fully elevated process. Two caveats apply to every bypass of this kind. It only works when the victim is a member of the local Administrators group running at medium integrity (it skips the prompt; it does not defeat a standard-user account), and although no UAC dialog appears, the task's creation and deletion are still recorded as Security events 4698 and 4699 when task-scheduler auditing is enabled.
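Both task-scheduler footprints described above, the persistence tasks dressed up as .NET Framework maintenance and the transient elevated task used for the UAC bypass, can be triaged from the same audit events. The following is an added example, not code from the article or from Elastic: it parses the task definition XML carried in Security events 4698 (task created) and 4699 (task deleted) and applies two heuristics. The events, task names and file paths are constructed; the .NET path heuristic is an assumption, not something the article specifies.

```python
"""Triage scheduled-task audit events for two patterns described above:
a task named like .NET Framework maintenance whose action runs a binary
outside the .NET directories, and a HighestAvailable task that is created
and deleted within seconds (the footprint of a transient elevated task).

Added example, not code from the article or from Elastic. The events are
constructed to mimic Windows Security events 4698 (task created) and 4699
(task deleted), which are only logged when task-scheduler auditing is on;
task names, paths and the .NET-directory heuristic are assumptions.
"""
import re
import xml.etree.ElementTree as ET

TASK_NS = "{http://schemas.microsoft.com/windows/2004/02/mit/task}"
DOTNET_NAME = re.compile(r"\.net|ngen|framework", re.IGNORECASE)
DOTNET_DIR = "c:\\windows\\microsoft.net\\"


def task_xml(command: str, run_level: str) -> str:
    """Build a minimal task definition like the TaskContent field of 4698."""
    return ('<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
            f'<Principals><Principal id="Author"><RunLevel>{run_level}</RunLevel></Principal></Principals>'
            f'<Actions Context="Author"><Exec><Command>{command}</Command></Exec></Actions></Task>')


def parse_task(task_content: str) -> dict:
    """Extract RunLevel and every Exec/Command from a task definition."""
    root = ET.fromstring(task_content)
    run_level = root.findtext(f".//{TASK_NS}RunLevel") or "LeastPrivilege"
    commands = [c.text.strip() for c in root.iter(f"{TASK_NS}Command") if c.text]
    return {"run_level": run_level, "commands": commands}


def normalize_path(command: str) -> str:
    """Lower-case, strip quotes and expand the two common system-root variables."""
    path = command.strip().strip('"').lower()
    for var in ("%systemroot%", "%windir%"):
        path = path.replace(var, "c:\\windows")
    return path


def dotnet_masquerade(task_name: str, task: dict) -> bool:
    """Name imitates .NET maintenance, but an action runs outside the .NET tree."""
    if not DOTNET_NAME.search(task_name):
        return False
    return any(not normalize_path(c).startswith(DOTNET_DIR) for c in task["commands"])


def transient_elevated_tasks(events: list, window_s: int = 60) -> list:
    """Pair 4698/4699 by task name; report elevated tasks that lived <= window_s."""
    created, hits = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] == 4698:
            created[ev["task_name"]] = ev
        elif ev["event_id"] == 4699 and ev["task_name"] in created:
            start = created.pop(ev["task_name"])
            task = parse_task(start["task_content"])
            lifetime = ev["time"] - start["time"]
            if task["run_level"] == "HighestAvailable" and lifetime <= window_s:
                hits.append({"task_name": ev["task_name"], "lifetime_s": lifetime,
                             "commands": task["commands"]})
    return hits


def triage(events: list) -> list:
    """Return (finding_kind, task_name) pairs for both heuristics."""
    findings = []
    for ev in events:
        if ev["event_id"] == 4698 and dotnet_masquerade(ev["task_name"], parse_task(ev["task_content"])):
            findings.append(("dotnet_masquerade", ev["task_name"]))
    for hit in transient_elevated_tasks(events):
        findings.append(("transient_elevated_task", hit["task_name"]))
    return findings


SAMPLE_EVENTS = [
    # Persistence: .NET-flavoured name, payload in the user's Temp directory.
    {"event_id": 4698, "time": 100,
     "task_name": r"\Microsoft\Windows\.NET Framework\.NET Framework Update Service",
     "task_content": task_xml(r"C:\Users\alice\AppData\Local\Temp\netfxupd.exe", "LeastPrivilege")},
    # Elevation: HighestAvailable task created and removed three seconds later.
    {"event_id": 4698, "time": 200, "task_name": r"\UpdateTask",
     "task_content": task_xml(r"C:\Users\alice\AppData\Roaming\svc.exe", "HighestAvailable")},
    {"event_id": 4699, "time": 203, "task_name": r"\UpdateTask",
     "task_content": task_xml(r"C:\Users\alice\AppData\Roaming\svc.exe", "HighestAvailable")},
    # Control case: .NET name, command under the .NET tree, never deleted.
    {"event_id": 4698, "time": 300,
     "task_name": r"\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.30319",
     "task_content": task_xml(r"%SystemRoot%\Microsoft.NET\Framework64\v4.0.30319\ngen.exe", "HighestAvailable")},
]

if __name__ == "__main__":
    for kind, name in triage(SAMPLE_EVENTS):
        print(f"{kind}: {name}")
```

The sixty-second window is deliberately generous; the bypass described above creates and consumes its task almost immediately, so a tighter window trims noise from administrators cleaning up one-off tasks.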
Cybersecurity analysts have linked this campaign to DPRK-aligned threat actors, particularly groups such as BlueNoroff. The malware’s pronounced focus on cryptocurrency wallets, its similarities with macOS malware variants, and the exploitation of blockchain networks for C2 resolution are all indicative of North Korean operational tactics.
Defenders can hunt for new infrastructure by searching the three ledgers for transactions whose input data contains the 0x580c hex marker, which the malware's C2 encryption routine consistently produces. Two bytes are a weak selector on their own, so candidate transactions should be confirmed by decrypting their input with the recovered routine rather than treated as indicators outright.