Cybersecurity researchers have disclosed details of an active and ongoing phishing campaign targeting multiple sectors in Russia through malicious emails designed to deliver the Phantom Stealer information-stealing malware. The activity has been observed using deceptive financial lures and multi-stage attachment chains, raising concerns over the increasing sophistication of malware distribution techniques aimed at corporate environments.
According to findings published by Seqrite Labs, the campaign has been codenamed Operation MoneyMount ISO and primarily targets finance and accounting departments, with procurement, legal, and payroll functions also emerging as secondary victims. The attack begins with phishing emails crafted to appear as legitimate financial communications, prompting recipients to confirm a recent bank transfer. These messages carry ZIP attachments that claim to contain transaction details. Instead, the ZIP archives embed malicious ISO optical disc image files that, once opened, mount as virtual CD drives on the victim's system. The ISO file, whose Russian title translates to "Bank transfer confirmation", acts as an executable container that launches Phantom Stealer through an embedded dynamic-link library named CreativeAI.dll. This delivery method lets the malware bypass certain security checks by leveraging trusted system behaviors, such as the operating system's native mounting of ISO images.
Phantom Stealer is a comprehensive information-stealing tool with broad data harvesting capabilities. Seqrite Labs noted that the malware can extract sensitive information from cryptocurrency wallet browser extensions installed on Chromium-based browsers, as well as from desktop wallet applications. Beyond financial data, the stealer collects browser-stored passwords, cookies, credit card information, and authentication tokens for platforms such as Discord. It can also grab files from the infected system, monitor clipboard activity, and log keystrokes. To evade detection, Phantom Stealer performs multiple checks to identify virtualized or sandboxed environments and halts execution if analysis tools are detected. Exfiltrated data is transmitted through attacker-controlled Telegram bots or Discord webhooks, and the malware also supports file uploads to remote FTP servers, giving threat actors flexible channels for data extraction.
In parallel with Operation MoneyMount ISO, Russian organizations have also faced another wave of phishing campaigns that focus on human resources and payroll departments. These attacks use lures related to bonuses or internal financial policies and distribute a previously undocumented implant known as DUPERUNNER. This activity, tracked under the name DupeHike, has been attributed to a threat cluster identified as UNG0902. Seqrite Labs explained that these campaigns rely on ZIP archives containing decoy files with PDF and LNK extensions. When opened, the LNK file initiates a PowerShell command that downloads the DUPERUNNER implant from an external server. The implant then displays a decoy document to maintain the appearance of legitimacy while injecting the AdaptixC2 beacon into legitimate Windows processes such as explorer.exe, notepad.exe, or msedge.exe. AdaptixC2 is an open-source command-and-control framework that enables attackers to remotely manage compromised systems.
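Both attachment chains described above (a ZIP wrapping an ISO image, and a ZIP wrapping a PDF decoy next to a LNK shortcut) hinge on an archive member whose file type a mail gateway can identify before anyone mounts or double-clicks it. The Python below is an added example, not code from Seqrite Labs or from the article, showing a defender-side attachment check that flags such members both by extension and by format signature (the ISO 9660 primary volume descriptor at sector 16, and the Windows Shell Link header), so that a renamed member is still caught. The archives, member names and member contents are constructed stand-ins, not samples from either campaign.

```python
import io
import os
import zipfile

# Public format facts used as signatures.
# ISO 9660: the primary volume descriptor sits at sector 16 (offset 0x8000)
# and begins with type byte 0x01 followed by the identifier "CD001".
ISO9660_PVD_OFFSET = 0x8000
ISO9660_MAGIC = b"\x01CD001"
# Windows Shell Link (.lnk): HeaderSize 0x4C, then LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_MAGIC = (b"L\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Extensions that should rarely, if ever, arrive inside an emailed ZIP.
RISKY_EXTENSIONS = {".iso", ".img", ".lnk"}

# Bytes needed from each member to evaluate both signatures.
HEAD_BYTES = ISO9660_PVD_OFFSET + len(ISO9660_MAGIC)


def classify_member(name: str, head: bytes) -> list[str]:
    """Return the reasons a ZIP member looks like a disc image or shortcut.

    `head` is the first HEAD_BYTES of the member; an empty list means clean.
    """
    reasons = []
    ext = os.path.splitext(name.lower())[1]
    if ext in RISKY_EXTENSIONS:
        reasons.append(f"risky extension {ext}")
    pvd = head[ISO9660_PVD_OFFSET:ISO9660_PVD_OFFSET + len(ISO9660_MAGIC)]
    if pvd == ISO9660_MAGIC:
        reasons.append("ISO 9660 volume descriptor")
    if head.startswith(LNK_MAGIC):
        reasons.append("Windows shell link header")
    return reasons


def scan_zip_attachment(zip_bytes: bytes) -> dict[str, list[str]]:
    """Map each suspicious member of a ZIP attachment to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(HEAD_BYTES)  # bounded read, no full extraction
            reasons = classify_member(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


# ---- constructed sample data (not real campaign artifacts) ----

def _build_zip(members: dict[str, bytes]) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()


def fake_iso() -> bytes:
    # Minimal stand-in: zeros up to sector 16, then the PVD magic, then padding.
    return b"\x00" * ISO9660_PVD_OFFSET + ISO9660_MAGIC + b"\x00" * 2048


def fake_lnk() -> bytes:
    # A 0x4C-byte header carrying only the signature bytes.
    return LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))


FAKE_PDF = b"%PDF-1.4\n% constructed decoy, not a real document\n"

# Constructed ZIP mirroring the ZIP -> ISO chain (English stand-in name).
SAMPLE_ISO_CHAIN = _build_zip({"transfer_confirmation.iso": fake_iso()})
# Constructed ZIP mirroring the PDF decoy + LNK chain.
SAMPLE_LNK_CHAIN = _build_zip({"bonus_policy.pdf": FAKE_PDF,
                               "bonus_policy.lnk": fake_lnk()})
# Constructed ZIP where a shortcut was renamed to hide its extension.
SAMPLE_RENAMED_LNK = _build_zip({"bonus_policy.pdf": fake_lnk()})
# Constructed benign ZIP.
SAMPLE_BENIGN = _build_zip({"invoice.pdf": FAKE_PDF})

if __name__ == "__main__":
    for label, blob in [("iso chain", SAMPLE_ISO_CHAIN),
                        ("lnk chain", SAMPLE_LNK_CHAIN),
                        ("renamed lnk", SAMPLE_RENAMED_LNK),
                        ("benign", SAMPLE_BENIGN)]:
        print(label, "->", scan_zip_attachment(blob))
```

The signature checks matter more than the extension list: the renamed-shortcut sample carries a .pdf name yet is still reported, because the LNK header is inspected directly. Reading only the first HEAD_BYTES of each member keeps the check cheap and avoids fully extracting large or deliberately inflated archives.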
Additional research from French cybersecurity firm Intrinsec has highlighted overlapping phishing and intrusion activity targeting Russian finance, legal, and aerospace sectors. These operations have delivered well-known tools such as Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote, allowing attackers to conduct data theft and interactive system control. Intrinsec attributed a subset of these intrusions targeting the Russian aerospace industry to hacktivist groups aligned with Ukrainian interests. Detected between June and September 2025, the activity shares technical overlaps with clusters tracked as Hive0117, Operation CargoTalon, and Rainbow Hyena, the last of which is also referred to as Fairy Trickster, Head Mare, and PhantomCore. Some campaigns redirected victims to credential-harvesting pages hosted on IPFS and Vercel infrastructure, aiming to steal login details associated with Microsoft Outlook and Bureau 1440. Intrinsec noted that compromised email servers belonging to Russian companies were leveraged to distribute spear-phishing messages, increasing the credibility and reach of the attacks.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.