Find notable cyber news and cases, enriched with sources, timelines, and signals.

Phantom Stealer phishing delivery and exfiltration activity

Malware Activity
First reported
Last updated
Happening score
H score 30
1 unique sources, 1 articles

Summary

Hide ▲

Phantom Stealer is being delivered through a phishing campaign that uses a ZIP-to-ISO attachment chain to bypass mail defenses, exposing Russian-speaking organizations to credential theft and token theft. The lure is a fake bank transfer confirmation written in formal Russian business language. Once opened, the attachment chain mounts an ISO and launches a disguised executable that deploys the stealer in memory. The activity matters because it combines ISO-based initial access with broad browser, wallet, and token harvesting plus multi-channel exfiltration.

Related Happenings

SideCopy Operation XENOFISCAL spear-phishing campaign targeting Afghan finance entities

Campaign
H score25 First: 02.06.2026 12:05 Last: 02.06.2026 12:05 Sources 1

About this happening: The **SideCopy**-linked **Operation XENOFISCAL** spear-phishing campaign is targeting **Afghanistan's Ministry of Finance** and related provincial finance offices with **Xeno RAT*...

Silent subject/null subject phishing campaign targeting executives and privileged users

Campaign
H score32 First: 22.04.2026 16:00 Last: 22.04.2026 16:00 Sources 1

About this happening: A **widespread silent subject/null subject phishing campaign** is sending subject-less emails to **high-value users**, raising the risk of **credential theft** and follow-on **lat...

Phantom Stealer Europe phishing campaign

Campaign
H score33 First: 31.03.2026 17:00 Last: 31.03.2026 17:00 Sources 1

About this happening: A **sustained phishing campaign** delivered **Phantom Stealer** to organizations in **logistics, manufacturing and technology** across **Europe**, creating a broad credential-thef...

Operation MoneyMount-ISO Phantom Stealer phishing campaign targeting Russian finance entities

Campaign
H score33 First: 15.12.2025 11:24 Last: 15.12.2025 11:24 Sources 1

About this happening: The **Operation MoneyMount-ISO** phishing campaign is actively targeting organizations in **Russia**, and it matters because the emails deliver **Phantom Stealer** through **malic...

Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia

Malware Activity
H score23 First: 18.10.2025 09:51 Last: 18.10.2025 09:51 Sources 1

About this happening: The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...

Timeline

  1. 15.12.2025 18:00 2 articles · 6mo ago

    Operation MoneyMount-ISO delivers Phantom Stealer

    Initial Disclosure

    Seqrite Labs identified Operation MoneyMount-ISO, a Russia-origin phishing campaign that used a fake payment confirmation email and a ZIP-to-ISO attachment chain to deploy Phantom Stealer into Russian-speaking organizations, with a clear focus on finance, accounting, treasury and payments teams. The staged payload chain mounted an ISO, launched a disguised executable, decrypted a malicious DLL, injected the stealer in memory, and used anti-analysis checks to evade sandboxes and virtual machines before exfiltrating browser passwords, cookies, credit-card data, cryptocurrency wallets, keystrokes, clipboard contents, and Discord authentication tokens through Telegram bots, Discord webhooks and FTP servers.

    Show sources