PHANTOMPULSE RAT Uses Process Injection and UAC Bypass to Compromise Windows Systems

Jun 02, 2026 · 5 min read
A newly analyzed remote access trojan called PHANTOMPULSE has drawn serious attention for its advanced approach to compromising Windows systems.

The malware is the final-stage payload in a broader attack chain known as REF6598, a threat cluster actively targeting the cryptocurrency sector.

What makes PHANTOMPULSE particularly dangerous is how it chains multiple advanced techniques together to evade most security tools.

The attack begins when victims are targeted through abuse of plugins for Obsidian, a note-taking tool popular among developers and researchers. Once a foothold is established, an in-memory loader called PHANTOMPULL drops the PHANTOMPULSE implant onto the compromised system.

From that point, the RAT takes over, establishing persistence, evading detection, and opening a communication channel back to its operators.

Analysts at Elastic Security Labs identified and documented PHANTOMPULSE in a detailed reverse-engineering report shared with Cyber Security News (CSN).

According to the Elastic Security Labs report, the implant carries three separate process injection techniques, a blockchain-based command-and-control channel, and a UAC bypass method that quietly elevates privileges without triggering standard security alerts.

The malware also shows strong signs of AI-assisted development, visible in its unusually verbose and carefully structured internal debug strings.

The threat cluster behind PHANTOMPULSE aligns closely with DPRK-linked groups such as Lazarus, BlueNoroff, and UNC5342, also known as Contagious Interview.

AI generated strings in the binary (Source - Elastic)

The malware’s focus on cryptocurrency wallets, cross-platform targeting across Windows and macOS, and use of Telegram as a fallback channel all match known patterns from those North Korean clusters.

These signals collectively point to a mature and well-resourced threat actor operating across multiple regional markets.

Organizations in the crypto sector are strongly advised to monitor for suspicious scheduled tasks, especially those registered under the Microsoft\Windows\.NET Framework task folder.

Security teams should also watch for rundll32.exe executing with unusual arguments, and flag any hardware breakpoint-based tampering with Windows security APIs. Elastic has released YARA detection rules under the identifier Windows.Trojan.PhantomPulse to support threat hunters.
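The two hunting leads above, turned into a minimal check over constructed telemetry. This is an added example and not Elastic's detection logic; the record layout, the task and file names in the samples, and the "known-good" heuristics (legitimate NGEN tasks run from the Microsoft.NET runtime directory, legitimate rundll32 calls name a DLL under a system directory) are assumptions.

```python
# Added example (not from the Elastic report): flag scheduled tasks registered
# under the .NET Framework task folder whose action does not come from the
# Microsoft .NET runtime path, and rundll32.exe launched with unusual arguments.
# Event fields, sample names and heuristics are assumptions, not report data.
import re

NET_FOLDER = "\\microsoft\\windows\\.net framework\\"      # compared lowercase
MS_NET_ROOT = "c:\\windows\\microsoft.net\\"               # where real NGEN tasks live
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
DLL_EXPORT = re.compile(r'^"?[^"]+\.dll"?(,\S+)?$', re.IGNORECASE)

def suspicious_task(task_path: str, action: str) -> bool:
    """A task in the .NET Framework folder is suspicious when its action is
    not the .NET runtime itself (the legitimate NGEN tasks live there)."""
    p, a = task_path.lower(), action.lower().strip('"')
    return p.startswith(NET_FOLDER) and not a.startswith(MS_NET_ROOT)

def suspicious_rundll32(cmdline: str) -> bool:
    """rundll32.exe is suspicious when it has no arguments, when the argument
    is not the usual <dll>,<export> form, or when the DLL is outside a system
    directory (e.g. under %ProgramData% or %APPDATA%)."""
    parts = cmdline.split(None, 1)
    if not parts or not parts[0].lower().endswith("rundll32.exe"):
        return False                    # not a rundll32 launch at all
    if len(parts) == 1:
        return True                     # rundll32 with no DLL argument
    arg = parts[1].strip()
    dll = arg.split(",", 1)[0].strip('"').lower()
    return not DLL_EXPORT.match(arg) or not dll.startswith(SYSTEM_DIRS)

# Constructed sample telemetry: one legitimate and one suspicious entry of each kind.
EVENTS = [
    {"type": "task", "path": "\\Microsoft\\Windows\\.NET Framework\\.NET Framework NGEN v4.0.30319",
     "action": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\ngen.exe"},
    {"type": "task", "path": "\\Microsoft\\Windows\\.NET Framework\\UpdateTask",   # placeholder name
     "action": "rundll32.exe C:\\ProgramData\\Monitor\\agent.dll,Start"},        # placeholder DLL
    {"type": "proc", "cmdline": 'rundll32.exe "C:\\Windows\\System32\\shell32.dll",Control_RunDLL'},
    {"type": "proc", "cmdline": "rundll32.exe C:\\ProgramData\\Monitor\\agent.dll,Start"},
]

def hunt(events):
    """Return the events that match either heuristic."""
    hits = []
    for e in events:
        if e["type"] == "task" and suspicious_task(e["path"], e["action"]):
            hits.append(e)
        elif e["type"] == "proc" and suspicious_rundll32(e["cmdline"]):
            hits.append(e)
    return hits

if __name__ == "__main__":
    for hit in hunt(EVENTS):
        print("suspicious:", hit)
```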

PHANTOMPULSE RAT Uses Process Injection and UAC Bypass

PHANTOMPULSE ships with three distinct injection methods, each designed for a different payload type.

Shellcode is injected using a technique called PhantomInject, which stomps a legitimate Windows DLL named dbghelp.dll rather than allocating new executable memory.

This makes the injected thread appear to live inside a trusted Windows file, helping it evade memory scanners.

For executable payloads, the malware uses a method called DbgNexum, which was lifted directly from a public proof-of-concept published on GitHub in January 2026.

It drives execution through the Windows Debug API one exception at a time, so no direct memory writes to the target process are ever required.

Building heartbeat JSON document (Source - Elastic)

DLL payloads are handled through a full manual mapping routine that strips PE headers from memory, removing common forensic artifacts.

The UAC bypass relies on a documented technique catalogued as UACME issue #129. It exploits a Windows COM interface that hands non-admin callers an elevated instance, which the implant uses to register a high-privilege scheduled task that relaunches it with full administrator rights.

If that path fails, PHANTOMPULSE falls back to spawning a rundll32 proxy process to retry the elevation with several registration variants.

Blockchain-Based C2 and Sinkhole Opportunity

One of the most unusual aspects of PHANTOMPULSE is how it locates its command-and-control server. Rather than using hardcoded domains or fast-flux DNS, it reads the input field of the latest transaction from a specific cryptocurrency wallet across three blockchain networks: Ethereum, Base, and Optimism.

The URL is XOR-encrypted using the wallet address as the key, and the implant falls back to a hardcoded panel domain if blockchain resolution fails.

Cyberchef decrypting the DLL (Source - Elastic)

What makes this notable from a defender’s perspective is that the resolver contains no sender verification whatsoever.

Anyone who posts a transaction to the target wallet with their own XOR-encoded URL will redirect every polling PHANTOMPULSE instance to their server.

System reconnaissance (Source - Elastic)

This means a single blockchain transaction could theoretically sinkhole an entire campaign, which Elastic researchers highlighted as a viable and low-cost option for network defenders.
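A model of the resolver behaviour described above, written here as an added example (not Elastic's code and not the implant's), to make the missing sender check concrete: the newest transaction to the wallet wins, whoever sent it. The exact key form (the wallet address as ASCII text, repeated), the hex input encoding, the wallet and sender addresses, and the sample transactions are all assumptions or constructed values.

```python
# Added example (not from the Elastic report): models the blockchain C2 resolver
# the article describes. Assumptions: the transaction input field is hex, the XOR
# key is the ASCII text of the wallet address repeated, and the plaintext is a URL.
# All addresses and transactions below are constructed placeholders.
from dataclasses import dataclass
from itertools import cycle

WALLET = "0x" + "ab" * 20                       # placeholder C2 wallet address
OPERATOR = "0x" + "11" * 20                     # placeholder operator sender
DEFENDER = "0x" + "22" * 20                     # placeholder defender sender

@dataclass
class Tx:
    block: int        # higher block number = newer transaction
    sender: str
    to: str
    input_hex: str    # calldata carrying the XOR-encoded URL

def xor_with_key(data: bytes, key: str) -> bytes:
    """XOR data against the key text, repeating the key (symmetric operation)."""
    return bytes(b ^ k for b, k in zip(data, cycle(key.encode())))

def encode_url(url: str, wallet: str) -> str:
    """Produce an input field the way the page describes; used only to build samples."""
    return xor_with_key(url.encode(), wallet).hex()

def decode_url(input_hex: str, wallet: str) -> str:
    """Analyst helper: recover the URL from a transaction input field."""
    return xor_with_key(bytes.fromhex(input_hex), wallet).decode("utf-8", "replace")

def resolve_c2(txs, wallet, trusted_senders=None):
    """Pick the newest transaction to the wallet and decode it. With
    trusted_senders=None this mirrors the implant: any sender is accepted, so one
    later transaction redirects every polling instance. Passing a set of senders
    shows what the absent verification step would have filtered out."""
    candidates = [t for t in txs if t.to.lower() == wallet.lower()]
    if trusted_senders is not None:
        allowed = {s.lower() for s in trusted_senders}
        candidates = [t for t in candidates if t.sender.lower() in allowed]
    if not candidates:
        return None                    # resolution failed; implant would use its fallback domain
    newest = max(candidates, key=lambda t: t.block)
    return decode_url(newest.input_hex, wallet)

# Constructed chain state: the operator's post, then a newer post from another address.
SAMPLE_TXS = [
    Tx(100, OPERATOR, WALLET, encode_url("https://c2.example/panel", WALLET)),
    Tx(101, DEFENDER, WALLET, encode_url("https://sinkhole.example/", WALLET)),
]

if __name__ == "__main__":
    print("implant resolves:", resolve_c2(SAMPLE_TXS, WALLET))
    print("with sender check:", resolve_c2(SAMPLE_TXS, WALLET, {OPERATOR}))
```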

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
