ciso brief

All news with #russia nexus tag

98 articles

Greyvibe: Russian-linked group using AI in attacks

πŸ›‘οΈ Researchers from WithSecure uncovered a Russian-aligned group dubbed Greyvibe that extensively leverages large language models across its campaigns targeting private, government, and military organizations in Ukraine. The group uses spear phishing, fake websites, malicious archives, and ClickFix-style CAPTCHAs to deliver custom malware such as PhantomRelay, LegionRelay, and Android spyware FallSpy. Observed tooling and infrastructure indicate systematic use of generative AI for lure creation, code development, and backend setup, blurring lines between state-aligned activity and cybercrime ecosystem actors.

Attack Surface and Cyber Risks for FIFA 2026

📘 The 2026 FIFA World Cup spans 39 days across 16 host cities in three nations, creating a vast temporary tournament network layered on existing stadium and municipal infrastructure. This assessment warns of high likelihoods for disruptive intrusions, large-scale fraud and politically motivated DDoS and hack-and-leak operations. Key drivers include Iran-nexus disruptive campaigns, pro-Russian hacktivist DDoS activity and financially motivated cybercrime targeting fans and the hospitality ecosystem.

ESET APT Activity Report Q4 2025–Q1 2026

📄 ESET summarizes notable APT activity observed between October 2025 and March 2026, highlighting China-, Iran-, North Korea-, and Russia-aligned operations alongside unattributed clusters. The report illustrates the geopolitical drivers behind campaigns, describes new tooling and supply-chain compromises such as a trojanized axios package, and notes destructive incidents impacting critical infrastructure. ESET states that its products detect the described threats and that the report reflects only a subset of its Threat Intelligence.

Coordinated Takedown Disrupts GlassWorm C2 Channels

πŸ›‘οΈ CrowdStrike, together with Google and the Shadowserver Foundation, announced the simultaneous disruption of all command-and-control channels used by GlassWorm, a persistent campaign that has targeted software developers since early 2025. The operators trojanized VS Code extensions and poisoned npm and Python packages to deliver a data-theft framework capable of credential harvesting and system profiling. Multiple resilient C2 resolution layers were used β€” Solana memo fields, BitTorrent DHT, Google Calendar events, and commercial VPS hosts β€” all of which were neutralized in the coordinated action. CrowdStrike attributes the activity to likely Russia-based cybercriminals and warns about the severe risk posed by supply chain compromises to developer ecosystems.

Dutch raid seizes servers, arrests hosting co-owners

πŸ›‘οΈ Dutch authorities arrested two co-owners of related hosting companies and seized over 800 servers on May 18, alleging they operated infrastructure used by Russia for cyberattacks and influence operations targeting the EU. The arrests follow investigative reporting that linked MIRhosting and WorkTitans to Stark Industries, an ISP sanctioned by the EU for facilitating DDoS, proxy, and anonymity services tied to Russia-backed actors. Officials searched businesses and data centers and charged the suspects with violating sanctions law by making economic resources available to sanctioned entities. Both suspects deny wrongdoing and one company says it has paused services to the implicated client pending internal review.

Netherlands seizes servers tied to hosting firm

🔎 Financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company accused of enabling cyberattacks, interference operations, and disinformation campaigns. Authorities say the suspects provided resources indirectly to Russian and Belarusian entities sanctioned by the EU, and that infrastructure was moved to a front company after sanctions. Raids recovered servers, laptops, phones, and records across multiple Dutch data centers.

Kazuar Evolves into Modular P2P Botnet by Secret Blizzard

📡 Microsoft reports that Russian-linked actor Secret Blizzard has turned the long-running Kazuar backdoor into a modular peer-to-peer botnet built for persistence, stealth, and data theft. The malware now runs three modules (Kernel, Bridge, and Worker) with an elected Kernel leader to minimize external C2 traffic and improve stealth. Internal IPC, AES encryption, and Protobuf serialization protect communications, while 150+ configuration options and AMSI/ETW/WLDP bypasses increase evasion.

Turla Converts Kazuar Into Modular P2P Botnet for Stealth

🐍 Microsoft and CISA report that Russian state-linked Turla has evolved its Kazuar .NET backdoor into a modular, peer-to-peer botnet engineered for stealth and persistence. The architecture now separates into Kernel, Bridge, and Worker modules to minimize footprint and enable flexible tasking. Deployments use droppers such as Pelmeni and ShadowLoader to decrypt and load modules across compromised hosts. The design centralizes staging in a dedicated working directory to maintain state and streamline exfiltration.

Kazuar: Anatomy of Nation-State P2P Botnet Operations

πŸ” Kazuar, attributed to the Russian state actor Secret Blizzard, has progressed from a traditional backdoor into a modular peer-to-peer botnet engineered for espionage and persistent access. Its architecture separates functionality into Kernel, Bridge, and Worker modules, enabling leader election and SILENT-mode behavior to minimize external visibility. Delivery methods include the Pelmeni dropper and .NET loaders that bind payloads to targeted hosts. The malware uses named pipes, mailslots, and window messaging with AES-encrypted IPC and multiple C2 transports for resilience and stealth.

