Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector

The Hacker News by The Hacker News
December 15, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Dec 15, 2025Ravie LakshmananMalware / Cybercrime

Cybersecurity researchers have disclosed details of an active phishing campaign that’s targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images.

The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, payroll verticals emerging as secondary targets.

“This campaign employs a fake payment confirmation lure to deliver the Phantom information-stealing malware through a multi-stage attachment chain,” the cybersecurity company said.

Cybersecurity

The infection chain begins with a phishing email that masquerades as legitimate financial communications, urging recipients to confirm a recent bank transfer. Attached to the email is a ZIP archive that claims to contain additional details, but, instead, contains an ISO file that, when launched, mounts on the system as a virtual CD drive.

The ISO image (“Подтверждение банковского перевода.iso” or “Bank transfer confirmation.iso”) serves as an executable that’s designed to launch Phantom Stealer by means of an embedded DLL (“CreativeAI.dll”).

Phantom Stealer is capable of extracting data from cryptocurrency wallet browser extensions installed in Chromium-based browsers and desktop wallet apps, as well as grab files, Discord authentication tokens, and browser-related passwords, cookies, and credit card details.

It also monitors clipboard content, logs keystrokes, and runs a series of checks to detect virtualized, sandboxed, or analysis environments, and if so, aborts its execution. Data exfiltration is achieved via a Telegram bot or to an attacker-controlled Discord webhook. On top of that, the stealer enables file transfer to an FTP server.

In recent months, Russian organizations, mainly human resources and payroll departments, have also been targeted by phishing emails that employ lures related to bonuses or internal financial policies to deploy a previously undocumented implant named DUPERUNNER that loads AdaptixC2, an open-source command-and-control (C2) framework.

Dubbed DupeHike, the campaign has been attributed to a threat cluster named UNG0902.

“The ZIP has been used as a preliminary source of spear-phishing-based infection containing decoys with PDF and LNK extension, which downloads the implant DUPERUNNER, which finally executes the Adaptix C2 Beacon,” Seqrite said.

The LNK file (“Документ_1_О_размере_годовой_премии.pdf.lnk” or “Document_1_On_the_amount_of_the_annual_bonus.pdf.lnk”), in turn, proceeds to download DUPERUNNER from an external server using “powershell.exe.” The primary responsibility of the implant is to retrieve and display a decoy PDF and launch AdaptixC2 by injecting it into a legitimate Windows process like “explorer.exe,” “notepad.exe,” and “msedge.exe.”

Other phishing campaigns have taken aim at finance, legal, and aerospace sectors in Russia to distribute Cobalt Strike and malicious tools like Formbook, DarkWatchman, and PhantomRemote that are capable of data theft and hands-on keyboard control. The email servers of compromised Russian companies are used to send the spear-phishing messages.

Cybersecurity

French cybersecurity company Intrinsec has attributed the intrusion set targeting the Russian aerospace industry to hacktivists aligned with Ukrainian interests. The activity, detected between June and September 2025, shares overlaps with Hive0117, Operation CargoTalon, and Rainbow Hyena (aka Fairy Trickster, Head Mare, and PhantomCore).

Some of these efforts have also been found to redirect users to phishing login pages hosted on the InterPlanetary File System (IPFS) and Vercel, designed to steal credentials associated with Microsoft Outlook and Bureau 1440, a Russian aerospace company.

“The campaigns observed between June and September 2025 […] aimed at compromising entities actively cooperating with Russia’s army amidst the current conflict with Ukraine, largely assessed by the Western sanctions imposed on them,” Intrinsec said.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
Best performance and fastest memory with the new Amazon EC2 R8i and R8i-flex instances

Best performance and fastest memory with the new Amazon EC2 R8i and R8i-flex instances

Recommended.

SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients

SentinelOne Uncovers Chinese Espionage Campaign Targeting Its Infrastructure and Clients

April 29, 2025
Top AI Code Generation Tools of 2025 Revealed in Info-Tech Research Group’s Emotional Footprint Report

Top AI Code Generation Tools of 2025 Revealed in Info-Tech Research Group’s Emotional Footprint Report

September 4, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio