win.phantomcore

PhantomCore


According to Cyble, PhantomCore is a backdoor used by the hacktivist group Head Mare. It has been active since 2023 and consistently targets Russia. PhantomCore collects victim information, including the public IP address, to profile the target before deploying a final-stage payload or executing additional commands on the compromised system. PhantomCore has been used to deploy ransomware payloads such as LockBit and Babuk, causing significant damage to victims' systems.

References
2025-11-26 — Intrinsec CTI — Intrinsec, David Sardinha
Trouble in the air: A spree of campaigns targeting the aerospace industry in Russia
DarkWatchman CloudEyE Formbook PhantomCore Remcos
2025-09-23 — F6 — F6
Bearlyfy: the evolution of the new group of ransomware and its connection with PhantomCore
LockBit LockBit PhantomCore Bearlyfy
2025-09-09 — Positive Technologies — Viktor Kazakov
Phantom pains: a large-scale cyberespionage campaign and a possible split within the PhantomCore APT group
PhantomCore
2024-12-10 — Cyble — Cyble
Head Mare Group Intensifies Attacks on Russia with PhantomCore Backdoor
PhantomCore Head Mare
2024-09-02 — Kaspersky Labs — Kaspersky
Head Mare: adventures of a unicorn in Russia and Belarus
PhantomCore Head Mare
Yara Rules
[TLP:WHITE] win_phantomcore_auto (20260504 | Detects win.phantomcore.)
// Auto-generated code-sequence signature for the PhantomCore backdoor (win.phantomcore).
// Each $sequence_N is a 7-instruction 32-bit x86 byte pattern lifted from unpacked
// samples / memory dumps; "??" bytes are YARA wildcards covering operands that vary
// between builds (e.g. rel32 call/jmp displacements after e8/e9, imm32 after ba).
// Read the DISCLAIMER below before assigning this rule a confidence level.
rule win_phantomcore_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.phantomcore."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.phantomcore"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        // "n" is the instruction count of the sequence and "score" the value
        // yara-signator assigned to it when selecting it; none of the sequences
        // is treated as individually sufficient (see condition).
        $sequence_0 = { 8b7930 8d5001 81fa00100000 7216 8b57fc 83c7fc 29d7 }
            // n = 7, score = 100
            //   8b7930               | mov                 edi, dword ptr [ecx + 0x30]
            //   8d5001               | lea                 edx, [eax + 1]
            //   81fa00100000         | cmp                 edx, 0x1000
            //   7216                 | jb                  0x18
            //   8b57fc               | mov                 edx, dword ptr [edi - 4]
            //   83c7fc               | add                 edi, -4
            //   29d7                 | sub                 edi, edx

        $sequence_1 = { 8d4afe 89c8 890c24 3b4c2410 72d3 7611 8d4704 }
            // n = 7, score = 100
            //   8d4afe               | lea                 ecx, [edx - 2]
            //   89c8                 | mov                 eax, ecx
            //   890c24               | mov                 dword ptr [esp], ecx
            //   3b4c2410             | cmp                 ecx, dword ptr [esp + 0x10]
            //   72d3                 | jb                  0xffffffd5
            //   7611                 | jbe                 0x13
            //   8d4704               | lea                 eax, [edi + 4]

        // Indirect call through [eax + 0x18] followed by a bool-to-ecx conversion;
        // presumably a method/vtable call whose result selects a flag — unverified.
        $sequence_2 = { 6a0f ff5018 b900000000 84c0 7405 b901000000 ba???????? }
            // n = 7, score = 100
            //   6a0f                 | push                0xf
            //   ff5018               | call                dword ptr [eax + 0x18]
            //   b900000000           | mov                 ecx, 0
            //   84c0                 | test                al, al
            //   7405                 | je                  7
            //   b901000000           | mov                 ecx, 1
            //   ba????????           |                     

        $sequence_3 = { f6464104 0f8528010000 31c0 e9???????? f6464104 0f856a010000 31c0 }
            // n = 7, score = 100
            //   f6464104             | test                byte ptr [esi + 0x41], 4
            //   0f8528010000         | jne                 0x12e
            //   31c0                 | xor                 eax, eax
            //   e9????????           |                     
            //   f6464104             | test                byte ptr [esi + 0x41], 4
            //   0f856a010000         | jne                 0x170
            //   31c0                 | xor                 eax, eax

