Russian Phishing Campaign Delivers Phantom Stealer Via ISO Files

A new phishing campaign delivering the Phantom information-stealing malware through a multi-stage attachment chain has been identified by cybersecurity researchers.

The activity, observed by Seqrite Labs, reportedly originates from Russia and relies on a fake payment confirmation email to entice recipients to open a malicious archive.

The campaign is tracked as Operation MoneyMount-ISO and marks a continued shift toward ISO-based initial access techniques designed to bypass email security controls.

Instead of a direct executable, the attackers use a ZIP archive containing an ISO file that mounts as a virtual drive when opened. Inside is a disguised executable that ultimately deploys Phantom Stealer in memory.

Seqrite Labs researchers observed the operation actively targeting Russian-speaking organizations, with a clear focus on roles that routinely handle financial documents. The lure imitates routine business correspondence to increase the likelihood of interaction in busy finance environments.

How the Attack Works

The observed phishing email was written in formal Russian business language and carried the subject line “Подтверждение банковского перевода” or “Confirmation of Bank Transfer.”

It urged the recipient to review an attached document for transaction details. Although the message referenced a currency broker, the sender domains were unrelated.

Once the ZIP archive of roughly 1 MB was opened, the embedded ISO file auto-mounted and displayed an executable masquerading as a payment confirmation.

Executing this file triggered a staged payload chain. An initial loader decrypted a malicious DLL, which then injected Phantom Stealer into the system while employing extensive anti-analysis checks to evade sandboxes and virtual machines.

The final payload was capable of harvesting a wide range of sensitive information. It extracted browser-stored passwords, cookies and credit-card data, stole cryptocurrency wallets from browsers and desktop applications, logged keystrokes and clipboard contents, and collected Discord authentication tokens.

Stolen data was packaged into archives and exfiltrated through multiple channels, including Telegram bots, Discord webhooks and FTP servers.

Targeted sectors included:

  • Finance, accounting, treasury and payments teams in Russia

  • Procurement, legal and HR or payroll functions

  • Executive assistants and small or medium-sized enterprises using Russian-language workflows

“The operation reflects the increasing sophistication of commodity stealers and the strategic shift toward ISO-based initial access to evade perimeter controls,” Seqrite Labs explained.

“Continuous filtering of containerized attachments, memory-behaviour monitoring and hardening of finance-facing mail workflows remain essential mitigation measures.”
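As an added example (not code from the article or from Seqrite Labs), the following Python check implements the containerized-attachment filtering the researchers recommend: it sniffs every ZIP member for the ISO 9660 signature instead of trusting its extension, walks the ISO root directory with a minimal parser, and flags executable names. The sample ZIP, the ISO image and the file names inside it are constructed, and the risky-extension list is an assumption.

```python
import io, struct, zipfile

SECTOR = 2048
RISKY = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk")  # assumed list

def iso_root_files(data):
    """Minimal ISO 9660 walk of the root directory; None if not an ISO image."""
    pvd = data[16 * SECTOR:17 * SECTOR]               # primary volume descriptor
    if pvd[1:6] != b"CD001": return None
    lba, size = struct.unpack_from("<I4xI", pvd, 158)  # root dir extent and length (LE copies)
    d, off, names = data[lba * SECTOR:lba * SECTOR + size], 0, []
    while off < len(d):
        rlen = d[off]
        if rlen == 0:                                 # zero padding: jump to next sector
            off = (off // SECTOR + 1) * SECTOR
            continue
        flags, nlen = d[off + 25], d[off + 32]
        ident = d[off + 33:off + 33 + nlen]
        if not flags & 2 and ident not in (b"\x00", b"\x01"):   # files only, skip "." and ".."
            names.append(ident.split(b";")[0].decode("ascii", "replace"))
        off += rlen
    return names
def scan_attachment(zip_bytes):
    """Return (zip member, file) pairs where an ISO inside the ZIP holds an executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.namelist():
            for fname in iso_root_files(zf.read(member)) or []:   # sniffed by magic, not extension
                if fname.lower().endswith(RISKY):
                    findings.append((member, fname))
    return findings
def build_sample_iso(names):
    """Constructed input: a minimal ISO 9660 image with the given root-level files."""
    def rec(ident, lba, size, flags):                 # one ISO 9660 directory record
        body = (b"\0" + struct.pack("<I", lba) + struct.pack(">I", lba)
                + struct.pack("<I", size) + struct.pack(">I", size) + b"\0" * 7
                + bytes([flags, 0, 0]) + b"\1\0\0\1" + bytes([len(ident)]) + ident)
        body += b"\0" if len(ident) % 2 == 0 else b""  # records are padded to even length
        return bytes([len(body) + 1]) + body
    root = rec(b"\x00", 18, SECTOR, 2) + rec(b"\x01", 18, SECTOR, 2)   # "." and ".." entries
    root += b"".join(rec(n.encode() + b";1", 19 + i, 0, 0) for i, n in enumerate(names))
    pvd = bytearray(SECTOR)
    pvd[0:7], pvd[156:190] = b"\x01CD001\x01", rec(b"\x00", 18, SECTOR, 2)
    term = b"\xffCD001\x01".ljust(SECTOR, b"\0")      # volume descriptor set terminator
    return bytes(16 * SECTOR) + bytes(pvd) + term + root.ljust(SECTOR, b"\0")
def build_sample_zip():
    """Constructed lure: ZIP wrapping an ISO whose member is a disguised executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment.iso", build_sample_iso(["PAYMENT_CONFIRMATION.PDF.EXE", "README.TXT"]))
    return buf.getvalue()
```

Real lure images are often written with Joliet or Rock Ridge extensions; this parser reads only the primary directory, so a production filter should also walk those name tables.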
