How does PhantomStealer maintain communication with its C2?

It uses Application Layer Protocols (MITRE T1071.001) to perform periodic HTTP beaconing, typically requesting specific file paths (like .txt files) at regular intervals.

Can malware cause local network congestion?

Yes. The persistent C2 traffic and high retransmission rates can saturate host buffers (TCP Zero Window) and cause severe DNS gateway congestion, leading to high latency.

What file formats can I upload?

We accept native .pcap and .pcapng packet-capture files only. Compressed archives (ZIP, RAR, 7-Zip, etc.) are not supported.

Is there an upload size limit?

Yes. Plan-based upload size limits apply.

How long do you retain my PCAP and the report?

Both the original file and its PDF report are stored for one hour and then permanently deleted.

What does the one-time payment include?

A single $9 payment covers one upload, full AI analysis, and a downloadable PDF report—no recurring fees.

Which plans let me upload multiple files?

Monthly and yearly subscription tiers include multiple uploads per cycle, as shown in the pricing table.

Do you provide an API for automated uploads?

Yes. Our REST API is available to Advanced subscribers. Generate an access key and integrate from CI, SIEM, or custom scripts.

In what format is the analysis delivered?

Results are provided as a professionally formatted PDF with network statistics, threat findings, and remediation advice.

What if I miss the 1-hour download window?

For security, both the capture and its report are erased after an hour. Re-upload the file to run a new analysis.

Do you collect any personal data from the files?

No. We cannot track user-identifiable information, and everything is auto-purged after processing.

What personal information is required for subscriptions?

Only the minimal billing details required by our payment processor (card, country, email) are collected.

How does your AI engine work?

Our engine blends deep-packet inspection with machine-learning to decode protocols, detect anomalies, extract credentials, and map threats to MITRE ATT&CK.

Can I upgrade or cancel my subscription at any time?

Yes. You can upgrade, downgrade, or cancel anytime from your dashboard; changes apply immediately or at the next billing cycle.

Do you store or display the passwords found in my PCAP?

No. Pcap AI operates on strict zero-trust principles. Any cleartext credentials or sensitive payloads detected during the analysis are immediately mathematically masked (e.g., [REDACTED]). Your PDF report will prove the exposure exists without ever printing the actual secrets, ensuring your compliance with SOC2 and GDPR.

How to Detect PhantomStealer C2 Tunnels and Network Anomalies

The Challenge: Spotting Stealthy C2 Beacons

When an endpoint gets infected by an Infostealer like PhantomStealer, it establishes an active Command and Control (C2) channel to exfiltrate data and receive instructions. Because attackers use standard web protocols to blend in with normal traffic, spotting this beaconing is difficult.

Lost in the Noise

Standard monitors might miss periodic 10-second beaconing to external IP addresses like 185.27.134.154.

Collateral Damage

Malware infections often cause severe local network degradation, such as DNS gateway congestion resulting in high latency (e.g., 265ms), and TCP Zero Window events due to saturated network buffers.

The Solution: Automated Detection of Infostealer C2 Tunnels

Pcap AI instantly flags malicious C2 tunnels in seconds, maps the behavior, and correlates network performance issues to the root cause.

✦ MITRE T1071.001 (Application Layer Protocol: Web Protocols): Instantly detects periodic beaconing every 10 seconds from the victim host to the attacker's infrastructure.
✦ Secondary Anomaly Detection: Flags unusual HTTP payload retrievals (like /arquivo_20260129190545.txt) and unauthorized outbound SMTP relay attempts on port 587 to secondary IPs.
✦ Root Cause Correlation: Automatically links the C2 beaconing to high TCP retransmission rates (up to 39.47%) and local DNS congestion.

Wireshark Manual Analysis vs. Pcap AI

Manual (Wireshark)

Filtering HTTP traffic, calculating time deltas between packets to spot the 10-second beacon interval, and manually correlating TCP retransmissions.

Pcap AI

Automated mapping of the C2 tunnel to MITRE T1071.001 and correlation of network degradation in seconds.

Try it yourself with the original PCAP

The network traffic analyzed in this case study was sourced from the excellent community repository malware-traffic-analysis.net . You can download the exact .pcap file from their site to test our engine.

Upload PCAP to Test

AI Analysis Output (Sample)

AI Analysis Proof for How to Detect PhantomStealer C2 Tunnels and Network Anomalies

Download Full PDF Report See exactly what our AI discovers.