FrostyNeighbor targets Ukrainian government with new loader

🧊 ESET telemetry details newly observed operations by the FrostyNeighbor actor, targeting governmental, military and key sectors in Ukraine and neighbouring Eastern European countries. The March 2026 campaign begins with spear-phishing PDFs that link to RAR archives containing a JavaScript dropper; the script deploys a JavaScript variant of PicassoLoader, which fetches and executes a Cobalt Strike beacon. Operators use server-side validation of IP and user agent to restrict final payload delivery and often host infrastructure behind Cloudflare. The group also employs diverse lure formats and exploit chains to evade detection.

Inside Department 4: Russia's Secret Hacker School

πŸ” A joint investigation uncovered a covert faculty at Bauman Moscow State Technical University, known as Department 4, that appears to funnel students into GRU-linked hacking units. Leaked documents show the GRU controls admissions, curricula, and graduate postings, teaching malware development, penetration testing, and physical surveillance. The report highlights a state-run pipeline producing highly trained cyber operators.

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly MikroTik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.

APT28 Turns Insecure Routers into DNS Hijack Nodes

πŸ” Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP‑Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking to perform passive reconnaissance and attacker-in-the-middle (AitM) operations to harvest passwords, OAuth tokens, and other credentials without user interaction. The malicious infrastructure has been disrupted in a multi‑agency operation led by the U.S. Department of Justice and FBI with international partners.

Authorities Disrupt Router DNS Hijacks Targeting Microsoft

🔒 An international law enforcement operation, supported by private researchers, disrupted FrostArmada, an APT28 campaign that hijacked DNS settings on compromised MikroTik and TP-Link routers to intercept Microsoft 365 authentication. The attackers redirected DNS to attacker-controlled VPS nodes acting as AitM proxies and captured logins and OAuth tokens. Microsoft, Lumen Black Lotus Labs, the FBI, the DOJ, and Polish authorities took the malicious infrastructure offline and published indicators and mitigations.

UK NCSC: APT28 Hijacks Routers to Steal Credentials Globally

🔒 The UK’s National Cyber Security Centre (NCSC) warns that Russian-linked APT28 has been compromising vulnerable SOHO routers to redirect DNS traffic through attacker-controlled servers and harvest credentials. The actor has been updating its list of VPS-hosted DNS servers since 2024 and has exploited models including TP-Link (notably the WR841N via CVE-2023-50224) and MikroTik. The campaigns use DHCP DNS tampering and adversary-in-the-middle techniques; the NCSC and Microsoft advise firmware updates, multifactor authentication and network hardening.

SOHO Router Compromise Drives DNS Hijacking and AiTM

🔒 Microsoft Threat Intelligence reports that since at least August 2025 the Russian military-linked actor Forest Blizzard (and sub-group Storm-2754) has been exploiting insecure SOHO routers to reroute DNS queries to actor-controlled resolvers. The actor appears to use the legitimate dnsmasq service on thousands of devices to capture DNS traffic and, selectively, perform TLS adversary-in-the-middle (AiTM) attacks against Microsoft Outlook on the web and targeted government services. Microsoft identified over 200 affected organizations and more than 5,000 consumer devices and published mitigation, detection, and hunting guidance.

Die Linke Confirms Data Stolen by Qilin Ransomware

🔒 Die Linke, a German democratic socialist party, has confirmed that the Russian-speaking ransomware group Qilin stole data from its network and is threatening to leak it. The party stated its membership database was not impacted, but attackers sought sensitive internal documents and employee personal information. Die Linke notified German authorities, filed a criminal complaint, and retained independent IT experts to restore affected systems. Qilin added the party to its leak site on April 1 but had not published any data samples.

NCSC Warns of Targeted Attacks on WhatsApp, Signal Users

🔔 The UK's National Cyber Security Centre (NCSC) has warned of an increase in targeted attacks against users of messaging apps including WhatsApp, Facebook Messenger and Signal, attributing activity to Russia-based actors and noting similar prior activity by APT31 and IRGC-linked hackers. Attackers use malicious links, QR codes, account takeovers, group infiltration and impersonation to steal credentials or deliver malware. The NCSC advises high-risk users to enable multi-factor authentication, avoid sharing verification codes, regularly review linked devices and use corporately managed messaging services for work.

Russian 'CTRL' RAT Distributed via Malicious LNK Files

πŸ›‘οΈ Censys researchers uncovered a Russian-origin remote access toolkit called CTRL that is distributed via weaponized Windows shortcut (LNK) files disguised as private key folders. The multi-stage PowerShell dropper decodes and loads payloads in memory, modifies firewall rules, creates scheduled tasks and backdoor local users, and establishes FRP reverse tunnels for RDP access. Components include a .NET loader, a WPF credential-phishing UI that mimics the Windows PIN prompt, a persistent keylogger, and FRP/RDP wrapper binaries that enable an operator to interact with victims over tunneled RDP while minimizing visible network beaconing.

TA446 Uses Leaked DarkSword iOS Exploit in Email Campaign

🔒 Proofpoint disclosed a targeted email campaign by Russia-linked TA446 that leverages the leaked DarkSword iOS exploit kit to target iPhones. The group used spoofed "discussion invitation" messages impersonating the Atlantic Council to deliver the GHOSTBLADE dataminer and, in some instances, the MAYBEROBOT backdoor via password-protected ZIPs. Proofpoint noted sharply increased message volume and server-side filtering that routes only iPhone browsers to the exploit chain. Apple has issued lock-screen warnings urging immediate updates to block the threat.