PHANTOMPULSE: anatomy of a hijackable blockchain-C2 RAT
PHANTOMPULSE is a sophisticated RAT attributed to DPRK-aligned actors that utilizes hardware breakpoints to bypass AMSI, WLDP, and ETW. It establishes a resilient, sinkhole-able command and control channel by resolving C2 URLs from blockchain transaction inputs and employs multiple process injection and UAC bypass techniques.
Authors: Salim Bitam
| Type | Indicator | Description |
|---|---|---|
| domain | 0x666[.]info | macOS C2 domain |
| domain | fea22134[.]net | C2 domain encrypted in binary |
| domain | panel[.]fefea22134[.]net | Hardcoded C2 fallback domain |
| domain | thoroughly-publisher-troy-clara[.]trycloudflare[.]com | Prior C2 Cloudflare Tunnel |
| filename | svcagent.dll | Stub DLL dropped to disk for persistence |
| ip | 195[.]3[.]222[.]251 | Staging server for PowerShell/loader delivery |
| mutex | hVNBUORXNiFLhYYh | Single-instance mutex used by the malware |
| sha256 | 33dacf9f854f636216e5062ca252df8e5bed652efd78b86512f5b868b11ee70f | Final PHANTOMPULSE RAT payload |
| sha256 | 70bbb38b70fd836d66e8166ec27be9aa8535b3876596fc80c45e3de4ce327980 | syncobs.exe (PHANTOMPULL loader) |
| sha256 | def66275fa3baffb16e6e4ae0297861d9790ae7161fbc271a2ba05d121f13c70 | Go beacon (GTESTIC_WIN check-in) |
| url | hxxps://panel[.]fefea22134[.]net | Hardcoded C2 fallback URL |
What Happened
Security researchers have analyzed a new malicious program called PHANTOMPULSE, which is linked to North Korean hackers targeting the cryptocurrency sector. This malware infects Windows and macOS computers, using advanced tricks to hide from antivirus software and secretly communicate with its operators via blockchain networks. It is highly dangerous because it can steal keystrokes, take screenshots, and download additional malicious tools. Organizations should update their security monitoring to look for its unique behavioral patterns and block its known communication channels.
Key Takeaways
- PHANTOMPULSE uses hardware breakpoints (HWBP) to bypass AMSI, WLDP, and ETW from a single shared primitive.
- The RAT resolves its C2 via Ethereum, Base, and Optimism blockchain transaction inputs without sender verification, making it sinkhole-able.
- It implements three distinct process injection techniques (PhantomInject, DbgNexum, ManualMap) adapted from public PoCs.
- The malware uses the public 'schuac' technique for UAC bypass via COM elevation monikers.
- The binary contains strong indicators of AI-assisted development, such as verbose diagnostic logging and structured step numbering.
Affected Systems
- Windows
- macOS
Attack Chain
PHANTOMPULSE initializes by resolving APIs via direct syscalls and deploying hardware breakpoints to bypass AMSI, WLDP, and ETW. It establishes persistence by dropping an encrypted DLL and creating multiple scheduled tasks via COM interfaces. The malware resolves its C2 infrastructure by querying blockchain transaction inputs on Ethereum, Base, or Optimism networks. Once connected, it can execute commands, perform UAC bypasses using the schuac technique, and inject various payloads (shellcode, DLLs, EXEs) into host processes.
Detection Availability
- YARA Rules: Yes
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: Yes
- Platforms: Elastic Security, BigQuery
Elastic Security provides a YARA rule (Windows.Trojan.PhantomPulse) to identify the malware. A BigQuery SQL snippet is also provided to hunt for the C2 resolver signature on public blockchains.
Detection Engineering Assessment
- EDR Visibility: Medium — Direct syscalls and hardware breakpoint (HWBP) evasion techniques blind standard user-mode API hooks for AMSI and ETW, reducing EDR telemetry. However, process creation (rundll32) and scheduled task registration remain visible.
- Network Visibility: Medium — C2 resolution relies on HTTPS queries to legitimate blockchain explorers (Blockscout), which blends with normal traffic, but the specific XOR signature (0x580c) in transaction inputs can be hunted on the blockchain.
- Detection Difficulty: Hard — The use of HWBP for evasion, direct syscalls for disk writes, and decentralized blockchain C2 resolution makes signature-based and network-based detection difficult.
Required Log Sources
- Process Creation (Security Event ID 4688 / Sysmon Event ID 1)
- Scheduled Task Creation (Security Event ID 4698)
- File Creation (Sysmon Event ID 11)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for rundll32.exe executing with the DllRegisterServer argument, especially when spawned by svchost.exe (Schedule), which may indicate the persistence mechanism. | Process Creation | Persistence | Medium |
| Evaluate whether you can monitor for the creation of scheduled tasks with names like DotNetSvcUpdateTask or DotNetSvcCoreTask, particularly those running as HighestAvailable. | Scheduled Task Creation | Persistence | Low |
| If you have visibility into blockchain transaction data, consider hunting for input fields starting with 0x580c, which indicates the PHANTOMPULSE C2 resolver signature. | Network / External Blockchain Data | Command and Control | Low |
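The three hypotheses above as runnable hunting logic, added here as an example; it is not Elastic's YARA rule or BigQuery snippet. The event dictionaries and the transaction hash are constructed samples; the paths, task names, wallet addresses and the 0x580c prefix are the indicators from this page.

```python
import re

# Constructed sample telemetry (not real captures): a Sysmon EID 1-style process
# event, an EID 4698-style task event and a Blockscout-style transaction record.
PROC_EVENTS = [
    {"cmdline": r'rundll32.exe "C:\ProgramData\AssetMon\svcagent.dll",DllRegisterServer',
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "parent_cmdline": "svchost.exe -k netsvcs -p -s Schedule"},
]
TASK_EVENTS = [{"task_name": r"\DotNetSvcUpdateTask", "run_level": "HighestAvailable"}]
TXS = [  # the tx hash is a placeholder; the addresses are the page's wallet IOCs
    {"hash": "0xPLACEHOLDER_TX_1", "from": "0x38796B8479fDAE0A72e5E7e326c87a637D0Cbc0E",
     "to": "0xc117688c530b660e15085bF3A2B664117d8672aA", "input": "0x580c0a1b2c3d"},
]

RUNDLL_REGSVR = re.compile(r'rundll32(?:\.exe)?\s+"?([^"]+\.dll)"?\s*,\s*DllRegisterServer', re.I)
USER_WRITABLE = ("\\programdata\\", "\\appdata\\", "\\temp\\")
TASK_NAMES = {"dotnetsvcupdatetask", "dotnetsvccoretask", "dotnetsvcusertask"}
KNOWN_WALLETS = {"0xc117688c530b660e15085bf3a2b664117d8672aa",
                 "0x38796b8479fdae0a72e5e7e326c87a637d0cbc0e"}

def flag_rundll32(ev):
    # Hypothesis 1: rundll32 <dll>,DllRegisterServer launched by the Schedule
    # svchost, or loading its DLL from a user-writable directory.
    m = RUNDLL_REGSVR.search(ev["cmdline"])
    from_scheduler = (ev["parent_image"].lower().endswith("svchost.exe")
                      and "schedule" in ev["parent_cmdline"].lower())
    if not m or not (from_scheduler or any(d in m.group(1).lower() for d in USER_WRITABLE)):
        return None
    return {"rule": "rundll32_dllregisterserver", "dll": m.group(1), "from_scheduler": from_scheduler}

def flag_task(ev):
    # Hypothesis 2: the three task names the RAT registers, noting the run level.
    leaf = ev["task_name"].rsplit("\\", 1)[-1].lower()
    if leaf not in TASK_NAMES:
        return None
    return {"rule": "phantompulse_task", "task": ev["task_name"],
            "highest_available": ev["run_level"] == "HighestAvailable"}

def flag_tx(tx):
    # Hypothesis 3: input data starting with the 0x580c resolver signature; a
    # known wallet on either side raises confidence but is not required.
    if not tx["input"].lower().startswith("0x580c"):
        return None
    known = {tx["from"].lower(), tx["to"].lower()} & KNOWN_WALLETS
    return {"rule": "c2_resolver_input", "hash": tx["hash"], "known_wallet": bool(known)}

def hunt(procs=PROC_EVENTS, tasks=TASK_EVENTS, txs=TXS):
    checks = [(flag_rundll32, procs), (flag_task, tasks), (flag_tx, txs)]
    return [hit for fn, items in checks for hit in map(fn, items) if hit]
```

Feed `hunt()` your own exported process, task and transaction records with the same field names; the 0x580c check is deliberately loose, so pair it with the known-wallet flag before escalating.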
Control Gaps
- User-mode EDR hooks (bypassed via direct syscalls)
- AMSI and ETW telemetry (bypassed via HWBP)
Key Behavioral Indicators
- rundll32.exe spawning with DllRegisterServer
- Creation of a .elevate marker file
- Scheduled tasks created via COM ITaskService
False Positive Assessment
- Low
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Consider blocking the known hardcoded C2 domains and IP addresses in your network perimeter controls.
- Evaluate whether to hunt for the presence of the hVNBUORXNiFLhYYh mutex or the svcagent.dll file in %ProgramData% or %APPDATA%.
Infrastructure Hardening
- Consider restricting the execution of rundll32.exe from unusual directories like %ProgramData% or %APPDATA%.
- Evaluate implementing strict UAC enforcement and monitoring for COM elevation moniker abuse.
User Protection
- If applicable, ensure EDR agents are configured to detect hardware breakpoint manipulation and direct syscall usage.
Security Awareness
- Consider educating developers and cryptocurrency sector employees about targeted social engineering and fake recruiter lures.
MITRE ATT&CK Mapping
- T1055.001 - Process Injection: DLL Injection
- T1053.005 - Scheduled Task/Job: Scheduled Task
- T1562.001 - Impair Defenses: Disable or Modify Tools
- T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
- T1056.001 - Input Capture: Keylogging
- T1102 - Web Service
- T1106 - Native API
Additional IOCs
- File Paths:
  - %ProgramData%\AssetMon\svcagent.dll - Primary drop path for the persistence stub DLL
  - %APPDATA%\AssetMon\svcagent.dll - Secondary drop path for the persistence stub DLL
  - %TEMP%\svcagent.dll - Tertiary drop path for the persistence stub DLL
- Command Lines:
  - `rundll32.exe "<deployed_dll>",DllRegisterServer` | Purpose: Executes the dropped DLL to establish persistence and bypass UAC | Tools: rundll32.exe | Stage: Persistence and Privilege Escalation
- Other:
  - 0xc117688c530b660e15085bF3A2B664117d8672aA - Blockchain C2 wallet address (ETH/Base/Optimism)
  - 0x38796B8479fDAE0A72e5E7e326c87a637D0Cbc0E - Funding wallet for C2 resolution
  - Elevation:Administrator!new:{A6BFEA43-501F-456F-A845-983D3AD7B8F0} - COM moniker used for UAC bypass
  - DotNetSvcUpdateTask - Primary persistence scheduled task name
  - DotNetSvcCoreTask - SYSTEM persistence scheduled task name
  - DotNetSvcUserTask - User persistence scheduled task name
  - .elevate - Marker file used to route the elevated relaunch