Phantom Stealer Malware
Security analysts have uncovered an active and well-coordinated phishing campaign aimed at organizations across multiple industries in Russia. The operation, tracked as Operation MoneyMount-ISO, relies on carefully crafted phishing emails that distribute the Phantom Stealer malware through malicious ISO disk image attachments. The campaign highlights a continued shift toward less common attachment formats to bypass traditional email security controls.
Primary Targets and Sector Focus
The attackers have demonstrated a clear preference for organizations that routinely handle financial transactions and sensitive documentation. Finance and accounting departments appear to be the main focus, while procurement, legal, and payroll teams have also been repeatedly targeted. These roles are particularly attractive to threat actors due to their access to payment workflows, credentials, and confidential financial data.
Deceptive Email Lures and Initial Delivery
The infection process starts with phishing messages designed to resemble legitimate financial correspondence. Victims are prompted to verify or confirm a recent bank transfer, creating a sense of urgency and credibility. Each message includes a ZIP archive presented as supporting documentation. Rather than containing harmless documents, the archive hides a malicious ISO image; when the victim opens it, Windows mounts the image as a virtual optical drive.
Abuse of ISO Images for Malware Execution
The mounted ISO file, titled 'Подтверждение банковского перевода.iso' ('Bank transfer confirmation.iso'), acts as the main execution vehicle. Inside the image is a malicious dynamic link library named CreativeAI.dll, which is automatically invoked to launch Phantom Stealer. This technique allows the attackers to execute malware while reducing reliance on traditional executable files that are more likely to be blocked; files inside a mounted ISO also historically did not inherit the mark-of-the-web from the downloaded archive, so controls keyed on that flag may not fire.
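As an added illustration of how a mail gateway or triage script can catch this delivery chain without mounting anything (example code written for this article, not from the original report): the script identifies ISO members of a ZIP by the ISO 9660 'CD001' signature rather than by extension and walks the image's root directory records to list executable payloads. The sample archive is constructed inline; the archive and DLL names are taken from the campaign description above, and the directory-record offsets follow the ISO 9660 layout.

```python
import io
import struct
import zipfile

SECTOR, RISKY = 2048, (".dll", ".exe", ".lnk", ".scr", ".js", ".vbs")   # ISO block size; payload extensions to flag

def iso_root_files(data: bytes) -> list:
    """List file names in the ISO 9660 root directory by walking its records; nothing gets mounted."""
    root = data[16 * SECTOR + 156:16 * SECTOR + 190]          # 34-byte root directory record inside the PVD
    extent, size = struct.unpack_from("<I", root, 2)[0], struct.unpack_from("<I", root, 10)[0]
    directory, pos, names = data[extent * SECTOR:extent * SECTOR + size], 0, []
    while pos < len(directory):
        rec_len = directory[pos]
        if rec_len == 0:                                       # zero padding: records never straddle a sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        flags, name_len = directory[pos + 25], directory[pos + 32]
        name = directory[pos + 33:pos + 33 + name_len].decode("ascii", "replace")
        if not flags & 0x02:                                   # flag bit 1 marks a directory ('.' and '..' included)
            names.append(name.split(";")[0])                   # strip the ';1' file-version suffix
        pos += rec_len
    return names

def scan_zip(zip_bytes: bytes) -> list:
    """(member name, risky root-level payloads) for each ZIP member that is an ISO by signature, not by extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            member = zf.read(info)
            if member[16 * SECTOR + 1:16 * SECTOR + 6] == b"CD001":   # PVD identifier at byte 1 of sector 16
                findings.append((info.filename, [n for n in iso_root_files(member) if n.lower().endswith(RISKY)]))
    return findings

def _record(name: bytes, extent: int, size: int, flags: int) -> bytes:  # ISO 9660 directory record (sample builder)
    rec = bytearray(33 + len(name) + (len(name) + 1) % 2)     # 33-byte header + name, padded to even length
    rec[0], rec[25], rec[32] = len(rec), flags, len(name)
    rec[2:10] = struct.pack("<I", extent) + struct.pack(">I", extent)   # both-endian extent LBA
    rec[10:18] = struct.pack("<I", size) + struct.pack(">I", size)      # both-endian data length
    rec[33:33 + len(name)] = name
    return bytes(rec)

def build_sample_zip() -> bytes:
    """Constructed lure archive: a ZIP wrapping a minimal ISO whose root lists one DLL (no real payload inside)."""
    image = bytearray(20 * SECTOR)
    image[16 * SECTOR:16 * SECTOR + 6] = b"\x01CD001"                                 # Primary Volume Descriptor
    image[16 * SECTOR + 156:16 * SECTOR + 190] = _record(b"\x00", 18, SECTOR, 0x02)  # root directory at sector 18
    image[18 * SECTOR:18 * SECTOR + 50] = _record(b"CreativeAI.dll;1", 19, 4, 0)     # one 50-byte file record
    with zipfile.ZipFile(buf := io.BytesIO(), "w") as zf:
        zf.writestr("Bank transfer confirmation.iso", bytes(image))
    return buf.getvalue()
```

Running scan_zip(build_sample_zip()) returns [('Bank transfer confirmation.iso', ['CreativeAI.dll'])]; on real mail flow, a non-empty payload list for any ISO member is the condition to quarantine on.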
Capabilities of the Phantom Stealer Malware
Once deployed, Phantom Stealer focuses on harvesting a broad range of sensitive information from infected systems. Its functionality includes:
Extracting data from cryptocurrency wallet browser extensions in Chromium-based browsers and from standalone desktop wallet applications, along with stealing browser passwords, cookies, stored credit card data, Discord authentication tokens, and selected local files.
Monitoring clipboard activity, logging keystrokes, and performing environment checks to detect virtual machines, sandboxes, or analysis tools, terminating itself if such conditions are identified.
Exfiltration and Command Channels
Stolen data is transmitted through multiple attacker-controlled channels to ensure reliability and flexibility. Phantom Stealer is configured to exfiltrate information via a Telegram bot or a Discord webhook under the attackers' control. In addition, the malware supports direct file transfers to an external FTP server, enabling bulk data theft and follow-up operations.