Researchers say attackers are using ISO attachments to deploy credential-stealing malware through email.
According to The Hacker News, security researchers have reported an active phishing campaign delivering Phantom Stealer malware through emails that carry malicious ISO files disguised as payment confirmations. The activity, tracked as Operation MoneyMount ISO, has primarily targeted finance and accounting organizations in Russia, with procurement, payroll, and legal teams also affected. Victims receive messages requesting confirmation of a bank transfer, with a ZIP attachment that contains an ISO image; the image mounts as a virtual drive and launches the malware.
Once mounted, the ISO executes a dynamic link library that installs Phantom Stealer. The malware collects browser credentials, cookies, saved payment details, cryptocurrency wallet data, Discord tokens, and local files. It also captures keystrokes, monitors clipboard activity, and checks for virtual or sandboxed environments before running. Exfiltration is handled through Telegram bots, Discord webhooks, and FTP servers. Researchers also linked related phishing activity to a separate campaign, tracked as DupeHike, which used bonus and payroll-themed lures to deploy a previously undocumented implant called DUPERUNNER that ultimately loaded the Adaptix command and control framework into trusted Windows processes.
Researchers say the campaign relies on layered delivery techniques to bypass basic email security controls, including the use of ISO images and shortcut files that appear to be documents. Analysts noted that attackers are abusing compromised corporate mail servers to distribute phishing messages, which increases their credibility among recipients. Separate reporting linked similar activity targeting aerospace and industrial entities in Russia to hacktivist-aligned groups, with infrastructure overlaps across multiple intrusion clusters. Researchers warned that the continued use of familiar financial themes and internal policy lures increases the likelihood of user interaction.
According to GBHackers, Phantom Stealer poses a serious risk because of “the combination of automated data harvesting, multi-channel exfiltration, and advanced evasion,” which makes it “a formidable threat to individual and enterprise users.” The report warns that these capabilities allow the malware to quietly collect information and move it out through multiple channels while avoiding detection.
Security guidance cited in the report stresses the need to “deploy reputable endpoint protection solutions,” “maintain current operating system patches,” and practice strong cyber hygiene, including “verification of downloaded software authenticity.” Users are also advised to “remain vigilant when downloading files from unfamiliar sources” and to “consider utilizing sandbox environments for suspicious executables prior to execution on production systems.”
ISO images can contain executable content while appearing as archive or document files, and they often bypass attachment scanning controls.
Phantom Stealer targets browser-stored credentials, cookies, payment data, cryptocurrency wallets, authentication tokens, and locally stored files.
Finance, accounting, procurement, payroll, and legal teams routinely handle invoices, payments, and internal financial documents, which makes payment-themed emails appear credible.
The campaign's malware checks for virtual environments, uses trusted system processes, and relies on user execution rather than exploiting software flaws.
Organizations can block ISO attachments, restrict shortcut execution, apply least privilege access, and reinforce training around payment-related email lures.
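As an added illustration of the first of those controls (example code written for this summary, not from any of the cited reports or from the attackers' tooling), the check below opens a ZIP attachment and flags nested ISO 9660 images by their volume-descriptor signature rather than by file name, so a renamed image is still caught, and separately flags shortcut and executable member names. The sample archive, its file names, and the extension list are constructed for the demonstration.

```python
import io
import zipfile

# ISO 9660 layout: byte 0x8000 is the descriptor type (1 = primary volume
# descriptor) and bytes 0x8001-0x8005 hold the identifier "CD001".
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
# Constructed list of member extensions worth flagging in a mail attachment.
SUSPICIOUS_EXTENSIONS = (".iso", ".img", ".lnk", ".dll", ".exe")


def is_iso9660(data: bytes) -> bool:
    """True if the leading bytes carry the ISO 9660 volume descriptor signature."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def inspect_zip_attachment(blob: bytes) -> list[str]:
    """Return one finding per flagged ZIP member; an empty list means nothing flagged."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                # Read only as much as the ISO signature check needs.
                with zf.open(info) as member:
                    head = member.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
                if is_iso9660(head):
                    findings.append(f"{info.filename}: ISO 9660 image (mounts as a virtual drive)")
                elif info.filename.lower().endswith(SUSPICIOUS_EXTENSIONS):
                    findings.append(f"{info.filename}: risky extension")
    except zipfile.BadZipFile:
        findings.append("attachment is not a valid ZIP archive")
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a minimal fake ISO under a bland name,
    a shortcut posing as a document, and one harmless text file."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + 16)
    fake_iso[ISO_MAGIC_OFFSET - 1] = 1          # primary volume descriptor type
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("payment_confirmation.dat", bytes(fake_iso))  # renamed ISO
        zf.writestr("Invoice.pdf.lnk", b"not a real shortcut")    # shortcut as document
        zf.writestr("notes.txt", b"plain text, nothing to flag")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in inspect_zip_attachment(build_sample_zip()):
        print(finding)
```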