< ciso
brief />
Tag Banner

All news with #russia nexus tag

113 articles · page 5 of 6

Russian Phishing Campaign Creates 4,300 Fake Travel Sites

💳 A Russian-speaking threat actor has registered more than 4,300 domains since early 2025 to host convincing fake travel and hotel booking pages that harvest payment card data. According to Netcraft researcher Andrew Brandt, the campaign—active since February—uses a customizable phishing kit that serves branded pages for platforms like Booking, Expedia, and Airbnb and supports 43 languages. The kit requires a unique AD_CODE in the URL to render targeted branding (otherwise visitors see a blank page), employs fake Cloudflare-style CAPTCHA, and persists state in a cookie so subsequent pages maintain consistent impersonation. Victims are prompted to pay a deposit; entered card numbers, expiry and CVV are processed in the background while a bogus support chat guides users through a sham 3D Secure step to complete the theft.
read more →

Who, Where and How: APT Attacks Q2–Q3 2025 Report Overview

🔍 The ESET research team released its APT Activity Report covering April–September 2025, summarizing operations by state-aligned hacking groups. The report details espionage, disruptive attacks and monetized campaigns targeting government and corporate networks across multiple regions. Notably, the Russia-aligned group Sandworm deployed several data wipers against Ukraine's grain sector, an apparent attempt to harm economic resilience. ESET Chief Security Evangelist Tony Anscombe outlines key findings in an accompanying video and encourages readers to consult the full report for technical specifics.
read more →

Sandworm Deploys New Wiper Malware in Ukraine Q2–Q3 2025

🛡️ ESET's APT Activity Report covering Q2–Q3 2025 reports that Russian-aligned Sandworm deployed new data wipers, identified as Zerolot and Sting, against Ukrainian targets including government bodies and critical sectors such as energy, logistics and grain. The firm assessed the activity as likely intended to weaken Ukraine's economy. The findings, published on 6 November 2025, also note increased espionage and tool-sharing among other Russia-aligned groups.
read more →

Russian APT Uses Hyper‑V VMs for Stealth and Persistence

🛡️ Bitdefender researchers describe how the Russia-aligned APT group Curly COMrades enabled Windows Hyper-V to deploy a minimal Alpine Linux VM on compromised Windows 10 hosts, creating a hidden execution environment. The compact VM (≈120MB disk, 256MB RAM) hosted two libcurl-based implants, CurlyShell (reverse shell) and CurlCat (HTTP-to-SSH proxy), enabling C2 and tunneling that evaded many host EDRs. Attackers used DISM and PowerShell to enable and run the VM under the deceptive name "WSL," and also employed PowerShell and Group Policy for credential operations and Kerberos ticket injection. Bitdefender warns that VM isolation can bypass EDR and recommends layered defenses including host network inspection and proactive hardening.
read more →

Russian Hackers Hide Malware in Hyper‑V Alpine Linux VMs

🛡️The Russian-linked threat group Curly COMrades abused Microsoft Hyper-V on Windows hosts to deploy a hidden, minimal Alpine Linux VM that hosted custom implants: CurlyShell (reverse shell) and CurlCat (reverse proxy). By using the Hyper-V Default Switch and naming the VM "WSL," outbound C2 traffic appeared to originate from the legitimate host IP, enabling evasion of host-based EDRs. The campaign — active since mid-2024 and observed by Bitdefender with help from the Georgian CERT — also employed PowerShell scripts for LSASS Kerberos ticket injection and Group Policy-based account creation, leaving few forensic traces. Organizations are advised to monitor unexpected Hyper-V activation, abnormal LSASS access or tampering, PowerShell GPO deployments, and to implement network-level inspection and layered defenses.
read more →

Russian Police Arrest Suspected Meduza Stealer Operators

🔒 Russian authorities have arrested three individuals in Moscow accused of creating and operating the Meduza information‑stealing malware. Announced on Telegram by police general Irina Volk, investigators say the group developed and distributed Meduza via hacker forums around two years ago and offered it as a subscription-based service. The tool steals browser-stored credentials and cryptocurrency data and, since December 2023, can resurrect expired Chrome authentication cookies to facilitate account takeover. Authorities opened a criminal case after operators targeted an Astrakhan institution and seized confidential server data.
read more →

