Seqrite Labs Identifies Operation MoneyMount-ISO Targeting Finance Sectors with Phantom Malware
Operation MoneyMount-ISO, identified by Seqrite Labs, targets finance and accounting entities, with secondary focus on procurement, legal, and payroll sectors. The campaign uses a fake payment confirmation lure to deliver Phantom malware via a multi-stage attachment chain.
An ISO image titled 'Bank transfer confirmation.iso' executes Phantom Stealer through an embedded DLL. Additionally, Russian HR and payroll departments have been targeted with phishing emails related to bonuses, deploying a new implant named DUPERUNNER that loads AdaptixC2.
The latter campaign, dubbed DupeHike, is linked to threat cluster UNG0902. Its phishing emails have used ZIP files to distribute spear-phishing decoys that download DUPERUNNER, which in turn retrieves a decoy PDF and activates AdaptixC2 within legitimate Windows processes. French cybersecurity firm Intrinsec attributes related intrusions in the Russian aerospace sector, detected between June and September 2025, to hacktivists supporting Ukrainian interests.
