Phantom Stealer Campaign Abuses ISO Mounting to Compromise Windows Systems

A new phishing campaign is actively targeting Windows environments using malicious ISO files as the primary delivery vector. The operation deploys Phantom Stealer, a highly capable information-stealing malware designed for credential theft, financial fraud and silent persistence.

This activity is not random. The campaign is organized, intentional and operationally mature, with a clear focus on finance and accounting teams, where a single credential compromise can lead to large-scale monetary loss.

The Problem

Windows automatically mounts ISO files as virtual drives when opened.
That convenience is now an attack vector.

Because ISO files still appear trustworthy to many users and often bypass traditional attachment filters, attackers take advantage of this trust gap. Once a user double-clicks the ISO, Windows loads it like a legitimate disk, removing friction, reducing suspicion and enabling execution without warnings.

Why This Campaign Exists

Finance teams work quickly.
They process payments daily.
They trust routine confirmations.

Attackers imitate real payment notifications, bank transfer acknowledgments and broker communications. By aligning with natural workflow patterns, they dramatically increase execution rates without needing advanced exploits. In this model, the human workflow is the attack surface.

How the Infection Works

  • The attack begins with a phishing email written in Russian.
  • The sender domain is compromised and impersonates a legitimate currency broker.
  • A ZIP file is attached, containing a malicious ISO disguised as a payment document.
  • When opened, the ISO automatically mounts as a virtual CD drive.
  • A legitimate-looking executable is presented to the victim.
  • That executable loads a DLL named CreativeAI.dll directly into memory.
  • The DLL decrypts and injects the Phantom Stealer payload into a running process.
  • No alerts. No pop-ups. No obvious signs of compromise.

This is exactly how modern financial breaches begin.

Real-World Impact

Once active, Phantom Stealer immediately begins data collection:

  • Steals cryptocurrency wallets from browsers and desktop apps
  • Extracts Discord authentication tokens
  • Records clipboard content every second
  • Captures keystrokes through low-level Windows hooks
  • Harvests stored passwords, credit card details and autofill entries
  • Searches for sensitive documents across the file system

All stolen data is aggregated into a ZIP archive with system metadata and IP information. Exfiltration uses redundant channels, including:

  • Telegram bots
  • Discord webhooks
  • FTP servers with optional SSL

Redundancy ensures that even if one method fails, the theft succeeds.

Why This Matters for Organizations

This campaign is designed for financial fraud, not broad infection.

  • Stolen credentials enable invoice manipulation and payment redirection
  • Clipboard monitoring captures sensitive data instantly
  • Keylogging exposes long-lived and privileged access paths
  • ISO-based delivery bypasses attachment filtering
  • Memory-based execution limits forensic visibility

This is malware built for money. Quiet execution. Fast damage. High return for attackers.

What Teams Must Do Now

Organizations should respond immediately:

  • Block ISO and container-based attachments at email gateways
  • Apply stricter controls and approvals for finance teams
  • Detect memory-only injection behaviors across endpoints
  • Flag auto-mounted virtual drives that launch executables
  • Train staff that payment confirmations should never contain executables
  • Shift prevention earlier in the chain, before users run the file

Legacy attachment rules are no longer sufficient.

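One way to implement the gateway check from the first recommendation, as an added example that is not part of the original article: it scans an RFC 822 message, descends into ZIP attachments (the ZIP-wrapped ISO delivery described above) and identifies disc images by their on-disk identifier rather than by file name, so a renamed image is still caught. The sample message is constructed inline; the function names, the depth limit and the extension list are this example's own choices, not any product's API.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Optical-disc images carry their identifier at byte 0x8001 (sector 16, offset 1):
# "CD001" for ISO 9660, "BEA01" for the UDF volume recognition sequence.
IMAGE_MAGIC_OFFSET = 0x8001
IMAGE_MAGICS = (b"CD001", b"BEA01")
IMAGE_EXTENSIONS = (".iso", ".img", ".vhd", ".vhdx")

def is_disc_image(data: bytes) -> bool:
    """Detect an ISO/UDF image by content, so a renamed image is still caught."""
    return data[IMAGE_MAGIC_OFFSET:IMAGE_MAGIC_OFFSET + 5] in IMAGE_MAGICS

def find_disc_images(name: str, data: bytes, depth: int = 0) -> list:
    """Return paths of disc-image payloads in data, descending into nested ZIPs."""
    findings = []
    if is_disc_image(data) or name.lower().endswith(IMAGE_EXTENSIONS):
        findings.append(name)
    if depth < 3 and zipfile.is_zipfile(io.BytesIO(data)):  # bounded recursion
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if not info.is_dir():
                    findings.extend(find_disc_images(f"{name}/{info.filename}", zf.read(info), depth + 1))
    return findings

def scan_message(raw: bytes) -> list:
    """Scan every attachment of an RFC 822 message; a non-empty result means quarantine."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True)
        if payload:
            findings.extend(find_disc_images(part.get_filename() or "unnamed", payload))
    return findings

def build_sample_message() -> bytes:
    """Constructed sample: a ZIP attachment holding a minimal ISO 9660 image with no .iso extension."""
    fake_iso = bytearray(IMAGE_MAGIC_OFFSET + 5)
    fake_iso[IMAGE_MAGIC_OFFSET:] = b"CD001"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payment_Confirmation.pdf", bytes(fake_iso))  # image disguised as a document
    msg = EmailMessage()
    msg.set_content("Please find the payment confirmation attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="payment.zip")
    return msg.as_bytes()
```

Running `scan_message(build_sample_message())` flags the disguised image inside the ZIP; a real gateway would quarantine the message and alert on the sender when the result is non-empty.
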
Conclusion

The Phantom Stealer campaign illustrates how attackers continue to abuse trusted file formats to breach financial operations. ISO mounting, once a convenience, has become a silent and reliable entry point for threat actors. Finance teams remain prime targets because execution happens quietly and impact escalates quickly.

Modern organizations must adapt to these delivery techniques, strengthen controls around high-risk workflows and prioritize early detection before execution, not after damage occurs.

About COE Security

COE Security supports industries including finance, healthcare, government, consulting, technology, real estate and SaaS.
We help organizations strengthen cybersecurity through:

  • Email and phishing security
  • Threat detection and response
  • Cloud and network hardening
  • Secure development practices
  • Compliance advisory and readiness
  • Risk assessments and reduction strategies

Follow COE Security on LinkedIn for advanced insights on emerging threats.