Security researchers on Tuesday identified “Phantom Stealer” — a fileless credential stealer targeting browser credentials across all major browsers. Unlike conventional stealer malware that relies on disk-resident binaries, Phantom Stealer executes entirely in memory from initial infection through credential exfiltration, significantly reducing its visibility to endpoint detection tools.
The malware targets Chromium-based browsers including Chrome, Edge, and Brave, as well as Firefox and Safari, extracting saved passwords, cookies, autofill data, and session tokens. By operating exclusively in memory, the malware leaves no file system artifacts that traditional antivirus scanners would detect.
Anti-Analysis Techniques: Process Hollowing, API Unhooking, and Sandbox Detection
Phantom Stealer’s infection chain incorporates multiple anti-analysis techniques including process hollowing, API unhooking, and timing-based sandbox detection. The malware’s in-memory architecture means signature-based detection produces zero signal from file system scanning.
Process hollowing allows the malware to execute code within a legitimate process’s memory space, masking its presence from standard task manager tools. API unhooking removes the monitoring hooks that endpoint detection agents place on API functions, effectively blinding security tools that rely on API callback monitoring. Timing-based sandbox detection allows the malware to detect virtualized or monitored environments and alter its behavior to avoid detection.
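Because the file system yields no signal, detection has to come from behavioral telemetry. The following is an added illustration (not code from the article or from any EDR vendor) of heuristics for the two techniques above: a process created suspended by a parent that then writes into it, sets a thread context and resumes it, and a process that makes a loaded DLL's code section writable, which is what unhooking needs before patching. The event schema and the sample records are constructed assumptions.

```python
"""Heuristic detection of process hollowing and EDR-hook removal in API-call
telemetry. Added example, not from the article; the event schema and the
sample records are constructed and match no particular EDR product."""
from collections import defaultdict

CREATE_SUSPENDED = 0x4  # CreateProcess creation flag
WRITABLE = {"PAGE_READWRITE", "PAGE_EXECUTE_READWRITE", "PAGE_WRITECOPY"}
# Cross-process APIs a hollowing chain uses on its suspended child -> stage.
API_STAGE = {"NtUnmapViewOfSection": "unmap", "WriteProcessMemory": "write",
             "NtMapViewOfSection": "write", "SetThreadContext": "set_context",
             "ResumeThread": "resume"}

def detect_hollowing(events):
    """Return {child_pid: stages} for children created suspended whose parent
    then wrote into them, set a thread context and resumed them. A debugger
    that creates a suspended child and just resumes it is not flagged."""
    parent_of, stages = {}, defaultdict(list)
    for e in events:
        pid, target, api = e["pid"], e.get("target_pid"), e["api"]
        if api == "CreateProcessW" and e.get("flags", 0) & CREATE_SUSPENDED:
            parent_of[target] = pid
            stages[target].append("create_suspended")
        elif parent_of.get(target) == pid and api in API_STAGE:
            stages[target].append(API_STAGE[api])
    return {c: s for c, s in stages.items()
            if {"write", "set_context"} <= set(s) and s[-1] == "resume"}

def detect_unhooking(events):
    """Return pids that made a loaded DLL's code section writable. EDR inline
    hooks live in those sections, so this step precedes overwriting them."""
    return sorted({e["pid"] for e in events
                   if e["api"] in ("VirtualProtect", "NtProtectVirtualMemory")
                   and e.get("region", "").endswith("!.text")
                   and e.get("protect") in WRITABLE})

# Constructed telemetry: pid 4001 unprotects ntdll's code section, then hollows
# its child 4002; pid 5001 is a benign debugger-style suspended launch.
SAMPLE_EVENTS = [
    {"pid": 4001, "api": "VirtualProtect", "region": "ntdll.dll!.text",
     "protect": "PAGE_EXECUTE_READWRITE"},
    {"pid": 4001, "api": "CreateProcessW", "target_pid": 4002, "flags": 0x4},
    {"pid": 4001, "api": "NtUnmapViewOfSection", "target_pid": 4002},
    {"pid": 4001, "api": "WriteProcessMemory", "target_pid": 4002},
    {"pid": 4001, "api": "SetThreadContext", "target_pid": 4002},
    {"pid": 4001, "api": "ResumeThread", "target_pid": 4002},
    {"pid": 5001, "api": "CreateProcessW", "target_pid": 5002, "flags": 0x4},
    {"pid": 5001, "api": "ResumeThread", "target_pid": 5002},
]
```

On the sample events, `detect_hollowing` flags only child 4002 and `detect_unhooking` flags only pid 4001; the debugger-style launch by 5001 passes both checks.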
Browser Credential Stealing Scope Across All Major Platforms
The credential-stealing component targets all major browser platforms, extracting saved passwords, cookies, autofill data, and session tokens. The browser-level scope means a single infection can compromise credentials across the full set of major browsers rather than a single platform, increasing the range of potentially affected accounts and services.
Browser credential theft directly compromises accounts that are often reused across services, amplifying the impact of a single infection beyond the initially targeted browser. The credential data is harvested in plaintext format from the browser’s local storage mechanisms before the session is terminated.
