Security researchers have uncovered a new phishing-driven malware campaign that weaponizes ISO files to deliver the Phantom information-stealing malware to Windows systems, bypassing common email and endpoint defenses.
The operation, dubbed Operation MoneyMount-ISO, relies on financial social engineering to trick users into executing malicious payloads that quietly siphon credentials, payment data, and sensitive system information.
The attack can lead to “… credential theft, invoice/payment fraud, unauthorized transfers, and lateral movement to IT systems,” said Seqrite researchers.
Finance Teams in the Crosshairs
The campaign primarily targets finance, accounting, treasury, and payment departments, with secondary targeting observed across procurement, legal, HR/payroll teams, executive assistants, and Russian-speaking small and medium-sized enterprises.
Because these roles routinely process invoices and payment confirmations, they are especially vulnerable to financial-themed phishing lures that appear operationally legitimate.
According to Seqrite’s research, the campaign is actively delivering Phantom Stealer through compromised domains using Russian-language phishing emails impersonating trusted financial entities.
Phantom Stealer Infection Chain
The infection begins with a phishing email titled “Подтверждение банковского перевода” (Confirmation of Bank Transfer) that includes a ZIP file attachment.
Inside the ZIP archive is a malicious ISO file disguised as a bank transfer confirmation document. When opened, the ISO file automatically mounts as a virtual CD drive on Windows systems, exposing an executable that appears benign to the victim.
Once executed, the file initiates a multi-stage, memory-resident attack sequence. Additional payloads are loaded directly into memory, including an encrypted DLL named CreativeAI.dll.
This DLL decrypts itself at runtime and injects the final Phantom Stealer malware into the system, reducing its on-disk footprint and limiting detection opportunities.
The malware incorporates anti-analysis techniques designed to detect virtual machines, debugging tools, and security software. If analysis is detected, Phantom Stealer may terminate execution or self-delete, complicating incident response and forensic investigations.
How Attackers Use ISO Files to Evade Detection
Abusing ISO files allows attackers to exploit a gap in many email security and endpoint protection strategies. ISO images are often treated as low-risk archival files and benefit from Windows’ built-in auto-mounting functionality.
This enables attackers to deliver executables without relying on macros or overtly suspicious file types, increasing the likelihood of successful execution in real-world environments.
Once active, Phantom Stealer demonstrates extensive data theft capabilities. The malware harvests credentials, browser-stored passwords, credit card information, and cryptocurrency wallet data from both browser extensions and desktop applications.
It also extracts Discord authentication tokens, validates them through Discord’s API, and collects associated account metadata.
Additional features include a continuous clipboard monitor that captures copied content every second, a global keystroke logger using low-level Windows hooks, and targeted file collection based on predefined attacker criteria.
Stolen data is compressed into ZIP archives containing system metadata and public IP information.
Essential Controls for Email-Borne Threats
Organizations should adopt a layered approach that combines prevention, detection, and containment across email, endpoint, identity, and network security.
- Harden email security to inspect, sandbox, or block containerized attachments such as ISO and ZIP files.
- Restrict execution from mounted or removable media by disabling automatic ISO mounting and enforcing application control and attack surface reduction rules.
- Deploy EDR with behavioral, memory, and process-chain analysis to detect in-memory payloads, credential theft, and abnormal scripting activity.
- Monitor and control outbound network traffic by blocking newly registered domains, limiting access to nonessential services, and inspecting suspicious encrypted connections.
- Reduce blast radius through least-privilege access, network segmentation, device compliance checks, and phishing-resistant multi-factor authentication.
- Strengthen preparedness with targeted user awareness training, finance-specific phishing simulations, and tested incident response plans.
When applied together, these controls help organizations reduce blast radius and build cyber resilience.
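As an added example, not code from the article or from Seqrite, the following Python helper shows how a mail gateway or triage script can apply the first control above to the infection chain described earlier: it opens a ZIP attachment in memory and flags nested disk images both by extension and by the ISO 9660 "CD001" signature, so an image renamed to a harmless-looking name is still caught. The sample archive and its file names are constructed for the demonstration.

```python
import io
import zipfile

# ISO 9660: the primary volume descriptor sits at sector 16 (2048-byte
# sectors); byte 0x8000 is the descriptor type and "CD001" follows it.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
# Container/disk-image extensions that email filters commonly miss.
CONTAINER_EXTS = (".iso", ".img", ".vhd", ".vhdx", ".udf")


def is_iso9660(data: bytes) -> bool:
    """Signature check that does not trust the filename extension."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def triage_zip_attachment(zip_bytes: bytes) -> list[str]:
    """Return findings for a ZIP attachment: nested disk images detected
    by extension, plus ISO 9660 images hiding under an unrelated name."""
    findings = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    with zf:
        for info in zf.infolist():
            name = info.filename
            has_container_ext = name.lower().endswith(CONTAINER_EXTS)
            if has_container_ext:
                findings.append(f"disk-image extension: {name}")
            # Read only enough bytes for the signature, never the whole member.
            with zf.open(info) as fh:
                head = fh.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            if is_iso9660(head) and not has_container_ext:
                findings.append(f"ISO 9660 magic under misleading name: {name}")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: a fake ISO with a document-like name,
    the same image renamed to .dat, and a benign text file."""
    fake_iso = bytearray(0x8000 + 2048)
    fake_iso[0x8000:0x8006] = b"\x01CD001"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign text")
        zf.writestr("Подтверждение_перевода.pdf.iso", bytes(fake_iso))
        zf.writestr("renamed_image.dat", bytes(fake_iso))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_zip_attachment(build_sample_zip()):
        print(finding)
```

Running the script reports the .pdf.iso member by extension and the .dat member by signature, while the text file produces no finding.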
The Rise of Living-Off-the-Land Techniques
Operation MoneyMount-ISO reflects a broader shift in threat actor behavior toward abusing trusted file formats and living-off-the-land techniques to evade traditional security controls.
By leveraging ISO containers and native operating system functionality, attackers reduce reliance on obvious malware, blend into legitimate user activity, and bypass perimeter defenses that are optimized for known malicious file types.
This evolution underscores the need for detection strategies that focus on behavior and execution context rather than file reputation alone.
As attackers evade perimeter defenses by blending into legitimate activity, organizations must replace implicit trust with zero-trust models that assume compromise and continuously verify users, devices, and behavior.
