
Phantom Stealer phishing delivery and exfiltration activity

Malware Activity
Happening score
H score 33
1 unique source, 1 article

Summary


Phantom Stealer is being delivered through a phishing campaign that uses a ZIP-to-ISO attachment chain to bypass mail defenses, exposing Russian-speaking organizations to credential and token theft. The lure is a fake bank transfer confirmation written in formal Russian business language. Once opened, the attachment chain mounts an ISO and launches a disguised executable that deploys the stealer in memory. The activity matters because it combines ISO-based initial access with broad browser, wallet, and token harvesting and multi-channel exfiltration.

Related Happenings

Silent subject/null subject phishing campaign targeting executives and privileged users

Campaign
First: 22.04.2026 16:00 Last: 22.04.2026 16:00 Sources 1

About this happening: A **widespread silent subject/null subject phishing campaign** is sending subject-less emails to **high-value users**, raising the risk of **credential theft** and follow-on **lat...

Phantom Stealer Europe phishing campaign

Campaign
First: 31.03.2026 17:00 Last: 31.03.2026 17:00 Sources 1

About this happening: A **sustained phishing campaign** delivered **Phantom Stealer** to organizations in **logistics, manufacturing and technology** across **Europe**, creating a broad credential-thef...

Operation MoneyMount-ISO Phantom Stealer phishing campaign targeting Russian finance entities

Campaign
First: 15.12.2025 11:24 Last: 15.12.2025 11:24 Sources 1

About this happening: The **Operation MoneyMount-ISO** phishing campaign is actively targeting organizations in **Russia**, and it matters because the emails deliver **Phantom Stealer** through **malic...

Winos 4.0 and HoldingHands RAT malware activity expanding targeting to Japan and Malaysia

Malware Activity
First: 18.10.2025 09:51 Last: 18.10.2025 09:51 Sources 1

About this happening: The **Winos 4.0** malware operation has expanded its target footprint to **Japan** and **Malaysia** through **HoldingHands RAT**, increasing the reach of a multi-stage phishing de...

Noisy Bear Kazakhstan oil and gas phishing campaign

Campaign
First: 11.09.2025 15:00 Last: 11.09.2025 15:00 Sources 1

About this happening: The **Noisy Bear** operation is conducting **phishing-based intrusion activity** against **Kazakhstan's oil and gas sector**, creating espionage risk for **KazMunayGas** and relat...

Timeline

  1. 15.12.2025 18:00 2 articles · 5mo ago

    Operation MoneyMount-ISO delivers Phantom Stealer

    Initial Disclosure

    Seqrite Labs identified Operation MoneyMount-ISO, a Russia-origin phishing campaign that used a fake payment confirmation email and a ZIP-to-ISO attachment chain to deploy Phantom Stealer into Russian-speaking organizations, with a clear focus on finance, accounting, treasury and payments teams. The staged payload chain mounted an ISO, launched a disguised executable, decrypted a malicious DLL, injected the stealer in memory, and used anti-analysis checks to evade sandboxes and virtual machines before exfiltrating browser passwords, cookies, credit-card data, cryptocurrency wallets, keystrokes, clipboard contents, and Discord authentication tokens through Telegram bots, Discord webhooks and FTP servers.
