LTS Secure Warning: Phoenix Malware, A New Malware-As-A-Service Product

Phoenix, a keylogger that has evolved into an infostealer, is being sold as malware-as-a-service by its authors and has started gaining traction among cyber-criminals. According to threat intelligence shared by researchers, the malware is being used in various campaigns every few weeks.


Technical Details

Most of the Phoenix infections identified so far have been delivered through phishing campaigns that exploit the Equation Editor vulnerability (Office document) or use a weaponized rich text file (RTF). Upon successful installation, the malware starts collecting system information and sends it back to the attacker.

The malware has also added aggressive anti-AV and anti-VM modules, containing a preset list of process names that the malware will try to shut down in order to avoid being detected and analyzed.



  • Logs the user’s keystrokes.
  • Takes screenshots of the desktop.
  • Gathers information saved to the clipboard.
  • Steals sensitive/confidential information.
  • Uploads and executes payloads on the infected machines.
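
The anti-AV behaviour described above leaves a trace defenders can look for: several security or analysis processes ending on one host within seconds of each other. The following Python check is an added example, not code from this advisory; the watchlist names, time window, threshold and event tuple layout are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumption: the defender's own watchlist of security/analysis tool processes.
# Illustrative names only; the advisory does not publish Phoenix's actual list.
WATCHLIST = {"msmpeng.exe", "procmon.exe", "wireshark.exe", "vboxservice.exe"}
WINDOW = timedelta(seconds=60)   # assumed correlation window
THRESHOLD = 3                    # distinct watchlisted processes ended in WINDOW

# Constructed sample telemetry: (timestamp, host, event, image path).
SAMPLE_EVENTS = [
    ("2024-01-15T09:00:00", "WS-02", "terminate", r"C:\Program Files\Wireshark\Wireshark.exe"),
    ("2024-01-15T09:30:00", "WS-02", "terminate", r"C:\Tools\Procmon.exe"),
    ("2024-01-15T10:00:00", "WS-01", "create", r"C:\Users\Public\sample.exe"),
    ("2024-01-15T10:00:01", "WS-01", "terminate", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
    ("2024-01-15T10:00:02", "WS-01", "terminate", r"C:\Tools\Procmon.exe"),
    ("2024-01-15T10:00:04", "WS-01", "terminate", r"C:\Program Files\Wireshark\Wireshark.exe"),
    ("2024-01-15T10:00:05", "WS-01", "terminate", r"C:\Windows\System32\notepad.exe"),
    ("2024-01-15T10:10:00", "WS-02", "terminate", r"C:\Program Files\Windows Defender\MsMpEng.exe"),
]

def find_kill_bursts(events, watchlist=WATCHLIST, window=WINDOW, threshold=THRESHOLD):
    """Return (host, window_start, names) for each burst of watchlisted terminations."""
    per_host = defaultdict(list)
    for ts, host, event, image in events:
        name = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if event == "terminate" and name in watchlist:
            per_host[host].append((datetime.fromisoformat(ts), name))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        start, alerted_until = 0, None
        for end in range(len(hits)):
            # Slide the window so it never spans more than `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            names = {n for _, n in hits[start:end + 1]}
            fresh = alerted_until is None or hits[start][0] > alerted_until
            if len(names) >= threshold and fresh:  # one alert per burst
                alerts.append((host, hits[start][0].isoformat(), sorted(names)))
                alerted_until = hits[end][0]
    return alerts

if __name__ == "__main__":
    for host, started, names in find_kill_bursts(SAMPLE_EVENTS):
        print(f"{host}: {len(names)} security processes ended from {started}: {names}")
```

Terminations that are spread out over time, as on WS-02 in the sample, stay below the threshold, so routine restarts of a single tool do not alert.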


Recommended Actions

  • Ensure that your devices are always up-to-date with the latest patches released.
  • Always update your anti-virus software with the latest releases.
  • Periodically run a “full system scan” on your endpoints.
  • Configure Firewall/IDS/IPS/Endpoint Protection systems properly so that no holes are left open.
  • Isolate all of the compromised computers ASAP to prevent threats from spreading further inside your infrastructure.