
Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector

Medium
Phishing
Published: Mon Dec 15 2025 (12/15/2025, 09:24:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of an active phishing campaign that's targeting a wide range of sectors in Russia with phishing emails that deliver Phantom Stealer via malicious ISO optical disc images. The activity, codenamed Operation MoneyMount-ISO by Seqrite Labs, has primarily singled out finance and accounting entities, with those in the procurement, legal, payroll

AI-Powered Analysis

Last updated: 12/16/2025, 07:15:12 UTC

Technical Analysis

Operation MoneyMount-ISO is an active phishing campaign primarily targeting Russian finance, accounting, procurement, legal, and payroll sectors. It uses phishing emails that impersonate legitimate financial communications, urging recipients to confirm bank transfers. The emails contain ZIP archives with ISO files named to mimic bank transfer confirmations. When mounted, these ISO files act as virtual CD drives and execute embedded DLLs (notably CreativeAI.dll) that launch Phantom Stealer malware. Phantom Stealer is a sophisticated information stealer capable of extracting data from Chromium-based browser cryptocurrency wallet extensions, desktop wallet applications, browser passwords, cookies, credit card details, Discord authentication tokens, and clipboard content. It also logs keystrokes and performs environment checks to avoid execution in virtualized or sandboxed environments. Data exfiltration is conducted via Telegram bots, Discord webhooks, and FTP servers controlled by attackers. Parallel campaigns deploy implants like DUPERUNNER, which loads the AdaptixC2 command-and-control framework, using decoy PDFs and LNK files to download and execute payloads via PowerShell. Additional malware such as Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote have been observed targeting Russian aerospace, finance, and legal sectors. These campaigns often leverage compromised Russian company email servers for spear-phishing distribution. Attribution links some attacks to Ukrainian-aligned hacktivists targeting entities cooperating with Russia’s military amidst ongoing geopolitical conflict and sanctions. The campaigns also use advanced phishing infrastructure including IPFS and Vercel-hosted credential phishing pages. Overall, the threat actors employ multi-stage infection chains, social engineering, and advanced evasion techniques to compromise high-value targets and exfiltrate sensitive financial and operational data.

Potential Impact

For European organizations, especially those with business or operational ties to Russian entities or sectors under geopolitical scrutiny, this campaign poses significant risks. The theft of cryptocurrency wallets, browser credentials, and sensitive financial data could lead to financial losses, fraud, and unauthorized access to corporate systems. The use of ISO files as infection vectors complicates detection and user awareness, increasing the likelihood of successful compromise. Exfiltrated data could facilitate further attacks, espionage, or sabotage. Organizations in finance, legal, procurement, payroll, and aerospace sectors are at heightened risk due to the campaign’s targeting profile. The use of legitimate email servers for spear-phishing increases the chance of bypassing email security filters. Additionally, the geopolitical context involving Ukrainian-aligned hacktivists targeting Russian aerospace and military-related entities suggests potential spillover or targeting of European aerospace and defense contractors engaged with Russian partners. The campaign’s multi-stage infection and use of advanced C2 frameworks enable persistent access and lateral movement, potentially impacting confidentiality, integrity, and availability of critical systems.

Mitigation Recommendations

European organizations should implement multi-layered defenses tailored to combat ISO-based phishing attacks. Specifically, email gateways must be configured to detect and block ISO attachments or quarantine emails containing such files, especially those originating from external or suspicious sources. User awareness training should emphasize the risks of opening ISO files and recognizing phishing lures related to financial transactions. Endpoint detection and response (EDR) solutions should be tuned to detect mounting of virtual drives from ISO files and monitor for execution of suspicious DLLs like CreativeAI.dll. Network monitoring should include detection of unusual outbound connections to Telegram bots, Discord webhooks, and FTP servers. Implement application whitelisting to prevent unauthorized execution of PowerShell scripts and LNK files from email attachments. Employ sandboxing solutions capable of analyzing ISO contents and multi-stage payloads. Regularly audit and secure email servers to prevent their compromise and misuse in spear-phishing campaigns. For organizations in aerospace and defense sectors, enhanced threat intelligence sharing and monitoring for indicators of compromise related to DUPERUNNER, AdaptixC2, and associated malware families is critical. Finally, enforce strict access controls and multi-factor authentication to limit damage from stolen credentials and tokens.
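The first recommendation above, blocking or quarantining ISO attachments at the email gateway, is easy to state but has an obvious gap: in this campaign the ISO is nested inside a ZIP, and an extension check alone misses an image that has been renamed. The following is an added example written for this page, not code from Seqrite Labs, The Hacker News or any gateway product. It inspects a mail attachment for disc images attached directly or nested one level inside a ZIP, checking both the file extension and the ISO 9660 volume-descriptor signature (`CD001` at byte offset 0x8001). The function names, the `Finding` record and the sample ZIP (built in memory with a lure-style member name) are all assumptions constructed for the example; no real campaign artifact is used.

```python
import io
import zipfile
from dataclasses import dataclass

# File types that Windows mounts as a virtual drive on double-click, which is
# the delivery trick described in the analysis above.
DISC_IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")

# ISO 9660 volume descriptors start at sector 16 (offset 0x8000); the
# identifier "CD001" sits one byte into the descriptor.
ISO9660_MAGIC = b"CD001"
ISO9660_MAGIC_OFFSET = 0x8001


@dataclass(frozen=True)
class Finding:
    attachment: str   # name of the top-level mail attachment
    member: str       # the attachment itself, or the archive member that triggered
    reason: str


def looks_like_iso9660(head: bytes) -> bool:
    """True if the bytes carry the ISO 9660 identifier at the expected offset."""
    end = ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC)
    return head[ISO9660_MAGIC_OFFSET:end] == ISO9660_MAGIC


def inspect_attachment(filename: str, data: bytes) -> list[Finding]:
    """Flag disc images attached directly or nested one level inside a ZIP."""
    findings: list[Finding] = []
    if filename.lower().endswith(DISC_IMAGE_EXTS) or looks_like_iso9660(data):
        findings.append(Finding(filename, filename, "disc image attached directly"))
        return findings

    if not zipfile.is_zipfile(io.BytesIO(data)):
        return findings

    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if info.filename.lower().endswith(DISC_IMAGE_EXTS):
                findings.append(Finding(filename, info.filename,
                                        "disc image inside archive (extension)"))
                continue
            # An image with a renamed extension evades the check above, so look
            # at the content signature too; read only as far as the identifier.
            with zf.open(info) as fh:
                head = fh.read(ISO9660_MAGIC_OFFSET + len(ISO9660_MAGIC))
            if looks_like_iso9660(head):
                findings.append(Finding(filename, info.filename,
                                        "disc image inside archive (ISO 9660 signature)"))
    return findings


def should_quarantine(attachments: dict[str, bytes]) -> bool:
    """Gateway decision: any disc-image finding quarantines the whole message."""
    return any(inspect_attachment(name, data) for name, data in attachments.items())


# --- constructed sample data (assumption for this example, not real artifacts) ---
def _fake_iso() -> bytes:
    """Byte string carrying only the ISO 9660 primary volume descriptor
    identifier at the right offset; it is not a mountable image."""
    descriptor = b"\x01" + ISO9660_MAGIC + b"\x01\x00"
    return b"\x00" * 0x8000 + descriptor.ljust(2048, b"\x00")


def _build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("bank_transfer_confirmation.iso", _fake_iso())  # lure-style name, constructed
        zf.writestr("details.dat", _fake_iso())                     # same image, renamed extension
        zf.writestr("invoice.pdf", b"%PDF-1.4\n%%EOF\n")            # benign member
    return buf.getvalue()


SAMPLE_ZIP = _build_sample_zip()

if __name__ == "__main__":
    for f in inspect_attachment("transfer.zip", SAMPLE_ZIP):
        print(f"{f.attachment} -> {f.member}: {f.reason}")
    print("quarantine:", should_quarantine({"transfer.zip": SAMPLE_ZIP, "report.pdf": b"%PDF-1.4"}))
```

Run against the constructed ZIP, the check reports both the `.iso` member and the renamed `details.dat`, while the PDF member and a plain PDF attachment pass. In a real gateway the same logic would run over every decoded MIME part, and the two reason strings map naturally onto separate detection rules so that the signature-based hit, which indicates an evasion attempt, can be weighted higher than a plain extension match.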


Technical Details

Article Source: https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html (fetched 2025-12-16T07:13:08.907Z, 1161 words)

Threat ID: 6941068815f8de78ec7fc220

Added to database: 12/16/2025, 7:13:12 AM

Last enriched: 12/16/2025, 7:15:12 AM

Last updated: 12/16/2025, 9:43:58 PM

Views: 8

Community Reviews

0 reviews

