Operation MoneyMount-ISO Phantom Stealer phishing campaign targeting Russian finance entities
Campaign
Summary
The Operation MoneyMount-ISO phishing campaign is actively targeting organizations in Russia with emails that deliver Phantom Stealer through malicious ISO optical disc images. The main targets are finance and accounting entities, with procurement, legal, and payroll groups also in scope. The lure is a fake bank transfer confirmation, and a ZIP-to-ISO attachment chain launches the stealer. The malware can steal wallet, browser, and credential data and exfiltrate it through Telegram, Discord, or FTP.
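A mail-gateway style check for the ZIP-to-ISO attachment chain described above, as an added example that is not from the original report: it opens each ZIP attachment and flags members that are disc images by extension or by the ISO 9660 `CD001` signature. The file names, the `FAKE_ISO` stub and the `build_sample` helper are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ISO_MAGIC = b"CD001"        # ISO 9660 volume descriptor identifier
ISO_MAGIC_OFFSET = 0x8001   # sector 16 (16 * 2048) plus the 1-byte type field
DISC_EXTS = (".iso", ".img")  # UDF-only images lack CD001; the extension catches them

def looks_like_iso(data: bytes) -> bool:
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == ISO_MAGIC

def disc_images_in_zip(blob: bytes) -> list:
    """Names of ZIP members that are disc images by extension or by magic."""
    hits = []
    if not zipfile.is_zipfile(io.BytesIO(blob)):
        return hits
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            by_name = info.filename.lower().endswith(DISC_EXTS)
            by_magic = False
            if not info.flag_bits & 0x1:  # encrypted members cannot be read
                with zf.open(info) as fh:  # stream only the header region
                    by_magic = looks_like_iso(fh.read(ISO_MAGIC_OFFSET + 5))
            if by_name or by_magic:
                hits.append(info.filename)
    return hits

def scan_message(raw: bytes) -> dict:
    """Map each ZIP attachment's filename to the disc images found inside."""
    findings = {}
    for part in message_from_bytes(raw, policy=policy.default).iter_attachments():
        hits = disc_images_in_zip(part.get_payload(decode=True) or b"")
        if hits:
            findings[part.get_filename()] = hits
    return findings

FAKE_ISO = bytes(ISO_MAGIC_OFFSET) + ISO_MAGIC + bytes(16)  # constructed stub

def build_sample(member_name: str, member_data: bytes) -> bytes:
    """Constructed message carrying one ZIP attachment with one member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, member_data)
    msg = EmailMessage()
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="sample.zip")
    return msg.as_bytes()
```

The magic check catches a disc image whose member name has been changed to a document extension, which an extension-only filter would miss.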
Related Happenings
Phantom Stealer phishing delivery and exfiltration activity
Malware Activity
First: 15.12.2025 18:00
Last: 15.12.2025 18:00
Sources 1
About this happening:
**Phantom Stealer** is being delivered through a **phishing campaign** that uses a **ZIP-to-ISO attachment chain** to bypass mail defenses, exposing **Russian-speaking organizatio...
Ukrainian government impersonation SVG phishing campaign
Campaign
First: 26.09.2025 19:40
Last: 26.09.2025 19:40
Sources 1
About this happening:
A **phishing campaign** impersonating **Ukrainian government agencies** is delivering **CountLoader**, raising the risk of **stealer** and **cryptominer** infections for targeted...
Timeline
- 15.12.2025 11:24 · 2 articles
Operation MoneyMount-ISO phishing campaign disclosure
Initial Disclosure
Researchers disclosed Operation MoneyMount-ISO, an active phishing campaign targeting finance and accounting entities in Russia, with procurement, legal, and payroll groups also in scope. The emails use a fake bank transfer confirmation lure and a ZIP-to-ISO attachment chain that mounts a malicious ISO image and launches Phantom Stealer through an embedded DLL, enabling theft of wallet-extension data, browser passwords, cookies, credit card details, Discord tokens, clipboard content, and keystrokes, with exfiltration via Telegram, Discord, or FTP.
Sources:
- Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector — thehackernews.com — 15.12.2025 11:24