Operation MoneyMount-ISO — Deploying Phantom Stealer via ISO-Mounted Executables
ID: 25277e00-33af-5707-ad46-2af888aef11d
STIX ID: report--25277e00-33af-5707-ad46-2af888aef11d
Feed Name: Seqrite Blog
Executive Summary: Seqrite Labs detected a Russian-language phishing campaign targeting finance and related roles that distributes the Phantom stealer through a ZIP attachment containing a malicious ISO; once mounted, the ISO executes a staged payload chain. The analysis documents payload delivery (ZIP → ISO → EXE → DLL → in-memory Phantom), anti-analysis techniques, extensive data-harvesting modules (browser passwords, cookies, Discord tokens, crypto wallets, keylogger, clipboard monitor, file grabber), multiple exfiltration channels (Telegram, Discord webhooks, FTP), IOCs, and MITRE ATT&CK mappings, and recommends hardened mail and workflow controls together with container-based and behavioral defenses.
