Scam emails with military theme targeting Pakistani users to spread malware

Cybersecurity researchers have identified a new phishing campaign targeting individuals in Pakistan with a custom backdoor known as PHANTOM#SPIKE. The threat actors behind this campaign have utilized military-related phishing documents to trigger the infection sequence.

In a report shared with The Hacker News, researchers Den Iuzvyk, Tim Peck, and Oleg Kolesnikov explained that the threat actors used ZIP files containing a password-protected payload archive to deploy malware.

This campaign stands out for its simplicity and the use of basic payloads to gain remote access to targeted machines.

The phishing emails contain a ZIP archive masquerading as meeting minutes for the International Military-Technical Forum Army 2024, a legitimate event organized by the Ministry of Defense of the Russian Federation. Inside the ZIP file, there is a Microsoft Compiled HTML Help (CHM) file that runs a hidden executable (“RuntimeIndexer.exe”) when opened, setting up a backdoor for remote access.

This backdoor establishes connections with a remote server over TCP to execute commands on the compromised host, passing along system information and exfiltrating the results back to the server.

The backdoor acts as a remote access trojan (RAT) that allows attackers to control the infected system, steal data, and execute additional payloads remotely.

This campaign demonstrates the importance of cybersecurity vigilance and awareness to protect against such threats.
