< ciso
brief />
Tag Banner

All news with #russia nexus tag

113 articles

Google Gemini CLI abused to operate malware botnet

🔍 A Russian-speaking actor called "bandcampro" leveraged Google's open-source Gemini CLI as an AI hacking agent and to run a small botnet targeting at least eight systems in a dental clinic. Over 200 sessions between May and April, the AI executed migration, troubleshooting, and operational improvements, storing credentials and following a built-in C2 playbook. Trend Micro found the setup tiny and unsophisticated, with Python HTTP and PowerShell agents and persistence via scheduled tasks, WMI, and registry changes.
read more →

Governments urge enterprises to improve router security

🔒 A multinational cybersecurity advisory warns that Russian government-sponsored actors are exploiting poorly configured routers and legacy protocols to steal device configurations and credentials. Attackers scan for devices using SNMPv1/v2, default community strings, and vulnerable Cisco features like Smart Install, then exfiltrate config files to attacker-controlled servers. Agencies recommend migrating to SNMPv3, disabling legacy protocols and Cisco Smart Install, enforcing strong passwords and MFA, blocking SNMP at firewalls, updating software, and retiring EOL devices.
read more →

EU and UK announce joint cyber sanctions on Russia

🛡️ The EU and the UK issued coordinated sanctions targeting Russian individuals, entities, and intelligence units accused of orchestrating cyberattacks across Europe. Designations include GRU and FSB-linked officers, cybercriminals, and private firms alleged to recruit hackers and run malware operations. Officials cite sustained campaigns against government and critical infrastructure since 2010 and recent disruptive attempts in Poland. The measures follow broader EU proposals to strengthen cybersecurity and precede additional sanctions on foreign companies tied to attacks.
read more →

FSB Centre 16 Targets Routers Using Weak SNMP

🔒 Cyber agencies from 12 countries warn that Russian FSB Centre 16 (aka Berserk Bear/Static Tundra) is scanning the internet for routers using default or weak SNMP credentials and occasionally exploiting known CVEs in Cisco devices. Sectors such as communications, defence, energy, finance, government and healthcare are urged to adopt SNMPv3, patch affected systems and disable vulnerable features like Smart Install when patching is not possible. The advisory links Centre 16’s tactics to broader disruptive campaigns and coincides with UK/EU attribution of late 2025 attacks on Poland’s energy grid to the group.
read more →

US and Allies Share Guidance on Russian Router Attacks

🔒 Cybersecurity agencies from the US and eight partner nations issued a joint advisory warning that Russian state-linked hackers (FSB Centre 16) are exploiting poorly configured routers and default SNMP credentials to breach critical infrastructure networks. The advisory attributes scanning and exfiltration activity to groups tracked as Berserk Bear and others, and highlights exploitation of Cisco Smart Install (CVE-2018-0171). Agencies urged mitigation steps including upgrading to SNMPv3, disabling Cisco Smart Install, enforcing strong passwords, blocking TFTP/SNMP at the perimeter, and updating firmware to protect energy, communications, healthcare, finance, and government sectors.
read more →

Spain arrests suspected member of pro‑Russian hacktivists

🛡️ Spain's National Police arrested a man suspected of active roles in the pro‑Russian hacktivist groups CyberArmy of Russia Reborn and Z‑Pentest. Authorities say he provided logistical and operational support to a CARR-linked Ukrainian hacker and attempted to facilitate the hacker’s escape to Russia. Investigators seized computers and cryptocurrency devices during a March 2026 raid and froze wallets tied to stolen data sales. The suspect is under investigation for alleged links to terrorist group membership, glorification of terrorism, and computer damage.
read more →

US offers $10M for info on hackers targeting Signal and WhatsApp

🔔 The U.S. Department of State is offering up to $10 million through its Rewards for Justice program for information identifying members of UNC5792 and UNC4221, two groups tied to Russian intelligence and military services. The bounty follows FBI and CISA updates that these groups conducted phishing campaigns targeting Signal and WhatsApp users, including attempts to steal Signal Backup Recovery Keys by impersonating support agents. Targets included U.S. and NATO officials, journalists, NGOs, and researchers.
read more →

Evolution of the Pro‑Russia Influence Ecosystem

🛡️ Four years into Russia’s invasion of Ukraine, the pro‑Russia influence ecosystem has shifted from wartime tools back toward a global strategic asset. GTIG observes expansion of covert information operations, revived hacktivism, and increasing use of generative AI across planning and content creation. The ecosystem blends state, state‑aligned, and independent actors, targeting the West, Russia’s near abroad, the Middle East, Africa, and domestic audiences while exploiting media mimicry, cyber‑enabled IO, and direct dissemination.
read more →

Gamaredon expands malware and exfiltration tactics

🛡️ ESET observed 35 spear-phishing campaigns by the Russian APT group Gamaredon across 2025, primarily targeting Ukrainian government and military entities. Campaigns used HTML smuggling, archive attachments and a patched WinRAR flaw (CVE-2025-8088) to deploy HTA downloaders that drop payloads like PteroSand. The group enhanced persistence and lateral movement via PteroLNK, PteroPaste and PteroSetup while increasingly abusing tunnel and serverless services to hide infrastructure.
read more →

Suspected Russian Involvement in JLR Cyberattack

🛡️ Security experts have reacted to a New York Times report linking Russian hackers to the Jaguar Land Rover breach, which reportedly cost the British economy £1.9bn. Microsoft flagged the activity, and specialists pointed to the lack of a ransom demand, timing before a vehicle rollout, and novel ransomware as indicators of state involvement. Former JLR security leaders and industry analysts suggest the attack resembled sabotage more than typical cybercrime.
read more →

