ISO Phishing Drops Phantom Stealer on Russian Finance

December 15, 2025 at 12:00 AM

A new phishing wave in Russia is pushing Phantom Stealer via malicious ISO images, with finance and accounting teams most at risk. Seqrite Labs tracks the operation as "Operation MoneyMount-ISO," noting secondary targeting of procurement, legal, and payroll functions.

Key points:

  • Lure: fake payment confirmations sent via email
  • Payload delivery: ZIP attachments containing ISO images, which Windows mounts as virtual CD drives when opened
  • Malware: Phantom Stealer executed via an embedded DLL ("CreativeAI.dll")
  • Exfiltration: Telegram bot, Discord webhook, and FTP for file transfer

How the attack works:

  • Victims receive emails posing as legitimate bank transfer notices, urging payment confirmation.
  • The attached ZIP contains an ISO ("Подтверждение банковского перевода.iso" / "Bank transfer confirmation.iso").
  • Once the ISO is mounted, its contents launch Phantom Stealer through the bundled DLL "CreativeAI.dll."

What Phantom Stealer steals:

  • Data from cryptocurrency wallet browser extensions (Chromium-based) and desktop wallets
  • Files, Discord authentication tokens
  • Browser passwords, cookies, and credit card details
  • Clipboard contents and keystrokes
  • Evasion: checks for virtualization, sandboxes, or analysis tools and halts execution if any are detected

Related campaign: DupeHike (UNG0902)

  • Target: Russian HR and payroll departments
  • Lures: bonus awards and internal financial policy notices
  • Tooling: a previously undocumented implant, DUPERUNNER, that loads the AdaptixC2 open-source C2 framework
  • Delivery chain: spear-phishing ZIPs with PDF/LNK decoys (e.g., "Документ_1_О_размере_годовой_премии.pdf.lnk" / "Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk")
  • Execution: the LNK uses powershell.exe to fetch DUPERUNNER, which shows a decoy PDF and injects AdaptixC2 into legitimate processes like "explorer.exe," "notepad.exe," or "msedge.exe"
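Both delivery chains above (a ZIP carrying an ISO image, and a ZIP carrying a document-named LNK shortcut) can be caught at the mail gateway before a user ever mounts or double-clicks anything. The following screener is an added example written for this summary; it is not code from Seqrite Labs, Intrinsec, or The Hacker News, and the sample archive it builds is constructed inline (the member names echo the lures named above, the file bodies are minimal synthetic headers). It flags disk images and shortcuts by extension, flags document-looking double extensions such as ".pdf.lnk", and additionally checks the first bytes of each member for the ISO 9660 "CD001" volume descriptor signature and the LNK header, so a renamed payload is still caught.

```python
import io
import zipfile
from dataclasses import dataclass

# Member types a finance or HR mailbox has no legitimate reason to receive inside a ZIP.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
SHORTCUT_EXTS = {".lnk"}
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# ISO 9660: the primary volume descriptor sits at sector 16 (offset 0x8000);
# byte 0 is the descriptor type (1) and bytes 1..5 are the literal "CD001".
ISO_SIGNATURE = b"CD001"
ISO_SIG_OFFSET = 0x8001
# Windows shell link: HeaderSize 0x4C followed by the LinkCLSID 00021401-0000-0000-C000-000000000046.
LNK_SIGNATURE = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


@dataclass
class Finding:
    member: str
    reason: str


def _extensions(name: str) -> list:
    """Return every dotted suffix of the base name, lower-cased: 'a.pdf.lnk' -> ['.pdf', '.lnk']."""
    base = name.lower().rsplit("/", 1)[-1]
    return ["." + part for part in base.split(".")[1:]]


def scan_zip_attachment(data: bytes) -> list:
    """Inspect a ZIP attachment in memory and return one Finding per suspicious trait."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            exts = _extensions(name)
            last = exts[-1] if exts else ""

            # Name-based checks.
            if last in CONTAINER_EXTS:
                findings.append(Finding(name, f"disk image ({last}) inside archive"))
            if last in SHORTCUT_EXTS:
                findings.append(Finding(name, "Windows shortcut (.lnk) inside archive"))
            if len(exts) >= 2 and exts[-2] in DOC_EXTS and last not in DOC_EXTS:
                findings.append(Finding(name, f"document-looking double extension {exts[-2]}{last}"))

            # Content-based checks: only read as far as the ISO signature offset.
            with zf.open(info) as fh:
                head = fh.read(ISO_SIG_OFFSET + len(ISO_SIGNATURE))
            if head.startswith(LNK_SIGNATURE) and last not in SHORTCUT_EXTS:
                findings.append(Finding(name, "LNK header under a non-.lnk name"))
            if head[ISO_SIG_OFFSET:ISO_SIG_OFFSET + len(ISO_SIGNATURE)] == ISO_SIGNATURE \
                    and last not in CONTAINER_EXTS:
                findings.append(Finding(name, "ISO 9660 signature under a non-image name"))
    return findings


def build_zip(members: dict) -> bytes:
    """Build an in-memory ZIP from {name: bytes}; used here only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


def build_sample_zip() -> bytes:
    """Constructed sample: a minimal ISO 9660 stub, a document-named LNK stub, and a benign PDF stub."""
    iso = bytearray(ISO_SIG_OFFSET + len(ISO_SIGNATURE))
    iso[ISO_SIG_OFFSET - 1] = 1                       # descriptor type: primary volume descriptor
    iso[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5] = ISO_SIGNATURE
    return build_zip({
        "Bank transfer confirmation.iso": bytes(iso),
        "Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk": LNK_SIGNATURE + b"\x00" * 64,
        "invoice.pdf": b"%PDF-1.4\n%constructed stub\n",
    })


if __name__ == "__main__":
    for f in scan_zip_attachment(build_sample_zip()):
        print(f"{f.member}: {f.reason}")
```

Run against the constructed sample, the ISO member produces one finding, the ".pdf.lnk" member two (shortcut plus double extension), and the PDF none. In a gateway deployment the same function would run over every ZIP attachment, and a single Finding is enough to quarantine the message for review; the content checks cost one small read per member and catch the case where an attacker renames the ISO or LNK to something innocuous.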

Wider Russian-targeted activity:

  • Sectors hit: finance, legal, and aerospace
  • Tools observed: Cobalt Strike, Formbook, DarkWatchman, PhantomRemote
  • Tradecraft: compromised corporate email servers used to send spear-phishing messages

Aerospace intrusions and attribution:

  • Intrinsec links a cluster targeting Russia’s aerospace industry to hacktivists aligned with Ukrainian interests (June–September 2025)
  • Overlaps with Hive0117, Operation CargoTalon, and Rainbow Hyena (aka Fairy Trickster, Head Mare, PhantomCore)
  • Some campaigns redirect victims to credential-harvesting pages on IPFS and Vercel, aiming at Microsoft Outlook and Bureau 1440 accounts
  • Assessed goal: compromise entities collaborating with Russia’s military amid the ongoing conflict

Source: The Hacker News
