Breakglass Intelligence has uncovered a campaign in which a single operator hijacked the hosting accounts of two small businesses, one in Italy and one in Romania, and turned them into data drop points for the AgentTesla and PhantomStealer malware families. Two different passwords told two completely different intrusion stories.
In cybersecurity, large campaigns are usually run on large infrastructure, but this operator did something different. He did not buy servers or build a botnet.
He compromised the hosting accounts of just two small businesses and turned them into the base camp for his entire malware operation. On April 22-23, 2026, researchers at Breakglass Intelligence identified two shared cPanel hosting accounts, one in Italy at 86.107.32[.]157 (Serverplan S.r.l.) and one in Romania at 109.73.128[.]91 (Djemba IT&C SRL), that were being actively abused as FTP drop points for two different info-stealer families. One was receiving data from AgentTesla, the other from PhantomStealer, and both had the same operator.
Two Passwords Revealed the Entire Story
The most interesting part of this campaign is the pair of passwords the researchers recovered. The FTP password on the Italian, AgentTesla side was pass@A12345@, a predictable 12-character pattern that was probably set in 2015 and never rotated, exactly the kind of credential found in commodity credential-stuffing lists.
The password on the Romanian, PhantomStealer side was qLYMkme%hQ=S-l8X, a random 16-character mix of upper- and lower-case letters, digits and symbols: the kind of strong password a threat actor sets themselves once they already have shell access to the server.
These are not just two different passwords; they are two completely different intrusion stories. On the Italian account, a weak existing password was most likely cracked or reused from a credential-stuffing list, while on the Romanian account the operator was already inside and set his own strong password. Same operator, two different ways in, same objective.
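The distinction the researchers drew between the two recovered credentials can be turned into a quick triage heuristic for any FTP or SMTP password pulled out of a stealer config: does it look like a human-chosen, probably cracked or stuffed credential, or like one the attacker generated after gaining access? The following is an added example written for this article, not Breakglass Intelligence's tooling; the two passwords are the ones quoted above, while the thresholds, the fragment list and the heuristics themselves are assumptions chosen for illustration.

```python
import math
import re

# Added example, not the researchers' code. The two passwords are quoted from the
# article; COMMON_FRAGMENTS and every threshold below are illustrative assumptions.
ITALY_PASSWORD = "pass@A12345@"        # AgentTesla drop account (Italy)
ROMANIA_PASSWORD = "qLYMkme%hQ=S-l8X"  # PhantomStealer drop account (Romania)

COMMON_FRAGMENTS = ("pass", "admin", "123", "qwerty", "welcome")


def shannon_entropy_bits(s: str) -> float:
    """Per-character Shannon entropy (bits) of the password's own symbol distribution."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def longest_sequential_run(s: str) -> int:
    """Longest run of consecutive code points, e.g. '12345' -> 5, 'abcd' -> 4."""
    best = run = 1
    for a, b in zip(s, s[1:]):
        run = run + 1 if ord(b) - ord(a) == 1 else 1
        best = max(best, run)
    return best


def char_classes(s: str) -> int:
    """How many of lower, upper, digit, symbol are present (0-4)."""
    return sum(bool(re.search(p, s)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))


def triage(password: str) -> dict:
    """Return the measurements plus a verdict: 'human-pattern' or 'generated'."""
    lower = password.lower()
    m = {
        "length": len(password),
        "classes": char_classes(password),
        "entropy_bits_per_char": round(shannon_entropy_bits(password), 2),
        "sequential_run": longest_sequential_run(password),
        "dictionary_fragment": next((f for f in COMMON_FRAGMENTS if f in lower), None),
    }
    # Any one of these is enough to call the credential human-chosen (assumed thresholds).
    human_signals = (
        m["sequential_run"] >= 4
        or m["dictionary_fragment"] is not None
        or m["entropy_bits_per_char"] < 3.2
    )
    m["verdict"] = "human-pattern" if human_signals else "generated"
    return m


if __name__ == "__main__":
    for label, pw in (("Italy", ITALY_PASSWORD), ("Romania", ROMANIA_PASSWORD)):
        print(label, triage(pw))
```

Note that both passwords score the full four character classes, so a complexity-policy check alone would rate them the same; it is the sequential digit run and the dictionary fragment in pass@A12345@, versus sixteen distinct characters in qLYMkme%hQ=S-l8X, that separate a stuffed credential from an attacker-set one.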
Both compromised accounts sat in shared cPanel environments belonging to SMB customers of small hosting providers. The websites looked completely normal because the abuse was confined to the FTP service; nothing was changed at the HTTP layer, so the compromise was practically invisible to the site owners and their visitors.
PhantomStealer was not delivered as a single file. It arrived through a four-stage Windows dropper chain starting with a PowerShell script named update.ps1.
First an AES-256-CBC encrypted PowerShell layer was decrypted, then an XOR-obfuscated PowerShell layer was decoded, and finally a .NET launcher DLL, which the researchers named ALTERNATE.EXECUTE, hollowed out the Microsoft-signed Windows binary aspnet_compiler.exe and injected the PhantomStealer payload into it.
The malware therefore never runs as its own process; it executes under the identity of a trusted, signed Windows binary, which is what lets it slip past endpoint security tools that trust the signature and the image path.
PhantomStealer v3.5.0 Configuration Analysis
The researchers decrypted the AES-256-CBC/PBKDF2-protected configuration by re-implementing PhantomStealer's own Stub.StringsCrypt.DecryptConfig method against the binary, and recovered the entire configuration: FTP host, username, password, mutex and module flags.
The configuration disabled the SMTP, Telegram, Discord and crypto-clipper modules and enabled only FTP exfiltration. This was the configuration the community had been asking for, and the researchers extracted it with a decryptor they wrote against the binary.
AgentTesla is a .NET-based information stealer that logs keystrokes, reads the clipboard and crawls the disk for credentials; stolen data is sent back over HTTP, SMTP, FTP or Telegram. In this campaign the AgentTesla configuration strings were stored in plaintext in the binary's .text section. No decryption was needed; the config could be read like an open book.
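Plaintext does not always mean an ASCII `strings` run will find it: .NET stores managed string literals as UTF-16LE in the metadata user-strings heap, so every character is followed by a NUL byte and an ASCII-only pass sees nothing but one-character runs. The block below is an added example, not the researchers' tooling; it carves UTF-16LE literals out of a constructed byte blob standing in for a stealer's .text section and pulls the FTP endpoint plus the two literals that follow it. The blob contents, the RFC 5737 address, and the assumption that host, user and password are laid out consecutively are all illustrative.

```python
import re

# Added example, not the researchers' code. CONSTRUCTED_TEXT_SECTION is synthetic:
# x86-looking noise around UTF-16LE string literals, which is how the CLR stores
# managed string constants. The ftp:// host uses an RFC 5737 documentation address.
def u16(s: str) -> bytes:
    return s.encode("utf-16-le")


CONSTRUCTED_TEXT_SECTION = (
    b"\x55\x8b\xec\x83\xec\x10" + u16("ftp://192.0.2.10/") + b"\x00\x00\xcc\xcc"
    + u16("dropuser") + b"\x00\x00\x90\x90" + u16("Example!Pass1") + b"\x00\x00"
    + b"ASCIIHTTPNOISE\xcc" + u16("smtp.example.invalid") + b"\x00\x00"
)

# A run of 6+ printable ASCII characters each followed by a NUL byte (UTF-16LE).
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){6,}")
# What a classic ASCII `strings` pass looks for, for contrast.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{6,}")


def ascii_strings(blob: bytes) -> list:
    return [m.group(0).decode("ascii") for m in ASCII_RUN.finditer(blob)]


def utf16_strings(blob: bytes) -> list:
    return [m.group(0).decode("utf-16-le") for m in UTF16_RUN.finditer(blob)]


def recover_ftp_config(blob: bytes) -> dict:
    """Locate the ftp:// literal and take the next two literals as user and password.

    The host/user/password ordering is an assumption for this constructed sample;
    a real build may store the fields in a different order or in separate places.
    """
    found = utf16_strings(blob)
    for i, s in enumerate(found):
        if s.lower().startswith("ftp://"):
            following = found[i + 1:i + 3] + [None, None]
            return {"host": s, "user": following[0], "password": following[1]}
    return {}


if __name__ == "__main__":
    print("ascii pass sees:", ascii_strings(CONSTRUCTED_TEXT_SECTION))
    print("utf-16 pass sees:", utf16_strings(CONSTRUCTED_TEXT_SECTION))
    print("recovered:", recover_ftp_config(CONSTRUCTED_TEXT_SECTION))
```

On a real sample, run the UTF-16 pass over the whole file as well as the .text section: the same trick surfaces SMTP hosts and Telegram tokens from other AgentTesla builds, and hits on the host alone are enough to start hunting for the drop point in proxy and firewall logs.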
Proof that the two deployments belonged to one campaign: AgentTesla and PhantomStealer shared the same ZIP wrapper and the same loader binary (GLoader), which was present on MalwareBazaar tagged with both families. Both deployments were therefore the work of the same operator, not two separate and unrelated incidents.
Security teams should closely monitor outbound FTP traffic for exfiltration, flag any network connection initiated by aspnet_compiler.exe (a build-time compiler that has no legitimate reason to initiate network connections), and immediately audit cPanel FTP accounts for unknown users and stale or attacker-set credentials.
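The three recommendations above map onto three detection rules over endpoint network telemetry: a hollowed .NET host process initiating any connection, any process reaching the two published drop-point addresses, and FTP from a process that is not a sanctioned client. The block below is an added example written for this article, not Breakglass Intelligence's detection content; it runs those rules over constructed Sysmon Event ID 3 (NetworkConnect) records flattened to JSON lines using Sysmon's field names. The two drop-point IPs are the article's; the benign destinations are RFC 5737 documentation addresses, and the FTP client allow-list is an assumption.

```python
import json
import ntpath

# Added example, not the researchers' rules. CONSTRUCTED_SYSMON_JSONL is synthetic:
# one Sysmon event per line with Sysmon's own field names (EventID 3 = NetworkConnect).
CONSTRUCTED_SYSMON_JSONL = r'''
{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "Initiated": "true", "Protocol": "tcp", "DestinationIp": "109.73.128.91", "DestinationPort": 21}
{"EventID": 3, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "Initiated": "true", "Protocol": "tcp", "DestinationIp": "203.0.113.5", "DestinationPort": 443}
{"EventID": 3, "Image": "C:\\Program Files\\FileZilla FTP Client\\filezilla.exe", "Initiated": "true", "Protocol": "tcp", "DestinationIp": "86.107.32.157", "DestinationPort": 21}
{"EventID": 3, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "Initiated": "true", "Protocol": "tcp", "DestinationIp": "203.0.113.5", "DestinationPort": 443}
{"EventID": 1, "Image": "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\aspnet_compiler.exe", "CommandLine": "aspnet_compiler.exe"}
'''

DROP_POINT_IOCS = {"86.107.32.157", "109.73.128.91"}  # the two abused cPanel hosts from the article
HOLLOWING_HOSTS = {"aspnet_compiler.exe"}              # signed binary used as the injection target
FTP_ALLOWLIST = {"filezilla.exe", "winscp.exe"}        # assumption: sanctioned FTP clients in this estate


def evaluate(event: dict) -> list:
    """Return the names of every rule the event trips (empty list = no finding)."""
    if event.get("EventID") != 3 or str(event.get("Initiated", "")).lower() != "true":
        return []  # only outbound connections the process itself initiated
    image = ntpath.basename(event.get("Image", "")).lower()
    dst_ip = event.get("DestinationIp")
    dst_port = int(event.get("DestinationPort", 0))
    hits = []
    if image in HOLLOWING_HOSTS:
        hits.append("HIGH:hollowed-dotnet-host-network")
    if dst_ip in DROP_POINT_IOCS:
        hits.append("HIGH:known-drop-point")
    if dst_port == 21 and image not in FTP_ALLOWLIST:
        hits.append("MEDIUM:unexpected-ftp-client")
    return hits


def scan(events) -> list:
    """Run every event through evaluate() and keep only those with findings."""
    findings = []
    for ev in events:
        hits = evaluate(ev)
        if hits:
            findings.append({
                "image": ntpath.basename(ev["Image"]),
                "dst": f'{ev["DestinationIp"]}:{ev["DestinationPort"]}',
                "rules": hits,
            })
    return findings


def scan_jsonl(text: str) -> list:
    return scan(json.loads(line) for line in text.splitlines() if line.strip())


if __name__ == "__main__":
    for f in scan_jsonl(CONSTRUCTED_SYSMON_JSONL):
        print(f)
```

The first rule is the durable one: aspnet_compiler.exe, and the other build-time .NET utilities attackers hollow, should essentially never open sockets, so the rule keeps firing after the operator moves to fresh drop points and the IOC list goes stale. The port-21 rule is noisy on its own and is there to catch exfiltration through a host the campaign has not been linked to yet; tune the allow-list before deploying it.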