Phantom Stealer Targeting Russian Finance with ISO Phishing, Deploying Keyloggers and Crypto-Wallet Theft

  • Dec 15, 2025
  • 2 min read

Key Findings:


  • Sophisticated phishing campaign targeting Russian finance sector, using high-quality social engineering to bypass defenses.

  • Malware dubbed "Phantom Stealer" deployed via malicious ISO files attached to phishing emails.

  • Phantom Stealer equipped with aggressive data-harvesting modules targeting crypto wallets, chat apps, and browser data.

  • Malware includes anti-analysis checks to evade security researchers.

  • Campaign highlights shift towards ISO-based initial access as a tactic to bypass perimeter controls.


Background


The cybersecurity researchers at Seqrite Labs have uncovered details of a new phishing campaign, dubbed "Operation MoneyMount-ISO," that is targeting the financial sector in Russia. The campaign leverages sophisticated social engineering tactics to deliver a powerful information-stealing malware called Phantom Stealer.


Infection Chain


The attack begins with a phishing email that appears to be legitimate financial correspondence, claiming to confirm a recent bank transfer. The email contains a ZIP archive, which holds a malicious ISO file named "Подтверждение банковского перевода.iso" (Bank transfer confirmation.iso). When the victim opens the ISO file, it is auto-mounted as a virtual drive, revealing a malicious executable that deploys the Phantom Stealer malware.
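As an added defender-side example (not from the Seqrite report or the original post), the Python below correlates ISO-mount telemetry with process launches from the newly mounted drive letter, which is the observable sequence in the infection chain above. The JSON-lines event schema, the field names, the user-drop-folder list and the 10-minute window are assumptions, and the sample events are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed sample telemetry (assumed JSON-lines schema, not the report's data):
# the lure ISO mounted from Downloads, an executable launched from the mounted
# drive seconds later, an unrelated process, and a benign ISO used an hour later.
SAMPLE_EVENTS = [
    r'{"ts":"2025-12-15T09:01:02","type":"iso_mount","user":"ivanov","image":"C:\\Users\\ivanov\\Downloads\\Подтверждение банковского перевода.iso","drive":"E:"}',
    r'{"ts":"2025-12-15T09:01:09","type":"process_create","user":"ivanov","exe":"E:\\confirm.exe","parent":"C:\\Windows\\explorer.exe"}',
    r'{"ts":"2025-12-15T09:05:00","type":"process_create","user":"ivanov","exe":"C:\\Program Files\\App\\app.exe","parent":"C:\\Windows\\explorer.exe"}',
    r'{"ts":"2025-12-15T10:30:00","type":"iso_mount","user":"petrov","image":"D:\\ISOs\\ubuntu.iso","drive":"F:"}',
    r'{"ts":"2025-12-15T11:30:00","type":"process_create","user":"petrov","exe":"F:\\setup.exe","parent":"C:\\Windows\\explorer.exe"}',
]

# Folders where a mail-delivered ISO typically lands (assumed list); a mount from
# one of them raises the alert severity.
USER_DROP_DIRS = ("\\downloads\\", "\\temp\\", "\\appdata\\local\\")

def detect_iso_mount_exec(lines, window=timedelta(minutes=10)):
    """Correlate ISO mounts with process launches from the mounted drive letter.

    Returns one alert per process_create whose image lives on a drive that the
    same user mounted from an ISO within `window`. Mount state is keyed per
    user so another user's mount cannot satisfy the correlation.
    """
    mounts = {}   # (user, drive) -> (mount_time, iso_path)
    alerts = []
    for line in lines:
        ev = json.loads(line)
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "iso_mount":
            mounts[(ev["user"], ev["drive"].upper())] = (ts, ev["image"])
        elif ev["type"] == "process_create":
            drive = ev["exe"][:2].upper()           # "E:" from "E:\confirm.exe"
            hit = mounts.get((ev["user"], drive))
            if hit and ts - hit[0] <= window:
                mount_ts, iso = hit
                from_drop_dir = any(d in iso.lower() for d in USER_DROP_DIRS)
                alerts.append({
                    "user": ev["user"],
                    "exe": ev["exe"],
                    "iso": iso,
                    "seconds_after_mount": int((ts - mount_ts).total_seconds()),
                    "severity": "high" if from_drop_dir else "medium",
                })
    return alerts

if __name__ == "__main__":
    for alert in detect_iso_mount_exec(SAMPLE_EVENTS):
        print(alert)
```

Only the ivanov sequence fires: the petrov mount is outside the window, and the Program Files launch is not on a mounted drive.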


Phantom Stealer's Capabilities


Phantom Stealer is equipped with a range of data-harvesting modules that allow it to steal sensitive information from the victim's system:


  • Crypto-Wallet Theft: The malware targets both browser extensions and desktop wallet applications, attempting to copy wallet data for theft.

  • Discord & Telegram Hijacking: It scans for authentication tokens in Discord and Telegram directories and validates them by sending requests to the platform's API to retrieve user information.

  • Browser Data Extraction: It extracts passwords, cookies, and credit card details from Chromium-based browsers by parsing their internal SQLite databases.

  • Keylogging: The malware installs a global keyboard hook to capture every keystroke, writing the logs to a timestamped file.


Anti-Analysis Capabilities


Phantom Stealer is designed to evade detection by security researchers. It includes an "AntiAnalysis" class that performs checks to see if it is being observed, looking for suspicious usernames, machine names, and common analysis tools. If detected, the malware calls a "SelfDestruct" function to erase its tracks.


Significance


The Operation MoneyMount-ISO campaign highlights a strategic shift towards ISO-based initial access as a tactic to bypass perimeter controls and deliver information-stealing malware. Seqrite Labs warns that this poses a critical risk of credential theft and unauthorized financial transfers for targeted organizations in the Russian finance sector.


Related Threats


In addition to the Phantom Stealer campaign, researchers have also observed other phishing attacks targeting Russian organizations, including:


  • DupeHike Campaign: Targeting HR and payroll departments with lures related to bonuses or internal financial policies to deploy a previously undocumented implant named DUPERUNNER.

  • Attacks on Russian Aerospace: Leveraging phishing emails to distribute Cobalt Strike and other malicious tools like Formbook, DarkWatchman, and PhantomRemote, attributed to hacktivist groups aligned with Ukrainian interests.


Sources


  • https://securityonline.info/phantom-stealer-targets-russian-finance-with-iso-phishing-deploying-keyloggers-and-crypto-wallet-theft/

  • https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html

  • https://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/

© 2025 by Explain IT Again. Powered and secured by Wix