Saved February 14, 2026
This article investigates a Russian phishing campaign that uses a fake payment confirmation email to deploy the Phantom stealer malware. It details the multi-stage infection process, including the malicious ISO and executable files involved, and highlights the types of data targeted, such as credentials and cryptocurrency information.
Seqrite Labs has identified a Russian-origin phishing campaign aimed primarily at the financial sector, in particular staff in finance, accounting, and treasury roles. The attack uses a fake payment confirmation email that tricks recipients into downloading a malicious ZIP file. The ZIP contains an ISO image which, when opened, mounts as a virtual drive containing an executable disguised as a legitimate payment confirmation. Running that executable installs the Phantom information-stealing malware.
The email's sender uses a spoofed identity and claims to represent a financial institution, which adds to the message's credibility. The ZIP file, titled “Подтверждение банковского перевода.zip” (Bank transfer confirmation), is designed to look like routine business correspondence aimed at finance personnel. The infection chain has several stages: the ISO file leads to an executable that injects the Phantom stealer, which can extract sensitive data including credentials, cryptocurrency wallet information, and Discord tokens.
The Phantom stealer uses several techniques to evade detection, including an anti-analysis feature that makes it delete itself when it detects a virtual environment. It systematically extracts data from cryptocurrency wallets in Chromium-based browsers and collects passwords, cookies, and credit card information from a range of browsers. It also continuously monitors the clipboard to capture sensitive information the user copies. This multi-layered approach makes it a significant threat to the targeted sectors, with potential consequences including credential theft and unauthorized financial transactions.
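The delivery chain described above (ZIP containing an ISO containing an executable) is something a mail gateway or triage script can flag without executing anything: the ISO 9660 volume descriptor signature sits at a fixed offset, and files inside an ISO are stored uncompressed, so an embedded PE executable keeps its raw DOS/PE header layout. The following is an added example written for this summary, not code from Seqrite Labs or from the article; the sample archive it inspects is constructed in the script itself, the member name `payment_confirmation.iso` is a placeholder (the article names only the ZIP, not the ISO inside it), and the PE scan is a heuristic, not a full ISO 9660 parser.

```python
import io
import struct
import zipfile

# ISO 9660: the primary volume descriptor occupies sector 16 (2048-byte sectors),
# and bytes 1..5 of that descriptor carry the standard identifier "CD001".
ISO_PVD_OFFSET = 0x8000
ISO_SIGNATURE = b"CD001"
PE_MAGIC = b"PE\x00\x00"


def looks_like_iso(data: bytes) -> bool:
    """True if the blob carries an ISO 9660 volume descriptor signature."""
    return data[ISO_PVD_OFFSET + 1 : ISO_PVD_OFFSET + 6] == ISO_SIGNATURE


def find_pe_offsets(data: bytes) -> list:
    """Return offsets of every DOS header whose e_lfanew points at a PE signature.

    Heuristic (assumption made here): because ISO contents are stored
    uncompressed, a Windows executable inside the image can be located by its
    'MZ' ... 'PE\\0\\0' layout without walking the ISO directory tree.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            # e_lfanew lives at offset 0x3C of the DOS header
            (e_lfanew,) = struct.unpack_from("<I", data, pos + 0x3C)
            sig_at = pos + e_lfanew
            if 0 < e_lfanew < 0x1000 and data[sig_at : sig_at + 4] == PE_MAGIC:
                hits.append(pos)
        pos = data.find(b"MZ", pos + 1)
    return hits


def triage_zip(zip_bytes: bytes) -> list:
    """Inspect every member of a ZIP and report archive->ISO->PE chains."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            blob = zf.read(info)
            is_iso = looks_like_iso(blob)
            pe_offsets = find_pe_offsets(blob) if is_iso else []
            if pe_offsets:
                verdict = "archive->iso->exe chain"
            elif is_iso:
                verdict = "iso without visible PE"
            else:
                verdict = "no disk image"
            findings.append(
                {
                    "member": info.filename,
                    "is_iso": is_iso,
                    "pe_count": len(pe_offsets),
                    "verdict": verdict,
                }
            )
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a ZIP holding a minimal ISO-like image with a PE stub.

    Mirrors the structure of the lure archive from the article (ZIP -> ISO ->
    executable); the bytes are synthetic and carry no real executable code.
    """
    # Synthetic DOS header: 'MZ', e_lfanew = 0x80, PE signature at 0x80.
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)
    pe_stub = bytes(dos) + PE_MAGIC + b"\x00" * 64

    # 16 system sectors, then descriptor sectors; PE stub placed at sector 18.
    image = bytearray(0x8000 + 2048 * 4)
    image[0x8000] = 1                          # descriptor type: primary
    image[0x8001:0x8006] = ISO_SIGNATURE
    image[0x9000 : 0x9000 + len(pe_stub)] = pe_stub

    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Placeholder ISO name; the article gives only the ZIP name
        # ("Подтверждение банковского перевода.zip").
        zf.writestr("payment_confirmation.iso", bytes(image))
        zf.writestr("notes.txt", b"constructed benign member\n")
    return buf.getvalue()


if __name__ == "__main__":
    for f in triage_zip(build_sample_zip()):
        print(f)
```

Running the script prints one finding per archive member; the ISO member is reported as an `archive->iso->exe chain` while the text member is left alone. In a real gateway the same `triage_zip` check would run on the raw attachment bytes, and any disk image nested in an archive from an external sender is worth quarantining regardless of whether the PE heuristic fires, since the ISO mount step is the part of this chain that sidesteps mark-of-the-web handling.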