        // Function epilogue that writes a saved value back to fs:[0] (the 32-bit
        // Windows SEH chain head) — looks like compiler-generated exception-frame
        // teardown rather than family-specific logic; weight it accordingly.
        $sequence_4 = { e8???????? 83c410 8b45e8 64a300000000 8b45d8 83c42c 5e }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c410               | add                 esp, 0x10
            //   8b45e8               | mov                 eax, dword ptr [ebp - 0x18]
            //   64a300000000         | mov                 dword ptr fs:[0], eax
            //   8b45d8               | mov                 eax, dword ptr [ebp - 0x28]
            //   83c42c               | add                 esp, 0x2c
            //   5e                   | pop                 esi

        // Appears to be an ASCII lower-casing step: bl - 'A' (0x41) compared against
        // 0x1a ('Z' - 'A' + 1), with +0x20 applied to the byte.
        $sequence_5 = { 0fb6c7 0f43c5 0fbeeb 83c5bf 0fb6cb 80c320 83fd1a }
            // n = 7, score = 100
            //   0fb6c7               | movzx               eax, bh
            //   0f43c5               | cmovae              eax, ebp
            //   0fbeeb               | movsx               ebp, bl
            //   83c5bf               | add                 ebp, -0x41
            //   0fb6cb               | movzx               ecx, bl
            //   80c320               | add                 bl, 0x20
            //   83fd1a               | cmp                 ebp, 0x1a

        // SSE block load (two movups at +0 and +0xc) after zeroing xmm0 and edi;
        // presumably the head of a vectorised copy/compare loop — unverified.
        $sequence_6 = { e9???????? 39ca 0f8494000000 0f57c0 31ff 0f10143a 0f105c3a0c }
            // n = 7, score = 100
            //   e9????????           |                     
            //   39ca                 | cmp                 edx, ecx
            //   0f8494000000         | je                  0x9a
            //   0f57c0               | xorps               xmm0, xmm0
            //   31ff                 | xor                 edi, edi
            //   0f10143a             | movups              xmm2, xmmword ptr [edx + edi]
            //   0f105c3a0c           | movups              xmm3, xmmword ptr [edx + edi + 0xc]

        $sequence_7 = { 8b5d10 8933 898c24a8000000 898424ac000000 8b442444 89842498000000 8b442460 }
            // n = 7, score = 100
            //   8b5d10               | mov                 ebx, dword ptr [ebp + 0x10]
            //   8933                 | mov                 dword ptr [ebx], esi
            //   898c24a8000000       | mov                 dword ptr [esp + 0xa8], ecx
            //   898424ac000000       | mov                 dword ptr [esp + 0xac], eax
            //   8b442444             | mov                 eax, dword ptr [esp + 0x44]
            //   89842498000000       | mov                 dword ptr [esp + 0x98], eax
            //   8b442460             | mov                 eax, dword ptr [esp + 0x60]

        // Spans a function boundary (ret followed by the next function's prologue),
        // so it depends on the linker's function ordering in the reference build.
        $sequence_8 = { 8d8e20010000 e8???????? 83c430 5d c3 55 83ec30 }
            // n = 7, score = 100
            //   8d8e20010000         | lea                 ecx, [esi + 0x120]
            //   e8????????           |                     
            //   83c430               | add                 esp, 0x30
            //   5d                   | pop                 ebp
            //   c3                   | ret                 
            //   55                   | push                ebp
            //   83ec30               | sub                 esp, 0x30

        $sequence_9 = { e8???????? 83c414 8b4580 837d8410 8d8d70ffffff 7206 8b8d70ffffff }
            // n = 7, score = 100
            //   e8????????           |                     
            //   83c414               | add                 esp, 0x14
            //   8b4580               | mov                 eax, dword ptr [ebp - 0x80]
            //   837d8410             | cmp                 dword ptr [ebp - 0x7c], 0x10
            //   8d8d70ffffff         | lea                 ecx, [ebp - 0x90]
            //   7206                 | jb                  8
            //   8b8d70ffffff         | mov                 ecx, dword ptr [ebp - 0x90]

    condition:
        // 7 of the 10 sequences must be present: a single coincidental hit (e.g. the
        // generic SEH epilogue in $sequence_4) does not fire the rule on its own.
        // The filesize cap (1840128 bytes, ~1.75 MiB) is presumably derived from the
        // reference samples; NOTE(review): it will suppress hits on larger or
        // repacked builds and on process dumps above that size — confirm against
        // your sample set before relying on it. No MZ/PE header check is applied,
        // consistent with the rule also being meant for unpacked memory dumps.
        7 of them and filesize < 1840128
}