Seqrite Labs has uncovered an active Russian phishing campaign that delivers Phantom information-stealing malware through malicious ISO files embedded in fake payment confirmation emails.
The sophisticated attack primarily targets finance and accounting professionals in Russia, using social engineering tactics to deceive victims into executing malicious payloads that steal credentials, cryptocurrency wallets, browser data, and sensitive files.
The campaign primarily focuses on finance, accounting, treasury, and payment departments within Russian organizations.
Secondary targets include procurement teams, legal departments, HR and payroll staff, executive assistants, and small to medium-sized enterprises operating in Russian-speaking regions.
The attack poses significant risks, including credential theft, invoice fraud, unauthorized financial transfers, and potential lateral movement into broader IT systems.
Phishing Campaign Origins
Seqrite researchers identified a Russian-language phishing email titled “Подтверждение банковского перевода” (Confirmation of Bank Transfer) sent from compromised email addresses.
The message impersonates TorFX Currency Broker and uses formal business language to appear legitimate to finance personnel.

The email contains a malicious ZIP archive approximately 1 megabyte in size that conceals an ISO file designed to bypass traditional security controls.
The sender domain “iskra-svarka.ru” and the spoofed “agroterminal.c” domain are unrelated to the purported organization, revealing clear signs of email spoofing and impersonation tactics designed to establish false credibility with potential victims.

When the victim opens the ZIP attachment and double-clicks the ISO file, Windows auto-mounts it as a virtual CD drive, exposing an executable disguised as a legitimate payment confirmation document.
Running that executable stages further payloads in memory, beginning with a DLL named CreativeAI.dll that carries encrypted code.
This DLL decrypts the final Phantom Stealer payload and injects it into the system.

The malware also uses steganography, hiding malicious code inside System.Drawing.Bitmap objects (image pixel data) so that the payload does not appear as a recognizable executable on disk.
This layered approach lets the attackers bypass security solutions that rely mainly on known malware signatures.
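The delivery pattern above (a ZIP attachment wrapping an auto-mountable ISO) is something a mail gateway or SOC triage script can flag without needing a signature for the payload. The following Python script is an added example, not Seqrite's tooling or code from the report: it builds a constructed ZIP in memory that mimics the campaign's packaging, flags any disk-image member, and compares the SHA-256 of the archive and of each member against the IOC hashes published in the report. The member contents and the helper names (`triage_zip`, `build_sample_zip`) are assumptions made for the example.

```python
"""Triage of e-mail attachments for the ZIP-wrapped-ISO delivery pattern.

Added example, not Seqrite's tooling. It uses only the standard library so it
runs offline; the sample archive is constructed in memory and its member is
just placeholder bytes, not a real ISO image.
"""
import hashlib
import io
import zipfile

# SHA-256 IOCs from the report (the first entry had no file name on the page).
IOC_SHA256 = {
    "27bc3c4eed4e70ff5a438815b1694f83150c36d351ae1095c2811c962591e1bf": "unnamed sample",
    "4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599": "Подтверждение банковского перевода.zip",
    "60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9": "Подтверждение банковского перевода.iso",
    "78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77": "HvNC.exe",
}

# Container formats Windows mounts on double-click. An archive that wraps one
# of these is the packaging pattern this campaign relies on (assumed list).
DISK_IMAGE_EXT = (".iso", ".img", ".vhd", ".vhdx")


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, the same form the IOC table uses."""
    return hashlib.sha256(data).hexdigest()


def triage_zip(zip_bytes: bytes) -> dict:
    """Inspect one ZIP attachment and return a findings dict.

    verdict is "block" on any IOC hash match, "review" when the archive
    carries a disk image (or cannot be parsed), and "allow" otherwise.
    """
    findings = {
        "archive_sha256": sha256_hex(zip_bytes),
        "archive_ioc_hit": False,
        "disk_images": [],
        "member_ioc_hits": {},
        "parse_error": None,
        "verdict": "allow",
    }
    if findings["archive_sha256"] in IOC_SHA256:
        findings["archive_ioc_hit"] = True

    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                # Extension check is case-insensitive; lures often mix case.
                if info.filename.lower().endswith(DISK_IMAGE_EXT):
                    findings["disk_images"].append(info.filename)
                member_hash = sha256_hex(zf.read(info))
                if member_hash in IOC_SHA256:
                    findings["member_ioc_hits"][info.filename] = IOC_SHA256[member_hash]
    except zipfile.BadZipFile as exc:
        # A corrupt or non-ZIP attachment is not "clean"; send it for review.
        findings["parse_error"] = str(exc)
        findings["verdict"] = "review"
        return findings

    if findings["archive_ioc_hit"] or findings["member_ioc_hits"]:
        findings["verdict"] = "block"
    elif findings["disk_images"]:
        findings["verdict"] = "review"
    return findings


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Construct a one-member ZIP in memory (test fixture, not real malware)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed sample mimicking the lure's packaging: a ZIP carrying an .iso.
SAMPLE_LURE_ZIP = build_sample_zip(
    "Подтверждение банковского перевода.iso", b"CONSTRUCTED-PLACEHOLDER-NOT-AN-ISO"
)
SAMPLE_BENIGN_ZIP = build_sample_zip("quarterly_report.pdf", b"%PDF-1.4 placeholder")

if __name__ == "__main__":
    for label, blob in (("lure", SAMPLE_LURE_ZIP), ("benign", SAMPLE_BENIGN_ZIP)):
        result = triage_zip(blob)
        print(f"{label}: verdict={result['verdict']} disk_images={result['disk_images']}")
```

In a gateway deployment the hash match is the cheap, high-confidence check and the disk-image rule is the durable one: the campaign can re-pack the ISO to change every hash, but it cannot drop the auto-mounting container without changing the social-engineering chain the report describes.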
Operation MoneyMount-ISO represents an evolving trend where threat actors leverage ISO-mounted executables to deliver commodity stealers while evading perimeter security controls.
The campaign’s payment-confirmation social engineering lure combined with spoofed Russian business domains indicates highly targeted credential-theft activity explicitly designed for finance-related roles.
The increasing sophistication of stealer malware delivered via unconventional file formats demands a multi-layered defense approach that combines technical controls with user education.
IOCs:
| SHA-256 | File name |
| --- | --- |
| 27bc3c4eed4e70ff5a438815b1694f83150c36d351ae1095c2811c962591e1bf | |
| 4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599 | Подтверждение банковского перевода.zip |
| 60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9 | Подтверждение банковского перевода.iso |
| 78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77 | HvNC.exe |
