{
  "name": "Operation MoneyMount, ISO Deploying Phantom Stealer",
  "slug": "operation-moneymount-iso-deploying-phantom-stealer",
  "description": "A Russian phishing campaign targeting the finance and accounting sectors uses fake payment-confirmation emails to deliver the Phantom Stealer malware. The attack chain involves a ZIP archive containing an ISO image which, when mounted, reveals an executable that loads the stealer. The malware employs anti-analysis techniques and extracts cryptocurrency wallets, browser data, and Discord tokens. It also includes keylogging and clipboard-monitoring capabilities. The stolen data is exfiltrated via Telegram, Discord webhooks, or FTP. The operation showcases the increasing sophistication of commodity stealers and the strategic use of ISO files for initial access to evade security controls.",
  "published": "2025-12-12T07:45:04+00:00",
  "created_at": "2025-12-12T07:45:04+00:00",
  "modified_at": "2025-12-21T18:01:15+00:00",
  "created_at_opencti": "2025-12-12T07:45:04+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-12-12",
    "credential-theft",
    "exfiltration",
    "finance",
    "iso",
    "multi-stage attack",
    "phantom stealer",
    "phishing",
    "russia",
    "steganography"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599"
      },
      {
        "id": "",
        "name": "60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9"
      },
      {
        "id": "",
        "name": "27bc3c4eed4e70ff5a438815b1694f83150c36d351ae1095c2811c962591e1bf"
      },
      {
        "id": "",
        "name": "78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77"
      }
    ],
    "malware": [
      {
        "id": "legacy:malware:01ae7633e15fea3d",
        "name": "Phantom Stealer",
        "slug": "phantom-stealer"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Finance"
      }
    ]
  },
  "external_refs": [
    "https://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/",
    "https://otx.alienvault.com/pulse/693bd610390a13cd797a1df9"
  ]
}