According to experts, the new attacks used a chain of several backdoors, rather than a single backdoor as in March 2025. This involves the malicious software PhantomRemote, PhantomCSLoader, and PhantomSAgent. In addition, in some cases, attackers also installed SSH tunnels for remote access to the compromised infrastructure.
Kaspersky Lab noted:
The attackers were likely trying to bypass security measures, hoping that if one backdoor was detected, the others would remain in the system.
The attacks still begin with the distribution of malicious emails. This time, they contained an attachment with the PhantomRemote backdoor, allowing remote execution of commands on the infected device.
The attackers prepared a set of additional components in advance and used a chain of backdoors — PhantomCSLoader and PhantomSAgent — to gain persistence in the system. This malware is written in different programming languages, uses a similar model of interaction with the command-and-control server, but differs in internal mechanisms of operation.