Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: russia (12 articles)Clear

FBI warns Russian hackers now steal Signal backup recovery keys to hijack accounts

The FBI and CISA have updated an earlier warning about Russian intelligence targeting Signal accounts, noting the operators have added a step: tricking targets into handing over their Signal backup recovery key. With that key, an attacker can restore the account's backup, read its private and group message history, and take over the account, and the key keeps working afterward. The campaign uses social engineering against high-value targets such as government officials, military personnel, and journalists. It reflects a broader shift toward stealing the recovery and session secrets that sit behind multi-factor authentication rather than attacking the login directly.

Check
High-risk users should review who could have prompted them to share a Signal backup or recovery key, and check Signal for unexpected linked devices or signs their account history was restored elsewhere.
Affected
Signal users targeted by Russian intelligence, especially officials, military personnel, journalists, and activists; a stolen backup recovery key exposes full message history and grants lasting account takeover.
Fix
Never share your Signal backup or recovery key, store it offline, regenerate it if you suspect exposure, verify linked devices, and distrust anyone guiding you through backup steps.

Lithuania investigates theft of 600,000 state registry records; opposition leader alleges Russian intelligence; Centre of Registers chief resigns

Lithuanian authorities are investigating the theft of around 600,000 records from the country's Centre of Registers, which holds state registry data. The breach was detected in early April and disclosed publicly only after weeks of internal investigation. Centre of Registers chief Adrijus Jusas resigned Monday, citing years of underinvestment that would need ~€60 million to address. The leader of Lithuania's conservative opposition alleges 'hallmarks of a Russian intelligence operation' and warns the data (including residential addresses linked to sensitive government personnel) could enable surveillance, phishing, and sabotage planning. Lithuanian prosecutors have neither confirmed nor denied Russian involvement.

Check
If your organization has Lithuanian operations or staff with state registry records, treat residential addresses and personal identifiers as compromised. Monitor for targeted phishing and impersonation.
Affected
Lithuanian citizens and residents whose data is held by the Centre of Registers. Sensitive government personnel are at heightened risk per the opposition leader's warning about surveillance use.
Fix
Lithuanian operations: update access credentials per government guidance. Watch for spear-phishing using residential-address pretexts. NATO/EU defenders: assume similar Eastern European registries are next given the precedent.

Netherlands seizes 800 servers of Stark Industries successor WorkTitans/THE.Hosting - links to NoName057(16) Russian hacktivists

The Dutch Financial Crime Investigation Service (FIOD) has arrested two men and seized 800 servers during raids on data centers in Dronten and Schiphol-Rijk that hosted infrastructure for cyberattacks, disinformation, and influence operations tied to sanctioned Russian and Belarusian entities. The 57-year-old company director and a 39-year-old connectivity provider face charges of indirectly providing economic resources to EU-sanctioned parties. The web hosting company Stark Industries was sanctioned by the EU last May; investigators say its infrastructure was simply transferred to a newly created Dutch company called WorkTitans B.V., trading under THE.Hosting. Mirhosting, which provided physical colocation and connectivity, denies knowingly supporting illegal operations.

Check
Search egress logs for connections to Stark Industries or THE.Hosting / WorkTitans IP ranges since 2022. Cross-reference with NoName057(16) DDoS infrastructure published by national CERTs.
Affected
Targets of pro-Russian disinformation, DDoS, and influence operations - particularly EU government, banking, and critical-infrastructure sectors. NoName057(16) frequently targets Ukrainian allies.
Fix
Block known Stark Industries / WorkTitans / Mirhosting IP ranges at the perimeter where there is no legitimate business need. Refresh DDoS protection runbooks for NoName057(16) campaigns.

Russian FSB actor Turla rebuilds Kazuar backdoor as a modular peer-to-peer botnet

Microsoft Threat Intelligence detailed how Turla, the Russian state actor attributed by CISA to the FSB's Center 16, has transformed its .NET Kazuar backdoor from a monolithic implant into a modular peer-to-peer botnet ecosystem. The new architecture splits responsibilities across three component types - Kernel, Bridge, and Worker - and uses a leader-election mechanism so only one infected host actually talks to the external C2 server, dramatically reducing observable network noise. Turla (also tracked as Secret Blizzard, Snake, Venomous Bear, Uroburos, WRAITH) has been targeting government, diplomatic, and defense organizations across Europe, Central Asia, and Ukraine since 2017; recent operations also leverage Gamaredon for initial access before deploying Kazuar v3.

