Executive Summary
In late 2025, an active phishing campaign dubbed "Operation MoneyMount-ISO" began targeting the Russian financial sector and related industries, distributing phishing emails with malicious ISO disk image attachments. Once opened, the ISO files delivered the Phantom Stealer malware, which harvested and exfiltrated sensitive data from finance, accounting, procurement, legal, and payroll departments. The stealer operated covertly, hunting for credentials and financial information, and left victim organizations exposed to data loss and regulatory consequences.
This campaign illustrates two trends: phishing operations that use disk image formats for initial access, and the persistent targeting of high-value sectors with capable infostealer malware. Financial and critical infrastructure organizations face growing pressure to improve detection and segmentation as threat actors keep refining their social engineering.
Why This Matters Now
Disk image attachments are an increasingly common initial-access lure: ISO and similar formats are missing from many legacy attachment blocklists, mail filters that unpack archives may not look inside a disk image, and once a user mounts the image the executable inside runs like any local file. With financial data continuously at risk and regulatory scrutiny intensifying, organizations need stronger controls for email attachment inspection, lateral movement containment, and rapid infostealer detection to prevent major breaches.
Attack Path Analysis
The attack began with targeted phishing emails carrying malicious ISO images; opening the image and running the executable inside delivered Phantom Stealer to finance-sector victims and gave the attacker an initial foothold. The malware established persistence and attempted to escalate privileges to reach sensitive files and credentials. From that foothold the attacker likely moved laterally to discover and access additional network resources. Command-and-control channels were opened to remote infrastructure to deliver commands and exfiltration tooling. Phantom Stealer then exfiltrated the collected data, such as credentials and financial records, over encrypted or covert channels. Finally, the stolen data was monetized, and the business impact was realized through information theft and potential disruption.
Kill Chain Progression
Initial Compromise
Description
Phishing emails with malicious ISO attachments were sent to targeted users, leading to execution of Phantom Stealer malware upon opening the image and infecting endpoints.
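The practical check at this stage is whether an attachment is a disk image at all, decided on content rather than on the filename the sender chose. The Python below is an added example (not code from the page or from the reports it cites): it parses a constructed sample message, looks for the ISO 9660 / UDF volume descriptor identifiers that begin at offset 0x8000 of an image, and also looks one level inside ZIP attachments, since images are commonly wrapped to slip past extension filters. The sample email, its filenames, and the addresses (reserved .invalid domains) are constructed for the demonstration.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

SECTOR = 2048
VD_START = 16 * SECTOR            # volume descriptor area begins at sector 16 (offset 0x8000)
VD_SCAN_SECTORS = 16              # descriptors to inspect before giving up
# Standard identifiers at bytes 1..5 of a descriptor: ISO 9660 ("CD001") and the
# UDF volume recognition sequence ("BEA01", "NSR02"/"NSR03", "TEA01").
IMAGE_IDENTIFIERS = (b"CD001", b"BEA01", b"NSR02", b"NSR03", b"TEA01")
IMAGE_EXTENSIONS = (".iso", ".img", ".udf", ".vhd", ".vhdx")
MAX_INNER_BYTES = 64 * 1024 * 1024  # refuse to inflate larger archive members (zip-bomb guard)


def is_disk_image(data: bytes) -> bool:
    """True if the volume descriptor area carries an ISO 9660 or UDF identifier.
    Checked on content, so a renamed .pdf or .jpg is still recognised."""
    for i in range(VD_SCAN_SECTORS):
        off = VD_START + i * SECTOR
        ident = data[off + 1:off + 6]
        if len(ident) < 5:          # ran off the end: too small to be an image
            return False
        if ident in IMAGE_IDENTIFIERS:
            return True
    return False


def classify_blob(name: str, data: bytes) -> list:
    """Reasons a single blob should be flagged (empty list when it looks clean)."""
    by_ext = name.lower().endswith(IMAGE_EXTENSIONS)
    by_magic = is_disk_image(data)
    reasons = []
    if by_ext:
        reasons.append("disk-image extension")
    if by_magic:
        reasons.append("ISO9660/UDF volume descriptor found")
    if by_magic and not by_ext:
        reasons.append("extension does not match content")
    return reasons


def scan_attachment(name: str, data: bytes) -> list:
    """Classify one attachment and, if it is a ZIP, its members one level down."""
    reasons = classify_blob(name, data)
    findings = [{"name": name, "reasons": reasons}] if reasons else []
    if data.startswith(b"PK\x03\x04"):
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.is_dir() or info.file_size > MAX_INNER_BYTES:
                        continue
                    inner_reasons = classify_blob(info.filename, zf.read(info))
                    if inner_reasons:
                        findings.append({"name": f"{name}:{info.filename}", "reasons": inner_reasons})
        except zipfile.BadZipFile:
            findings.append({"name": name, "reasons": ["unreadable ZIP container"]})
    return findings


def scan_message(raw: bytes) -> list:
    """Parse a raw RFC 5322 message and return findings for every attachment."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings.extend(scan_attachment(name, part.get_payload(decode=True) or b""))
    return findings


def fake_iso() -> bytes:
    """Constructed stand-in for an ISO 9660 image: zeroed system area plus a primary
    volume descriptor header (type byte 1 followed by "CD001"). Not mountable."""
    body = bytearray(VD_START + SECTOR)
    body[VD_START] = 1
    body[VD_START + 1:VD_START + 6] = b"CD001"
    return bytes(body)


def build_sample_email() -> bytes:
    """Constructed message with three attachments: a benign PDF, an ISO renamed to
    .pdf, and an ISO wrapped in a ZIP. Addresses use the reserved .invalid TLD."""
    msg = EmailMessage()
    msg["From"] = "accounts@supplier.invalid"
    msg["To"] = "payroll@victim.invalid"
    msg["Subject"] = "Payment order (constructed sample)"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n", maintype="application",
                       subtype="pdf", filename="Contract.pdf")
    msg.add_attachment(fake_iso(), maintype="application",
                       subtype="pdf", filename="Invoice_2025-12.pdf")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("payment.iso", fake_iso())
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Documents.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for f in scan_message(build_sample_email()):
        print(f["name"], "->", "; ".join(f["reasons"]))
```

Run against the constructed message, the benign PDF is not reported, the ISO renamed to .pdf is reported for its volume descriptor and for the extension mismatch, and the ISO inside Documents.zip is reported under the path Documents.zip:payment.iso. The same functions can be pointed at a real .eml file by passing its bytes to scan_message(); the one-level archive limit and the MAX_INNER_BYTES guard are deliberate so the scanner cannot be made to inflate nested bombs.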
MITRE ATT&CK® Techniques
MITRE ATT&CK techniques selected for initial mapping; further enrichment with full STIX/TAXII is possible as more details emerge.
Phishing: Spearphishing Attachment (T1566.001)
User Execution: Malicious File (T1204.002)
Command and Scripting Interpreter (T1059)
Exfiltration Over Web Service: Exfiltration to Cloud Storage (T1567.002)
Obfuscated Files or Information (T1027)
Signed Binary Proxy Execution (T1218, now listed as System Binary Proxy Execution)
Data from Local System (T1005)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Protect Systems and Networks from Malicious Software
Control ID: 5.4.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – Protection and Prevention
Control ID: Article 9
CISA ZTMM 2.0 – Continuous Authentication Validation
Control ID: Identity - 1.3
NIS2 Directive – Incident Handling Procedures
Control ID: Article 21(2)(b)
GLBA – Safeguards Rule: Implement Information Security Program
Control ID: 16 CFR Part 314.4
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Primary target of Phantom Stealer campaign via ISO phishing emails, facing critical infostealer threats to financial data and customer information systems.
Accounting
Directly targeted by Operation MoneyMount-ISO phishing campaign, vulnerable to credential theft and sensitive financial document exfiltration through malicious ISO images.
Legal Services
Named as a target sector in the campaign against Russian organizations; at risk of confidential client data theft through Phantom Stealer deployment.
Logistics/Procurement
Explicitly mentioned target of ISO-based phishing attacks, facing supply chain disruption risks from credential compromise and operational data theft.
Sources
- Phantom Stealer Spread by ISO Phishing Emails Hitting Russian Finance Sector (The Hacker News): https://thehackernews.com/2025/12/phantom-stealer-spread-by-iso-phishing.html
- Operation MoneyMount-ISO — Deploying Phantom Stealer via ISO-Mounted Executables (Seqrite): https://www.seqrite.com/blog/operation-moneymount-iso-deploying-phantom-stealer-via-iso-mounted-executables/
- Russian Phishing Campaign Delivers Phantom Stealer Via ISO Files (Infosecurity Magazine): https://www.infosecurity-magazine.com/news/russian-phishing-phantom-stealer/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, egress policy enforcement, encrypted traffic controls, and integrated anomaly detection would have significantly limited the malware's propagation, controlled unauthorized access, detected malicious activity, and blocked outbound data theft across each attack stage.
Control: Threat Detection & Anomaly Response
Mitigation: Suspicious file transfer and user activity could trigger an alert for investigation.
Control: Zero Trust Segmentation
Mitigation: Least-privilege policies confine a compromised user or workload to the resources its role needs, so stolen credentials do not translate into broad network access or easy privilege escalation.
Control: East-West Traffic Security
Mitigation: Unauthorized internal traffic is denied or inspected, limiting malware spread.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound C2 attempts are blocked or logged based on enforced egress policies.
Control: Encrypted Traffic (HPE) & Inline IPS (Suricata)
Mitigation: Exfiltration over unapproved encrypted channels detected and prevented.
Rapid detection and policy enforcement mitigates business impact.
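The egress and exfiltration controls above reduce to two questions a proxy or firewall log can answer: is the destination FQDN on the allowlist, and how much has a host already pushed to destinations that are not? The Python below is an added illustration, not code from the page or from any vendor product: it makes both decisions over constructed outbound-connection records, using label-boundary wildcard matching so that a lookalike such as cdn.corp.example.evil.invalid does not pass because it merely contains an allowed suffix. The log format, hostnames, domains, and byte threshold are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed allowlist: "*.suffix" matches any host strictly below suffix;
# bare names must match exactly.
ALLOWLIST = ("*.corp.example", "api.bank-portal.example", "updates.vendor.example")
THRESHOLD_BYTES = 10 * 1024 * 1024  # bytes sent outside the allowlist before a host is alerted

# Constructed records: "<timestamp> <source host> <destination FQDN> <dst port> <bytes out>".
SAMPLE_LOG = """\
2025-12-03T09:14:02Z fin-ws-17 mail.corp.example 443 2048
2025-12-03T09:14:30Z fin-ws-17 api.bank-portal.example 443 4096
2025-12-03T09:15:01Z fin-ws-17 cdn.corp.example.evil.invalid 443 52428800
2025-12-03T09:15:40Z fin-ws-17 share.cloud-storage.invalid 443 31457280
2025-12-03T09:20:11Z hr-ws-03 mail.corp.example 443 1024
2025-12-03T09:21:00Z hr-ws-03 updates.vendor.example 80 8192
"""


def fqdn_allowed(fqdn: str, allowlist=ALLOWLIST) -> bool:
    """Exact match, or wildcard match on a label boundary. Never substring matching:
    a host that merely contains "corp.example" somewhere in its name must not pass."""
    host = fqdn.lower().rstrip(".")
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith(entry[1:]):   # entry[1:] is ".corp.example", so the dot is required
                return True
        elif host == entry:
            return True
    return False


def parse_record(line: str):
    """Return (timestamp, src, fqdn, port, bytes_out) or None for a malformed line."""
    fields = line.split()
    if len(fields) != 5:
        return None
    try:
        return fields[0], fields[1], fields[2], int(fields[3]), int(fields[4])
    except ValueError:
        return None


def evaluate(log_text: str, allowlist=ALLOWLIST, threshold=THRESHOLD_BYTES) -> dict:
    """Decide allow/deny per record and total the denied bytes per source host.
    Hosts at or over the threshold land in 'alerts'. A production rule would
    additionally window by time rather than summing the whole input."""
    decisions, denied_bytes, malformed = [], defaultdict(int), 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec is None:
            malformed += 1            # count rather than drop silently: gaps hide exfiltration
            continue
        ts, src, fqdn, port, out = rec
        allowed = fqdn_allowed(fqdn, allowlist)
        decisions.append({"ts": ts, "src": src, "fqdn": fqdn, "port": port, "allowed": allowed})
        if not allowed:
            denied_bytes[src] += out
    alerts = {src: total for src, total in denied_bytes.items() if total >= threshold}
    return {"decisions": decisions, "denied_bytes": dict(denied_bytes),
            "alerts": alerts, "malformed": malformed}


if __name__ == "__main__":
    result = evaluate(SAMPLE_LOG)
    for d in result["decisions"]:
        print(f'{d["src"]:10} {d["fqdn"]:35} {"ALLOW" if d["allowed"] else "DENY"}')
    for src, total in result["alerts"].items():
        print(f"ALERT {src}: {total} bytes to non-allowlisted destinations")
```

On the constructed records, fin-ws-17 is denied for both the lookalike domain and the file-sharing host and crosses the threshold with roughly 80 MiB outbound, while hr-ws-03 only reaches allowlisted destinations and raises nothing. Enforcement belongs in the proxy or firewall that applies the same allowlist; this script is the log-side check that confirms the policy is holding and surfaces the hosts that are trying to get around it.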
Impact at a Glance
Affected Business Functions
- Finance
- Accounting
- Treasury
- Payments
- Procurement
- Legal
- HR/Payroll
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive financial data, including bank account details, payment information, and personal employee data, leading to risks of fraud and identity theft.
Recommended Actions
Key Takeaways & Next Steps
- Enforce zero trust segmentation and least privilege principles throughout cloud workloads and users.
- Deploy continuous anomaly detection and threat intelligence to alert on suspicious user and file activity.
- Apply granular egress policies and FQDN filtering to block unauthorized outbound connections.
- Implement east-west traffic monitoring and microsegmentation to restrict lateral movement.
- Integrate inline encryption and multi-cloud visibility controls to enable secure, auditable data flows and rapid incident response.