VYPR Research · Published Jun 2, 2026 · 1 source

PHANTOMPULSE RAT Targets Crypto Sector with Advanced Process Injection and Blockchain C2

A sophisticated remote access trojan, PHANTOMPULSE, linked to DPRK-aligned threat groups, is actively compromising Windows systems in the cryptocurrency sector using advanced evasion techniques and a novel blockchain-based command-and-control mechanism.

A newly analyzed remote access trojan (RAT) named PHANTOMPULSE has emerged as a significant threat, particularly targeting the cryptocurrency sector. This malware is the final-stage payload within a broader attack chain identified as REF6598, which is actively orchestrated by threat actors with suspected ties to North Korea. PHANTOMPULSE distinguishes itself through its sophisticated multi-stage approach, chaining together advanced techniques to bypass security measures and maintain a persistent presence on compromised systems.

The attack chain typically begins with the exploitation of Obsidian plugins (Obsidian itself being a tool commonly used by developers and researchers). Once an initial foothold is established, an in-memory loader known as PHANTOMPULL deploys the PHANTOMPULSE implant. From this point the RAT takes control, focusing on persistence, evasion of detection mechanisms, and a covert communication channel back to its operators. Elastic Security Labs has provided a detailed analysis of this threat, highlighting its complex operational security and evasion tactics.

PHANTOMPULSE is equipped with three distinct process injection techniques, each designed to evade different types of security monitoring. The malware employs a method called PhantomInject for shellcode injection, which overwrites a legitimate Windows DLL (dbghelp.dll) rather than allocating new executable memory. This technique helps the injected code blend in with trusted system processes, making it harder for memory scanners to detect. For executable payloads, PHANTOMPULSE utilizes a technique named DbgNexum, adapted from a publicly available proof-of-concept, which leverages the Windows Debug API to achieve execution without direct memory writes to the target process.

Furthermore, the RAT handles DLL payloads through a manual mapping routine that strips Portable Executable (PE) headers from memory, thereby removing common forensic artifacts that security tools might look for. Complementing these injection methods is a User Account Control (UAC) bypass technique, cataloged as UACME issue #129. This bypass exploits a Windows COM interface to grant non-administrator users elevated privileges, which PHANTOMPULSE then uses to register a high-privilege scheduled task, ensuring its relaunch with full administrator rights. If this primary bypass fails, the malware attempts to use a rundll32 proxy process to retry elevation through various registration methods.

A particularly novel aspect of PHANTOMPULSE is its command-and-control (C2) communication mechanism. Instead of relying on traditional hardcoded domains or DNS techniques, the RAT queries the latest transaction associated with a specific cryptocurrency wallet on the Ethereum, Base, and Optimism blockchain networks. The C2 URL carried in that transaction is XOR-encrypted using the wallet address as the key. This method is notable because the resolver performs no sender verification: any party could potentially redirect PHANTOMPULSE instances to their own servers by posting a transaction with an encoded URL to the target wallet. Elastic researchers have pointed out that this presents a potential sinkholing opportunity for defenders.
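A defender-side decoder for the C2 resolution scheme just described, added here as an illustration (it is not Elastic's code, nor code recovered from the malware). It assumes the encrypted URL is carried in the transaction's calldata and that the XOR key is the ASCII bytes of the lower-case wallet address string, neither of which the report specifies, and it runs over constructed transactions with placeholder addresses and URLs. Walking every transaction to the wallet, rather than only the operator's, shows why the missing sender check matters: any sender whose calldata decodes to a URL is a candidate.

```python
"""Added example, not code from Elastic or from the malware. Assumed (not stated
in the report): the encrypted URL sits in the transaction's calldata and the key
is the ASCII bytes of the lower-case wallet address string, used as a repeating XOR key."""
import re
from typing import Optional

# Constructed placeholder wallet and URLs; none are indicators from the report.
WALLET = "0x" + "ab" * 20
URL_RE = re.compile(r"https?://[A-Za-z0-9.\-]+(:\d+)?(/[\w./\-?=&%]*)?")

def xor_with_key(data: bytes, key: str) -> bytes:
    """Repeating-key XOR; symmetric, so the same call encodes and decodes."""
    k = key.lower().encode()
    return bytes(b ^ k[i % len(k)] for i, b in enumerate(data))

def decode_c2_from_calldata(calldata_hex: str, wallet: str) -> Optional[str]:
    """Recover a C2 URL from calldata, or None when the bytes do not decode
    to a URL (what a hunter sees for ordinary transactions to the wallet)."""
    raw = bytes.fromhex(calldata_hex[2:] if calldata_hex.startswith("0x") else calldata_hex)
    try:
        text = xor_with_key(raw, wallet).decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if URL_RE.fullmatch(text) else None

def find_c2_candidates(txs: list, wallet: str) -> list:
    """Walk transactions to the wallet, newest first, and return every (sender, url)
    pair that decodes. Because the implant's resolver trusts the latest transaction
    without checking the sender, any sender in this list could steer the implant."""
    return [(tx["from"], url) for tx in txs
            if (url := decode_c2_from_calldata(tx["input"], wallet)) is not None]

def build_sample_calldata(url: str, wallet: str) -> str:
    """Fabricate calldata for the offline sample below (encode side of the XOR)."""
    return "0x" + xor_with_key(url.encode(), wallet).hex()

# Constructed transactions, newest first: an operator post, a plain token transfer
# (ERC-20 transfer selector, not a URL), and a third-party post to the same wallet.
SAMPLE_TXS = [
    {"from": "0x" + "11" * 20, "input": build_sample_calldata("http://c2.example.invalid:8080/gate", WALLET)},
    {"from": "0x" + "22" * 20, "input": "0xa9059cbb"},
    {"from": "0x" + "33" * 20, "input": build_sample_calldata("https://sinkhole.example.invalid/gate", WALLET)},
]

def resolve_latest(txs: list, wallet: str) -> Optional[str]:
    """What the implant would do: take the newest transaction that decodes."""
    cands = find_c2_candidates(txs, wallet)
    return cands[0][1] if cands else None
```

Pointed at real chain data, a hunter would replace SAMPLE_TXS with the wallet's transaction history pulled from a node or explorer API and review every sender that appears in the candidate list.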

The threat actor behind PHANTOMPULSE exhibits characteristics consistent with DPRK-linked groups such as Lazarus, BlueNoroff, and UNC5342 (Contagious Interview). Indicators include the malware's focus on the cryptocurrency sector, cross-platform targeting (Windows and macOS), and the use of Telegram as a fallback C2 channel. The malware's internal debug strings are also unusually verbose and structured, suggesting potential AI-assisted development, a trend observed in other sophisticated threat operations. These combined factors indicate a mature and well-resourced threat actor.

Organizations, especially those within the cryptocurrency industry, are advised to monitor for suspicious scheduled tasks, particularly those involving the Microsoft Windows .NET Framework. Security teams should also be vigilant for unusual rundll32.exe execution patterns and any attempts to tamper with Windows security APIs using hardware breakpoints. Elastic Security Labs has released YARA detection rules (Windows.Trojan.PhantomPulse) to aid in identifying this threat. The potential for sinkholing the C2 infrastructure via blockchain transactions offers a unique defensive avenue for security professionals.

Synthesized by Vypr AI