Check
Hunt for .NET assemblies sideloaded as COM objects with small loader stubs, look for Kazuar Worker behaviors (Outlook data, USB metadata, network shares enumeration), and review east-west traffic for low-volume peering between internal hosts.
Affected
Government, diplomatic, defense, and defense-adjacent organizations in Europe, Central Asia, and Ukraine. Historic FSB target patterns include foreign ministries, embassies, and defense contractors; Gamaredon initial-access activity widens the candidate set across Eastern European industry.
Fix
Block known Kazuar v3 hashes and infrastructure from Microsoft's report, deploy detections for the Kernel-Bridge-Worker P2P pattern (single external talker per cluster), and tighten Outlook PST and USB-history access with EDR rules.

Two pro-Ukraine hacker groups appear to be teaming up to attack Russian companies - sharing servers and tools across phishing and espionage operations

Update on the Head Mare campaign we covered April 28: Kaspersky now reports that BO Team (also known as Black Owl) and Head Mare appear to be coordinating cyber operations against Russian organizations, sharing command-and-control infrastructure on the same compromised hosts. The likely division of labor: Head Mare phishes for initial access, then BO Team takes over for malware deployment. BO Team has shifted from destructive attacks to covert espionage, and in Q1 2026 hit 20 Russian organizations across manufacturing, telecoms, and oil and gas. The group uses BrockenDoor and Remcos backdoors. Earlier BO Team campaigns hit a Russian drone supplier and the federal digital signature authority.

Check
If your organization operates in Russia or has Russian subsidiaries, search proxy logs for BrockenDoor or Remcos C2 infrastructure since January. Hunt phishing emails referencing manufacturing, telecom, or oil and gas subjects with malicious documents.
Affected
Russian organizations across manufacturing, telecoms, and oil and gas - BO Team's Q1 2026 target list. By extension, Russian subsidiaries of Western multinationals operating in these sectors. The pattern of pro-Ukraine hacktivists coordinating with state-aligned operations means defenders cannot treat hacktivist incidents as opportunistic - they may be one stage of a longer espionage operation.
Fix
Block known BrockenDoor and Remcos C2 indicators per Kaspersky's published IoCs. Monitor for the phishing→malware deployment handoff pattern: phishing email landing followed within days by C2 traffic from a different actor. For organizations not in Russia: this is a template for how hacktivist groups in other regional conflicts may coordinate; expect the same pattern in Middle East and APAC tensions.

Chinese hackers slipped a backdoor into the official DAEMON Tools installer for a month - thousands of computers in 100+ countries running tainted software signed with the real developer certificate

Kaspersky disclosed yesterday that the official DAEMON Tools installer - a popular Windows disk-image utility - has been distributing a backdoor since April 8. The trojanized versions (12.5.0.2421 through 12.5.0.2434) are downloaded from the legitimate vendor website and signed with valid AVB Disc Soft certificates. Thousands of infections recorded across 100+ countries, but follow-on payloads went to about a dozen targets in retail, scientific, government, and manufacturing sectors in Russia, Belarus, and Thailand. Kaspersky attributes the attack to Chinese-speaking actors and says it remains active. Detection took roughly a month - similar timeline to the 2023 3CX supply-chain attack.

Check
Search Windows endpoints for DAEMON Tools versions 12.5.0.2421-12.5.0.2434, and verify file hashes of DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe. Search proxy logs for env-check.daemontools.cc since April 8.
Affected
Windows endpoints with DAEMON Tools versions 12.5.0.2421 through 12.5.0.2434 installed since April 8, 2026. Compromised binaries are DTHelper.exe, DiscSoftBusServiceLite.exe, and DTShellHlp.exe in the DAEMON Tools install directory. Acute risk for organizations in Russia, Belarus, and Thailand and in retail, scientific, government, or manufacturing sectors - Kaspersky observed targeted second-stage payloads only on these.
Fix
Uninstall trojanized DAEMON Tools versions and reinstall from a verified clean release. Block env-check.daemontools.cc at the DNS resolver. Treat machines that ran trojanized versions as compromised: rotate credentials, hunt for QUIC RAT, and reimage if any second-stage payload is found. Apply application allowlisting to prevent vendor-signed but compromised binaries from running.

China-linked group is sending 1,600 fake tax-audit emails to Indian and Russian companies, then dropping a brand-new backdoor called ABCDoor

Kaspersky tracked a China-based group called Silver Fox running a tax-themed phishing campaign against organizations in India, Russia, Indonesia, Japan, and South Africa. Phishing emails impersonate the Indian Income Tax Department or Russian tax service with subjects about audits or 'lists of tax violations.' Inside the attached archive sits a modified Rust loader that pulls down a known backdoor called ValleyRAT, plus a brand-new Python-based backdoor called ABCDoor. ABCDoor handles screen recording, keystroke control, clipboard theft, and file operations. Kaspersky logged 1,600+ phishing emails between January and February 2026 across industrial, consulting, retail, and transportation sectors.

