Operation MoneyMount-ISO is an active phishing campaign originating from Russia that deploys Phantom information-stealing malware through a multi-stage attack chain aimed at financial and business operations. The campaign uses fake payment confirmation lures delivered by email, carrying malicious ZIP archives with embedded ISO files designed to bypass security controls. When a victim opens the ISO file, it mounts automatically as a virtual CD drive and presents an executable disguised as a legitimate bank transfer confirmation document. Executing it triggers a staged payload chain that ultimately deploys Phantom Stealer, a credential theft and data exfiltration tool targeting financial assets, cryptocurrency wallets, browser credentials, and sensitive business communications. The campaign specifically targets Russian-speaking professionals in finance, accounting, treasury, procurement, legal, and HR/payroll departments, executive assistants, and small-to-medium enterprises. Phantom Stealer includes extensive anti-analysis capabilities intended to evade detection: it checks for virtual machines, sandboxes, suspicious usernames, security analysis tools, blacklisted IP ranges, and system identifiers. Once active on a compromised Windows system, it focuses on large-scale data theft, including browser-stored credentials, cookies, credit card data, cryptocurrency wallet extensions, desktop wallet applications, Discord authentication tokens, clipboard contents, and keystroke logging. Stolen data is systematically organized, archived, and exfiltrated through multiple channels, including Telegram bots, Discord webhooks, and FTP servers, underscoring the financially motivated nature of this Russian threat actor campaign.
An active phishing campaign linked to Russian threat activity leverages fake payment confirmation emails to deliver Phantom Stealer malware using familiar social engineering tactics. The Operation MoneyMount-ISO attack relies on presenting phishing messages as routine financial correspondence to lower recipient suspicion and increase click-through rates. By abusing multi-stage attachments and trusted-looking professional language, the Phantom Stealer campaign targets users likely to open financial documents quickly, particularly professionals in finance and accounting roles who regularly process payment confirmations.
The phishing email is written in Russian and carries the subject “Пoдтвepждeниe бaнкoвcкoгo пepeвoдa” (Confirmation of Bank Transfer), sent under the name “Anton Vladimirovich Demyanenko” from a domain unrelated to the organization it claims to represent. The message poses as correspondence from a legitimate currency broker and urges recipients to review an attached document related to a supposed bank transfer, using a formal, professional tone to appear credible. The generic salutation suggests Operation MoneyMount-ISO is mass-distributed rather than carefully personalized, indicating broad targeting across Russian business sectors.
Attached to the phishing email is a ZIP archive containing an ISO file, a format increasingly abused by threat actors to bypass email security controls and endpoint protection systems. When the ISO file is opened, it automatically mounts as a virtual drive on Windows systems and presents an executable masquerading as a payment confirmation document. Launching this Phantom Stealer executable triggers the infection chain, ultimately deploying the information stealer on the victim’s system. The mismatch between the sender’s domain and the impersonated company, combined with the unusual ISO attachment format, points to deliberate and well-crafted deception techniques employed by Operation MoneyMount-ISO operators.
Technical analysis reveals that the initial Phantom Stealer executable loads an encrypted payload embedded within a DLL file, which is decrypted in memory before injecting Phantom Stealer malware into system processes. The malware includes extensive anti-analysis capabilities designed to evade detection and frustrate security researchers. Phantom Stealer actively checks for virtual machines, sandboxes, suspicious usernames, analysis tools, blacklisted IP address ranges, and system identifiers such as the Windows MachineGuid. If these anti-analysis checks are triggered, Phantom Stealer terminates itself to avoid further security scrutiny and preserve operational security.
Once active on compromised systems, Phantom Stealer focuses on comprehensive large-scale data theft operations. The malware targets browser-stored credentials, authentication cookies, credit card data, cryptocurrency wallet extensions including MetaMask and other popular wallets, desktop cryptocurrency wallet applications, Discord authentication tokens for account takeover, clipboard contents for cryptocurrency address replacement, and keystroke logging for capturing passwords and sensitive information. Stolen data is systematically organized, compressed into archives, and exfiltrated through multiple command-and-control channels including Telegram bots, Discord webhooks, and FTP servers. Operation MoneyMount-ISO highlights how financially motivated Russian threat actors combine ISO-based delivery mechanisms, staged payload deployment, and robust evasion techniques to steal sensitive financial data efficiently from targeted organizations.
Organizations must treat payment-related emails with heightened caution, particularly messages claiming to confirm bank transfers, invoices, or urgent payment requests. Emails pressuring recipients to open attachments to “confirm” financial transactions should always be verified through trusted, separate communication channels. Implement secondary verification procedures requiring validation with the purported sender through phone calls or authenticated messaging before opening any financial attachments delivered via email.
Organizations should block risky attachment types at email gateway security controls, as ISO, IMG, and ZIP-based container files are increasingly abused to deliver information-stealing malware like Phantom Stealer. Where operationally possible, restrict or quarantine these attachment types in emails, especially those sent to finance, accounting, procurement, legal, and treasury teams who are primary targets of Operation MoneyMount-ISO phishing campaigns.
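One way a mail gateway or attachment sandbox can implement the container check described above, written as an added example (not code from the original report): it opens a ZIP in memory, flags members with container extensions (ISO, IMG, VHD, VHDX), and independently checks each member for the ISO 9660 volume descriptor signature so a renamed ISO is still caught. The sample archive and its file name are constructed; only the ISO 9660 magic ("CD001" at offset 0x8001) is a real format constant.

```python
"""Gateway-style check for ZIP attachments that smuggle a disk image.

Added example mirroring the MoneyMount-ISO chain (ZIP -> ISO -> executable);
the sample ZIP built below is constructed and contains no real malware."""
import io
import os
import zipfile

# Container formats abused to carry executables past attachment filters.
CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}
# ISO 9660: the primary volume descriptor sits at sector 16 (offset 0x8000);
# byte 0 is the descriptor type and bytes 1-5 are the identifier "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"


def looks_like_iso(data: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def inspect_zip_attachment(zip_bytes: bytes) -> list[str]:
    """Return quarantine reasons for the ZIP; an empty list means nothing found."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            _, ext = os.path.splitext(info.filename.lower())
            member = zf.read(info)
            if ext in CONTAINER_EXTS:
                findings.append(f"{info.filename}: container extension {ext}")
            # Content check catches an ISO renamed to .pdf or similar.
            if looks_like_iso(member):
                findings.append(f"{info.filename}: ISO 9660 signature present")
    return findings


def build_constructed_sample() -> bytes:
    """Constructed lure: a ZIP holding a minimal ISO-shaped blob (not real malware)."""
    iso = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
    iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Podtverzhdenie_perevoda.iso", bytes(iso))  # constructed name
    return buf.getvalue()


if __name__ == "__main__":
    for reason in inspect_zip_attachment(build_constructed_sample()):
        print("QUARANTINE:", reason)
```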
Implement comprehensive logging and monitoring of outbound connections to services commonly abused for data exfiltration, specifically Telegram APIs, Discord webhooks, and FTP servers. Establish clear incident response procedures ensuring suspected phishing infections can be quickly isolated from networks and thoroughly investigated. Deploy endpoint detection and response solutions capable of identifying Phantom Stealer behavior patterns including credential access, clipboard monitoring, and data archiving activities.
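The egress monitoring recommended above, as an added detection example that is not part of the original report: it parses constructed key=value proxy/firewall log lines and flags the three exfiltration channels the campaign uses (Telegram bot API uploads, Discord webhook posts, and bulk FTP transfers). The log format, hosts on the internal side, token and webhook values, and the byte threshold are all constructed or assumed and should be adapted to local telemetry.

```python
"""Flag Telegram-bot, Discord-webhook and bulk-FTP egress in proxy logs.

Added example; log format and sample lines are constructed (not real telemetry)."""
import re
from typing import Optional

# Constructed egress log lines: one infected host using all three channels,
# plus one benign request that must not alert.
SAMPLE_LOGS = """\
ts=2024-05-02T09:14:03Z src=10.20.4.17 dst=api.telegram.org dport=443 method=POST uri=/bot123456789:CONSTRUCTED_TOKEN_VALUE/sendDocument bytes_out=1834021
ts=2024-05-02T09:14:05Z src=10.20.4.17 dst=discord.com dport=443 method=POST uri=/api/webhooks/000000000000000000/CONSTRUCTED_WEBHOOK_ID bytes_out=920114
ts=2024-05-02T09:14:09Z src=10.20.4.17 dst=203.0.113.45 dport=21 method=- uri=- bytes_out=4210000
ts=2024-05-02T09:15:00Z src=10.20.4.22 dst=www.example.com dport=443 method=GET uri=/news bytes_out=512
"""

KV = re.compile(r"(\w+)=(\S+)")
# Telegram bot API paths embed the bot token: /bot<id>:<secret>/<method>
TELEGRAM_BOT_URI = re.compile(r"^/bot\d+:[A-Za-z0-9_-]+/(sendDocument|sendMessage|sendPhoto)")
DISCORD_WEBHOOK_URI = re.compile(r"^/api/webhooks/\d+/")
FTP_BYTES_THRESHOLD = 1_000_000  # assumed; tune to normal FTP volume in the environment


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return dict(KV.findall(line))


def classify(rec: dict) -> Optional[str]:
    """Name the exfiltration channel a record matches, or None."""
    dst, uri = rec.get("dst", ""), rec.get("uri", "")
    if dst == "api.telegram.org" and TELEGRAM_BOT_URI.match(uri):
        return "telegram-bot-api"
    if dst in ("discord.com", "discordapp.com") and DISCORD_WEBHOOK_URI.match(uri):
        return "discord-webhook"
    if rec.get("dport") == "21" and int(rec.get("bytes_out", 0)) >= FTP_BYTES_THRESHOLD:
        return "ftp-bulk-upload"
    return None


def detect_exfil(log_text: str) -> list[tuple[str, str, int]]:
    """Return (src, channel, bytes_out) for every line that matches a channel."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        channel = classify(rec)
        if channel:
            alerts.append((rec["src"], channel, int(rec["bytes_out"])))
    return alerts


if __name__ == "__main__":
    for src, channel, size in detect_exfil(SAMPLE_LOGS):
        print(f"ALERT {src} -> {channel} ({size} bytes out)")
```

Correlating the three alerts on the same source host within a short window is the stronger signal; any single channel on its own may have a legitimate business use.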
Organizations must deploy next-generation antivirus solutions and endpoint detection and response platforms to identify and block Phantom Stealer malware infections. Leverage behavioral analysis and machine learning-based detection capabilities to spot suspicious activities characteristic of information stealers, including memory injection, anti-analysis checks, credential harvesting, and unauthorized data exfiltration attempts associated with Operation MoneyMount-ISO campaigns.
SHA256 Hashes:
TA0001 – Initial Access
TA0002 – Execution
TA0005 – Defense Evasion
TA0006 – Credential Access
TA0007 – Discovery
TA0009 – Collection
TA0010 – Exfiltration
TA0011 – Command and Control