FBI warns of Russian targeting Signal backup keys

🔔 The FBI has issued a public service announcement warning that multiple clusters of Russian intelligence actors, including FSB officers and military hackers, are targeting high-risk users to steal Signal Backup Recovery Keys. The campaign uses phishing messages masquerading as messaging app support to elicit verification codes, account PINs, and recovery keys. Victims include government officials, military personnel, journalists and Ukrainian officials. Users are advised to only trust official support channels and to generate a new recovery key to invalidate older backups.
read more →

FBI warns Russian actors stealing Signal backup keys

🔐 The FBI and CISA warn that Russian-linked threat actors have shifted phishing tactics to steal Signal Backup Recovery Keys, enabling access to users' historical messages. The campaign, tracked as UNC5792 and UNC4221, targets high-value individuals including officials, journalists, and military personnel. Attackers impersonate Signal support, trick users into enabling backups and then request the recovery key to restore data to attacker-controlled devices. Authorities advise that official support never asks for codes or recovery keys and recommend reporting incidents to the FBI or CISA.
read more →

CISA Warns Fortinet Customers Amid FortiBleed Campaign

🔒 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) urged Fortinet customers to secure FortiGate appliances after a large-scale campaign, dubbed FortiBleed, compromised 86,644 devices as of June 19, 2026. The campaign, attributed to Russian-speaking actors, used mass scanning and credential spraying against internet-facing VPN and firewall endpoints, leveraging leaked and reused credentials. Telecom, government, and education sectors were heavily affected, prompting guidance to reset passwords, enable MFA, and move to PBKDF2 hashing for admin credentials.
read more →

Analysis: The Gentlemen ransomware group's evolution

🔎 A new PRODAFT report traces The Gentlemen (aka Phantom Mantis) from an affiliate of multiple RaaS families to an independent, enterprise-focused extortion operation led by a Russian-speaking actor tracked as LARVA-368. Active since March 2025 and claiming 478 victims, the group uses AI, diverse tooling, multi-platform ransomware, and aggressive affiliate incentives while targeting VPNs, firewalls, VMware, and other internet-facing systems.
read more →

Investigation Identifies Alleged Administrator of The Gentlemen

🔍 Check Point and other cyber intelligence firms have been tracking The Gentlemen, a fast-growing RaaS operation that offers affiliates a 90/10 revenue split and has become the second most active ransomware group by victim count. Researchers link the group’s administrator to the handles Hastalamuerte and Zeta88, and trace forum registrations, email addresses, Telegram IDs, and phone numbers to a likely real-world identity in Izhevsk, Russia. Open-source and breach data suggest the suspect may be Alexander Yapaev, who lists employment at Uralenergo Udmurtia; he did not respond to requests for comment.
read more →

Greyvibe: Russian-linked group using AI in attacks

🛡️ Researchers from WithSecure uncovered a Russian-aligned group dubbed Greyvibe that extensively leverages large language models across its campaigns targeting private, government, and military organizations in Ukraine. The group uses spear phishing, fake websites, malicious archives, and ClickFix-style CAPTCHAs to deliver custom malware such as PhantomRelay, LegionRelay, and Android spyware FallSpy. Observed tooling and infrastructure indicate systematic use of generative AI for lure creation, code development, and backend setup, blurring lines between state-aligned activity and cybercrime ecosystem actors.
read more →

Attack Surface and Cyber Risks for FIFA 2026

📘 The 2026 FIFA World Cup spans 39 days across 16 host cities in three nations, creating a vast temporary tournament network layered on existing stadium and municipal infrastructure. This assessment warns of high likelihoods for disruptive intrusions, large-scale fraud and politically motivated DDoS and hack-and-leak operations. Key drivers include Iran-nexus disruptive campaigns, pro-Russian hacktivist DDoS activity and financially motivated cybercrime targeting fans and the hospitality ecosystem.
read more →

ESET APT Activity Report Q4 2025–Q1 2026

📄 ESET summarizes notable APT activity observed between October 2025 and March 2026, highlighting China-, Iran-, North Korea-, and Russia-aligned operations alongside unattributed clusters. The report illustrates geopolitical drivers behind campaigns, describes new tooling and supply-chain compromises such as a trojanized axios package, and notes destructive incidents impacting critical infrastructure. ESET confirms protections by its products and notes the report reflects a subset of its Threat Intelligence.
read more →

Coordinated Takedown Disrupts GlassWorm C2 Channels

🛡️ CrowdStrike, together with Google and the Shadowserver Foundation, announced the simultaneous disruption of all command-and-control channels used by GlassWorm, a persistent campaign that has targeted software developers since early 2025. The operators trojanized VS Code extensions and poisoned npm and Python packages to deliver a data-theft framework capable of credential harvesting and system profiling. Multiple resilient C2 resolution layers were used — Solana memo fields, BitTorrent DHT, Google Calendar events, and commercial VPS hosts — all of which were neutralized in the coordinated action. CrowdStrike attributes the activity to likely Russia-based cybercriminals and warns about the severe risk posed by supply chain compromises to developer ecosystems.
read more →

Dutch raid seizes servers, arrests hosting co-owners

🛡️ Dutch authorities arrested two co-owners of related hosting companies and seized over 800 servers on May 18, alleging they operated infrastructure used by Russia for cyberattacks and influence operations targeting the EU. The arrests follow investigative reporting that linked MIRhosting and WorkTitans to Stark Industries, an ISP sanctioned by the EU for facilitating DDoS, proxy, and anonymity services tied to Russia-backed actors. Officials searched businesses and data centers and charged the suspects with violating sanctions law by making economic resources available to sanctioned entities. Both suspects deny wrongdoing and one company says it has paused services to the implicated client pending internal review.
read more →