Researchers have uncovered a sophisticated phishing campaign originating in Russia that deploys the Phantom information-stealing malware<\/a> via malicious ISO files. <\/p>\n The attack, dubbed \u201cOperation MoneyMount-ISO,\u201d targets finance and accounting departments explicitly using fake payment confirmation emails to trick victims into executing the payload.<\/p>\n The campaign primarily focuses on finance, accounting, treasury, and payment departments in Russia, with secondary targets including procurement, legal, HR\/payroll teams, executive assistants, and Russian-speaking small and medium enterprises. <\/p>\n The attack poses significant risks, including credential theft, invoice and payment fraud, unauthorized fund transfers, and lateral movement into IT systems.<\/p>\n The infection begins with a Russian-language phishing email titled \u201c\u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u0435 \u0431\u0430\u043d\u043a\u043e\u0432\u0441\u043a\u043e\u0433\u043e \u043f\u0435\u0440\u0435\u0432\u043e\u0434\u0430\u201d (Confirmation of Bank Transfer) sent from compromised domains. <\/p>\n The message impersonates TorFX Currency Broker and contains a ZIP attachment <\/a>approximately 1 MB in size. When victims open the ZIP file, they find a malicious ISO file disguised as a legitimate bank transfer confirmation document.<\/p>\n Upon execution, the ISO file auto-mounts as a virtual CD drive, revealing an executable file that appears legitimate. The executable loads additional payloads into memory, including a DLL named CreativeAI.dll containing encrypted code. <\/p>\n This DLL decrypts and injects the final version of the Phantom Stealer malware into the system.<\/p>\n Phantom Stealer is a comprehensive data theft tool with extensive capabilities. The malware features anti-analysis techniques that detect virtualized environments and security tools, automatically self-destructing if discovered. <\/p>\n According to Seqrite<\/a>, it harvests cryptocurrency wallet data from both browser extensions and desktop applications, targeting dozens of known crypto wallets.<\/p>\n The stealer extracts Discord authentication tokens from browser databases and native Discord installations, validates them through Discord\u2019s API, and collects user information, including usernames, emails, and Nitro subscription status. <\/p>\n It also deploys a continuous clipboard monitor that captures clipboard contents every second, logging timestamped entries for exfiltration.<\/p>\n Additional capabilities include a global keystroke logger using low-level Windows hooks, recovery of saved passwords and credit card <\/a>data from Chromium-based browsers via SQLite database parsing, and targeted file collection based on predefined criteria.<\/p>\n Once stolen data is collected, Phantom Stealer packages it into a ZIP archive that includes system metadata, public IP addresses, and configuration toggles. <\/p>\n The malware employs multiple exfiltration channels, including Telegram bot APIs, Discord webhooks, and FTP servers with optional SSL support, ensuring attackers receive the stolen information through redundant communication methods.<\/p>\n Organizations should implement continuous filtering of containerized attachments, deploy memory-behavior monitoring solutions, and harden email security workflows for finance-facing departments to defend against these evolving threats.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post New Phantom Stealer Campaign Hits Windows Machines Through ISO Mounting<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"Initial](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2025\/12\/image-85.png?ssl=1\")
![\"Infection](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2025\/12\/image-86.png?ssl=1\")
Phantom Stealer Capabilities<\/strong><\/h2>\n
![\"Analysis](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2025\/12\/image-87.png?ssl=1\")
![\"Analysis](\"https:\/\/i0.wp.com\/gbhackers.com\/wp-content\/uploads\/2025\/12\/image-88.png?ssl=1\")
IOCs<\/strong><\/h2>\n
\n\n
\n 27bc3c4eed4e70ff5a438815b1694f83150c36d351ae1095c2811c962591e1bf<\/td>\n Email<\/td>\n<\/tr>\n \n 4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599<\/td>\n \u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u0435 \u0431\u0430\u043d\u043a\u043e\u0432\u0441\u043a\u043e\u0433\u043e \u043f\u0435\u0440\u0435\u0432\u043e\u0434\u0430.zip<\/td>\n<\/tr>\n \n 60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9<\/td>\n \u041f\u043e\u0434\u0442\u0432\u0435\u0440\u0436\u0434\u0435\u043d\u0438\u0435 \u0431\u0430\u043d\u043a\u043e\u0432\u0441\u043a\u043e\u0433\u043e \u043f\u0435\u0440\u0435\u0432\u043e\u0434\u0430.iso<\/td>\n<\/tr>\n \n 78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77<\/td>\n HvNC.exe<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n