Russian Ransomware Gangs Adopt Open-Source AdaptixC2

🔒 AdaptixC2, an open-source command-and-control framework, has been adopted by multiple threat actors, including groups tied to Russian ransomware operations, prompting warnings about its dual-use nature. The tool offers encrypted communications, credential and screenshot managers, remote terminal capabilities, a Golang server, and a cross-platform C++ QT GUI client. Security firms Palo Alto Networks Unit 42 and Silent Push have analyzed its modular capabilities and traced marketing activity to a developer using the handle RalfHacker. Observed abuse includes fake Microsoft Teams help-desk scams and an AI-generated PowerShell loader used to deliver post-exploitation payloads.
read more →

Defense Contractor Pleads Guilty to Selling Zero-Days

🛡️ The former general manager of L3Harris cyber-division Trenchant, Australian national Peter Williams, pleaded guilty in a US district court to stealing and selling zero-day exploit components to a Russian cyber broker. Prosecutors allege he exfiltrated at least eight exploit components via encrypted channels in exchange for millions in cryptocurrency and follow-on support payments. Authorities say the code could be worth tens of millions and that the broker’s clients include the Russian government, creating a national security threat. Williams faces up to 20 years in prison and significant fines.
read more →

Russian-Origin Threat Actors Target Ukrainian Organizations

🔴 Symantec and Carbon Black reported a Russian-origin campaign that targeted a large business services firm and a local government entity in Ukraine, relying on web shells and living-off-the-land techniques to reduce detection. Early activity began on June 27, 2025 with deployment of the LocalOlive web shell, PowerShell exclusions, scheduled memory dumps and credential-theft attempts. Operators used dual-use tools (OpenSSH, RDP changes, winbox64.exe), PowerShell backdoors and native Windows utilities to maintain persistence while minimizing custom malware use. Researchers noted strong Windows tradecraft but could not conclusively attribute the intrusions to a named Russian group.
read more →

Russian ColdRiver Hackers Use Fake CAPTCHA to Deploy Malware

⚠️ Google Cloud’s Threat Intelligence Group attributes a new campaign to Russian state-linked ColdRiver actors who are using fake “I am not a robot” CAPTCHA pages to deliver espionage malware, including NOROBOT, YESROBOT, and MAYBEROBOT. The attackers use a ClickFix social-engineering chain and multi-stage, encrypted payloads with split cryptographic keys to evade detection and rebuild tooling rapidly after exposure. Organizations are urged to emphasize behavioral monitoring, EDR/NDR telemetry, and simulated interactive-phishing tests to detect these user-assisted intrusions.
read more →

Russian Star Blizzard shifts to 'Robot' malware families

🔐 The Russian state-backed Star Blizzard group (aka ColdRiver/UNC4057) has shifted to modular, evolving malware families — NOROBOT, YESROBOT, and MAYBEROBOT — delivered through deceptive ClickFix pages that coerce victims into executing a fake "I am not a robot" CAPTCHA. NOROBOT is a malicious DLL executed via rundll32 that establishes persistence through registry changes and scheduled tasks, stages components (including a Windows Python 3.8 install), and, after iteration, primarily delivers a PowerShell backdoor. Google Threat Intelligence Group and Zscaler observed the transition from May through September and reported that ColdRiver abandoned the previously exposed LostKeys tooling shortly after disclosure. GTIG has published IoCs and YARA rules to help defenders detect these campaigns.
read more →

Coldriver Deploys New 'NoRobot' Malware Suite, 2025

🛡️ Google Threat Intelligence Group (GTIG) has observed the Russian-linked Coldriver group deploying a new, staged malware ecosystem tracked as NoRobot, YesRobot and MaybeRobot. GTIG's October 20, 2025 report shows the campaign replaces the previously disclosed LostKeys strain and begins with a 'ClickFix-style' ColdCopy phishing lure that tricks victims into running a malicious DLL via rundll32.exe. NoRobot functions as a downloader using split-key cryptography and staged payloads; operators briefly used a Python-based backdoor (YesRobot) before switching to a more flexible PowerShell backdoor (MaybeRobot) to reduce detection.
read more →

Google: Three New COLDRIVER Malware Families Identified

🔍 Google Threat Intelligence Group (GTIG) reports three new malware families — NOROBOT, YESROBOT, and MAYBEROBOT — linked to the Russia-attributed COLDRIVER group following public disclosure of LOSTKEYS. The attacks use ClickFix-style HTML lures and fake CAPTCHA prompts to trick users into running malicious PowerShell via the Windows Run dialog. NOROBOT functions as a loader invoked by rundll32.exe, while YESROBOT acted as a brief HTTPS-based Python backdoor and MAYBEROBOT is a more extensible PowerShell implant targeting high-value victims.
read more →

