Abuse of ISO Mounting to Deliver Phantom Stealer Malware on Windows Platforms

Seqrite Labs researchers have identified an active phishing campaign originating from Russia that delivers the Phantom information-stealing malware through deceptive payment confirmation emails.

The operation, named Operation MoneyMount-ISO, is aimed primarily at finance, accounting, and treasury divisions across Russian-speaking organizations, with secondary targeting of procurement, HR/payroll, and legal departments.

The social engineering component relies on emails crafted in formal Russian business language to appear credible to financial staff.

The message, titled “Подтверждение банковского перевода” (Confirmation of Bank Transfer), impersonates the financial services brand TorFX Currency Broker to mislead recipients.

The email originates from the spoofed address achepeleva@iskra-svarka[.]ru and is sent on behalf of agrariy@agroterminal[.]c, both unrelated to the impersonated company.

It includes a malicious ZIP archive named “Подтверждение банковского перевода.zip” that contains an ISO image file posing as a legitimate payment document.

When the victim opens the ISO file, it mounts automatically as a virtual drive and displays an executable file disguised as a payment confirmation.

Launching this executable begins the malware infection chain that ultimately delivers Phantom Stealer to the compromised system.

Researchers observed that this technique enables attackers to bypass many email security systems that do not perform a deep inspection of ISO-formatted file systems.
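The gap described above is that many gateways stop at the ZIP and never look at the file system inside a nested ISO. The following is an added example, not Seqrite's tooling or anything from the campaign, of what that deeper inspection looks like: it opens a ZIP attachment in memory, detects ISO 9660 members by their `CD001` volume descriptor, walks the image's root directory, and flags entries with executable extensions or an `MZ` (PE) header regardless of extension. The lure archive it runs on is constructed inline with a hand-built minimal ISO; the file names, `PAYMENT.EXE` and `README.TXT`, and the "block"/"allow" verdicts are assumptions for the demonstration.

```python
"""Gateway-style check for executables hidden inside ISO images nested in ZIP attachments.

Added example built from the public ISO 9660 layout; the sample archive below is constructed
and is not the real lure from the campaign.
"""
import io
import struct
import zipfile

SECTOR = 2048
EXEC_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".lnk", ".dll"}


def _dir_record(name: bytes, extent: int, size: int, is_dir: bool) -> bytes:
    """Build one ISO 9660 directory record (used only to construct the sample image)."""
    body = (bytes([0])                                        # extended attribute length
            + struct.pack("<I", extent) + struct.pack(">I", extent)   # extent LBA, both-endian
            + struct.pack("<I", size) + struct.pack(">I", size)       # data length, both-endian
            + bytes(7)                                        # recording date (zeroed)
            + bytes([0x02 if is_dir else 0x00, 0, 0])         # flags, unit size, gap size
            + struct.pack("<H", 1) + struct.pack(">H", 1)     # volume sequence number
            + bytes([len(name)]) + name)
    if len(body) % 2 == 0:            # record length (body + length byte) must be even
        body += b"\x00"
    return bytes([len(body) + 1]) + body


def build_sample_iso(files: dict) -> bytes:
    """Constructed minimal single-directory ISO 9660 image: PVD at sector 16, root dir at 18."""
    root_lba, data_lba = 18, 19
    records = [_dir_record(b"\x00", root_lba, SECTOR, True),   # "."
               _dir_record(b"\x01", root_lba, SECTOR, True)]   # ".."
    data = b""
    for name, content in files.items():
        extent = data_lba + len(data) // SECTOR
        records.append(_dir_record(name.encode("ascii") + b";1", extent, len(content), False))
        data += content.ljust(-(-len(content) // SECTOR) * SECTOR, b"\x00")
    root_dir = b"".join(records).ljust(SECTOR, b"\x00")
    pvd = (b"\x01CD001\x01" + bytes(156 - 7) + _dir_record(b"\x00", root_lba, SECTOR, True)).ljust(SECTOR, b"\x00")
    terminator = b"\xffCD001\x01".ljust(SECTOR, b"\x00")
    return bytes(16 * SECTOR) + pvd + terminator + root_dir + data


def list_iso_files(iso: bytes) -> list:
    """Walk the root directory of an ISO 9660 image and describe each file it contains."""
    pvd = iso[16 * SECTOR:17 * SECTOR]
    if pvd[1:6] != b"CD001":
        raise ValueError("not an ISO 9660 image")
    root = pvd[156:190]                                   # root directory record inside the PVD
    extent = struct.unpack_from("<I", root, 2)[0]
    size = struct.unpack_from("<I", root, 10)[0]
    directory = iso[extent * SECTOR:extent * SECTOR + size]
    entries, pos = [], 0
    while pos < len(directory):
        length = directory[pos]
        if length == 0:                                   # zero padding up to the next sector
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        rec = directory[pos:pos + length]
        flags, name_len = rec[25], rec[32]
        name = rec[33:33 + name_len].decode("ascii", "replace").split(";")[0]
        if name not in ("\x00", "\x01") and not flags & 0x02:   # skip ".", ".." and subdirs
            f_extent = struct.unpack_from("<I", rec, 2)[0]
            f_size = struct.unpack_from("<I", rec, 10)[0]
            head = iso[f_extent * SECTOR:f_extent * SECTOR + min(f_size, 2)]
            ext = "." + name.lower().rsplit(".", 1)[-1] if "." in name else ""
            entries.append({"name": name,
                            "exec_extension": ext in EXEC_EXT,
                            "pe_header": head == b"MZ"})   # catches renamed executables too
        pos += length
    return entries


def inspect_zip_attachment(zip_bytes: bytes) -> list:
    """Open a ZIP attachment in memory, find nested ISO images and report what they carry."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for member in zf.infolist():
            if member.is_dir():
                continue
            data = zf.read(member.filename)
            if len(data) < 17 * SECTOR or data[16 * SECTOR + 1:16 * SECTOR + 6] != b"CD001":
                continue                                  # not an ISO; other checks apply
            for entry in list_iso_files(data):
                entry["iso"] = member.filename
                entry["verdict"] = "block" if entry["exec_extension"] or entry["pe_header"] else "allow"
                findings.append(entry)
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mimicking the lure shape: a ZIP wrapping an ISO that holds an EXE."""
    fake_exe = b"MZ" + b"\x00" * 126                      # only the PE signature matters here
    iso = build_sample_iso({"PAYMENT.EXE": fake_exe, "README.TXT": b"payment confirmation\r\n"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Подтверждение банковского перевода.iso", iso)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(finding)
```

Only the root directory is walked, which is enough for the single-file lure layout described here; a production filter would recurse into subdirectories, handle Joliet and Rock Ridge name extensions, and treat a ZIP it cannot fully open as suspicious rather than clean.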

The campaign’s infrastructure and spoofed domains indicate a financially motivated cluster focused on credential theft, cryptocurrency wallet compromise, and unauthorized fund transfers within enterprise financial workflows.

Technical Analysis and Exfiltration Capabilities

Seqrite’s analysis revealed that the ISO-mounted executable loads an encrypted DLL file named CreativeAI.dll, which decrypts the Phantom Stealer payload and injects it directly into memory.

The malware incorporates extensive anti-analysis mechanisms, including virtual machine detection, sandbox evasion, and self-destruction procedures triggered when a monitoring environment is detected.

Once active, Phantom Stealer executes several modules designed to extract sensitive data from infected systems.

The malware collects saved credentials, browser cookies, and credit card details from Chromium-based browsers, retrieves authentication tokens from Discord applications, and harvests both browser-based and desktop cryptocurrency wallets.

It further monitors clipboard activity and records keystrokes, logging captured information in timestamped text files.

Figure: Infection chain

All stolen data is packaged into ZIP archives and transmitted to attacker-controlled destinations through Telegram bot APIs, Discord webhooks, and FTP servers.
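The three exfiltration channels named above all leave a footprint in egress logs, and the Telegram Bot API and Discord webhook paths in particular have a fixed shape (`/bot<token>/<method>` on api.telegram.org, `/api/webhooks/<id>/` on discord.com). As an added example, not part of the report, the following scans constructed proxy log lines for those shapes plus plain FTP egress, then correlates by source host, since a single Telegram or Discord request is common legitimate traffic while one workstation touching several of these channels in quick succession is not. The log format, IP addresses and bot token are constructed.

```python
"""Flag hosts whose egress matches the Telegram/Discord/FTP exfiltration channels in the report.

Added example with constructed log data; it is not a Seqrite detection signature.
"""
import re

# Constructed proxy log lines in a simple key=value layout (not real traffic).
SAMPLE_LOG = """\
2025-01-15T10:02:11Z src=10.20.30.41 host=api.telegram.org path=/bot123456:ABCDEF-ghijkl/sendDocument
2025-01-15T10:02:15Z src=10.20.30.41 host=discord.com path=/api/webhooks/1122334455/abcdEFGH
2025-01-15T10:03:02Z src=10.20.30.42 host=www.microsoft.com path=/en-us/
2025-01-15T10:04:40Z src=10.20.30.41 host=files.example.invalid path=/upload proto=ftp
2025-01-15T10:05:10Z src=10.20.30.43 host=discord.com path=/api/v9/users/@me
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) ")

# Request shapes of the exfiltration channels the report names; a plain Discord API call
# (last log line) does not match the webhook pattern and is left alone.
CHANNELS = {
    "telegram_bot_api": re.compile(r"host=api\.telegram\.org .*path=/bot\d+:[A-Za-z0-9_-]+/send(Document|Message)"),
    "discord_webhook": re.compile(r"host=discord(app)?\.com .*path=/api/webhooks/\d+/"),
    "ftp_upload": re.compile(r"\bproto=ftp\b"),
}


def find_exfil_candidates(log_text: str) -> list:
    """Return one hit per (line, channel) match, tagged with timestamp and source host."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        for channel, pattern in CHANNELS.items():
            if pattern.search(line):
                hits.append({"ts": m["ts"], "src": m["src"], "channel": channel})
    return hits


def hosts_using_multiple_channels(hits: list, threshold: int = 2) -> list:
    """Sources that used at least `threshold` distinct channels; correlation cuts single-hit noise."""
    channels_by_src = {}
    for hit in hits:
        channels_by_src.setdefault(hit["src"], set()).add(hit["channel"])
    return sorted(src for src, chans in channels_by_src.items() if len(chans) >= threshold)


if __name__ == "__main__":
    hits = find_exfil_candidates(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print("escalate:", hosts_using_multiple_channels(hits))
```

In practice the same patterns are easier to apply at the proxy or SIEM as a saved search, and the FTP clause should be scoped to hosts that have no business use for FTP; the correlation step is what keeps a finance workstation's legitimate Telegram use from paging anyone.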

Seqrite designated the malware as Trojan_Phantom_Y10018 and confirmed associations with MITRE ATT&CK techniques, including Phishing Attachment (T1566.001), DLL Injection (T1055.001), and Exfiltration over Web Services (T1567.002).

The findings highlight a growing trend of ISO file abuse as a delivery vector for credential-theft malware.

Seqrite recommends enhanced attachment filtering, memory-behavior monitoring, and specific controls on finance-associated email accounts to mitigate such threats effectively.


The post Abuse of ISO Mounting to Deliver Phantom Stealer Malware on Windows Platforms appeared first on Cyber Security News.