
Cybersecurity researchers have revealed details of an active phishing campaign targeting a wide range of sectors in Russia with phishing emails delivering Phantom Stealer via malicious ISO optical disk images.
The operation, codenamed Operation MoneyMount-ISO by Seqrite Labs, primarily targets finance and accounting organizations, with organizations in the procurement, legal, and payroll sectors emerging as secondary targets.
“This campaign leverages fake payment verification lures to deliver phantom information-stealing malware through a multi-step attachment chain,” the cybersecurity firm said.

The infection chain begins with a phishing email disguised as a legitimate financial communication that prompts recipients to verify a recent bank transfer. The attached ZIP archive claims to contain further details but instead holds an ISO file, which is mounted on the system as a virtual CD drive when it is launched.
The ISO image (“Подтверждение банковского перевода.iso” or “Bank Transfer Confirmation.iso”) contains an executable file designed to launch Phantom Stealer by means of an embedded DLL (“CreativeAI.dll”).
Phantom Stealer can extract data from cryptocurrency wallet browser extensions installed on Chromium-based browsers and desktop wallet apps, as well as grab files, Discord authentication tokens, browser-related passwords, cookies, and credit card details.
It also monitors the clipboard, logs keystrokes, and runs a series of checks for virtual machines, sandboxes, and analysis environments, aborting execution if one is detected. Data is exfiltrated via Telegram bots or attacker-controlled Discord webhooks; the stealer can also upload files to FTP servers.

In recent months, Russian organizations, primarily human resources and payroll departments, have also been targeted by phishing emails that use baits related to bonuses and internal financial policies to deploy a previously undocumented implant named DUPERUNNER that loads the open source command and control (C2) framework AdaptixC2.
The campaign, dubbed DupeHike, is believed to originate from a threat cluster named UNG0902.
“ZIP is used as a preliminary source for a spear phishing-based infection that includes a decoy with PDF and LNK extensions, downloads the implant DUPERUNNER, and ultimately executes the Adaptix C2 Beacon,” Seqrite said.
The LNK file (‘Документ_1_О_размере_годовой_премии.pdf.lnk’ or ‘Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk’) uses ‘powershell.exe’ to download DUPERUNNER from an external server. The implant’s main role is to retrieve and display a decoy PDF and to inject into legitimate Windows processes such as ‘explorer.exe’, ‘notepad.exe’, and ‘msedge.exe’ in order to launch AdaptixC2.
Other phishing campaigns have targeted Russia’s financial, legal, and aerospace sectors, distributing malicious tools such as Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote, which can steal data and capture keystrokes. In these cases a compromised Russian company’s email server was used to send the spear-phishing messages.
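Both chains described above (the ZIP that hides a mountable ISO, and the ZIP that hides a ‘.pdf.lnk’ shortcut) share a property a mail gateway can check before the attachment ever reaches a user: the archive contains a disk image or shortcut rather than the document the lure promises. The following is an added example, not code from Seqrite or from either campaign, that scans a ZIP attachment in memory and flags such members by extension, by document-style double extensions, and by the ISO 9660 “CD001” volume-descriptor marker. The extension lists and the sample ZIP are constructed for the example; the file names reuse the two lure names quoted in the article.

```python
import io
import zipfile

# Extensions that have no business arriving inside a ZIP from a "payment confirmation"
# mail. ISO (mountable disk image) and LNK (shortcut) are the cases from the article;
# the others are common siblings and are an assumption of this example.
SUSPICIOUS_EXTENSIONS = {".iso", ".img", ".vhd", ".lnk", ".exe", ".js", ".vbs", ".hta"}
# Document extensions used as the "decoy" half of a double extension such as .pdf.lnk.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}

# ISO 9660 primary volume descriptor: bytes 1..5 of sector 16 (offset 0x8001) read "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"


def classify_member(name):
    """Return the reasons a ZIP member name looks like a delivery stage (empty if none)."""
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    reasons = []
    if len(parts) < 2:
        return reasons
    ext = "." + parts[-1]
    if ext in SUSPICIOUS_EXTENSIONS:
        reasons.append(f"archived {ext} payload")
        # "invoice.pdf.lnk": a document extension directly before the real one.
        if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTENSIONS:
            reasons.append(f"double extension .{parts[-2]}{ext} disguises payload as a document")
    return reasons


def scan_zip_bytes(data):
    """Scan a ZIP attachment given as bytes; return {member_name: [reasons]} for flagged members."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_member(info.filename)
            # Name checks are cheap to evade by renaming, so also look for the ISO 9660
            # marker; only the first 0x8006 bytes of the member are needed for that.
            with zf.open(info) as fh:
                head = fh.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            if head[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
                reasons.append("iso9660 volume descriptor found (mountable image)")
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip(members):
    """Build an in-memory ZIP from {name: bytes}. Used here only for constructed test data."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()


# Constructed sample attachment: a fake ISO carrying only the CD001 marker, a
# double-extension shortcut stub, and a harmless PDF that must not be flagged.
_fake_iso = bytearray(ISO_MAGIC_OFFSET + len(ISO_MAGIC) + 16)
_fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
SAMPLE_ZIP = build_sample_zip({
    "Подтверждение банковского перевода.iso": bytes(_fake_iso),
    "Документ_1_О_размере_годовой_премии.pdf.lnk": b"L\x00\x00\x00" + b"\x00" * 60,
    "invoice.pdf": b"%PDF-1.4\n%constructed sample\n",
})

if __name__ == "__main__":
    for member, reasons in scan_zip_bytes(SAMPLE_ZIP).items():
        print(f"{member}: {'; '.join(reasons)}")
```

Running the block flags the ISO on both its extension and its volume-descriptor marker and flags the shortcut on its ‘.lnk’ extension and its ‘.pdf.lnk’ double extension, while the plain PDF passes. The magic-byte check matters because a renamed image still mounts once the user opens it; in a real gateway the same scan would be applied recursively to archives nested inside archives.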

French cybersecurity firm Intrinsec has blamed a series of intrusions targeting Russia’s aerospace industry on hacktivists aligned with Ukrainian interests. Detected between June and September 2025, this activity overlaps with Hive0117, Operation CargoTalon, and Rainbow Hyena (also known as Fairy Trickster, Head Mare, and PhantomCore).
Some of these efforts were also found to redirect users to phishing login pages hosted on InterPlanetary File System (IPFS) and Vercel aimed at stealing credentials associated with Microsoft Outlook and Russian aerospace company Bureau 1440.
“Campaigns observed from June to September 2025 […] It is aimed at compromising entities actively collaborating with the Russian military during the current conflict with Ukraine, and is primarily assessed by sanctions imposed by Western countries,” Intrinsec said.
