CISO Brief

All news with #russia nexus tag

87 articles

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia's GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly MikroTik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AitM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.

APT28 Turns Insecure Routers into DNS Hijack Nodes

🔐 Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP‑Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking for passive reconnaissance and for adversary-in-the-middle (AitM) operations that harvested passwords, OAuth tokens, and other credentials without any user interaction. The malicious infrastructure was disrupted in a multi‑agency operation led by the U.S. Department of Justice and FBI with international partners.

Authorities Disrupt Router DNS Hijacks Targeting Microsoft

🔒 An international law enforcement operation, supported by private researchers, disrupted FrostArmada, an APT28 campaign that hijacked DNS settings on compromised MikroTik and TP-Link routers to intercept Microsoft 365 authentication. The attackers redirected DNS to attacker-controlled VPS nodes acting as AitM proxies and captured logins and OAuth tokens. Microsoft, Lumen Black Lotus Labs, the FBI, the DOJ, and Polish authorities took the malicious infrastructure offline and published indicators and mitigations.

UK NCSC: APT28 Hijacks Routers to Steal Credentials Globally

🔒 The UK's National Cyber Security Centre (NCSC) warns that Russian-linked APT28 has been compromising vulnerable SOHO routers to redirect DNS traffic through attacker-controlled servers and harvest credentials. Since 2024 the actor has pointed victims at a set of VPS-hosted DNS servers, and it has exploited models including TP-Link (notably the WR841N via CVE-2023-50224) and MikroTik. The compromised routers hand the attacker's resolvers to LAN clients via DHCP, enabling adversary-in-the-middle (AitM) interception; the NCSC and Microsoft advise firmware updates, multifactor authentication and network hardening.

SOHO Router Compromise Drives DNS Hijacking and AiTM

🔒 Microsoft Threat Intelligence reports that since at least August 2025 the Russian military-linked actor Forest Blizzard (and sub-group Storm-2754) has been exploiting insecure SOHO routers to reroute DNS queries to actor-controlled resolvers. The actor appears to use the legitimate dnsmasq service on thousands of devices to capture DNS traffic and, selectively, to perform TLS adversary-in-the-middle (AitM) attacks against Microsoft Outlook on the web and targeted government services. Microsoft identified over 200 affected organizations and more than 5,000 consumer devices and published mitigation, detection, and hunting guidance.
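The router DNS hijacks in the five reports above work the same way: the compromised router hands out an attacker resolver via DHCP, and that resolver points Microsoft login hostnames at an AitM proxy. As an added example (not code from Microsoft, Lumen, the NCSC or this site), the Python below shows two checks a defender can run from an endpoint: whether the configured resolvers are on an allowlist, and whether answers for login hostnames either land in LAN address space or collapse onto one address that a trusted resolver never returns. The allowlist, hostnames, resolv.conf text and answer sets are constructed sample data; `system_resolver` does a live lookup if you want to swap it in, and the trusted answer set is assumed to come from an out-of-band baseline (for example a DoH query over a known-good path).

```python
"""Endpoint-side checks for router-level DNS hijacking of cloud logins.

Added example; not code from any vendor or agency named on this page.
All hostnames, addresses and sample answers below are constructed.
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Set

Answers = Dict[str, Set[str]]

# Hostnames an AitM proxy would most want to intercept (example set).
WATCHED_HOSTS = [
    "login.microsoftonline.com",
    "outlook.office.com",
    "outlook.office365.com",
]

# Resolvers the organisation expects clients to use (constructed allowlist).
EXPECTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Address space a public login service must never resolve into.
LAN_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]

# Constructed sample: the router (192.168.88.1) advertised itself via DHCP.
SAMPLE_RESOLV_CONF = "# constructed sample\nnameserver 192.168.88.1\n"

# Constructed sample: every login hostname funnels to one attacker VPS.
HIJACKED_LOCAL: Answers = {
    "login.microsoftonline.com": {"198.51.100.7"},
    "outlook.office.com": {"198.51.100.7"},
    "outlook.office365.com": {"198.51.100.7"},
}

# Constructed sample: a different CDN node for one host, which is normal.
CLEAN_LOCAL: Answers = {
    "login.microsoftonline.com": {"203.0.113.22"},
    "outlook.office.com": {"203.0.113.40"},
    "outlook.office365.com": {"203.0.113.41"},
}

# Constructed baseline obtained over a trusted path.
TRUSTED: Answers = {
    "login.microsoftonline.com": {"203.0.113.20", "203.0.113.21"},
    "outlook.office.com": {"203.0.113.40"},
    "outlook.office365.com": {"203.0.113.41"},
}


def parse_resolv_conf(text: str) -> List[str]:
    """Return nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def unexpected_resolvers(configured: List[str], expected: Set[str]) -> List[str]:
    """Configured resolvers missing from the allowlist (router or VPS addresses)."""
    return [s for s in configured if s not in expected]


def is_lan_address(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def system_resolver(host: str) -> Set[str]:
    """Live lookup through the OS resolver, i.e. whatever DHCP handed out."""
    return {ai[4][0] for ai in socket.getaddrinfo(host, 443, socket.AF_INET)}


def resolve_all(hosts: List[str], resolver: Callable[[str], Set[str]]) -> Answers:
    return {h: resolver(h) for h in hosts}


def hijack_findings(local: Answers, trusted: Answers) -> List[str]:
    """Flag answers consistent with a router-hosted or VPS-hosted AitM proxy."""
    findings = []
    # 1. A cloud login hostname must never resolve into LAN space; a router
    #    running dnsmasq as the interception point answers with itself.
    for host, addrs in local.items():
        for a in addrs:
            if is_lan_address(a):
                findings.append(f"{host} -> {a}: LAN address for a public login service")
    # 2. Answers disjoint from the baseline are normal for CDN-backed services,
    #    so only flag when several distinct services collapse onto one address
    #    the trusted resolver never returns: the signature of a single proxy.
    funnel: Dict[str, List[str]] = {}
    for host, addrs in local.items():
        if trusted.get(host) and addrs.isdisjoint(trusted[host]):
            for a in addrs:
                funnel.setdefault(a, []).append(host)
    for a, hosts in funnel.items():
        if len(hosts) >= 2:
            findings.append(f"{a} answers for {', '.join(sorted(hosts))} and is absent from the baseline")
    return findings


def main() -> None:
    bad = unexpected_resolvers(parse_resolv_conf(SAMPLE_RESOLV_CONF), EXPECTED_RESOLVERS)
    print("resolvers not on allowlist:", bad)
    for label, local in (("hijacked", HIJACKED_LOCAL), ("clean", CLEAN_LOCAL)):
        print(label, hijack_findings(local, TRUSTED) or ["no findings"])
    # Live mode: hijack_findings(resolve_all(WATCHED_HOSTS, system_resolver), TRUSTED)


if __name__ == "__main__":
    main()
```

Run it on a host whose DHCP lease came from a suspect router and read the two outputs together: an off-allowlist resolver alone is a configuration drift finding, while the funnel finding is what distinguishes an interception proxy from ordinary CDN answer variation.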

Die Linke Confirms Data Stolen by Qilin Ransomware

🔒 Die Linke, a German democratic socialist party, has confirmed that the Russian-speaking ransomware group Qilin stole data from its network and is threatening to leak it. The party stated its membership database was not impacted, but attackers sought sensitive internal documents and employee personal information. Die Linke notified German authorities, filed a criminal complaint, and retained independent IT experts to restore affected systems. Qilin added the party to its leak site on April 1 but had not published any data samples.

NCSC Warns of Targeted Attacks on WhatsApp, Signal Users

🔔 The UK's National Cyber Security Centre (NCSC) has warned of an increase in targeted attacks against users of messaging apps including WhatsApp, Facebook Messenger and Signal, attributing activity to Russia-based actors and noting similar prior activity by APT31 and IRGC-linked hackers. Attackers use malicious links, QR codes, account takeovers, group infiltration and impersonation to steal credentials or deliver malware. The NCSC advises high-risk users to enable multi-factor authentication, avoid sharing verification codes, regularly review linked devices and use corporately managed messaging services for work.

Russian 'CTRL' RAT Distributed via Malicious LNK Files

🛡️ Censys researchers uncovered a Russian-origin remote access toolkit called CTRL that is distributed via weaponized Windows shortcut (LNK) files disguised as private key folders. The multi-stage PowerShell dropper decodes and loads payloads in memory, modifies firewall rules, creates scheduled tasks and backdoor local users, and establishes FRP reverse tunnels for RDP access. Components include a .NET loader, a WPF credential-phishing UI that mimics the Windows PIN prompt, a persistent keylogger, and FRP/RDP wrapper binaries that enable an operator to interact with victims over tunneled RDP while minimizing visible network beaconing.

TA446 Uses Leaked DarkSword iOS Exploit in Email Campaign

🔒 Proofpoint disclosed a targeted email campaign by Russia-linked TA446 that leverages the leaked DarkSword iOS exploit kit to target iPhones. The group used spoofed "discussion invitation" messages impersonating the Atlantic Council to deliver the GHOSTBLADE dataminer and, in some instances, the MAYBEROBOT backdoor via password-protected ZIPs. Proofpoint noted sharply increased message volume and server-side filtering that routes only iPhone browsers to the exploit chain. Apple has issued lock-screen warnings urging immediate updates to block the threat.

Severe Cyberattack on Die Linke; Qilin Likely Culprit

🔐 Die Linke says it was hit by a serious cyberattack that it attributes to the hacker group Qilin, possibly Russian‑speaking, and has taken parts of its IT infrastructure offline. Party federal secretary Janis Ehling said attackers appear to be seeking sensitive internal and employee data; the membership database was not compromised. Authorities warned the party as the intrusion was detected, and a criminal complaint has been filed as the party coordinates with security services.

U.S. Sentences Russian Hacker 6.75 Years for Ransomware Role

🔒 Aleksei Olegovich Volkov, a 26-year-old Russian national, was sentenced in the U.S. to 81 months in prison after pleading guilty to facilitating dozens of ransomware attacks as an initial access broker. Authorities say he helped breach networks and sell access to ransomware groups, resulting in over $9 million in actual losses and more than $24 million in intended losses. He was arrested in Italy in January 2024, extradited to the U.S., and agreed to pay restitution and forfeit tools used in the crimes.

FBI: Russian-Linked Phishing Targets Signal, WhatsApp

🔒 U.S. agencies warn that threat actors aligned with Russian intelligence are conducting targeted social-engineering phishing campaigns to compromise commercial messaging apps such as Signal and WhatsApp. The attacks have led to unauthorized access to thousands of accounts and involve impersonation of support personnel to request SMS codes, verification PINs, or to deliver malicious QR links. Victims who provide codes can lose account control, while those who scan attacker-controlled QR codes may have past and future messages exposed. Authorities advise never sharing verification codes and regularly reviewing linked devices in app settings.

FBI Links Signal Phishing to Russian Intelligence Services

🔔 The FBI has publicly attributed widespread phishing campaigns against encrypted messaging apps—primarily Signal and, to a lesser extent, WhatsApp—to actors linked to Russian intelligence services. The adversaries do not break end-to-end encryption; they hijack accounts via social engineering, commonly tricking victims into sharing verification codes or scanning malicious QR codes. Thousands of accounts worldwide have reportedly been compromised, often targeting individuals with sensitive access. Authorities urge users to refuse unsolicited device-linking requests and never share verification codes.

Russian Intelligence Targets Commercial Messaging Accounts

🔒 CISA and the Federal Bureau of Investigation issued a joint Public Service Announcement warning of ongoing phishing campaigns by cyber actors associated with Russian intelligence services targeting commercial messaging applications (CMAs). The campaigns seek to bypass encryption by compromising individual user accounts rather than breaking application cryptography. Evidence indicates thousands of CMA accounts have been accessed to view messages and contact lists, send messages, and conduct follow-on phishing. CISA and FBI urge users to review the PSA, adopt recommended cybersecurity practices, and remain vigilant for suspicious activity.

BlackSanta EDR-Killer Targets HR and Recruitment Teams

🔍 Aryaka Threat Research Lab has identified a campaign that distributes resume-like attachments to HR and recruiting staff, deploying a component named BlackSanta that attempts to disable endpoint detection and response. The multi-stage infection chain performs system reconnaissance, sandbox and VM checks, and geographic and language filtering before downloading further payloads. The attackers appear Russian-speaking and abuse routine hiring workflows to raise the odds of a click, with encrypted command-and-control traffic supporting persistence and data exfiltration.

BlackSanta EDR Killer Targets HR Departments Globally

🛡️ Researchers at Aryaka uncovered a Russian-speaking threat actor using targeted spear-phishing emails that delivered ISO attachments masquerading as resumes to deploy a new EDR-killing module named BlackSanta. The multi-stage infection leverages a malicious .LNK to launch a PowerShell script that extracts hidden code via steganography and runs payloads in memory. The chain also uses DLL sideloading with a legitimate SumatraPDF executable and a malicious DWrite.dll, and performs extensive fingerprinting and environment checks to evade sandboxes. BlackSanta disables and terminates security tooling, adjusts Microsoft Defender settings and suppresses notifications to minimize user alerts.

X Suspended 800M Accounts in 2024; Manipulation Remains

🛡️ X told British MPs it suspended 800 million accounts in 2024 for breaching rules on platform manipulation and spam. Company government affairs executive Wifredo Fernández said Russia was the most active state-backed manipulator, followed by Iran and China, and that efforts to influence elections and 'flood the zone' persist. Despite Elon Musk's prior pledge to purge bots, X acknowledges hundreds of millions of inauthentic accounts are removed annually, raising concerns about uncaught actors and moderation practices.

Russian Campaign Targets Signal and WhatsApp Accounts

🔒 Dutch intelligence has uncovered a large-scale campaign by Russian state actors to hijack Signal and WhatsApp accounts belonging to military, government and other high-value individuals worldwide. The attackers impersonate support bots, request SMS verification codes or PINs, and exploit linked-device QR flows to add devices. Authorities warn these consumer apps, while end-to-end encrypted, are unsuitable for classified material and have issued guidance to detect and remediate account takeovers.

APT28-Linked Campaign Deploys BadPaw Loader and MeowMeow

🐾 ClearSky reports a Russian-linked campaign targeting Ukrainian entities that deploys a .NET loader named BadPaw and a backdoor called MeowMeow. The attack begins with a phishing message that lures victims to download a ZIP archive containing an HTA decoy presenting a Ukrainian border-crossing appeal while executing hidden stages. The HTA extracts a VBScript and a PNG-embedded loader, establishes persistence via a scheduled task, and orchestrates retrieval of the MeowMeow backdoor from a remote C2 server. Researchers attribute the operation to APT28 with moderate confidence based on targeting, lures, and tradecraft overlaps.

Open-Source CyberStrikeAI Deployed in FortiGate Attacks

🚨 Security researchers say an open-source, AI-native offensive platform called CyberStrikeAI was used to automate mass scanning and exploitation of Fortinet FortiGate appliances, contributing to compromises of more than 600 devices across 55 countries. Team Cymru traced activity to a Russian-speaking actor after analyzing an IP address and observed 21 unique IPs running the tool between January 20 and February 26, 2026. The tool's GitHub maintainer, known as Ed1s0nZ, has published a range of exploitation and AI-jailbreak utilities and shows interactions with organizations linked to Chinese state cyber capabilities.