Phantom Stealer Malware Targets Russian Organizations Through ISO Phishing Campaigns


Phantom Stealer malware is proliferating through ISO phishing that targets Russian finance and accounting teams. Attackers send convincing payment confirmations to gain initial access.

Seqrite Labs attributes the activity to Operation MoneyMount-ISO and notes secondary targeting of procurement, legal, and payroll groups. Messages carry ZIP files that conceal malicious ISO images.

When opened, the ISO mounts as a virtual drive and launches a chain that side-loads an embedded DLL to deploy Phantom Stealer malware, enabling large-scale data theft.

Phantom Stealer malware: What You Need to Know

  • Active ISO phishing in Russia delivers Phantom Stealer malware that steals credentials, wallet data, and tokens with exfiltration over Telegram, Discord, and FTP.


Inside the ISO Phishing Campaign Targeting Russia

Seqrite Labs identified a wave of emails that impersonate financial communications and ask recipients to confirm a bank transfer.

Each message includes a ZIP archive that claims to hold payment details but actually contains an ISO file titled “Подтверждение банковского перевода.iso” or “Bank transfer confirmation.iso.”

Once launched, the ISO mounts as a virtual CD and runs an executable chain that loads Phantom Stealer malware through the embedded DLL “CreativeAI.dll.”

Phantom Stealer malware prioritizes rapid data harvesting with stealth. It targets cryptocurrency wallet browser extensions in Chromium-based browsers, desktop wallet apps, local files, Discord authentication tokens, and browser passwords, cookies, and stored credit card data.

It monitors clipboard content, captures keystrokes, and checks for sandboxed or virtualized environments, then aborts if analysis is detected.

Exfiltration options include a Telegram bot and attacker-controlled Discord webhooks, along with file transfers to an FTP server. For technical details, see the Telegram Bot API and Discord Webhooks documentation.

Some related operations abused IPFS and Vercel to host credential phishing pages for Microsoft Outlook and Bureau 1440 (see the IPFS article on Wikipedia). That hosting pattern fits the wider ISO phishing activity tracked against Russian targets.

Operation MoneyMount-ISO: Who Is Being Targeted

Seqrite reports primary targeting of finance and accounting teams across Russian organizations.

Secondary targets include procurement, legal, and payroll departments. Phantom Stealer malware suits these roles due to its access to sensitive financial data and routine handling of payment documentation.

For background, review this primer on infostealer malware and guidance on avoiding phishing attacks.

Beyond Phantom: DupeHike and AdaptixC2

Researchers also observed a separate spear phishing wave that targeted Russian HR and payroll teams with lures related to bonuses and internal financial policies.

Tracked as DupeHike and attributed to UNG0902, this activity delivers a previously undocumented implant named DUPERUNNER, which then launches AdaptixC2, an open-source C2 framework.

The infection chain starts with ZIP files that contain decoy PDF and LNK files. The LNK file named “Документ_1_О_размере_годовой_премии.pdf.lnk” or “Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk” uses PowerShell to fetch DUPERUNNER from an external server.

The implant displays a decoy PDF, then injects an AdaptixC2 beacon into legitimate Windows processes such as “explorer.exe,” “notepad.exe,” and “msedge.exe.”

Wider Campaigns and Attribution Overlaps

Beyond the current ISO wave, other Russia-focused spear phishing efforts have delivered Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote.

Phantom Stealer malware appears alongside these tools in some operations, and adversaries have used compromised Russian email servers to send convincing messages.

French cybersecurity company Intrinsec linked an intrusion set against Russia’s aerospace sector to hacktivists aligned with Ukrainian interests.

Activity seen from June to September 2025 overlaps with Hive0117, Operation CargoTalon, and Rainbow Hyena, also known as Fairy Trickster, Head Mare, and PhantomCore. Some flows redirected victims to credential theft pages hosted on IPFS and Vercel, showing increased use of decentralized and cloud platforms to resist takedowns.

For related trends, see how attackers scale social engineering in brand impersonation phishing and why AI can crack passwords faster than before.

Implications for Security Teams

Attackers benefit from reach and simplicity. ISO payloads blend with routine finance workflows like payment confirmations, improving initial access rates.

Once active, Phantom Stealer malware automates credential and wallet theft and supports multiple exfiltration channels. This enables quick monetization and staging for follow-on compromises.

Defenders gain from repeatable indicators. Consistent tradecraft such as ISO attachments, Russian-language payment lures, and Telegram or Discord exfiltration helps with detection tuning.

Security teams can block suspicious archives, watch for DLL side loading from mounted ISOs, and alert on clipboard scraping, keylogging, and credential access associated with Phantom Stealer malware.
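One way to act on the "block suspicious archives" advice at the mail gateway, as an added example that is not Seqrite's or the article's own code: triage a ZIP attachment for the two lure shapes described above, an ISO image nested inside the archive (identified by its ISO 9660 volume descriptor rather than its file name) and a document-looking file that is really a .lnk shortcut. The sample archive and member contents are constructed here for illustration; the member names are the lure names quoted in the article.

```python
import io
import zipfile

# ISO 9660 primary volume descriptor lives at sector 16 (offset 0x8000):
# one type byte (0x01) followed by the identifier "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
# Extensions a lure borrows to make a shortcut look like a document.
DOC_EXTS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def is_iso_image(data: bytes) -> bool:
    """Recognize an ISO 9660 image by its descriptor signature, not its name."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def triage_zip(zip_bytes: bytes) -> list[str]:
    """Return one finding per archive member that matches a known lure pattern."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            stem, _, ext = name.lower().rpartition(".")
            if ext == "lnk" and stem.endswith(DOC_EXTS):
                findings.append(f"double-extension LNK: {name}")
            # Read only up to the descriptor sector; no need to inflate the whole image.
            with zf.open(info) as member:
                head = member.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            if is_iso_image(head):
                findings.append(f"embedded ISO image: {name}")
            elif ext == "iso":
                findings.append(f"ISO extension without ISO signature: {name}")
    return findings


def build_sample_lure() -> bytes:
    """Constructed stand-in for the phishing ZIP (inert bytes, no real payload)."""
    fake_iso = bytearray(0x8000 + 2048)          # 17 sectors of zeros
    fake_iso[0x8000] = 0x01                       # descriptor type: primary
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Подтверждение банковского перевода.iso", bytes(fake_iso))
        zf.writestr("Документ_1_О_размере_годовой_премии.pdf", b"%PDF-1.4 decoy")
        zf.writestr("Документ_1_О_размере_годовой_премии.pdf.lnk", b"L\x00\x00\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip(build_sample_lure()):
        print(finding)
```

A gateway rule would quarantine on any finding; the signature check also catches an ISO renamed to a harmless-looking extension.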

Seqrite's Operation MoneyMount-ISO reporting supports targeted detections and hunts.


Conclusion

The ISO phishing trend in Russia shows how simple bank transfer lures can reliably deploy potent stealers. Phantom Stealer malware fits these workflows and harvests high-value data.

Seqrite's Operation MoneyMount-ISO research connects activity across finance, accounting, procurement, legal, and payroll teams. In parallel, DupeHike delivered DUPERUNNER and AdaptixC2 through LNK decoys.

With exfiltration over Telegram, Discord, and FTP, plus hosting on IPFS and cloud services, defenders should monitor ISO attachments, DLL side-loading, and credential theft patterns tied to Phantom Stealer malware.

Questions Worth Answering

What is Phantom Stealer malware?

It is an information stealer that targets browsers, crypto wallets, local files, and tokens, with anti analysis checks and multiple exfiltration options.

How is Phantom Stealer malware delivered?

Through phishing emails that include ZIP archives with ISO images. The ISO mounts as a virtual drive and launches the stealer through an embedded DLL.

Who is being targeted in this campaign?

Primarily Russian finance and accounting teams, with procurement, legal, and payroll as secondary targets, according to Seqrite's Operation MoneyMount-ISO reporting.

What data can Phantom Stealer malware collect?

Browser passwords, cookies, credit card data, Discord tokens, crypto wallet secrets, local files, clipboard contents, and keystrokes.

How does data leave infected systems?

Via a Telegram bot, Discord webhooks, and FTP transfers controlled by the operators.

Why do attackers use ISO files?

ISOs can bypass some scanning heuristics and support multi file execution chains with embedded components such as DLLs.

What other activity overlaps with this campaign?

DupeHike campaigns that deploy DUPERUNNER and AdaptixC2, plus operations delivering Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote.

About Seqrite Labs

Seqrite Labs analyzed and named Operation MoneyMount-ISO, documenting ISO based delivery and payload behavior used to deploy Phantom Stealer malware.

The team detailed how finance and related teams in Russia were targeted with realistic bank transfer lures and ZIP packaged ISO files.

Seqrite Labs also reported parallel activity that delivered DUPERUNNER and AdaptixC2 in HR and payroll focused campaigns, informing detections and response.
