Russian Phishing Campaign Uses ISO Attachments to Deliver Phantom Stealer Malware
Cybersecurity researchers from Seqrite Labs have identified a new phishing campaign delivering the Phantom Stealer malware through a multi-stage attachment chain. The activity, tracked as Operation MoneyMount-ISO, reportedly originates from Russia and uses fake payment confirmation emails to trick recipients into opening malicious archives.
Unlike traditional attacks using direct executables, the campaign leverages a ZIP archive containing an ISO file. When mounted, the ISO presents a disguised executable that ultimately deploys Phantom Stealer in memory, bypassing email security controls and endpoint defenses.
Researchers observed the campaign targeting Russian-speaking organizations, with a strong focus on roles that handle financial documents. The phishing emails are written in formal business Russian, often carrying the subject line “Подтверждение банковского перевода” (“Confirmation of Bank Transfer”), and reference purported payment transactions. The sender domains are unrelated to any legitimate broker, which adds to the deception.
Upon opening the ZIP archive (1 MB), the embedded ISO mounts automatically and executes the malicious payload. The loader decrypts a DLL, which then injects Phantom Stealer into memory while performing anti-analysis checks to evade sandboxes and virtual machines.
The final malware is capable of stealing a wide range of sensitive information, including:
- Browser-stored passwords and cookies
- Credit card data
- Cryptocurrency wallets from browsers and desktop apps
- Keystrokes and clipboard contents
- Discord authentication tokens
Exfiltration of stolen data occurs via Telegram bots, Discord webhooks, and FTP servers.
Targeted sectors include:
- Finance, accounting, treasury, and payments teams in Russia
- Procurement, legal, and HR/payroll departments
- Executive assistants and SMEs using Russian-language workflows
Seqrite Labs noted that this campaign reflects the growing sophistication of commodity stealers and the strategic move toward ISO-based initial access to evade traditional perimeter controls. They recommend mitigation measures such as filtering containerized attachments, monitoring memory behaviors, and hardening mail workflows for finance-facing teams.
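As an added illustration of the "filter containerized attachments" mitigation (example code written for this article, not from Seqrite's report or the campaign itself): a small scanner that opens a ZIP attachment, flags nested disk-image members by extension, and also checks for the ISO 9660 `CD001` volume-descriptor signature so that an image renamed to hide its extension is still caught. The ZIP it scans, and the stub ISO inside it, are constructed inline.

```python
import io
import os
import zipfile

# Disk-image types that act as a second "container" inside a ZIP attachment,
# the nesting this campaign relies on to slip past attachment filters.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
ISO_PVD_OFFSET = 0x8001   # ISO 9660 primary volume descriptor identifier
ISO_MAGIC = b"CD001"


def looks_like_iso(data: bytes) -> bool:
    """True if the blob carries the ISO 9660 volume descriptor signature."""
    return data[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def scan_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious member of a ZIP attachment.

    A member is flagged when its extension names a disk image, or when its
    content carries the ISO signature regardless of what it is called.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename)[1].lower()
            by_ext = ext in CONTAINER_EXTS
            by_magic = looks_like_iso(zf.read(info))
            if by_ext or by_magic:
                findings.append({
                    "member": info.filename,
                    "size": info.file_size,
                    "reason": "container extension" if by_ext
                              else "ISO signature under a non-image extension",
                    "iso_signature": by_magic,
                })
    return findings


def build_sample_zip(include_iso: bool = True) -> bytes:
    """Constructed sample (hypothetical names): a decoy PDF plus an optional
    minimal blob that carries only the ISO 9660 signature."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.pdf", b"%PDF-1.4 decoy")
        if include_iso:
            fake_iso = bytearray(ISO_PVD_OFFSET + 16)
            fake_iso[ISO_PVD_OFFSET:ISO_PVD_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
            zf.writestr("payment_confirmation.iso", bytes(fake_iso))
    return buf.getvalue()
```

A mail gateway hook would call `scan_zip_attachment` on each ZIP attachment and quarantine the message when the list is non-empty.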