Phantom-Goblin: Covert Credential Theft and VSCode Tunnel Exploitation
rohansinhacyblecom
Key Takeaways

- Threat Actors (TA) use social engineering to trick users into executing a malicious LNK file disguised as a PDF document, leading to malware infection.
- The malware then leverages PowerShell to download and execute malicious payloads from a GitHub repository while ensuring persistence through registry modifications.
- The malware extracts browser cookies by enabling remote debugging, bypassing Chrome's App Bound Encryption (ABE) for stealthy data exfiltration.
- A malicious binary estab
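Two of the takeaways above, the LNK file posing as a PDF and the browser being started with remote debugging enabled to reach its cookies, leave simple traces a defender can triage for. The script below is an added example and not Cyble's code; it runs over constructed sample file names and process command lines (not telemetry from the report) and flags shortcut files that carry a document extension before ".lnk" and browser processes launched with a remote-debugging switch. The file list, the process list and the browser/extension sets are assumptions chosen for illustration.

```python
import re

# Constructed sample telemetry (not from the Cyble report): names seen in a
# downloads folder and process command lines pulled from endpoint logs.
SAMPLE_FILES = [
    "invoice.pdf.lnk",
    "quarterly_report.pdf",
    "notes.txt",
    "agreement.PDF.LNK",
]
SAMPLE_PROCESSES = [
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --profile-directory=Default',
    r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9222 --headless',
    r"powershell.exe -NoProfile -Command Get-Date",
]

# Document extensions an attacker would want a shortcut to masquerade as
# (assumed list; extend to match the file types your users handle).
DOC_EXTS = ("pdf", "doc", "docx", "xls", "xlsx", "txt")

# Chromium-based browser executables to watch for debug switches (assumed list).
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe")
REMOTE_DEBUG = re.compile(r"--remote-debugging-(port|pipe)\b", re.IGNORECASE)


def is_masquerading_lnk(name: str) -> bool:
    """True when a file name ends in <document ext>.lnk, e.g. invoice.pdf.lnk."""
    parts = name.lower().rsplit(".", 2)
    return len(parts) == 3 and parts[2] == "lnk" and parts[1] in DOC_EXTS


def is_browser_remote_debug(cmdline: str) -> bool:
    """True when a browser process was started with a remote-debugging switch."""
    low = cmdline.lower()
    return any(b in low for b in BROWSERS) and REMOTE_DEBUG.search(cmdline) is not None


def triage(files, processes):
    """Return (indicator, evidence) pairs for everything that matched."""
    findings = []
    for f in files:
        if is_masquerading_lnk(f):
            findings.append(("lnk_masquerade", f))
    for p in processes:
        if is_browser_remote_debug(p):
            findings.append(("browser_remote_debug", p))
    return findings


if __name__ == "__main__":
    for indicator, evidence in triage(SAMPLE_FILES, SAMPLE_PROCESSES):
        print(f"{indicator}: {evidence}")
```

Both checks are deliberately narrow so they stay cheap to run across a fleet; a browser started with a debug port by a developer is a legitimate event, so the second indicator is better treated as a trigger for review of the parent process than as an alert on its own.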
