
Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector

Published:

15 December 2025 at 09:24:00

Alert date:

15 December 2025 at 10:01:50

Source:

thehackernews.com


Ransomware & Malware, Data Breach & Exfiltration

An active phishing campaign codenamed Operation MoneyMount-ISO is targeting Russian finance and accounting sectors with malicious ISO disc images containing Phantom Stealer malware. The campaign uses phishing emails to deliver the stealer, which targets sensitive financial information. Primary victims include finance, accounting, procurement, legal, and payroll organizations in Russia. This represents an ongoing threat to critical financial infrastructure with active malware distribution.

Technical details

Operation MoneyMount-ISO uses phishing emails with fake payment confirmation lures to deliver Phantom Stealer malware through a multi-stage attack chain. The campaign begins with phishing emails carrying ZIP archives that contain malicious ISO files. When mounted, the ISO file 'Подтверждение банковского перевода.iso' (Bank transfer confirmation.iso) executes Phantom Stealer via an embedded DLL, 'CreativeAI.dll'. The malware extracts cryptocurrency wallet data from browser extensions and desktop apps and steals files, Discord tokens, browser passwords, cookies, and credit card details. It monitors clipboard content, logs keystrokes, and includes anti-analysis features that detect virtualized environments. Data is exfiltrated via Telegram bots, Discord webhooks, or FTP servers. Related campaigns include Operation DupeHike, which uses the DUPERUNNER implant to deploy the AdaptixC2 framework, and other campaigns deploying Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote through compromised Russian email servers.

Mitigation steps:

Monitor for malicious ISO files and suspicious ZIP attachments in phishing emails claiming to be bank transfer confirmations or bonus notifications. Implement detection for DLL files named CreativeAI.dll and monitor for unusual PowerShell execution. Watch for data exfiltration to Telegram bots, Discord webhooks, and unauthorized FTP transfers. Be alert for phishing campaigns targeting finance, accounting, procurement, legal, payroll, HR, and aerospace sectors. Monitor for credential theft attempts targeting Microsoft Outlook and company-specific login pages. Implement email security measures to detect and block spear-phishing attempts, especially those using compromised Russian company email servers.
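The file-name and exfiltration indicators above can be turned into simple detection rules. The following is an added example, not code from the advisory or its source: it checks constructed telemetry events (the event schema is an assumption) against the lure names quoted in this advisory and generalises to any double-extension `.lnk` file and to the Telegram Bot API, Discord webhook and FTP destinations named as exfiltration channels.

```python
import re

# File-name indicators quoted in the advisory.
ISO_LURES = {"Подтверждение банковского перевода.iso", "Bank transfer confirmation.iso"}
LNK_LURES = {"Документ_1_О_размере_годовой_премии.pdf.lnk",
             "Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk"}
MALICIOUS_DLL = "creativeai.dll"
# Generalised patterns: a document extension hiding a shortcut, and the exfil channels named in the text.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.lnk$", re.I)
EXFIL_DEST = re.compile(r"api\.telegram\.org/bot|discord(?:app)?\.com/api/webhooks/|^ftp://", re.I)

def check_event(ev):
    """Return the names of the rules that fire for one event dict (constructed schema)."""
    hits = []
    kind, name = ev.get("type"), ev.get("name", "")
    if kind == "attachment" and name.lower().endswith(".zip") and any(
            m.lower().endswith(".iso") for m in ev.get("members", [])):
        hits.append("zip_wrapping_iso")
    if kind == "mount" and name in ISO_LURES:
        hits.append("known_iso_lure")
    if kind == "file" and (name in LNK_LURES or DOUBLE_EXT.search(name)):
        hits.append("disguised_lnk")
    if kind == "image_load" and name.lower().endswith(MALICIOUS_DLL):
        hits.append("phantom_stealer_dll")
    if kind == "network" and EXFIL_DEST.search(ev.get("dest", "")):
        hits.append("stealer_exfil_channel")
    return hits

def scan(events):
    """Return (event, rules) pairs for every event that triggered at least one rule."""
    results = []
    for ev in events:
        rules = check_event(ev)
        if rules:
            results.append((ev, rules))
    return results

# Constructed sample telemetry for a stand-alone run; these are not real log records.
SAMPLE_EVENTS = [
    {"type": "attachment", "name": "payment.zip", "members": ["Подтверждение банковского перевода.iso"]},
    {"type": "mount", "name": "Подтверждение банковского перевода.iso"},
    {"type": "file", "name": "Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk"},
    {"type": "image_load", "name": "E:\\CreativeAI.dll"},
    {"type": "network", "dest": "https://api.telegram.org/bot<token>/sendDocument"},
    {"type": "network", "dest": "https://www.example.com/"},
    {"type": "file", "name": "quarterly_report.pdf"},
]

if __name__ == "__main__":
    for ev, rules in scan(SAMPLE_EVENTS):
        print(rules, ev)
```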

Affected products:

Chromium-based browsers
Desktop cryptocurrency wallet applications
Discord
Windows explorer.exe
Windows notepad.exe
Windows msedge.exe
PowerShell
Microsoft Outlook
Bureau 1440

IOCs:

Подтверждение банковского перевода.iso
Bank transfer confirmation.iso
CreativeAI.dll
Документ_1_О_размере_годовой_премии.pdf.lnk
Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

This website displays information obtained from external sources; Perceptive accepts no responsibility for the accuracy, completeness or currency of this information.
