Phantom Stealer Targets Russian Finance via ISO Phishing

Phantom Stealer Campaign Hits Russian Financial Sector

Cybersecurity experts have uncovered a sophisticated phishing campaign that leverages ISO image files to distribute the notorious Phantom Stealer malware across various sectors in Russia. The campaign, dubbed Operation MoneyMount-ISO by Seqrite Labs, is primarily targeting entities in finance and accounting, with secondary attacks on procurement, legal, and payroll departments.

Seqrite Labs revealed that the attackers use fake payment confirmation emails to lure victims into opening malicious attachments. These emails appear convincingly legitimate and prompt the recipient to verify a recent bank transaction.

Malicious ISO Files Deliver Phantom Malware

The phishing emails carry a ZIP archive attachment that purports to contain financial documents. Inside the archive, however, is an ISO file that, when opened, Windows mounts as a virtual CD-ROM drive. The ISO file, labeled “Bank Transfer Confirmation.iso,” is crafted to launch Phantom Stealer through a DLL file named CreativeAI.dll.

Once activated, Phantom Stealer proceeds to extract sensitive data, including:

  • Information from cryptocurrency wallet browser extensions and desktop wallets
  • Files stored on the infected system
  • Discord authentication tokens
  • Browser-stored passwords, cookies, and credit card data

The malware also performs clipboard monitoring, keystroke logging, and environmental checks to evade detection. If it detects it’s running in a sandbox or virtual machine, it will terminate automatically.

Data Exfiltration Tactics

Phantom Stealer exfiltrates collected data using multiple channels. These include sending data through a Telegram bot or a Discord webhook controlled by the attacker. The malware is also capable of uploading stolen files to an FTP server.

Additional Threat: DUPERUNNER and AdaptixC2

In parallel to Operation MoneyMount-ISO, other Russian organizations, particularly those in HR and payroll, have been targeted by a separate phishing campaign referred to as DupeHike. This campaign introduces a previously undocumented malware implant named DUPERUNNER, which eventually loads AdaptixC2, an open-source command-and-control (C2) framework.

The infection vector involves a ZIP file containing a decoy LNK file named “Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk.” When executed, the LNK file uses PowerShell to download and execute DUPERUNNER from an external server. The implant’s main function is to display a decoy PDF to the user while injecting AdaptixC2 into legitimate Windows processes like explorer.exe, notepad.exe, or msedge.exe.

Continued Phishing Threats Across Sectors

In addition to the finance and HR sectors, cybercriminals have launched attacks on the legal and aerospace industries within Russia. These campaigns have deployed a mix of malware, including Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote. These tools are typically used for data theft and hands-on keyboard control of compromised systems.

Many of these phishing emails are sent from compromised email servers belonging to Russian companies, boosting their credibility. The campaigns often contain links that redirect victims to phishing login pages hosted on decentralized platforms like InterPlanetary File System (IPFS) and Vercel. These pages are designed to steal login credentials for services such as Microsoft Outlook and Bureau 1440, a Russian aerospace firm.

Hacktivist Involvement in Aerospace Attacks

French cybersecurity firm Intrinsec has linked the attacks on Russia’s aerospace sector to pro-Ukrainian hacktivist groups. The activity, observed from June to September 2025, overlaps with other known campaigns such as Hive0117, Operation CargoTalon, and Rainbow Hyena (also known as Fairy Trickster, Head Mare, and PhantomCore).

Intrinsec reports that the targets were specifically chosen for their cooperation with the Russian military, particularly in light of the ongoing conflict with Ukraine and the resulting Western sanctions.

Growing Cybersecurity Concerns

The use of ISO files and open-source C2 tools like AdaptixC2 demonstrates the evolving tactics of cybercriminals. These methods allow attackers to bypass traditional security measures and maintain persistent access to compromised systems.

Cybersecurity professionals are advised to remain vigilant, especially in sectors handling sensitive financial or defense-related data. Organizations should implement strong email filtering, monitor for suspicious file types like ISO and LNK, and educate employees on phishing threats.
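The two lures described above (a ZIP carrying “Bank Transfer Confirmation.iso”, and a ZIP carrying a double-extension “.pdf.lnk” shortcut) share one mail-gateway check: open the attachment and identify each member by its content, not just its name. The following is an added example, not code from Seqrite Labs or the article; the sample ZIP it builds is constructed in memory with harmless placeholder bytes, and the findings it returns are a suggested triage output rather than any product's format.

```python
import io
import zipfile

# Content signatures used to identify a member regardless of its file name.
ISO_MAGIC_OFFSET = 0x8001  # ISO 9660 primary volume descriptor: sector 16, byte 1
ISO_MAGIC = b"CD001"
# Shell link header: HeaderSize 0x4C followed by the LinkCLSID (MS-SHLLINK).
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}


def sniff(head: bytes) -> str:
    """Classify a member by its leading bytes: 'iso', 'lnk' or 'other'."""
    if head[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    if head.startswith(LNK_MAGIC):
        return "lnk"
    return "other"


def scan_zip_attachment(data: bytes) -> list:
    """Return triage findings for a ZIP attachment: nested ISO images, LNK
    shortcuts, document-extension disguises, and name/content mismatches."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.rsplit("/", 1)[-1]
            parts = name.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            with zf.open(info) as fh:
                kind = sniff(fh.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC)))
            if kind == "iso":
                findings.append(f"nested ISO image: {name}")
            if kind == "lnk":
                findings.append(f"Windows shortcut: {name}")
            # "report.pdf.lnk": a document extension sitting before the real one
            if len(parts) > 2 and "." + parts[-2] in DOC_EXTS and ext == ".lnk":
                findings.append(f"double extension posing as document: {name}")
            # Named like a document, but the bytes say disk image or shortcut
            if ext in DOC_EXTS and kind != "other":
                findings.append(f"content ({kind}) does not match extension: {name}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the article's two lures (placeholder bytes only)."""
    iso = b"\x00" * 0x8000 + b"\x01" + ISO_MAGIC + b"\x01\x00" + b"\x00" * 32
    lnk = LNK_MAGIC + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Bank Transfer Confirmation.iso", iso)
        zf.writestr("Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk", lnk)
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed benign decoy")
    return buf.getvalue()
```

Running `scan_zip_attachment(build_sample_zip())` flags the ISO and the shortcut while leaving the plain PDF alone; a real gateway would additionally inspect the contents of any flagged ISO, since the DLL that launches the stealer lives inside it.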


This article is inspired by content from Original Source. It has been rephrased for originality. Images are credited to the original source.
