A sophisticated new phishing campaign is targeting the heart of Russia’s financial infrastructure, disguising a potent information-stealing malware as a routine bank transfer confirmation. Dubbed Operation MoneyMount-ISO by researchers at Seqrite Labs, the campaign specifically zeros in on finance, accounting, and treasury departments, using high-quality social engineering to bypass perimeter defenses.
The attack begins with a carefully crafted email that appears to be a legitimate financial correspondence. The subject line, “Подтверждение банковского перевода” (Confirmation of Bank Transfer), is designed to trigger an immediate, routine response from finance professionals.
According to the report, “The attack initiates with a social engineering email masquerading as a legitimate financial correspondence, claiming to confirm a payment transaction”. The email purports to be from TorFX Currency Broker, a legitimate financial services company, but the sender address (achepeleva@iskra-svarka[.]ru) reveals the deception. The message urges the recipient to review an attached document for details, noting that “our director instructed us to transfer a certain amount to your bank account”.

To get past email security filters, the attackers use a nested delivery chain rather than attaching an executable outright. The email carries a ZIP archive, and inside it sits a malicious ISO image named “Подтверждение банковского перевода.iso” (Confirmation of Bank Transfer.iso). A gateway that does not unpack disk images sees only an archive containing an ISO, not the executable buried one layer further down.
ISO files are optical disc images, normally used to distribute software installers. Since Windows 8, double-clicking one mounts it as a virtual drive with no extra tooling, which is exactly what the lure relies on: “Executing the ISO caused it to auto-mount, revealing a mounted drive containing the executable displayed in the screenshot”. Historically, files inside a mounted image did not inherit the Mark of the Web from the downloaded container, so the SmartScreen prompt that would normally fire for a downloaded executable could be skipped; newer Windows builds propagate the mark into mounted images, but that depends on patch level and should not be relied on at the perimeter.
When the victim launches the executable from the mounted drive, it deploys Phantom Stealer. This is an information stealer, not a self-spreading virus: its job is to collect credentials, session tokens, wallet data and keystrokes from the host and hand them to the operator.
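The nesting described above is easy to reproduce on the defender's side. The Python below is an added example, not code from the Seqrite report or from the campaign: it builds a constructed ZIP-wrapped ISO in memory (the file names inside the image, PAYMENT.EXE and README.TXT, are hypothetical) and then does what a mail gateway should do with such an attachment: open every archive member, recognise an ISO 9660 image by its primary volume descriptor rather than by extension, walk the image's root directory and flag any file that starts with a PE header.

```python
import io
import struct
import zipfile

SECTOR = 2048        # ISO 9660 logical sector size
PVD_SECTOR = 16      # the primary volume descriptor is always in sector 16


def _both32(n):
    return struct.pack("<I", n) + struct.pack(">I", n)   # ISO stores LE and BE copies


def _both16(n):
    return struct.pack("<H", n) + struct.pack(">H", n)


def _dir_record(name, lba, size, is_dir):
    """Encode one directory record (ECMA-119 section 9.1); used by the test-image builder."""
    body = (b"\x00" + _both32(lba) + _both32(size) + bytes(7)             # ext-attr len, extent, length, date
            + (b"\x02" if is_dir else b"\x00") + b"\x00\x00" + _both16(1)  # flags, unit size, gap, vol seq
            + bytes([len(name)]) + name)
    rec = bytes([len(body) + 1]) + body
    return rec + b"\x00" if len(rec) % 2 else rec                         # records are even-length


def build_iso(volume_id, files):
    """Constructed test data: a minimal single-directory ISO 9660 image."""
    root_lba = PVD_SECTOR + 2                                             # 16 = PVD, 17 = terminator
    root = _dir_record(b"\x00", root_lba, SECTOR, True) + _dir_record(b"\x01", root_lba, SECTOR, True)
    blobs, lba = [], root_lba + 1
    for name, content in files.items():
        nsect = max(1, -(-len(content) // SECTOR))
        root += _dir_record(name.encode("ascii"), lba, len(content), False)
        blobs.append(content.ljust(nsect * SECTOR, b"\x00"))
        lba += nsect
    pvd, term = bytearray(SECTOR), bytearray(SECTOR)
    pvd[0], pvd[1:6], pvd[6] = 1, b"CD001", 1                             # type 1 = primary descriptor
    pvd[40:72] = volume_id.encode("ascii").ljust(32)[:32]
    pvd[156:190] = _dir_record(b"\x00", root_lba, SECTOR, True)
    term[0], term[1:6], term[6] = 255, b"CD001", 1                        # descriptor set terminator
    return bytes(PVD_SECTOR * SECTOR) + bytes(pvd) + bytes(term) + root.ljust(SECTOR, b"\x00") + b"".join(blobs)


def is_iso9660(blob):
    """Magic check: descriptor type 1 followed by 'CD001' at the start of sector 16."""
    off = PVD_SECTOR * SECTOR
    return len(blob) >= off + 6 and blob[off] == 1 and blob[off + 1:off + 6] == b"CD001"


def list_iso_root(blob):
    """Walk the root directory; flag files whose first two bytes are the PE 'MZ' stub."""
    base = PVD_SECTOR * SECTOR + 156                                      # root record inside the PVD
    root_lba = struct.unpack_from("<I", blob, base + 2)[0]
    root_len = struct.unpack_from("<I", blob, base + 10)[0]
    directory = blob[root_lba * SECTOR:root_lba * SECTOR + root_len]
    files, pos = [], 0
    while pos < len(directory) and directory[pos]:                        # a zero length byte ends the list
        rec = directory[pos:pos + directory[pos]]
        pos += len(rec)
        name = rec[33:33 + rec[32]]
        if name in (b"\x00", b"\x01") or rec[25] & 0x02:                  # skip '.', '..' and subdirectories
            continue
        lba, size = struct.unpack_from("<I", rec, 2)[0], struct.unpack_from("<I", rec, 10)[0]
        data = blob[lba * SECTOR:lba * SECTOR + size]
        files.append({"name": name.decode("ascii", "replace").split(";")[0],
                      "size": size, "is_pe": data[:2] == b"MZ"})
    return files


def triage_zip(zip_bytes):
    """Read every ZIP member in memory and enumerate the contents of any ISO found inside."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            member = zf.read(info)
            if is_iso9660(member):
                findings.append({"member": info.filename, "files": list_iso_root(member)})
    return findings


def make_sample_zip():
    """Constructed lure modelled on the report: a ZIP wrapping an ISO. File names inside are hypothetical."""
    iso = build_iso("TRANSFER", {"PAYMENT.EXE;1": b"MZ" + bytes(98),      # stand-in for the stealer binary
                                 "README.TXT;1": b"decoy text"})
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Подтверждение банковского перевода.iso", iso)
        zf.writestr("cover_letter.txt", "Please review the attached confirmation.")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in triage_zip(make_sample_zip()):
        print("nested ISO image:", hit["member"])
        for f in hit["files"]:
            print("  %s: %s (%d bytes)" % ("PE executable" if f["is_pe"] else "file", f["name"], f["size"]))
```

Checking the descriptor at sector 16 rather than the .iso extension matters because the same trick works with .img attachments and renamed files. The parser covers only the root directory of a plain ISO 9660 image; a production scanner would also need Joliet and UDF handling, subdirectory recursion, and the same treatment for VHD/VHDX containers, which Windows mounts just as readily.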
Technical analysis reveals that Phantom Stealer is equipped with aggressive data-harvesting modules:
- Crypto-Wallet Theft: The malware targets both browser extensions and desktop wallets. It “defines known install locations… and registry keys for many wallet apps,” attempting to copy wallet data for theft.
- Discord & Telegram Hijacking: It scans the Discord and Telegram application directories for session tokens and validates what it finds by querying the platforms' APIs for the associated account information, confirming which tokens are still live.
- Browser Data: It extracts saved passwords, cookies and payment-card details from Chromium-based browsers by reading their SQLite profile databases (Login Data, Cookies and Web Data). The stored values are encrypted at rest, but the key is protected with the user's own Windows credentials, so a stealer running inside the victim's session can normally unwrap it.
- Keylogging: Most dangerously, it installs a global keyboard hook (on Windows this is typically done with SetWindowsHookEx and WH_KEYBOARD_LL) to capture every keystroke, writing the captured text to a timestamped log file once a word-count threshold is reached.
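To see why browser-stored credentials fall so easily, it helps to look at the storage layout Phantom Stealer is parsing. The Python below is an added example, not code from the report or from the malware: it builds a constructed, minimal Chromium profile (a "Local State" JSON and a "Login Data" SQLite file with only the columns used here) and audits how each saved password is protected. It goes a step beyond the article by also reading the wrapped master keys from "Local State". The "v10"/"v20" value prefixes, the 12-byte GCM nonce and the "DPAPI"/"APPB" key-blob prefixes are what current Chromium writes on Windows and are stated here as assumptions, since they change between releases. No decryption is attempted, which keeps the example runnable off the victim host.

```python
import base64
import json
import os
import pathlib
import sqlite3
import tempfile

# Prefixes Chromium on Windows writes in front of encrypted column values (assumption: current layout).
SCHEMES = {
    b"v10": "AES-GCM, key wrapped by the user's DPAPI (any process running as the user can unwrap it)",
    b"v20": "AES-GCM, app-bound key released via the browser's elevation service (extra step for a stealer)",
}
LEGACY = "legacy-dpapi"   # raw CryptProtectData blob, the pre-v10 layout

# First 20 bytes of every DPAPI blob: version 1 followed by the provider GUID.
DPAPI_MAGIC = b"\x01\x00\x00\x00\xd0\x8c\x9d\xdf\x01\x15\xd1\x11\x8c\x7a\x00\xc0\x4f\xc2\x97\xeb"


def classify_value(blob):
    """Return (scheme, nonce, ciphertext_and_tag) for one encrypted value."""
    blob = bytes(blob or b"")
    if blob[:3] in SCHEMES:
        return blob[:3].decode(), blob[3:15], blob[15:]   # 12-byte GCM nonce, then ciphertext || 16-byte tag
    return LEGACY, b"", blob


def key_sources(local_state_path):
    """Report which master keys a profile's 'Local State' holds and how each is wrapped.
    Assumption: 'DPAPI' and 'APPB' are the prefixes Chromium puts on the two base64-encoded key blobs."""
    with open(local_state_path, encoding="utf-8") as f:
        oc = json.load(f).get("os_crypt", {})
    out = {}
    for field, marker in (("encrypted_key", b"DPAPI"), ("app_bound_encrypted_key", b"APPB")):
        if field in oc:
            raw = base64.b64decode(oc[field])
            wrapped = raw.startswith(marker)
            out[field] = {"wrapped_with": marker.decode() if wrapped else "unknown",
                          "blob_len": len(raw) - (len(marker) if wrapped else 0)}
    return out


def audit_login_data(db_path):
    """Summarise how every credential in a copy of 'Login Data' is protected.
    Chromium keeps the live file locked, so analysts and stealers alike work from a copy."""
    con = sqlite3.connect(pathlib.Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute("SELECT origin_url, username_value, password_value FROM logins").fetchall()
    finally:
        con.close()
    counts, entries = {}, []
    for origin, user, pw in rows:
        scheme, nonce, ct = classify_value(pw)
        counts[scheme] = counts.get(scheme, 0) + 1
        entries.append({"origin": origin, "user": user, "scheme": scheme,
                        "nonce_len": len(nonce), "ct_len": len(ct)})
    return {"counts": counts, "entries": entries}


def make_sample_profile():
    """Constructed sample profile with only the fields the audit touches; returns (local_state, login_data)."""
    d = tempfile.mkdtemp()
    state = {"os_crypt": {"encrypted_key": base64.b64encode(b"DPAPI" + bytes(64)).decode(),
                          "app_bound_encrypted_key": base64.b64encode(b"APPB" + bytes(96)).decode()}}
    state_path, db_path = os.path.join(d, "Local State"), os.path.join(d, "Login Data")
    with open(state_path, "w", encoding="utf-8") as f:
        json.dump(state, f)
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE logins (origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://bank.example/login", "treasury", b"v10" + bytes(12) + bytes(24) + bytes(16)),
        ("https://erp.example/", "accountant", b"v20" + bytes(12) + bytes(20) + bytes(16)),
        ("https://legacy.example/", "old-account", DPAPI_MAGIC + bytes(30)),
    ])
    con.commit()
    con.close()
    return state_path, db_path


if __name__ == "__main__":
    state_path, db_path = make_sample_profile()
    print(json.dumps(key_sources(state_path), indent=2))
    for e in audit_login_data(db_path)["entries"]:
        print("%-28s %-12s %s" % (e["origin"], e["user"], SCHEMES.get(e["scheme"].encode(), "raw DPAPI blob")))
```

The report this produces is the exposure picture an incident responder wants after a stealer infection: v10 and legacy values can be unwrapped by any process running in the user's session, which is exactly the stealer's position, while v20 values require the browser's elevation path and so raise the bar without removing it. Run it against a copy of the profile, never the live files.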
Phantom Stealer is also built to avoid being studied. It includes an AntiAnalysis class that acts as a “defensive gatekeeper,” running checks to determine whether it is being observed by security researchers: it compares the current username and machine name against values associated with sandboxes and looks for common analysis tools. If any check trips, it calls a “SelfDestruct” routine to delete itself and hide its tracks. Defenders can turn this against it: a detonation sandbox that matches those fingerprints will record nothing useful, so analysis environments should use realistic host and user names and keep obvious tooling out of the process list.
Seqrite Labs warns that this operation highlights a “strategic shift toward ISO-based initial access to evade perimeter controls,” posing a critical risk of credential theft and unauthorized financial transfers for targeted organizations. The practical countermeasures follow from the chain: block or quarantine ISO, IMG and VHD attachments at the mail gateway, including when they arrive inside archives; alert on executables launched from a freshly mounted virtual drive; and, on any host that ran the payload, treat browser-saved credentials, Discord and Telegram sessions and wallet data as compromised and rotate them.