New insights into PHANTOMPULSE, a sophisticated remote access trojan (RAT), reveal its role as a final payload in a multi-stage attack chain that exploits vulnerabilities in Windows environments. This malware has been linked to previous incidents involving Obsidian plugin abuse and in-memory loaders, but the focus of recent analysis is on its advanced post-exploitation capabilities.
PHANTOMPULSE distinguishes itself through a combination of stealth techniques, including process injection, User Account Control (UAC) bypass, and a decentralized blockchain-based command-and-control (C2) mechanism. These features collectively enable persistent and covert access to compromised systems.
One of the standout attributes of PHANTOMPULSE is its employment of three distinct process injection techniques. Depending on the type of payload, the malware utilizes:
- Module stomping
- Manual DLL mapping
- Debug-driven execution methods derived from public proof-of-concept tools
These techniques facilitate the execution of malicious code within legitimate processes, such as explorer.exe or dllhost.exe, thereby significantly reducing the likelihood of detection by endpoint security tools.
To further evade defenses, PHANTOMPULSE opts for direct system calls instead of standard Windows APIs, effectively bypassing user-mode hooks commonly implemented by endpoint detection and response (EDR) solutions. Prior coverage by Elastic Security Labs of REF6598 documented an intrusion set utilizing a Windows toolchain that infiltrated systems via Obsidian plugin abuse, escalating through an in-memory PE loader known as PHANTOMPULL.
Moreover, PHANTOMPULSE incorporates a unique hardware breakpoint (HWBP) mechanism designed to disable key security protections, including the Antimalware Scan Interface (AMSI), Windows Lockdown Policy (WLDP), and Event Tracing for Windows (ETW). Rather than modifying code in memory, the malware intercepts execution at runtime and fabricates clean return values, complicating detection efforts.
PHANTOMPULSE RAT Uses UAC
Another critical feature of PHANTOMPULSE is its blockchain-based C2 resolution. Instead of relying on static domains, the malware retrieves its C2 server address from transaction data on Ethereum, Base, and Optimism networks. It extracts and decrypts the “input” field of recent transactions associated with a hardcoded wallet address. However, researchers have identified a significant vulnerability: the resolver does not verify the transaction sender, allowing defenders to potentially hijack the communication channel through a single crafted transaction, effectively sinkholing all infected hosts.
Persistence is achieved through multiple scheduled tasks that execute a malicious DLL via rundll32.exe during system startup and user logon. Additionally, PHANTOMPULSE supports self-healing, automatically restoring deleted components or tasks during periodic checks.
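The persistence pattern described above (rundll32.exe launched from scheduled tasks at startup and logon) lends itself to a simple hunt over exported Task Scheduler definitions. The following Python is an added example, not code from the article or from Elastic; it flags any task whose Exec action runs rundll32.exe on a boot or logon trigger, and the task names, DLL path and export name it uses are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SUSPICIOUS_TRIGGERS = {"BootTrigger", "LogonTrigger"}

# Constructed task definitions in the Task Scheduler XML schema. Task names,
# DLL path and export name are placeholders, not indicators from the article.
TASKS = {
    "\\Placeholder\\UpdateCheck": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Actions Context="Author"><Exec>
    <Command>C:\\Windows\\System32\\rundll32.exe</Command>
    <Arguments>C:\\Users\\Public\\Libraries\\placeholder.dll,Start</Arguments>
  </Exec></Actions>
</Task>""",
    "\\Placeholder\\NightlyCleanup": """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><CalendarTrigger><Enabled>true</Enabled></CalendarTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\cleanmgr.exe</Command></Exec></Actions>
</Task>""",
}

def analyze_task(xml_text):
    """Return findings for one task: rundll32.exe actions fired by a boot/logon trigger."""
    root = ET.fromstring(xml_text)
    triggers_node = root.find("t:Triggers", NS)
    triggers = set()
    if triggers_node is not None:
        # strip the namespace prefix so tags compare as plain names
        triggers = {child.tag.split("}", 1)[1] for child in triggers_node}
    findings = []
    for exec_node in root.iterfind("t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip().lower()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).strip()
        if not command.endswith("rundll32.exe"):
            continue  # not the launcher used by this persistence pattern
        hits = sorted(triggers & SUSPICIOUS_TRIGGERS)
        if hits:
            findings.append({"triggers": hits, "rundll32_args": args})
    return findings

def scan_tasks(tasks):
    """Map task name -> findings for every matching task; benign tasks are omitted."""
    results = {}
    for name, xml_text in tasks.items():
        findings = analyze_task(xml_text)
        if findings:
            results[name] = findings
    return results
```

On a live host the same functions can be fed the output of `schtasks /query /xml` or the files under `C:\Windows\System32\Tasks`; the self-healing behaviour means a single hit is worth checking for sibling tasks pointing at the same DLL.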
Privilege escalation is accomplished using the publicly known “schuac” UAC bypass technique. By exploiting COM interfaces such as IElevatedFactoryServer, PHANTOMPULSE can spawn elevated processes without triggering user prompts, allowing it to operate with high integrity privileges.
PHANTOMPULSE disables AMSI, the Windows Lockdown Policy code-trust check, and ETW telemetry through a single shared primitive: a hardware breakpoint planted on each API entry.
The malware conducts extensive system reconnaissance, gathering details such as OS version, hardware specifications, installed applications, and security products. It specifically checks for cryptocurrency wallets, messaging apps, and file transfer tools, indicating a focus on financially motivated operations. However, no direct credential or wallet theft functionality was observed in this variant, suggesting it serves as a staging platform for subsequent payloads.
Interestingly, the binary exhibits strong indicators of AI-assisted development. Debug strings reveal structured logging patterns, verbose diagnostics, and consistent function tracing artifacts typically associated with code generated by large language models.
PHANTOMPULSE ships three injection techniques, tailored to specific payload types. The inject C2 command directs shellcode to PhantomInject, DLLs to ManualMap, and EXEs to DbgNexum.
Elastic researchers have also noted overlaps with tactics employed by DPRK-aligned threat groups, particularly those targeting cryptocurrency platforms. The use of blockchain-based C2, along with cross-platform targeting and crypto wallet reconnaissance, aligns with previously reported campaigns attributed to clusters such as BlueNoroff and UNC5342.
PHANTOMPULSE exemplifies the evolving landscape of modern malware, which increasingly merges publicly available offensive techniques with innovative infrastructure, resulting in highly evasive and resilient threats. Its combination of injection methods, stealthy defense bypasses, and decentralized C2 underscores the growing complexity that defenders must navigate in enterprise environments.