Stop ISO Phishing: AI Detection for Stealer Malware

AI in Cybersecurity | By 3L3C

ISO phishing is back—now delivering Phantom Stealer. Learn how AI-driven email, endpoint, and network detection can stop multi-stage attachment chains in real time.

Tags: ISO phishing, phishing defense, information stealers, finance cybersecurity, email security, SOC automation, AI threat detection

Most email security stacks still treat attachments like a file-type problem. Block macros, scan PDFs, detonate EXEs, call it a day.

Operation MoneyMount-ISO shows why that mindset fails. Attackers are using ISO disk images (yes, “virtual CDs”) to slide an executable chain past habits, filters, and rushed humans—then dropping Phantom Stealer, a credential-and-wallet thief that knows how to hide, how to abort in sandboxes, and how to exfiltrate quietly via places defenders often under-monitor (Telegram and Discord).

This post is part of our AI in Cybersecurity series, and I’m going to be blunt: manual review and rules-only controls can’t keep up with multi-stage phishing chains like this—especially in finance, where one stolen session token can become a same-day wire fraud attempt.

What the Phantom Stealer ISO campaign gets right (for attackers)

The key idea is simple: make the malicious step look like a normal work step. And in finance/accounting, “review this payment confirmation” is as routine as it gets.

Researchers describe a chain that typically looks like this:

  1. A phishing email impersonates legitimate financial communication and pushes urgency (“confirm a bank transfer”).
  2. The attachment is a ZIP, which many orgs allow because it’s common for invoices and batch documents.
  3. Inside the ZIP is an ISO file. When opened, Windows mounts it as a virtual drive—often without the “this is an app” mental alarm.
  4. The mounted ISO contains an executable that triggers a loader; the loader uses an embedded DLL (reported as CreativeAI.dll) to launch Phantom Stealer.

Why ISO works so well in corporate email

ISO attachments aren’t new, but they remain effective because they sit in an awkward zone:

  • Users don’t think of them as programs. They think “image” or “archive.”
  • Some security controls treat mounted content differently than email-delivered content.
  • The real execution point is delayed (open ZIP → open ISO → click inside mounted drive). That delay breaks simplistic correlation.

Attackers are also picking departments that are built for throughput—finance, accounting, procurement, legal, payroll—where speed beats skepticism during end-of-year close, bonus cycles, and vendor reconciliation (December is basically the “perfect storm” month for this).

What Phantom Stealer actually steals—and why finance teams are prime targets

Phantom Stealer is positioned as an information stealer, but the practical impact is broader than “passwords got taken.” It reportedly targets:

  • Browser passwords, cookies, and saved credit card details
  • Discord authentication tokens
  • Clipboard content (classic for crypto address swapping and opportunistic data capture)
  • Keystrokes (credential capture even when autofill is disabled)
  • Cryptocurrency wallet data from Chromium-based extensions and desktop wallet apps
  • Files (selective theft is often more damaging than bulk theft)

Exfiltration paths matter here. The campaign uses:

  • Telegram bots
  • Discord webhooks
  • FTP servers for file transfer

That mix is a defender’s headache because it blends “obviously suspicious” (FTP from a workstation) with “often ignored” (outbound to consumer comms platforms in environments where developers, marketing, or customer support may legitimately use them).

The stealth feature many teams underestimate: anti-analysis checks

Stealers increasingly ship with sandbox/VM detection. Phantom Stealer reportedly checks for virtualized or analysis environments and stops if it thinks it’s being watched.

That matters because many organizations still rely on:

  • “Send attachment to sandbox, wait for verdict”
  • “Detonate in a VM and look for IOCs”

If malware can recognize those environments, you get a clean verdict on a sample that’s absolutely malicious in the real world.

Where AI-driven email security wins: behavior beats file types

Here’s the stance I’ll defend: the best detection for ISO phishing isn’t “block ISO.” Blocking helps, sure, but attackers will rotate to IMG/VHD, OneDrive links, HTML smuggling, or LNK chains.

AI-driven detection systems are strongest when they treat the email as an event in a storyline, not a single object to classify.

1) Email metadata anomalies AI can score in seconds

Rules can check SPF/DKIM/DMARC. AI can go further by modeling what “normal” looks like for your org and your vendors.

Useful signals include:

  • Sender/domain similarity and relationship history (first-time sender claiming to be a frequent vendor)
  • Reply-to mismatches and display-name impersonation patterns
  • Time-of-day sending compared to prior communication patterns
  • Attachment novelty (ZIP+ISO is rare in most invoice workflows)
  • Language/phrase patterns that don’t match previous threads from that sender identity

The difference: AI doesn’t need the attacker to reuse a known bad domain. It can flag “this is weird for your environment” even when it’s technically valid email.

2) Attachment-chain intelligence (ZIP → ISO → DLL) instead of single-file scanning

A traditional gateway might scan the ZIP, see an ISO, and pass it if ISO isn’t explicitly blocked.

An AI-enhanced pipeline can classify the chain:

  • Compressed container with an uncommon disk-image payload
  • Disk-image mount event after email open
  • Execution from a newly mounted drive
  • DLL side-loading or suspicious library load behavior

That combination is rare in legitimate business processes and should be treated as high risk even if each step alone seems explainable.
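As an added illustration (not the page's or any vendor's code), here is a gateway-side check that classifies a ZIP attachment by what its members contain rather than only by extension, so an ISO renamed to .pdf is still caught. The ISO 9660/UDF descriptor offset is the standard one; the sample ZIP and the fake ISO are constructed fixtures.

```python
import io
import zipfile

# ISO 9660 and UDF both place a volume descriptor at sector 16 (offset 0x8000);
# the identifier string ("CD001" / "BEA01") starts one byte into that sector.
ISO_SIG_OFFSET = 0x8001
ISO_SIGNATURES = (b"CD001", b"BEA01")
DISK_IMAGE_EXTS = (".iso", ".img", ".vhd", ".vhdx")   # from the hard-controls list above


def looks_like_disk_image(name: str, data: bytes) -> list:
    """Return the reasons a ZIP member looks like a disk image (empty list if none)."""
    reasons = []
    lower = name.lower()
    if lower.endswith(DISK_IMAGE_EXTS):
        reasons.append(f"extension {lower.rsplit('.', 1)[-1]}")
    sig = data[ISO_SIG_OFFSET:ISO_SIG_OFFSET + 5]
    if sig in ISO_SIGNATURES:
        reasons.append(f"ISO/UDF volume descriptor {sig.decode()} at 0x8001")
    return reasons


def inspect_zip(zip_bytes: bytes) -> dict:
    """Classify a ZIP attachment: 'pass', or 'quarantine' with per-member findings."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Read only as far as the descriptor so a huge member cannot exhaust memory
            data = zf.open(info).read(ISO_SIG_OFFSET + 5)
            reasons = looks_like_disk_image(info.filename, data)
            if reasons:
                findings[info.filename] = reasons
    return {"verdict": "quarantine" if findings else "pass", "findings": findings}


def build_sample_zip(member_name: str, payload: bytes) -> bytes:
    """Constructed test fixture: a ZIP holding one member (not a real campaign artifact)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


# Constructed fake ISO: zero-filled up to sector 16, then a minimal primary volume descriptor header
FAKE_ISO = b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041
```

The same content check is what lets the gateway treat "ZIP containing a disk image" as a chain, regardless of the name the attacker gives the inner file.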

3) User behavior signals: catching the “last mile”

Most companies get this wrong: they focus on “keep it out of the inbox,” then stop.

But users will click. Someone always does. AI-driven security operations can reduce blast radius by watching for post-delivery behaviors that don’t fit a user’s baseline:

  • A payroll employee suddenly mounting ISOs for the first time
  • Execution from removable/virtual media paths
  • New persistence-like behavior (scheduled task creation, registry run keys)
  • A sudden burst of credential access attempts across browsers

When those behaviors happen minutes after a suspicious email interaction, automated containment (isolate endpoint, revoke sessions, force password reset, block outbound to exfil channels) is the difference between a nuisance and an incident.

4) Network anomaly detection: Telegram/Discord aren’t “noise” anymore

If your SOC still treats consumer messaging traffic as background chatter, stealers will keep winning.

AI can model “normal outbound” per department and per endpoint. The goal isn’t to ban every platform; it’s to detect new, rare, and correlated patterns:

  • First-time outbound to Discord webhook infrastructure from a finance workstation
  • Outbound to Telegram APIs immediately after an ISO mount and process spawn
  • FTP egress from endpoints that never use FTP

Correlating these across email + endpoint + network telemetry is where AI security tools earn their budget.

Snippet-worthy rule: If you can’t correlate email events to endpoint behavior in under five minutes, ISO phishing will keep slipping through.

A practical defense plan for finance and accounting teams (no fantasy projects)

You don’t need a year-long transformation to reduce risk. You need a few concrete controls, properly wired together.

Hard controls (reduce the attack surface)

  • Block or quarantine disk image attachments (.iso, .img, .vhd, .vhdx) at the email gateway, with an exception process for IT-approved use cases.
  • Disable auto-mount behavior where feasible and restrict execution from mounted images using endpoint policy.
  • Enforce least privilege for finance endpoints. Local admin on accounting machines is an open invitation.
  • Turn on attack surface reduction rules (or equivalent) that limit:
    • process creation from email and web downloads
    • suspicious DLL loads
    • credential dumping behaviors

Detection and response (assume someone clicks)

  • Alert on “email → mount → execute” sequences within a short window (e.g., 10–20 minutes).
  • Monitor for token theft indicators (browser credential store access spikes, suspicious cookie database access).
  • Egress controls with smart exceptions:
    • block known webhook patterns where possible
    • require proxy auth for high-risk destinations
    • alert on new outbound Telegram/Discord from non-approved departments
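
The "email -> mount -> execute -> egress" correlation described in sections 3 and 4 above and in the alerting bullet in this list, as an added example that is not part of the original post or of any product: it walks ordered telemetry per host and raises one incident only when every stage follows the previous one inside the window. Event field names, the window length and the sample telemetry are assumptions constructed for the demo.

```python
from collections import defaultdict

WINDOW_SECS = 20 * 60   # upper end of the 10-20 minute window suggested above
# Exfil platforms the campaign is reported to use; extend per your environment
EXFIL_DOMAINS = ("discord.com", "discordapp.com", "api.telegram.org")
ORDER = ("email", "mount", "execute", "egress")


def _advance(seen: dict, stage: str, ts: int, window: int) -> None:
    """Record `stage` only if the previous stage was seen and we are still inside the window."""
    idx = ORDER.index(stage)
    if stage in seen or (idx > 0 and ORDER[idx - 1] not in seen):
        return
    if idx > 0 and ts - seen["email"] > window:
        return
    seen[stage] = ts


def correlate(events: list, window: int = WINDOW_SECS) -> list:
    """Return one incident per host on which the full chain occurred, in order, within `window`."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    incidents = []
    for host, evs in by_host.items():
        seen, mounted = {}, set()          # stage -> ts; drive letters mounted on this host
        for ev in evs:
            t = ev["type"]
            if t == "email_attachment" and "iso" in ev["chain"]:
                _advance(seen, "email", ev["ts"], window)
            elif t == "mount":
                mounted.add(ev["drive"].upper())
                _advance(seen, "mount", ev["ts"], window)
            elif t == "process_create" and ev["image"][:2].upper() in mounted:
                _advance(seen, "execute", ev["ts"], window)      # execution from a mounted drive
            elif t == "net_connect" and ev["dest"].lower().endswith(EXFIL_DOMAINS):
                _advance(seen, "egress", ev["ts"], window)
            if all(s in seen for s in ORDER):
                incidents.append({"host": host, "user": ev["user"], "stages": dict(seen)})
                break
    return incidents


# Constructed telemetry (not real campaign data); ts is seconds from an arbitrary epoch
SAMPLE_EVENTS = [
    {"host": "FIN-PC-07", "user": "payroll1", "ts": 0,   "type": "email_attachment", "chain": ["zip", "iso"]},
    {"host": "FIN-PC-07", "user": "payroll1", "ts": 300, "type": "mount", "drive": "E:"},
    {"host": "FIN-PC-07", "user": "payroll1", "ts": 420, "type": "process_create", "image": "E:\\Confirmation.exe"},
    {"host": "FIN-PC-07", "user": "payroll1", "ts": 480, "type": "net_connect", "dest": "discord.com"},
    # Same chain, but the mount comes 40 minutes after the email: outside the window, no incident
    {"host": "FIN-PC-12", "user": "ap2", "ts": 0,    "type": "email_attachment", "chain": ["zip", "iso"]},
    {"host": "FIN-PC-12", "user": "ap2", "ts": 2400, "type": "mount", "drive": "E:"},
    {"host": "FIN-PC-12", "user": "ap2", "ts": 2460, "type": "process_create", "image": "E:\\Confirmation.exe"},
    {"host": "FIN-PC-12", "user": "ap2", "ts": 2500, "type": "net_connect", "dest": "api.telegram.org"},
    # Marketing host talking to Discord with no preceding chain: benign, no incident
    {"host": "MKT-PC-03", "user": "mkt1", "ts": 100, "type": "net_connect", "dest": "discord.com"},
]
```

In production the incident record would feed the containment actions listed earlier (isolate endpoint, revoke sessions, block egress) rather than just a list.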

Human workflow (make the safe path the easy path)

Finance teams are targeted because their workflows are predictable. Use that predictability:

  • Route payment confirmations to a ticketing workflow with structured fields, not ad-hoc attachments.
  • Require out-of-band verification for bank detail changes and high-value transfers.
  • Provide a one-click “report suspicious invoice email” button and measure:
    • time-to-report
    • time-to-triage
    • false positive rate

If you can’t measure it, you can’t improve it.

“People also ask” questions your SOC will get

Should we just block ISO attachments everywhere?

If your business doesn’t need them, yes—block them. If you do need them (certain IT or engineering workflows), quarantine by default and allow only through a controlled channel.

Why do stealers target Discord and Telegram?

Because defenders under-monitor them, they’re easy to automate, and they blend into normal outbound TLS traffic. It’s simple and effective.

What’s the fastest way to detect a multi-stage phishing chain?

Correlate signals across layers: email telemetry + endpoint events (mount and execute) + outbound network anomalies. AI helps because it can score those correlations in real time.

What this campaign says about the next year of phishing

Attackers aren’t betting on one attachment type. They’re betting on operational overload—quarter-end closes, year-end bonuses, vendor renewals, and a constant stream of “normal-looking” finance email.

Phantom Stealer delivered via ISO is a clean case study for the AI in Cybersecurity series: the winning approach is not a bigger blacklist; it’s faster, correlated detection that reacts to behavior.

If you’re evaluating AI-driven threat detection, start with this litmus test: can your tooling spot and stop “ZIP → ISO mount → suspicious execution → Telegram/Discord egress” as a single incident, automatically, before credentials are reused?

That’s the level of speed finance teams need now. What would your environment do if one payroll user clicked that “bank transfer confirmation” ISO today?
