PhantomVAI: custom loader built on an old RunPE utility used in worldwide campaigns

Key findings

  • Review of the literature on the use of a custom loader in worldwide campaigns. We encountered this loader during a DarkCloud analysis and noticed that several other security vendors had written articles about its use in malicious campaigns. The review enabled us to establish that all these vendors were describing the same loader, each under a different name, which could confuse readers.

  • Pivots on the process hollowing function inside the loader. This function was identified as a utility named “Mandark”, developed and open-sourced by a HackForums user years ago. We explain how the utility works, with details on its parameters and execution flow.

  • Threat hunting and a Yara rule available to track this loader. Almost all samples are disguised as “Microsoft.Win32.TaskScheduler.dll”, based on a legitimate project found on GitHub. Detected samples were associated with different malware families such as Remcos, XWorm, AsyncRAT, DarkCloud and SmokeLoader. We also noted the large number and variety of phishing lures.

Intrinsec's CTI services

Organizations are facing a rise in the sophistication of threat actors and intrusion sets. To address these evolving threats, it is now necessary to take a proactive approach to the detection and analysis of any element deemed malicious. Such a hands-on approach allows companies to anticipate, or at least react as quickly as possible to, the compromises they face.

For this report, shared with our clients in January 2025, Intrinsec relied on its Cyber Threat Intelligence service, which provides its customers with high value-added, contextualized and actionable intelligence to understand and contain cyber threats. Our CTI team consolidates data & information gathered from our security monitoring services (SOC, MDR, etc.), our incident response team (CERT-Intrinsec) and custom cyber intelligence generated by our analysts using custom heuristics, honeypots, hunting, reverse-engineering & pivots.

Intrinsec also offers various services around Cyber Threat Intelligence:

  • Risk anticipation, which can be leveraged to continuously adapt the detection & response capabilities of our clients' existing tools (EDR, XDR, SIEM, …) through:
      • an operational feed of IOCs based on our exclusive activities.
      • threat intel notes & reports, TIP-compliant.
  • Digital risk monitoring:
      • data leak detection & remediation
      • external asset security monitoring (EASM)
      • brand protection

For more information, go to intrinsec.com/en/cyber-threat-intelligence/.