Phishing campaign targets Russian organizations with Phantom Stealer

Cybersecurity researchers have uncovered an active phishing campaign targeting a broad range of sectors in Russia, using malicious email attachments to deliver the Phantom Stealer malware. The operation, dubbed ‘Operation MoneyMount-ISO’ by Seqrite Labs, mainly targets finance and accounting organizations, with procurement, legal, and payroll departments also affected.

The campaign uses fake payment confirmation emails that impersonate legitimate financial communications. Victims are prompted to review a supposed bank transfer by opening a ZIP attachment, which in reality contains a malicious ISO file. The ISO then executes Phantom Stealer via an embedded DLL file.

Phantom Stealer is capable of harvesting sensitive data from cryptocurrency wallets, browsers, and desktop applications, including passwords, cookies, credit card details, Discord tokens, and files. The malware also logs keystrokes, monitors clipboard activity, and performs checks to evade sandbox or virtualized environments. Stolen data is exfiltrated through Telegram bots, Discord webhooks, or FTP servers controlled by the attackers.

Seqrite Labs also reported related phishing activity targeting Russian human resources and payroll teams, delivering a previously undocumented implant called DUPERUNNER, which deploys the open-source AdaptixC2 framework. The campaign, known as DupeHike and attributed to the threat cluster UNG0902, uses deceptive ZIP and LNK files to download malware via PowerShell, inject it into legitimate Windows processes, and display decoy documents.
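Both lures described above hide an executable container behind a benign-looking attachment: a ZIP carrying an ISO image, or a ZIP carrying an LNK shortcut. As an added defensive example (not code from Seqrite's report or from the campaigns), the following mail-gateway triage check classifies every member of a ZIP attachment by its content magic rather than its attacker-chosen file name; the sample ZIP it inspects is constructed inline.

```python
import io
import zipfile

# ISO 9660 primary volume descriptor: the string "CD001" sits at byte offset 0x8001
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
# Windows shell link (.lnk): HeaderSize 0x4C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian layout
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

def classify_member(data: bytes) -> str:
    """Classify a ZIP member's leading bytes as 'iso', 'lnk' or 'other'."""
    if data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC:
        return "iso"
    if data.startswith(LNK_MAGIC):
        return "lnk"
    return "other"

def triage_zip_attachment(zip_bytes: bytes) -> list:
    """Return (member name, kind) for every nested ISO or LNK found in the ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                # Reading up to the ISO magic offset is enough to test both signatures
                head = fh.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            kind = classify_member(head)
            if kind != "other":
                findings.append((info.filename, kind))
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample ZIP (hypothetical names): a minimal fake ISO, a LNK header, a harmless PDF."""
    fake_iso = bytearray(ISO_MAGIC_OFFSET + 16)
    fake_iso[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Payment_confirmation.pdf.iso", bytes(fake_iso))
        zf.writestr("Payment_confirmation.lnk", LNK_MAGIC + b"\x00" * 40)
        zf.writestr("invoice.pdf", b"%PDF-1.4 constructed sample")
    return buf.getvalue()

if __name__ == "__main__":
    print(triage_zip_attachment(build_sample_zip()))
```

A gateway policy that quarantines any attachment for which this returns a non-empty list blocks both lure shapes regardless of the displayed extension.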

Earlier this year, French cybersecurity company Intrinsec reported that Russia’s aerospace sector was targeted by hacktivists aligned with Ukrainian interests. The activity overlaps with known intrusion sets such as Hive0117, Operation CargoTalon, and Rainbow Hyena, and included phishing campaigns using IPFS- and Vercel-hosted pages to steal Microsoft Outlook and Bureau 1440 credentials. The campaigns focused on organizations cooperating with the Russian military amid the Ukraine war and Western sanctions.