New Russian COLDRIVER Malware: NOROBOT and ROBOTs Variants

🤖 Google Threat Intelligence Group (GTIG) attributes a rapid malware retooling to the Russia-aligned COLDRIVER group after the May 2025 LOSTKEYS disclosure. The campaign uses a COLDCOPY “ClickFix” lure that coerces users to run a malicious DLL via rundll32; the DLL family is tracked as NOROBOT. Early NOROBOT variants fetched a noisy Python backdoor named YESROBOT, which was quickly replaced by a lighter, extensible PowerShell backdoor called MAYBEROBOT. GTIG published IOCs, YARA rules, and protective measures including Safe Browsing coverage and targeted alerts.
read more →

Three Dutch Teens Linked to Russian-Associated Hackers

🧑‍💻 Three 17-year-olds in the Netherlands are suspected of providing services to a foreign power after one was found communicating with an unnamed Russian-government-affiliated hacking group. Prosecutors say the linked suspect directed the others to repeatedly map Wi‑Fi networks in The Hague and then sold the collected data to the client's contact for a fee. The investigation, opened after a report from the Military Intelligence and Security Service, led to two arrests on 22 September and seizure of devices from a third minor. An updated Criminal Code effective 15 May 2025 now criminalizes digital espionage, carrying up to eight years' imprisonment (or up to 12 years in the most serious cases).
read more →

Pro‑Russian DDoS Disrupts German Federal Procurement Portal

🛡️ The German federal procurement portal was rendered inaccessible for almost a week by a sustained DDoS campaign; the service was restored Tuesday afternoon. Security analysts attribute the disruption to the pro‑Russian hacker group NoName057(16), which has previously targeted critical infrastructure, authorities and companies in Western countries. The attacks, confirmed as DDoS by observers, overwhelmed servers with a flood of requests. The Federal Office for Information Security (BSI) said it was informed of the incident. The portal, dtvp.de, is a central nationwide platform for electronic Q&A and bid submissions in public tenders.
read more →

Russia-Aligned Hacktivist Fooled by Water Honeypot

💧Forescout disclosed that a Russia-aligned hacktivist group, TwoNet, was tricked into attacking a honeypot designed to look like a water treatment utility. The actor accessed the HMI with default credentials and created an account named BARLATI to carry out defacement, PLC manipulation, log suppression and process disruption. Forescout said this incident reflects a broader shift from DDoS and defacement toward OT/ICS targeting and provided mitigation guidance.
read more →

Qilin Ransomware Disrupts Mecklenburg County Schools

🔒 A Russian-linked ransomware group, Qilin, has claimed responsibility for a September 2, 2025 attack that disrupted Mecklenburg County Public Schools and said it exfiltrated 305 GB of data, including financial records, grant documents, budgets and children’s medical files. The attack forced teachers offline for about a week while internet systems were restored. Superintendent Scott Worner said the district does not currently intend to pay the ransom and is still assessing the scope, urging other districts to review cyber-insurance and preparedness.
read more →

Cavalry Werewolf Targets Russian Public Sector with RATs

🚨 BI.ZONE warns of a campaign dubbed Cavalry Werewolf that has targeted Russian state agencies and critical industrial sectors using FoalShell and StallionRAT. Attackers used spear-phishing with spoofed Kyrgyz government emails and RAR attachments to deploy lightweight reverse shells and a RAT that exfiltrates data via a Telegram bot. Observed tooling and Telegram commands indicate organized post-compromise operations and use of socks proxies for lateral movement. BI.ZONE links the activity to groups including Tomiris and YoroTrooper, suggesting possible Kazakhstan ties.
read more →

Dutch Teenagers Arrested Over Alleged Pro-Russian Spying

🔎 Two 17-year-olds in the Netherlands were arrested after allegedly being recruited via Telegram by pro‑Russian hackers to map Wi‑Fi networks near government targets. Reports say the youths walked areas of The Hague close to Europol, Eurojust and several embassies while using a Wi‑Fi sniffer; the Canadian embassy was reportedly targeted. The domestic intelligence service tipped off police, who carried out raids and seized evidence. One teenager remains in custody while the other has been electronically tagged and placed under house arrest as the probe continues.
read more →