Phantom Stealer (Operation MoneyMount-ISO)

Targeted Sectors

·         Finance and accounting organizations

·         Treasury and payments teams

·         Procurement, legal, and HR/payroll departments

·         Executive assistants

·         Small and medium-sized enterprises using Russian-language workflows

Countries

Primarily Russia: the lures are Russian-language bank-transfer confirmations aimed at Russian-speaking finance staff, although the stealer itself is a general information stealer and is not specific to the region.

BLUF

A spear-phishing campaign using malicious ISO images to deploy the Phantom Stealer malware, which exfiltrates credentials, crypto wallet info, and keylogs.

Date of First Reported Activity

December 14, 2025

Date of Last Reported Activity Update

December 15, 2025

APT Names

·         This activity does not appear to be associated with an APT group

Associated Criminal Organization Names

·         Unknown at this time

IOCs

Delivery Mechanism

Malicious .zip archive containing a .iso image.

Exfiltration Channels

·         Telegram bots

·         Discord webhooks

·         FTP servers

·         HTTPS (TCP/443), the transport that carries the Telegram bot API and Discord webhook traffic above

File Names

·         Подтверждение банковского перевода.zip ("Bank transfer confirmation.zip"), the initial malicious ZIP archive attached to the email

·         Подтверждение банковского перевода.iso ("Bank transfer confirmation.iso"), the ISO image inside the ZIP

·         HvNC.exe (or a similar name), the executable inside the ISO

·         CreativeAI.dll, the DLL the executable loads (see Host-Based Indicators)

Network Indicators

No static IP addresses or attacker-owned domains have been published in public reports; the malware exfiltrates over legitimate third-party services, so network detection has to key on destinations and behaviour rather than on a blocklist:

·         Communication Endpoints: Outbound connections to the Telegram bot API (api.telegram.org), Discord webhooks (discord.com/api/webhooks/...), or external FTP servers from finance and accounting workstations that have no business need for them.

·         Anomalous Traffic: Monitor for unusual outbound network traffic or unexpected DNS requests, particularly to known malicious domains or infrastructure not typically accessed by the organization.
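The endpoints above are all legitimate services, so a blocklist cannot separate exfiltration from normal use; what distinguishes it is which host talks to them, which API method it calls, and whether the same host touches more than one channel. The following is an added example, not code from the Seqrite report or from the malware, that runs that logic over constructed proxy and firewall log lines (the hostnames, bot ID, webhook ID and tokens are made up). It pulls out the Telegram bot ID and Discord webhook ID, which are the values to block or report to the provider, and redacts the tokens so the finding can be shared.

```python
import re
from typing import Dict, List, Optional

# Constructed sample proxy/firewall log lines (not from the report). Three lines
# reproduce the channels named on this page; the fourth is benign traffic.
SAMPLE_LOG_LINES = [
    "2025-12-14T09:12:01Z ws-fin-07 CONNECT api.telegram.org:443 "
    "POST /bot123456789:AAHexampleBotTokenxyz/sendDocument 200 48213",
    "2025-12-14T09:12:03Z ws-fin-07 CONNECT discord.com:443 "
    "POST /api/webhooks/1234567890123456789/Qw3rtyWebhookTokenExample 204 1024",
    "2025-12-14T09:12:05Z ws-fin-07 TCP 203.0.113.10:21 STOR wallets_ws-fin-07.zip",
    "2025-12-14T09:13:00Z ws-hr-02 CONNECT www.microsoft.com:443 GET /en-us/ 200 5120",
]

# Telegram Bot API URL shape: https://api.telegram.org/bot<bot_id>:<token>/<method>
TELEGRAM_BOT_RE = re.compile(
    r"api\.telegram\.org(?::\d+)?\s+\S+\s+/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")
# Discord webhook URL shape: https://discord.com/api/webhooks/<webhook_id>/<token>
DISCORD_WEBHOOK_RE = re.compile(
    r"discord(?:app)?\.com(?::\d+)?\s+\S+\s+/api/webhooks/(\d+)/([A-Za-z0-9_-]+)")
# FTP upload: control channel on tcp/21 issuing STOR <remote name>
FTP_STOR_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):21\s+STOR\s+(\S+)")

# Bot API methods that move data out of the host; a bot that only polls is less interesting.
TELEGRAM_EXFIL_METHODS = {"sendDocument", "sendMessage", "sendPhoto"}


def redact(secret: str, keep: int = 4) -> str:
    """Keep only a short prefix so a finding can be shared without leaking a live token."""
    return secret[:keep] + "..."


def classify_line(line: str) -> Optional[Dict]:
    """Return a finding for one log line, or None if it matches no exfil channel."""
    fields = line.split()
    host = fields[1] if len(fields) > 1 else "?"
    m = TELEGRAM_BOT_RE.search(line)
    if m:
        return {"host": host, "channel": "telegram_bot", "bot_id": m.group(1),
                "token": redact(m.group(2)), "method": m.group(3),
                "exfil": m.group(3) in TELEGRAM_EXFIL_METHODS,
                "block": f"api.telegram.org/bot{m.group(1)}:*"}
    m = DISCORD_WEBHOOK_RE.search(line)
    if m:
        return {"host": host, "channel": "discord_webhook", "webhook_id": m.group(1),
                "token": redact(m.group(2)), "exfil": True,
                "block": f"discord.com/api/webhooks/{m.group(1)}/"}
    m = FTP_STOR_RE.search(line)
    if m:
        return {"host": host, "channel": "ftp", "server": m.group(1),
                "remote_name": m.group(2), "exfil": True, "block": f"{m.group(1)}:21"}
    return None


def scan_log(lines: List[str]) -> List[Dict]:
    """Run every line through classify_line and keep the hits."""
    return [f for f in (classify_line(line) for line in lines) if f]


def hosts_to_isolate(findings: List[Dict]) -> List[str]:
    """Hosts seen on two or more distinct exfil channels are isolated first:
    the stealer tries every configured channel, a legitimate user rarely does."""
    channels: Dict[str, set] = {}
    for f in findings:
        if f["exfil"]:
            channels.setdefault(f["host"], set()).add(f["channel"])
    return sorted(h for h, chans in channels.items() if len(chans) >= 2)


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG_LINES):
        print(finding)
    print("isolate:", hosts_to_isolate(SAMPLE_LOG_LINES and scan_log(SAMPLE_LOG_LINES)))
```

The URL paths are only visible when the proxy performs TLS inspection; without it the log carries just the SNI (api.telegram.org, discord.com), so the host-level and multi-channel logic still applies but the bot and webhook IDs cannot be recovered from the network side.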

Host-Based Indicators

·         Process Activity: Suspicious processes running on endpoints, especially HvNC.exe or the loading of an unusual DLL file (e.g., CreativeAI.dll) in memory.

·         File Modifications: Presence of temporary or hidden files associated with the malware's execution and data staging before exfiltration.

·         System Behavior: Keylogging activity or unauthorized changes to system configurations or the registry.

·         Email Content: Phishing emails with specific Russian language lures about "Bank transfer confirmation" and containing ZIP attachments with ISO files inside.

Tools Used in Campaign

·         Phantom Stealer malware

·         Living off the land binaries (LOLBINs) for execution

TTPs

·         TA0001: Initial Access

·         T1566.001: Phishing: Spearphishing Attachment

·         TA0002: Execution

·         T1204.002: User Execution: Malicious File

·         TA0005: Defense Evasion

·         T1553.005: Subvert Trust Controls: Mark-of-the-Web Bypass (ISO container)

·         T1574.002: Hijack Execution Flow: DLL Side-Loading (the original entry cited T1559.002, which is Dynamic Data Exchange; DLL side-loading is T1574.002)

·         TA0006: Credential Access / TA0009: Collection

·         T1555.003: Credentials from Password Stores: Credentials from Web Browsers

·         T1056.001: Input Capture: Keylogging

·         TA0010: Exfiltration

·         T1567: Exfiltration Over Web Service (Telegram bot API, Discord webhooks)

·         T1048.003: Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol (FTP)

Malware Names

·         Phantom Stealer

Malware Sample

Initial malicious ZIP archive

Filename: Подтверждение банковского перевода.zip ("Bank transfer confirmation.zip")

·         SHA-256: 4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599

URL to sample

·         hxxps://www.virustotal.com/gui/file/4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599

Malicious ISO file contained within the ZIP

Filename: Подтверждение банковского перевода.iso

·         SHA-256: 60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9

URL to sample

·         hxxps://www.virustotal.com/gui/file/60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9

The executable file inside the ISO image that deploys the stealer

Filename: HvNC.exe (or a similar name)

·         SHA-256: 78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77

URL to sample

·         hxxps://www.virustotal.com/gui/file/78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77

CVEs and CVSS Vectors

·         None reported

o   The attack leverages social engineering and file-format abuse rather than a software vulnerability. Windows mounts a double-clicked ISO as a virtual drive, and files inside a mounted image historically did not inherit the Mark-of-the-Web carried by the downloaded ZIP, so SmartScreen and similar controls did not fire on the executable. Newer Windows builds propagate MotW into mounted ISO contents, so whether the bypass works depends on the endpoint's patch level.

Suggested Rules / potential hunts

These are indicator-based rules and are likely to be noisy: Telegram, Discord and FTP all have legitimate users, and the file names are trivially changed.

Normalising endpoint and network telemetry into a data model first (so that process, image-load and network fields carry consistent names across sources) will give better results than the raw-sourcetype searches below.

Suggested Suricata Rules

The exfiltration channels are reached over TLS and FTP, so the rules match on the TLS SNI, the DNS query and the FTP command rather than on plaintext content (which is not visible on 443), and the direction is outbound from $HOME_NET. The original single rule was not valid Suricata syntax (dst_port and || are not rule keywords) and had the direction reversed.

alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Possible stealer exfiltration - Telegram Bot API SNI"; flow:established,to_server; tls.sni; content:"api.telegram.org"; nocase; classtype:trojan-activity; sid:1000001; rev:2;)

alert tls $HOME_NET any -> $EXTERNAL_NET 443 (msg:"LOCAL Possible stealer exfiltration - Discord SNI from workstation"; flow:established,to_server; tls.sni; content:"discord.com"; nocase; endswith; classtype:trojan-activity; sid:1000002; rev:2;)

alert dns $HOME_NET any -> any any (msg:"LOCAL Possible stealer exfiltration - DNS query for Telegram Bot API"; dns.query; content:"api.telegram.org"; nocase; classtype:trojan-activity; sid:1000003; rev:1;)

alert ftp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"LOCAL Possible stealer exfiltration - FTP STOR to external server"; flow:established,to_server; content:"STOR "; startswith; classtype:trojan-activity; sid:1000004; rev:1;)

Suppress or threshold these for hosts and segments with an approved business use of Telegram, Discord or FTP; on a finance workstation any of them is worth a look.

Suggested SentinelOne Rules

Behavioral (STAR) rules that chain the stages of this campaign: an ISO image being mounted, a process starting from the mounted volume, that process loading an unsigned DLL from the same directory (DLL side-loading), and subsequent reads of browser credential stores (e.g., Chromium "Login Data") and cryptocurrency wallet files.

Suggested Splunk Hunts

Hunt for the published hashes (the SHA-256 values in the Malware Sample section). In Sysmon data the hash sits inside the Hashes field of Event ID 1 (process create) and Event ID 7 (image load), so match on it as a wildcard:

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" (EventCode=1 OR EventCode=7) (Hashes="*4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599*" OR Hashes="*60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9*" OR Hashes="*78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77*")

Hunt for ISO mounts. A double-clicked ISO is mounted by Explorer with no PowerShell involved; the mount is recorded in the Microsoft-Windows-VHDMP/Operational channel together with the image path. Scripted mounts use Mount-DiskImage (the original hunt looked for New-PSDrive, which does not mount images):

index=* sourcetype="WinEventLog:Microsoft-Windows-VHDMP/Operational" "*.iso"

index=* sourcetype="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104 ScriptBlockText="*Mount-DiskImage*"

Monitor for the side-loading host and the final payload. The page names HvNC.exe and CreativeAI.dll; the original hunt also lists ctfmon.exe as a side-loading host, and since the legitimate ctfmon.exe lives under C:\Windows, a copy running from anywhere else (such as a mounted ISO drive letter) is suspect:

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 (Image="*\\HvNC.exe" OR Image="*\\phantomstealer.exe" OR (Image="*\\ctfmon.exe" NOT Image="C:\\Windows\\*"))

index=* sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=7 ImageLoaded="*\\CreativeAI.dll"
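The hash hunts above only fire on the exact samples; a renamed or re-packed attachment would pass. The next block is an added example, not code from the Seqrite report, showing how a mail gateway or triage script can inspect a ZIP-wrapped ISO attachment structurally: verify the ISO 9660 volume descriptor, carve any PE files out of the image by walking sector boundaries (ISO 9660 stores file data 2048-byte aligned, so this catches executables without trusting the directory tree), tell EXE from DLL via the COFF characteristics, and compare every hash against the IOCs published on this page. The sample ZIP and ISO are constructed in the block to mimic the lure's layout and are not the campaign's files.

```python
import hashlib
import io
import struct
import zipfile
from typing import Dict, List

SECTOR = 2048                      # ISO 9660 logical sector size
PVD_OFFSET = 16 * SECTOR           # primary volume descriptor lives in sector 16
ISO_MAGIC = b"CD001"               # standard identifier at PVD byte 1
IMAGE_FILE_DLL = 0x2000            # COFF Characteristics flag for DLLs

# SHA-256 values published on this page for the three stages of the chain.
KNOWN_BAD_SHA256 = {
    "4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599": "ZIP: Подтверждение банковского перевода.zip",
    "60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9": "ISO: Подтверждение банковского перевода.iso",
    "78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77": "EXE: HvNC.exe",
}


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_iso9660(image: bytes) -> bool:
    """True if the blob carries an ISO 9660 primary volume descriptor."""
    return image[PVD_OFFSET + 1:PVD_OFFSET + 6] == ISO_MAGIC


def carve_pe_from_iso(image: bytes) -> List[Dict]:
    """Find PE files inside an ISO image without parsing its directory tree.
    File data is sector-aligned, so check each 2048-byte boundary for an MZ stub
    whose e_lfanew points at a valid 'PE\\0\\0' signature, then read the COFF
    header to tell the EXE from the side-loaded DLL."""
    hits = []
    for off in range(0, len(image) - 0x40, SECTOR):
        if image[off:off + 2] != b"MZ":
            continue
        e_lfanew = struct.unpack_from("<I", image, off + 0x3C)[0]
        pe = off + e_lfanew
        if e_lfanew < 0x40 or pe + 24 > len(image) or image[pe:pe + 4] != b"PE\0\0":
            continue
        machine = struct.unpack_from("<H", image, pe + 4)[0]          # 0x14c x86, 0x8664 x64
        characteristics = struct.unpack_from("<H", image, pe + 22)[0]
        hits.append({"sector": off // SECTOR, "machine": machine,
                     "is_dll": bool(characteristics & IMAGE_FILE_DLL)})
    return hits


def triage_zip(zip_bytes: bytes) -> Dict:
    """Hash the ZIP, extract nested ISO images, validate and carve them, and
    flag the attachment if any hash is a known IOC or the ISO carries a PE file."""
    report = {"zip_sha256": sha256(zip_bytes), "isos": [], "ioc_matches": []}
    if report["zip_sha256"] in KNOWN_BAD_SHA256:
        report["ioc_matches"].append(KNOWN_BAD_SHA256[report["zip_sha256"]])
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.filename.lower().endswith(".iso"):
                continue
            image = zf.read(info)
            digest = sha256(image)
            if digest in KNOWN_BAD_SHA256:
                report["ioc_matches"].append(KNOWN_BAD_SHA256[digest])
            valid = is_iso9660(image)
            report["isos"].append({"name": info.filename, "sha256": digest,
                                   "valid_iso9660": valid,
                                   "pe_files": carve_pe_from_iso(image) if valid else []})
    report["suspicious"] = bool(report["ioc_matches"]) or any(
        iso["pe_files"] for iso in report["isos"])
    return report


# ---- constructed sample, not the campaign's files --------------------------
def _fake_pe(is_dll: bool, machine: int = 0x8664) -> bytes:
    """Minimal MZ/PE header stub: enough for carve_pe_from_iso to recognise."""
    stub = bytearray(0x100)
    stub[0:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x80)                    # e_lfanew
    stub[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", stub, 0x84, machine)
    struct.pack_into("<H", stub, 0x80 + 22, 0x2022 if is_dll else 0x0022)
    return bytes(stub)


def build_sample_zip() -> bytes:
    """ZIP holding a minimal ISO laid out like the lure: a primary volume
    descriptor, an EXE at sector 18 and a DLL at sector 19 (assumed layout)."""
    image = bytearray(20 * SECTOR)
    image[PVD_OFFSET:PVD_OFFSET + 7] = b"\x01CD001\x01"          # type, magic, version
    image[18 * SECTOR:18 * SECTOR + 0x100] = _fake_pe(is_dll=False)   # stands in for HvNC.exe
    image[19 * SECTOR:19 * SECTOR + 0x100] = _fake_pe(is_dll=True)    # stands in for CreativeAI.dll
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Подтверждение банковского перевода.iso", bytes(image))
    return buf.getvalue()


if __name__ == "__main__":
    import json
    print(json.dumps(triage_zip(build_sample_zip()), ensure_ascii=False, indent=2))
```

A ZIP that contains an ISO, and an ISO that contains a PE file, is already a strong signal for a finance mailbox regardless of hashes; the carve step is what makes the check survive a rebuilt sample, and it deliberately ignores the ISO directory so a renamed or attribute-hidden file still shows up.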

Delivery Method

Spear-phishing emails containing a malicious ZIP file with an embedded ISO image that, when mounted and executed, drops the malware payload.

Email Samples

Subject Line (Russian)

Подтверждение банковского перевода

Subject Line (English Translation)

"Confirmation of Bank Transfer"

Sender

The emails came from compromised or spoofed domains (e.g., achepeleva@iskra-svarka[.]ru on behalf of agrariy@agroterminal[.]c), often impersonating a legitimate financial/trading company such as "TorFX Currency Broker" in the footer.

Recipient Address

The emails were addressed generically (e.g., "Sir" in the English translation, or generally to departmental mailboxes) to target finance and accounting staff.

Attachment

A ZIP archive was attached, typically named Подтверждение банковского перевода.zip ("Bank transfer confirmation.zip").

Example Email Body (Translated from Russian)

While the exact full body text of the email is not explicitly detailed line-for-line in public reports, the content was brief, formal, and aimed at creating urgency. The message content was generally as follows:

[Salutation (e.g., "Sir," or a generic formal greeting)],

We are sending this file to you for review.

Please find attached the confirmation of a recent bank transfer. Review the attached document for details.

[Optional closing/signature block impersonating a real employee or finance entity, e.g., "Anton Vladimirovich Demyanenko" or "TorFX Currency Broker"]

References

Malware News

·         hxxps://malware.news/t/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/102540

Threat Radar

·         hxxps://radar.offseq.com/threat/operation-moneymount-iso-deploying-phantom-stealer-3ba40aea

Seqrite

·         hxxps://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/

VirusTotal

·         hxxps://www.virustotal.com/gui/file/4b16604768565571f692d3fa84bda41ad8e244f95fbe6ab37b62291c5f9b3599

·         hxxps://www.virustotal.com/gui/file/60994115258335b1e380002c7efcbb47682f644cb6a41585a1737b136e7544f9

·         hxxps://www.virustotal.com/gui/file/78826700c53185405a0a3897848ca8474920804a01172f987a18bd3ef9a4fc77
