The Ghost in the Machine: Operation MoneyMount-ISO Uses Fake Payment Lures to Unleash Phantom Stealer
While monitoring digital threat activity, researchers at Seqrite Labs uncovered a new targeted campaign dubbed Operation MoneyMount-ISO. The attack is designed to exfiltrate sensitive information through a multi-stage delivery chain that deploys the Phantom Stealer malware via ISO images masquerading as payment confirmations.
The campaign begins with a mass email distribution purporting to contain details of a completed bank transfer. The messages are written in formal, business-like language and include a ZIP archive labeled “Bank Transfer Confirmation.” Inside the archive is an ISO file which, when mounted as a virtual disk, presents an executable. Launching this file triggers the infection.
Primary targets include employees in finance, accounting, and payments teams, as well as staff in legal, human resources, and procurement departments. The emails are not personalized, underscoring the campaign’s broad, indiscriminate nature. The use of formal language lends the messages a veneer of legitimacy, particularly for recipients accustomed to handling payment-related documentation.
Technical analysis reveals that the ISO file contains an executable component that initiates the download of an additional library embedded with encrypted malicious code. Once decrypted, this code deploys the core payload—Phantom Stealer. The malware incorporates robust anti-analysis defenses: it checks its environment for virtual machines, debuggers, and analysis tools, and if any signs of inspection are detected, it terminates execution and deletes itself.
Phantom Stealer harvests an extensive array of data. It extracts information from browser-based cryptocurrency wallet extensions and desktop wallet applications, steals saved passwords, cookies, and payment card details, captures Discord tokens, monitors the clipboard, and logs keystrokes. All collected data is organized, stored, and compressed into an archive, augmented with system metadata such as the IP address, username, and antivirus protection status.
Exfiltration to the attackers is carried out through three distinct channels: a Telegram bot, Discord webhooks, and an FTP server. Communication relies on asynchronous methods and hard-coded connection parameters, ensuring reliable delivery of stolen information to external endpoints.
Operation MoneyMount-ISO highlights the growing sophistication of modern malware and its deliberate efforts to evade traditional defenses. Leveraging ISO files as the initial infection vector enables attackers to bypass many email security filters. Given the campaign’s focus on financial and payment infrastructure, organizations must implement controls to block such attachments, monitor in-memory process behavior, and strengthen email security to mitigate the risk.
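As an added example (not Seqrite's code and not part of the original report), the following Python check shows how a mail gateway could flag the ZIP-wrapped ISO lure described above: it identifies ZIP members by the ISO 9660 magic at byte 0x8001 rather than by file extension, so a renamed image is still caught, and it builds a constructed sample attachment inline.

```python
"""Added example: flag mail attachments that carry an ISO inside a ZIP.

Constructed check, not Seqrite's code. It inspects ZIP members by the
ISO 9660 magic ("CD001" at byte offset 0x8001) rather than by extension,
so a renamed .iso is still caught. The sample attachment is built inline.
"""
import io
import zipfile

ISO_MAGIC_OFFSET = 0x8001  # sector 16: byte 0x8000 is the descriptor type, then "CD001"
ISO_MAGIC = b"CD001"
SECTOR = 2048


def is_iso_image(data: bytes) -> bool:
    """True if data carries the ISO 9660 primary volume descriptor magic."""
    return data[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] == ISO_MAGIC


def find_iso_in_zip(zip_bytes: bytes) -> list[str]:
    """Return names of ZIP members whose content looks like an ISO image."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as member:
                # Reading up to the end of the magic is enough; no need to inflate the whole member.
                head = member.read(ISO_MAGIC_OFFSET + len(ISO_MAGIC))
            if is_iso_image(head):
                hits.append(info.filename)
    return hits


def build_sample_attachment() -> bytes:
    """Constructed sample: a ZIP holding a minimal ISO-like blob renamed to .pdf
    plus a harmless text file, mimicking a 'Bank Transfer Confirmation' lure."""
    iso_blob = bytearray(SECTOR * 17)
    iso_blob[0x8000] = 1  # descriptor type 1 = primary volume descriptor
    iso_blob[ISO_MAGIC_OFFSET:ISO_MAGIC_OFFSET + len(ISO_MAGIC)] = ISO_MAGIC
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Bank Transfer Confirmation.pdf", bytes(iso_blob))
        zf.writestr("readme.txt", "Please find the transfer details attached.")
    return buf.getvalue()


if __name__ == "__main__":
    print(find_iso_in_zip(build_sample_attachment()))  # → ['Bank Transfer Confirmation.pdf']
```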