< ciso
brief />
Tag Banner

All news with #russia nexus tag

113 articles · page 2 of 6

Netherlands seizes servers tied to hosting firm

🔎 Financial crime investigators in the Netherlands (FIOD) arrested two men and seized 800 servers linked to a web hosting company accused of enabling cyberattacks, interference operations, and disinformation campaigns. Authorities say the suspects provided resources indirectly to Russian and Belarusian entities sanctioned by the EU, and that infrastructure was moved to a front company after sanctions. Raids recovered servers, laptops, phones, and records across multiple Dutch data centers.
read more →

Kazuar Evolves into Modular P2P Botnet by Secret Blizzard

📡 Microsoft reports that Russian-linked actor Secret Blizzard has turned the long-running Kazuar backdoor into a modular peer-to-peer botnet built for persistence, stealth, and data theft. The malware now runs three modules—Kernel, Bridge, and Worker—with an elected Kernel leader to minimize external C2 traffic and improve stealth. Internal IPC, AES encryption, and Protobuf serialization protect communications, while 150+ configuration options and AMSI/ETW/WLDP bypasses increase evasion.
read more →

Turla Converts Kazuar Into Modular P2P Botnet for Stealth

🐍 Microsoft and CISA report that Russian state-linked Turla has evolved its Kazuar .NET backdoor into a modular, peer-to-peer botnet engineered for stealth and persistence. The architecture now separates into Kernel, Bridge, and Worker modules to minimize footprint and enable flexible tasking. Deployments use droppers such as Pelmeni and ShadowLoader to decrypt and load modules across compromised hosts. The design centralizes staging in a dedicated working directory to maintain state and streamline exfiltration.
read more →

Kazuar: Anatomy of a Nation-State P2P Botnet Operations

🔍 Kazuar, attributed to the Russian state actor Secret Blizzard, has progressed from a traditional backdoor into a modular peer-to-peer botnet engineered for espionage and persistent access. Its architecture separates functionality into Kernel, Bridge, and Worker modules, enabling leader election and SILENT-mode behavior to minimize external visibility. Delivery methods include the Pelmeni dropper and .NET loaders that bind payloads to targeted hosts. The malware uses named pipes, mailslots, and window messaging with AES-encrypted IPC and multiple C2 transports for resilience and stealth.
read more →

FrostyNeighbor targets Ukrainian government with new loader

🧊 ESET telemetry details newly observed operations by the FrostyNeighbor actor, targeting governmental, military and key sectors in Ukraine and neighbouring Eastern European countries. The March 2026 campaign begins with spearphishing PDFs that link to RAR archives containing a JavaScript dropper; the script deploys a JavaScript variant of PicassoLoader which fetches and executes a Cobalt Strike beacon. Operators use server-side validation of IP and user agent to restrict final payload delivery and often host infrastructure behind Cloudflare. The group also employs diverse lure formats and exploit chains to evade detection.
read more →

Inside Department 4: Russia's Secret Hacker School

🔍 A joint investigation uncovered a covert faculty at Bauman Moscow State Technical University, known as Department 4, that appears to funnel students into GRU-linked hacking units. Leaked documents show the GRU controls admissions, curricula, and graduate postings, teaching malware development, penetration testing, and physical surveillance. The report highlights a state-run pipeline producing highly trained cyber operators.
read more →

Russian GRU Used Router Flaws to Steal Office Tokens

🔒 Security researchers say hackers linked to Russia’s GRU used known vulnerabilities in end-of-life routers to mass-harvest Microsoft Office authentication tokens. The actor, tracked as Forest Blizzard (aka APT28/Fancy Bear), altered DNS settings on mostly Mikrotik and TP-Link SOHO devices to route traffic through attacker-controlled DNS servers and perform adversary-in-the-middle (AiTM) interception of OAuth tokens and TLS sessions. Microsoft identified more than 200 affected organizations and about 5,000 consumer devices, while Black Lotus Labs observed the campaign touching over 18,000 routers at its December 2025 peak.
read more →

