securityonline.info, 2/2/2026, 1:41:30 AM

Signed & Stolen: “Phantom Stealer” Hijacks Java App via Fake DHL Invoice

A sophisticated new malware campaign is turning the trust of legitimate software against users by weaponising a signed Java utility to deliver Phantom Stealer v3.5.0. The attack begins with a spam email masquerading as a DHL invoice, urging the recipient to open a ZIP attachment that contains a legitimate, signed Java utility renamed DHL-INVOICE[.]exe and a malicious file named jli[.]dll.

According to Manoj Kshirsagar, the loader uses DLL sideloading to have the trusted Java launcher load the malicious DLL and transfer execution to the XLoader, while the final payload is delivered by Phantom Stealer v3.5.0, a modular .NET-based information stealer. The malware employs Process Hollowing to inject into AddInProcess32[.]exe, enabling it to run under a legitimate Microsoft process and evade detection.

It also encrypts its configuration with AES-256 in CBC mode, with keys derived via PBKDF2 to protect C2 settings. The campaign was reported on 2 February 2026.
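The two host-level behaviours described above (a renamed but still signed Java launcher pulling jli.dll from the directory it was dropped in, and AddInProcess32.exe being started by something other than a normal .NET host) are both visible in endpoint telemetry. The following is an added detection example written for this article, not code from the report or the researcher; it runs over constructed Sysmon-style events (Event ID 7 image loads and Event ID 1 process creations) embedded inline, and the trusted-root and user-writable path lists are assumptions a defender would tune to their estate.

```python
"""Hunting heuristics for the DLL-sideloading / process-hollowing chain above.

Constructed example: the event dicts below are invented for illustration and
use Sysmon field names (EventID 1 process create, EventID 7 image load).
"""
from __future__ import annotations

import ntpath
from typing import Iterable

# Assumption: roots where a real JRE/JDK (and AddInProcess32's usual parents) live.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Assumption: typical staging folders for mail-borne archives.
USER_WRITABLE_HINTS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\temp\\", "\\desktop\\")
JAVA_LAUNCHER_NAMES = {"java.exe", "javaw.exe"}


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _in_trusted_root(path: str) -> bool:
    return path.lower().startswith(TRUSTED_ROOTS)


def _in_user_writable(path: str) -> bool:
    return any(hint in path.lower() for hint in USER_WRITABLE_HINTS)


def detect_renamed_java_sideload(event: dict) -> str | None:
    """EID 7: the PE's OriginalFileName says it is the Java launcher, but its
    on-disk name differs, and it loads jli.dll from outside a trusted root."""
    if event.get("EventID") != 7:
        return None
    loaded = event.get("ImageLoaded", "")
    if _basename(loaded) != "jli.dll":
        return None
    orig = event.get("OriginalFileName", "").lower()
    image = event.get("Image", "")
    renamed = orig in JAVA_LAUNCHER_NAMES and _basename(image) != orig
    if renamed and not _in_trusted_root(loaded):
        return f"renamed Java launcher {image} sideloaded {loaded}"
    return None


def detect_addinprocess_hollowing(event: dict) -> str | None:
    """EID 1: AddInProcess32.exe started by a parent outside trusted roots.
    Hollowing keeps the victim's image name intact, so the odd parent is the signal."""
    if event.get("EventID") != 1:
        return None
    if _basename(event.get("Image", "")) != "addinprocess32.exe":
        return None
    parent = event.get("ParentImage", "")
    if not _in_trusted_root(parent) or _in_user_writable(parent):
        return f"AddInProcess32.exe spawned by untrusted parent {parent}"
    return None


def scan(events: Iterable[dict]) -> list[str]:
    """Run every rule over every event and collect the findings."""
    findings: list[str] = []
    for ev in events:
        for rule in (detect_renamed_java_sideload, detect_addinprocess_hollowing):
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


# Constructed sample telemetry (paths are hypothetical).
SAMPLE_EVENTS = [
    {  # benign: a real JRE loading its own jli.dll
        "EventID": 7, "Image": r"C:\Program Files\Java\jre\bin\javaw.exe",
        "OriginalFileName": "javaw.exe",
        "ImageLoaded": r"C:\Program Files\Java\jre\bin\jli.dll", "Signed": "true",
    },
    {  # suspicious: renamed signed launcher loading jli.dll from the unpacked ZIP
        "EventID": 7, "Image": r"C:\Users\alice\Downloads\DHL-INVOICE\DHL-INVOICE.exe",
        "OriginalFileName": "javaw.exe",
        "ImageLoaded": r"C:\Users\alice\Downloads\DHL-INVOICE\jli.dll", "Signed": "false",
    },
    {  # suspicious: AddInProcess32.exe with the dropped launcher as parent
        "EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
        "ParentImage": r"C:\Users\alice\Downloads\DHL-INVOICE\DHL-INVOICE.exe",
        "CommandLine": "AddInProcess32.exe",
    },
    {  # benign: AddInProcess32.exe under a host installed in Program Files
        "EventID": 1, "Image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
        "ParentImage": r"C:\Program Files\SomeVendor\host.exe",
        "CommandLine": "AddInProcess32.exe /guid:...",
    },
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print("ALERT:", finding)
```

The first rule keys on the mismatch between the PE's OriginalFileName and its on-disk name, which survives the renaming trick exactly because the attacker needs the original signed binary untouched; the second rule treats AddInProcess32.exe as a known hollowing target and asks only whether its parent is plausible. Both are heuristics, so in production they belong in a hunting query alongside the loader's hash and the C2 indicators from the full report rather than as standalone blocking rules.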

Article by CyberSIXT