Find notable cyber news and cases, enriched with sources, timelines, and signals.

Operation MoneyMount-ISO Phantom Stealer phishing campaign targeting Russian finance entities

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

The Operation MoneyMount-ISO phishing campaign is actively targeting organizations in Russia, and it matters because the emails deliver Phantom Stealer through malicious ISO optical disc images. The main targets are finance and accounting entities, with procurement, legal, and payroll groups also in scope. The lure uses a fake bank transfer confirmation and a ZIP-to-ISO attachment chain to launch the stealer. The malware can steal wallet, browser, and credential data and exfiltrate it through Telegram, Discord, or FTP.

Related Happenings

SideCopy Operation XENOFISCAL spear-phishing campaign targeting Afghan finance entities

Campaign
H score25 First: 02.06.2026 12:05 Last: 02.06.2026 12:05 Sources 1

About this happening: The **SideCopy**-linked **Operation XENOFISCAL** spear-phishing campaign is targeting **Afghanistan's Ministry of Finance** and related provincial finance offices with **Xeno RAT*...

Operation Dragon Weave cyber-espionage campaign

Campaign
H score37 First: 01.06.2026 14:54 Last: 01.06.2026 14:54 Sources 1

About this happening: The **Operation Dragon Weave** campaign is actively targeting **officials and citizens in the Czech Republic and Taiwan** with **spear-phishing ZIP attachments**. The infection ch...

Phantom Stealer phishing delivery and exfiltration activity

Malware Activity
H score30 First: 15.12.2025 18:00 Last: 15.12.2025 18:00 Sources 1

About this happening: **Phantom Stealer** is being delivered through a **phishing campaign** that uses a **ZIP-to-ISO attachment chain** to bypass mail defenses, exposing **Russian-speaking organizatio...

Ukrainian government impersonation SVG phishing campaign

Campaign
H score37 First: 26.09.2025 19:40 Last: 26.09.2025 19:40 Sources 1

About this happening: A **phishing campaign** impersonating **Ukrainian government agencies** is delivering **CountLoader**, raising the risk of **stealer** and **cryptominer** infections for targeted...

Timeline

  1. 15.12.2025 11:24 2 articles · 6mo ago

    Operation MoneyMount-ISO phishing campaign disclosure

    Initial Disclosure

    Researchers disclosed Operation MoneyMount-ISO, an active phishing campaign targeting finance and accounting entities in Russia, with procurement, legal, and payroll groups also in scope. The emails use a fake bank transfer confirmation lure and a ZIP-to-ISO attachment chain that mounts a malicious ISO image and launches Phantom Stealer through an embedded DLL, enabling theft of wallet-extension data, browser passwords, cookies, credit card details, Discord tokens, clipboard content, and keystrokes, with exfiltration via Telegram, Discord, or FTP.

    Show sources