APT28 Turns Insecure Routers into DNS Hijack Nodes

🔐 Lumen's Black Lotus Labs and Microsoft linked a campaign named FrostArmada to APT28 (aka Forest Blizzard), which compromised insecure MikroTik and TP‑Link SOHO routers to change DNS settings and route traffic to attacker-controlled resolvers. The actors used DNS hijacking to perform passive reconnaissance and attacker-in-the-middle (AitM) operations to harvest passwords, OAuth tokens, and other credentials without user interaction. The malicious infrastructure has been disrupted in a multi‑agency operation led by the U.S. Department of Justice and FBI with international partners.
read more →

Authorities Disrupt Router DNS Hijacks Targeting Microsoft

🔒 An international law enforcement operation, supported by private researchers, disrupted FrostArmada, an APT28 campaign that hijacked DNS settings on compromised MikroTik and TP-Link routers to intercept Microsoft 365 authentication. The attackers redirected DNS to attacker-controlled VPS nodes acting as AitM proxies and captured logins and OAuth tokens. Microsoft, Lumen Black Lotus Labs, the FBI, the DOJ, and Polish authorities took the malicious infrastructure offline and published indicators and mitigations.
read more →

UK NCSC: APT28 Hijacks Routers to Steal Credentials Globally

🔒 The UK’s National Cyber Security Centre (NCSC) warns that Russian-linked APT28 has been compromising vulnerable SOHO routers to redirect DNS traffic through attacker-controlled servers and harvest credentials. The actor has modified a list of VPS-hosted DNS servers since 2024 and exploited models including TP-Link (notably the WR841N via CVE-2023-50224) and MikroTik. The campaigns use DHCP DNS tampering and adversary-in-the-middle techniques; the NCSC and Microsoft advise firmware updates, multifactor authentication and network hardening.
read more →

SOHO Router Compromise Drives DNS Hijacking and AiTM

🔒 Since at least August 2025, Microsoft Threat Intelligence reports that the Russian military-linked actor Forest Blizzard (and sub-group Storm-2754) has been exploiting insecure SOHO routers to reroute DNS queries to actor-controlled resolvers. The actor appears to use the legitimate dnsmasq service on thousands of devices to capture DNS traffic and, selectively, perform TLS adversary-in-the-middle (AiTM) attacks against Microsoft Outlook on the web and targeted government services. Microsoft identified over 200 affected organizations and more than 5,000 consumer devices and published mitigation, detection, and hunting guidance.
read more →

Die Linke Confirms Data Stolen by Qilin Ransomware

🔒 Die Linke, a German democratic socialist party, has confirmed that the Russian-speaking ransomware group Qilin stole data from its network and is threatening to leak it. The party stated its membership database was not impacted, but attackers sought sensitive internal documents and employee personal information. Die Linke notified German authorities, filed a criminal complaint, and retained independent IT experts to restore affected systems. Qilin added the party to its leak site on April 1 but had not published any data samples.
read more →

NCSC Warns of Targeted Attacks on WhatsApp, Signal Users

🔔 The UK's National Cyber Security Centre (NCSC) has warned of an increase in targeted attacks against users of messaging apps including WhatsApp, Facebook Messenger and Signal, attributing activity to Russia-based actors and noting similar prior activity by APT31 and IRGC-linked hackers. Attackers use malicious links, QR codes, account takeovers, group infiltration and impersonation to steal credentials or deliver malware. The NCSC advises high-risk users to enable multi-factor authentication, avoid sharing verification codes, regularly review linked devices and use corporately managed messaging services for work.
read more →

