- A phishing campaign named Operation MoneyMount-ISO targets Russian finance and accounting sectors using emails with malicious ISO attachments.
- The Phantom Stealer Malware in the ISO files steals cryptocurrency wallet data, credentials, and monitors user activity, sending stolen data via Telegram or Discord.
- Another campaign called DupeHike uses phishing emails to deliver DUPERUNNER implant and AdaptixC2 framework to Russian human resources and payroll departments.
- Multiple phishing operations also exploit Russian finance, legal, and aerospace sectors to deploy Hacking tools like Cobalt Strike, Formbook, and PhantomRemote using compromised company email servers.
- French Cybersecurity firm attributes cyberattacks on the Russian aerospace industry to Ukrainian-aligned hacktivists using phishing pages hosted on IPFS and Vercel to steal credentials.
Cybersecurity researchers have uncovered ongoing phishing campaigns targeting diverse sectors within Russia, notably finance, accounting, human resources, and aerospace. The campaign known as Operation MoneyMount-ISO, identified by Seqrite Labs, employs phishing emails disguised as payment confirmations. These emails include ZIP attachments containing ISO files, which mount as virtual drives and launch the Phantom Stealer malware. This malware collects sensitive information from cryptocurrency wallets, authentication tokens, passwords, cookies, credit card data, and logs keystrokes. It transmits stolen data via Telegram bots or Discord webhooks, with capabilities to transfer files to FTP servers. Details are available on the Seqrite blog here.
Another phishing operation, called DupeHike and linked to a threat group UNG0902, targets Russian human resources and payroll units. It uses emails involving bonus payments to deliver a ZIP file containing decoys and an LNK shortcut file. The LNK downloads the DUPERUNNER implant, which executes the open-source AdaptixC2 command-and-control framework by injecting it into legitimate Windows processes. More information on DupeHike is available from Seqrite here.
Additional spear-phishing campaigns have focused on Russian finance, legal, and aerospace sectors. These deliver malicious tools such as Cobalt Strike, Formbook, DarkWatchman, and PhantomRemote that enable data theft and remote control. The attackers operate by using the email servers of compromised Russian companies to send phishing messages. Further details on these operations can be found at Seqrite here.
A French cybersecurity company, Intrinsec, has linked recent cyberattacks on the Russian aerospace industry to Ukrainian-aligned hacktivists. Detected between June and September 2025, the attacks overlap with known clusters such as Hive0117 and Rainbow Hyena. They use phishing login pages hosted on the InterPlanetary File System (IPFS) and Vercel to steal Microsoft Outlook and company credentials. According to Intrinsec, the efforts target entities collaborating with Russia’s military during ongoing conflict and Western sanctions. More details are provided on Intrinsec’s website here.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Shiba Inu Faces Big Losses, 2026 Outlook Mixed with Risks
- Peter Brandt Warns Bitcoin Rally Slowing, Sees Risk of $25K Drop
- UK to Regulate Crypto Firms Under Financial Rules by 2027
- Nvidia to Boost H200 Chip Production Amid Strong China Demand
- Justin Bons Calls Solana “Bitcoin 3.0,” Urges Investors to Switch
