securityonline.info 2/4/2026, 2:10:17 AM

Digital Ghost: “PhantomVAI” Malware Revives Decade-Old RunPE Tricks

According to an Intrinsec report, PhantomVAI is a custom loader built on a decade-old RunPE utility, repurposed to power worldwide campaigns that deliver a variety of payloads. Researchers traced the loader’s lineage to code under the namespace Hackforums[.]gigajew, which points to the old RunPE framework used by hackers years ago.

RunPE techniques hollow out legitimate processes and inject malicious code into them; PhantomVAI uses this legacy base to create a stable delivery mechanism that blends in with normal system activity. The infection chain features a core component dubbed Mandark (x64[.]load), which prepares the victim environment and executes the final payload, while a further evasion tactic, called Windows Task Scheduler masquerading, aims to impersonate legitimate administrative processes.

The campaigns are broad in their targeting and often deliver infostealers capable of harvesting browser data and credentials. The report emphasises that, despite the age of the code, the threat is current and calls for proactive defence such as MFA for browser accounts and network monitoring to spot unusual outbound connections. The article also notes that loaders like PhantomVAI need to phone home to fetch additional payloads, underscoring the importance of network visibility.
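As an added illustration (not code from the Intrinsec report or the securityonline.info article), the following Python script turns the two defensive ideas in the summary into checks that can run over network-connection logs: flagging a process that borrows a Task Scheduler or other system-binary name but runs from a non-system path, and flagging an outbound connection to a destination outside the process's expected baseline, which is how a loader's phone-home would surface. The event format, the sample events, the per-process baseline and the set of imitated binary names are all constructed assumptions, and TEST-NET addresses stand in for external hosts.

```python
"""Added example; not the report's or article's own code. Flags system-binary
masquerading and unusual outbound connections in constructed Sysmon-style events."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Where genuine copies of the Windows built-ins live (lower-cased for comparison).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Built-in names a loader might imitate to look like administrative activity (assumed list).
SYSTEM_BINARY_NAMES = {"svchost.exe", "taskhostw.exe", "schtasks.exe", "taskeng.exe"}
# Address space treated as internal; connections here are never "outbound".
# Listed explicitly because Python's is_private also covers the TEST-NET ranges used below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# Hypothetical per-process baseline of expected external destinations.
# None = any external destination is normal (a browser); a list = only those networks.
BASELINE: Dict[str, Optional[List[ipaddress.IPv4Network]]] = {
    "firefox.exe": None,
    "svchost.exe": [ipaddress.ip_network("192.0.2.0/24")],  # constructed "update servers"
}


@dataclass
class NetEvent:
    timestamp: str
    image_path: str
    dest_ip: ipaddress.IPv4Address
    dest_port: int

    @property
    def image_name(self) -> str:
        return self.image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_event(line: str) -> NetEvent:
    """Parse 'timestamp|image_path|dest_ip|dest_port' (a constructed, Sysmon-like format)."""
    ts, image, ip, port = line.strip().split("|")
    return NetEvent(ts, image, ipaddress.ip_address(ip), int(port))


def is_masquerading(ev: NetEvent) -> bool:
    """True when a system-binary name is running from outside the system directories."""
    return (ev.image_name in SYSTEM_BINARY_NAMES
            and not ev.image_path.lower().startswith(SYSTEM_DIRS))


def is_unusual_outbound(ev: NetEvent) -> bool:
    """True for an external destination that the process's baseline does not cover."""
    if any(ev.dest_ip in net for net in INTERNAL_NETS):
        return False
    allowed = BASELINE.get(ev.image_name, [])  # unknown process: no external traffic expected
    if allowed is None:
        return False
    return not any(ev.dest_ip in net for net in allowed)


def analyze(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (reason, image_path, dest) for every flagged event, in log order."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        dest = f"{ev.dest_ip}:{ev.dest_port}"
        if is_masquerading(ev):
            findings.append(("masquerade", ev.image_path, dest))
        if is_unusual_outbound(ev):
            findings.append(("unusual-outbound", ev.image_path, dest))
    return findings


# Constructed sample events: one internal SMB connection, a fake taskhostw.exe in a
# user profile calling out, a browser, svchost to its baseline, and svchost to a stranger.
SAMPLE_EVENTS = [
    r"2026-02-04T02:10:17Z|C:\Windows\System32\svchost.exe|10.0.0.5|445",
    r"2026-02-04T02:11:02Z|C:\Users\alice\AppData\Roaming\taskhostw.exe|203.0.113.10|443",
    r"2026-02-04T02:12:30Z|C:\Program Files\Mozilla Firefox\firefox.exe|198.51.100.7|443",
    r"2026-02-04T02:13:05Z|C:\Windows\System32\svchost.exe|192.0.2.20|443",
    r"2026-02-04T02:13:40Z|C:\Windows\System32\svchost.exe|203.0.113.10|8080",
]

if __name__ == "__main__":
    for reason, image, dest in analyze(SAMPLE_EVENTS):
        print(f"{reason:17} {image} -> {dest}")
```

The masquerade check is deliberately path-based rather than name-based, since the whole point of the tactic is that the name looks right; in a real deployment the baseline would be learned from a quiet period rather than hand-written, and the same logic applies to Sysmon Event ID 3 or firewall logs once the fields are mapped.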

Article by CyberSIXT