👤 BYTEHERMIT
🗓️ 13 Dec 2025   🌍 Europe

Phantom Files: Russian Finance Pros Under Siege as Hackers Sneak Malware in Disguised ISO Attachments

A cunning phishing campaign exploits fake payment confirmations and ISO files to deliver Phantom Stealer malware into the heart of Russian organizations.

It starts with a seemingly routine email - an official-looking payment confirmation, written in perfect business Russian, lands in the inbox of a finance professional. But behind the formality lurks a digital trap: a ZIP file containing an ISO disk image, and within it, a sophisticated payload designed to plunder sensitive information. This is the new face of cybercrime sweeping across Russia’s financial sector, as uncovered by Seqrite Labs’ latest investigation.

Inside the Attack: Anatomy of a Phantom Heist

The campaign, dubbed “Operation MoneyMount-ISO,” is not your average phishing scam. The emails, sent from compromised or spoofed business domains, mimic payment confirmations from reputable brokers. The real trick lies in the delivery: a ZIP file (about 1 MB) conceals an ISO disk image - a format commonly used for software distribution, but here weaponized because many standard email security filters do not inspect the contents of a disk image the way they inspect an ordinary attachment.

When the unwitting recipient opens the ISO, their system mounts it as a virtual CD drive, exposing what appears to be a legitimate payment document. Instead, it’s an executable that quietly loads a DLL file (CreativeAI.dll), which decrypts and injects the final payload: Phantom Stealer.
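The delivery chain above (ZIP wrapping an ISO that carries an executable) can be triaged at the mail gateway without mounting anything. The following is an added example, not code from Seqrite Labs or from the article: it identifies ISO 9660 images inside a ZIP by their volume-descriptor signature rather than by filename, and carves for embedded PE headers. The sample ZIP it builds is constructed here for illustration and contains only an inert stub, not the real payload.

```python
import io
import struct
import zipfile

# ISO 9660 places the primary volume descriptor at sector 16 (byte 0x8000);
# its standard identifier "CD001" therefore sits at byte 0x8001.
ISO_MAGIC_OFFSET = 0x8001
ISO_MAGIC = b"CD001"
DISK_IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")


def is_iso9660(data: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor, whatever its filename."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + 5] == ISO_MAGIC


def carve_pe_offsets(data: bytes) -> list[int]:
    """Offsets of embedded PE files: an 'MZ' header whose e_lfanew points at 'PE\\0\\0'."""
    hits, pos = [], data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            if 0 < e_lfanew < 0x1000 and data[pos + e_lfanew:pos + e_lfanew + 4] == b"PE\x00\x00":
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_zip_attachment(zip_bytes: bytes) -> list[dict]:
    """One finding per ZIP member that is, or looks like, a disk image."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.file_size > 64 * 1024 * 1024:  # too big for inline triage; hand to a sandbox
                continue
            data = zf.read(info)
            by_ext = info.filename.lower().endswith(DISK_IMAGE_EXTS)
            by_magic = is_iso9660(data)
            if by_ext or by_magic:
                findings.append({"member": info.filename, "iso9660_magic": by_magic,
                                 "extension_mismatch": by_magic and not by_ext,  # renamed image
                                 "embedded_pe_count": len(carve_pe_offsets(data))})
    return findings


def build_sample(member_name: str = "Payment_Confirmation.iso") -> bytes:
    """Constructed test data: a ZIP holding a minimal fake ISO with one inert PE stub."""
    pe_stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
    iso = bytes(0x8000) + b"\x01" + ISO_MAGIC + b"\x01" + bytes(2041) + pe_stub  # one descriptor sector
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, iso)
    return buf.getvalue()
```

Because detection keys on the CD001 signature, a disk image renamed to a document extension is still flagged, with `extension_mismatch` set so the gateway can treat the disguise itself as a signal.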

Phantom Stealer is a notorious information thief. It scours the infected PC for browser credentials, cryptocurrency wallets, and sensitive files. To slip past antivirus solutions, the attackers employ steganography - hiding code within image files using obscure .NET objects. This level of obfuscation lets the malware slip under the radar, even in organizations with robust security tools.

Seqrite’s analysis points to a highly targeted operation: finance, accounting, and treasury departments are the primary marks, though legal, HR, procurement, and executive teams are also in the crosshairs. The choice of Russian-language lures and business spoofing signals a campaign tailored for maximum trust - and maximum damage.

Why This Matters: The Evolving Threat Landscape

This campaign is a stark reminder that cybercriminals are constantly refining their playbooks. By leveraging ISO files - an uncommon but increasingly popular malware delivery method - they’re sidestepping many email security gateways. The use of social engineering and advanced evasion techniques means even well-defended organizations are at risk.

Defending against such threats demands more than just technical barriers. User awareness, vigilant IT teams, and multi-layered defenses are essential to keep Phantom Stealer and its ilk at bay. In the escalating arms race between defenders and attackers, the only constant is change - and the stakes have never been higher for those handling sensitive financial data.


BYTEHERMIT
Air-Gap Reverse Engineer