Full Report
Cybersecurity researchers have disclosed details of an active phishing campaign that's targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images. The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, payroll
Analysis Summary
# Incident Report: Operation MoneyMount-ISO Phantom Stealer Campaign
## Executive Summary
A widespread, active phishing campaign, codenamed Operation MoneyMount-ISO by Seqrite Labs, is targeting Russian organizations, primarily in the finance and accounting sectors, using malicious ISO optical disc images delivered via spear-phishing emails. The campaign successfully deploys the Phantom Stealer malware, which is designed to exfiltrate sensitive data, including cryptocurrency credentials and browser information. Detection and response details specific to this campaign are not fully disclosed, but the threat hinges on user interaction with the mounted ISO file.
## Incident Details
- **Discovery Date:** Not explicitly stated; researchers disclosed the campaign while the activity was still ongoing.
- **Incident Date:** Ongoing at the time of Seqrite Labs' disclosure.
- **Affected Organization:** Not disclosed (Targets the finance, accounting, procurement, legal, and payroll sectors in Russia).
- **Sector:** Finance, Accounting, Procurement, Legal, Payroll.
- **Geography:** Russia.
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing activity period up to disclosure date (Dec 15, 2025).
- **Vector:** Spear-phishing email exploiting user trust.
- **Details:** Email masquerades as a legitimate "bank transfer confirmation," containing a lure attachment.
### Attack Progression (Infection Chain)
1. **Attachment:** Recipient receives a ZIP archive attachment.
2. **Container:** ZIP archive contains a malicious ISO file (e.g., "Подтверждение банковского перевода.iso").
3. **Execution:** When opened, the ISO mounts as a virtual CD drive.
4. **Malware Delivery:** The mounted ISO executes an embedded DLL ("CreativeAI.dll") which deploys Phantom Stealer.
### Lateral Movement
- Details on lateral movement after the initial infection are not provided in the summary; Phantom Stealer typically focuses on harvesting local credentials and financial data rather than moving between hosts.
### Data Exfiltration/Impact
- Phantom Stealer begins data collection immediately upon execution.
- Data stolen includes: browser passwords, cookies, credit card details, files, Discord tokens, and credentials from crypto wallets (browser extensions and desktop apps).
### Detection & Response
- **Detection:** Disclosed by cybersecurity researchers (Seqrite Labs).
- **Response actions taken:** Not detailed for specific victims; the public disclosure of the operation is the basis on which defenders are expected to act.
## Attack Methodology
- **Initial Access:** Phishing email utilizing a fake payment confirmation lure.
- **Persistence:** Not explicitly detailed for Phantom Stealer in this context.
- **Privilege Escalation:** Not explicitly detailed.
- **Defense Evasion:** Execution via an ISO file mounted as a virtual CD drive is a form of payload obfuscation, sometimes bypassing simple file-type monitoring. The malware also checks for sandboxes/VMs and aborts if detected.
- **Credential Access:** Targeting Chromium-based browser extensions and desktop cryptocurrency wallets.
- **Discovery:** Implicit reconnaissance to locate sensitive financial and user data.
- **Lateral Movement:** Not detailed.
- **Collection:** Harvesting passwords, cookies, credit card data, and crypto wallet information.
- **Exfiltration:** Via Telegram bot, Discord webhook, or FTP server upload.
- **Impact:** Information theft and potential financial loss due to credential compromise.
## Impact Assessment
- **Financial:** High potential for direct financial loss due to cryptocurrency theft and access to payment information.
- **Data Breach:** Theft of PII, financial credentials, and sensitive user session data.
- **Operational:** Potential for disruption if internal account credentials are stolen, though the primary goal appears to be data harvesting.
- **Reputational:** Risk to targeted entities if data breach becomes public.
## Indicators of Compromise
- **Network indicators (Defanged):** Outbound communication to attacker-controlled Telegram bots, Discord webhooks, or FTP servers; no specific addresses are listed in the summary.
- **File indicators:** `CreativeAI.dll`, ISO files matching lure names (e.g., "Подтверждение банковского перевода.iso").
- **Behavioral indicators:** Launching execution from a mounted ISO/virtual drive, monitoring clipboard content, keylogging activity, and attempts to access browser credential stores.
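The behavioral indicator "execution from a mounted ISO/virtual drive" is only useful if the mount and the subsequent process or DLL activity are correlated, because the drive letter an ISO receives is reused by other volumes. The following is an added example written for this report, not Seqrite's or any vendor's detection content: it walks a stream of telemetry, remembers which drive letters on which hosts are currently backed by an ISO file, and raises an alert for any process start or DLL load from such a volume. The key=value log format, host names, PIDs, timestamps and paths other than the lure name and `CreativeAI.dll` are constructed for the demonstration; a real deployment would map the same logic onto Sysmon or EDR fields.

```python
"""Correlate ISO mounts with process/DLL execution from the mounted drive.

Added example for this report, not Seqrite's or any vendor's detection
content. The key=value telemetry format below is constructed for the
demonstration; real sources (Sysmon, EDR) need their own field mapping.
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry. The lure file name and CreativeAI.dll come
# from the report; hosts, PIDs, timestamps and other paths are made up.
SAMPLE_LOG = r'''
2025-12-15T09:58:02Z host=FIN-PC01 event=volume_mount drive=E: source="C:\Users\acct\Downloads\Подтверждение банковского перевода.iso"
2025-12-15T09:58:09Z host=FIN-PC01 event=process_create pid=4120 image="E:\Confirmation.exe" parent="C:\Windows\explorer.exe"
2025-12-15T09:58:10Z host=FIN-PC01 event=image_load pid=4120 image="E:\Confirmation.exe" module="E:\CreativeAI.dll"
2025-12-15T09:58:11Z host=FIN-PC01 event=image_load pid=4120 image="E:\Confirmation.exe" module="C:\Windows\System32\kernel32.dll"
2025-12-15T10:01:30Z host=FIN-PC01 event=process_create pid=4388 image="C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE" parent="C:\Windows\explorer.exe"
2025-12-15T10:05:00Z host=FIN-PC01 event=volume_unmount drive=E:
2025-12-15T10:06:12Z host=FIN-PC01 event=process_create pid=4500 image="E:\backup.exe" parent="C:\Windows\explorer.exe"
'''

# key=value pairs; values containing spaces are double-quoted.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line):
    """Split one telemetry line into a dict; the first token is the timestamp."""
    ts, rest = line.split(" ", 1)
    fields = {"ts": ts}
    for m in KV_RE.finditer(rest):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


@dataclass
class Alert:
    ts: str
    host: str
    rule: str
    detail: str


def detect(log_text):
    """Return alerts for executables or DLLs run from a volume mounted from an ISO.

    State is kept per (host, drive letter) and cleared on unmount, so a later
    USB stick or other volume that reuses the same letter is not flagged.
    """
    mounted = {}  # (host, "E:") -> path of the ISO file backing that volume
    alerts = []
    for line in log_text.strip().splitlines():
        rec = parse_record(line)
        host, ev = rec.get("host", "?"), rec.get("event")
        if ev == "volume_mount":
            if rec.get("source", "").lower().endswith(".iso"):
                mounted[(host, rec["drive"].upper())] = rec["source"]
        elif ev == "volume_unmount":
            mounted.pop((host, rec["drive"].upper()), None)
        elif ev in ("process_create", "image_load"):
            path = rec["module"] if ev == "image_load" else rec["image"]
            key = (host, path[:2].upper())       # drive letter of the image/module
            if key in mounted:
                rule = "dll_load_from_mounted_iso" if ev == "image_load" else "exec_from_mounted_iso"
                alerts.append(Alert(rec["ts"], host, rule, f"{path} <- {mounted[key]}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.ts} {a.host} {a.rule}: {a.detail}")
```

Run against the sample, the rule fires twice (the executable started from `E:` and the `CreativeAI.dll` load) while the `kernel32.dll` load, the Excel start and the later `E:\backup.exe` after the unmount stay silent. Clearing state on unmount is the detail that keeps the rule from flagging every removable volume that happens to inherit the ISO's drive letter.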
## Response Actions
*As specific organizational response actions were not detailed in the provided text, this section is based on standard incident response for malware deployment:*
- **Containment:** Immediate network segmentation of identified compromised hosts. Blocking outbound connections associated with identified C2 infrastructure (Telegram/Discord/FTP).
- **Eradication:** Full forensic analysis to confirm persistence mechanisms, removal of Phantom Stealer components, and credential rotation for all potentially compromised accounts identified on the host.
- **Recovery:** Restoring affected systems from clean backups, monitoring network traffic closely for secondary beacon activity, and re-enabling services.
## Lessons Learned
- **Lure Effectiveness:** Deceptive use of ISO files, which are often trusted more than direct executable attachments, remains a highly effective social engineering technique in this region.
- **Targeting Focus:** Attackers are prioritizing high-value financial entities (finance/accounting) using industry-specific lures (payment confirmations).
- **Payload Diversity:** The threat landscape for Russian organizations remains complex, with simultaneous targeting by campaigns deploying Phantom Stealer, DUPERUNNER/AdaptixC2, and Cobalt Strike.
## Recommendations
- **Implement ISO/Archive Scanning:** Enhance email gateway scanning to specifically inspect and sandbox contents of ISO files for embedded executables or DLLs before delivery.
- **User Education Update:** Conduct targeted training for finance, accounting, and payroll staff specifically warning against ISO attachments claiming to be document or payment confirmations.
- **Endpoint Hardening:** Ensure endpoint protection systems are configured to monitor for suspicious DLL loading or child process execution originating from mounted drive activities.
- **Zero Trust Principles:** Implement strict application control policies to prevent unapproved executables or DLLs from running, mitigating execution even if the file is successfully delivered.
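The first recommendation, inspecting the contents of ISO attachments at the gateway, needs nothing more than an ISO 9660 directory walk plus a content check on each file. The following is an added example written for this report, not Seqrite's tooling or any product's code: it parses the primary volume descriptor and the root directory of a plain ISO 9660 image (no Joliet or Rock Ridge names, and no recursion into subdirectories) and flags files either by executable extension or by the PE `MZ` magic in their first bytes, so an executable renamed to `.txt` is still caught. The image is constructed in memory inside the block; the volume label, file names other than `CreativeAI.dll`, and file contents are made up for the demonstration.

```python
"""Static inspection of an ISO 9660 image for embedded executables and DLLs.

Added example for the gateway-scanning recommendation; not Seqrite's tooling
or any product's code. Handles plain ISO 9660 root directories only (no
Joliet/Rock Ridge names, no subdirectory recursion). The sample image is
built in memory below; only CreativeAI.dll is taken from the report.
"""
import struct

SECTOR = 2048
SUSPICIOUS_EXT = (".EXE", ".DLL", ".SCR", ".COM", ".PIF", ".CPL")


def _both32(v):
    """ISO 9660 'both-byte-order' 32-bit field: little-endian then big-endian."""
    return struct.pack("<I", v) + struct.pack(">I", v)


def _dir_record(ident, lba, size, is_dir=False):
    """Build one directory record (only used to construct the sample image)."""
    body = (b"\x00" + _both32(lba) + _both32(size) + bytes(7)   # ext-attr len, extent, length, date
            + (b"\x02" if is_dir else b"\x00") + b"\x00\x00"    # flags (bit 1 = dir), unit size, gap
            + struct.pack("<H", 1) + struct.pack(">H", 1)        # volume sequence number
            + bytes([len(ident)]) + ident)
    if (len(body) + 1) % 2:
        body += b"\x00"                                         # records are even-length
    return bytes([len(body) + 1]) + body


def build_sample_iso():
    """Constructed image: PVD at sector 16, terminator 17, root dir 18, files from 19."""
    files = [(b"CREATIVEAI.DLL;1", b"MZ" + bytes(62) + b"PE\x00\x00" + bytes(100)),
             (b"INVOICE.PDF;1", b"%PDF-1.4\n% constructed sample\n"),
             (b"NOTES.TXT;1", b"MZ" + b"PE file given a harmless name\n")]
    root = _dir_record(b"\x00", 18, SECTOR, True) + _dir_record(b"\x01", 18, SECTOR, True)
    extents = b""
    for i, (name, data) in enumerate(files):
        root += _dir_record(name, 19 + i, len(data))
        extents += data.ljust(SECTOR, b"\x00")
    pvd = bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1                  # type 1 = primary volume descriptor
    pvd[40:72] = b"BANK_TRANSFER".ljust(32)                    # constructed volume label
    pvd[156:190] = _dir_record(b"\x00", 18, SECTOR, True)      # root directory record
    term = bytearray(SECTOR)
    term[0], term[1:6], term[6] = 255, b"CD001", 1             # volume descriptor set terminator
    return bytes(16 * SECTOR) + bytes(pvd) + bytes(term) + root.ljust(SECTOR, b"\x00") + extents


def list_root_files(image):
    """Parse the PVD and walk the root directory; return (name, lba, size, flags) tuples."""
    pvd = 16 * SECTOR
    if image[pvd] != 1 or image[pvd + 1:pvd + 6] != b"CD001":
        raise ValueError("not an ISO 9660 image: no primary volume descriptor")
    root_lba = struct.unpack_from("<I", image, pvd + 156 + 2)[0]
    root_len = struct.unpack_from("<I", image, pvd + 156 + 10)[0]
    data, pos, entries = image[root_lba * SECTOR: root_lba * SECTOR + root_len], 0, []
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:                        # zero padding: skip to the next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = data[pos:pos + rec_len]
        ident = rec[33:33 + rec[32]]
        if ident not in (b"\x00", b"\x01"):     # skip the "." and ".." entries
            name = ident.decode("ascii", "replace").split(";")[0]
            entries.append((name, struct.unpack_from("<I", rec, 2)[0],
                            struct.unpack_from("<I", rec, 10)[0], rec[25]))
        pos += rec_len
    return entries


def inspect_iso(image):
    """One finding per root-level file; 'reasons' is empty when nothing is suspicious."""
    findings = []
    for name, lba, size, flags in list_root_files(image):
        if flags & 0x02:
            continue                            # subdirectory; a full scanner recurses here
        reasons = []
        if name.upper().endswith(SUSPICIOUS_EXT):
            reasons.append("executable extension")
        if image[lba * SECTOR: lba * SECTOR + 2] == b"MZ":
            reasons.append("PE (MZ) header")
        findings.append({"name": name, "size": size, "reasons": reasons})
    return findings


def should_quarantine(image):
    """Gateway decision: hold the attachment if any embedded file looks executable."""
    return any(f["reasons"] for f in inspect_iso(image))


if __name__ == "__main__":
    for f in inspect_iso(build_sample_iso()):
        print(f["name"], f["size"], "; ".join(f["reasons"]) or "clean")
```

On the sample image `CREATIVEAI.DLL` is flagged for both its extension and its `MZ` header, `INVOICE.PDF` is clean, and `NOTES.TXT` is flagged on the header alone, which is the case an extension-only filter at the gateway misses. A production scanner would also follow subdirectories, read the Joliet supplementary descriptor when present, and hand flagged files to a sandbox rather than deciding on the magic bytes alone.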