Phantom Stealer delivered via ISO-based phishing chain
📧 Seqrite Labs has uncovered a Russian-origin phishing campaign, tracked as Operation MoneyMount-ISO, that delivers the Phantom information stealer through a multi-stage attachment chain. Attackers distribute a ZIP containing an ISO that auto-mounts and displays a disguised executable; running it triggers a loader that decrypts a malicious DLL and injects the stealer into memory while performing extensive anti-analysis checks. The campaign targets Russian-speaking finance, procurement and HR roles, harvesting passwords, cookies, crypto wallets, keystrokes and Discord tokens, then exfiltrating data via Telegram bots, Discord webhooks and FTP.