Russian 'CTRL' RAT Distributed via Malicious LNK Files

🛡️ Censys researchers uncovered a Russian-origin remote access toolkit called CTRL that is distributed via weaponized Windows shortcut (LNK) files disguised as private key folders. The multi-stage PowerShell dropper decodes and loads payloads in memory, modifies firewall rules, creates scheduled tasks and backdoor local users, and establishes FRP reverse tunnels for RDP access. Components include a .NET loader, a WPF credential-phishing UI that mimics the Windows PIN prompt, a persistent keylogger, and FRP/RDP wrapper binaries that enable an operator to interact with victims over tunneled RDP while minimizing visible network beaconing.
read more →

TA446 Uses Leaked DarkSword iOS Exploit in Email Campaign

🔒 Proofpoint disclosed a targeted email campaign by Russia-linked TA446 that leverages the leaked DarkSword iOS exploit kit to target iPhones. The group used spoofed "discussion invitation" messages impersonating the Atlantic Council to deliver the GHOSTBLADE dataminer and, in some instances, the MAYBEROBOT backdoor via password-protected ZIPs. Proofpoint noted sharply increased message volume and server-side filtering that routes only iPhone browsers to the exploit chain. Apple has issued lock-screen warnings urging immediate updates to block the threat.
read more →

Severe Cyberattack on Die Linke; Qilin Likely Culprit

🔐 Die Linke says it was hit by a serious cyberattack that it attributes to the hacker group Qilin, possibly Russian‑speaking, and has taken parts of its IT infrastructure offline. Party federal secretary Janis Ehling said attackers appear to be seeking sensitive internal and employee data; the membership database was not compromised. Authorities warned the party as the intrusion was detected, and a criminal complaint has been filed as the party coordinates with security services.
read more →

U.S. Sentences Russian Hacker 6.75 Years for Ransomware Role

🔒 Aleksei Olegovich Volkov, a 26-year-old Russian national, was sentenced in the U.S. to 81 months in prison after pleading guilty to facilitating dozens of ransomware attacks as an initial access broker. Authorities say he helped breach networks and sell access to ransomware groups, resulting in over $9 million in actual losses and more than $24 million in intended losses. He was arrested in Italy in January 2024, extradited to the U.S., and agreed to pay restitution and forfeit tools used in the crimes.
read more →

FBI: Russian-Linked Phishing Targets Signal, WhatsApp

🔒 U.S. agencies warn that threat actors aligned with Russian intelligence are conducting targeted social-engineering phishing campaigns to compromise commercial messaging apps such as Signal and WhatsApp. The attacks have led to unauthorized access to thousands of accounts and involve impersonation of support personnel to request SMS codes, verification PINs, or to deliver malicious QR links. Victims who provide codes can lose account control, while those who scan attacker-controlled QR codes may have past and future messages exposed. Authorities advise never sharing verification codes and regularly reviewing linked devices in app settings.
read more →

FBI Links Signal Phishing to Russian Intelligence Services

🔔 The FBI has publicly attributed widespread phishing campaigns against encrypted messaging apps—primarily Signal and, to a lesser extent, WhatsApp—to actors linked to Russian intelligence services. The adversaries do not break end-to-end encryption; they hijack accounts via social engineering, commonly tricking victims into sharing verification codes or scanning malicious QR codes. Thousands of accounts worldwide have reportedly been compromised, often targeting individuals with sensitive access. Authorities urge users to refuse unsolicited device-linking requests and never share verification codes.
read more →

Russian Intelligence Targets Commercial Messaging Accounts

🔒 CISA and the Federal Bureau of Investigation issued a joint Public Service Announcement warning of ongoing phishing campaigns by cyber actors associated with Russian intelligence services targeting commercial messaging applications (CMAs). The campaigns seek to bypass encryption by compromising individual user accounts rather than breaking application cryptography. Evidence indicates thousands of CMA accounts have been accessed to view messages and contact lists, send messages, and conduct follow-on phishing. CISA and FBI urge users to review the PSA, adopt recommended cybersecurity practices, and remain vigilant for suspicious activity.
read more →