Operation MoneyMount, ISO Deploying Phantom Stealer

Dec. 21, 2025, 7:01 p.m.

Description

A Russian phishing campaign targeting the finance and accounting sectors uses fake payment confirmation emails to deliver the Phantom stealer malware. The attack chain involves a ZIP file containing an ISO which, when mounted, reveals an executable that loads the stealer. The malware employs anti-analysis techniques and extracts crypto wallets, browser data, and Discord tokens; it also includes keylogging and clipboard monitoring capabilities. The stolen data is exfiltrated via Telegram, Discord webhooks, or FTP. The operation showcases the increasing sophistication of commodity stealers and the strategic use of ISO files for initial access to evade security controls.

Date

  • Created: Dec. 12, 2025, 8:45 a.m.
  • Published: Dec. 12, 2025, 8:45 a.m.
  • Modified: Dec. 21, 2025, 7:01 p.m.

Indicators

  • 4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599
  • 60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9
  • 27bc3c4eed4e70ff5a438815b1694f83150c36d351ae1095c2811c962591e1bf
  • 78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77

Attack Patterns

  • Phantom Stealer

Additional Information

  • Finance
  • Russian Federation