Check
Search proxy and DNS logs for connections to abc.haijing88.com since December 2025. Hunt endpoints for pythonw.exe processes initiating outbound HTTPS to unfamiliar destinations.
Affected
Organizations in India, Russia, Indonesia, Japan, and South Africa, particularly in industrial, consulting, retail, and transportation sectors. Finance and accounting staff who routinely receive tax correspondence are the highest-risk role. Multinationals with operations in any of these regions face the same risk through local subsidiaries.
Fix
Block abc.haijing88.com and related Silver Fox infrastructure at the DNS resolver. Train finance staff that real tax correspondence never arrives as a ZIP or RAR archive of 'violations' to download. Quarantine any host running pythonw.exe with unexpected outbound HTTPS, and remove FFmpeg installations not authorized by IT. Rotate credentials on suspected compromised hosts and reimage.

Cyber spies are quietly stealing engineering blueprints and GPS data from Russian aviation companies

Kaspersky disclosed a previously undocumented cyber-espionage group called HeartlessSoul that has been targeting Russian government agencies and aviation companies since at least September 2025 to steal geographic information system (GIS) data - the specialized files containing detailed maps of roads, engineering networks, terrain, and strategic facilities. The targeting suggests state-aligned interest in Russian infrastructure mapping rather than financial gain. Kaspersky did not name a likely sponsor but the targeting profile is consistent with a Ukraine-aligned or Western-aligned operator. The group uses tailored phishing, custom malware, and persistent network access.

Check
If your organization handles GIS data for any government or critical infrastructure customer, assume your sector is now an active target and tighten access controls on map data this week.
Affected
Russian government agencies and aviation companies are the named targets, but the technique is generic: any organization holding detailed GIS files for critical infrastructure (electric grid, telecoms, water, road, rail, military bases) is in the broader target pool. Engineering and architecture firms working on infrastructure projects are particularly exposed.
Fix
Treat GIS files as high-value data and apply DLP rules that flag bulk transfers of .shp, .gdb, .kml, .gpx, and .tif files. Restrict GIS server access to named users with logging on every download. For engineering firms: require two-person approval for downloading complete map sets. Western firms holding sensitive infrastructure maps face the same risk from China, Russia, and others.

Pro-Ukrainian hackers chain three TrueConf bugs to deploy web shells and create rogue admin accounts in Russian networks (CVE chain patched August 2025)

Russian security firm Positive Technologies attributed an ongoing intrusion campaign to PhantomCore, a pro-Ukrainian group also tracked as Head Mare, Rainbow Hyena, and UNG0901. The group is chaining three TrueConf video-conferencing vulnerabilities (patched by the vendor August 27, 2025) to bypass authentication and run commands on TrueConf servers in Russian organizations. After break-in, they drop a PHP web shell, create a rogue user named 'TrueConf2' with admin rights on the conferencing server, and pivot into the wider network using tools including Velociraptor, Memprocfs, DumpIt, and custom backdoors MacTunnelRAT and PhantomSscp. First attacks observed mid-September 2025.

Check
Check every TrueConf Server install in your environment is patched to August 27, 2025 or later, and audit user accounts for any named 'TrueConf2' or similar.
Affected
TrueConf Server installations unpatched since August 27, 2025 - any organization that delayed the August update is exposed. Critical infrastructure, defense, and government organizations using TrueConf for offline-capable conferencing are particularly exposed because TrueConf is heavily used in those sectors.
Fix
Update TrueConf Server to the August 27, 2025 release or later. Audit local TrueConf admin accounts for unfamiliar usernames - the rogue 'TrueConf2' account is a defining indicator. Hunt server logs for PHP web shell activity and TrueConf-server outbound connections to unfamiliar domains. PhantomCore typically pivots into the broader network within days.

Russia behind Signal phishing campaign that compromised Bundestag President Julia Klöckner - 300+ German officials affected

Der Spiegel reported on April 25 that German government sources now blame Russia for a large-scale Signal phishing campaign that compromised the account of Bundestag President Julia Klöckner. At least 300 Signal accounts of German political figures were targeted; investigators say attackers accessed chat histories, files, and phone numbers. Chancellor Friedrich Merz was in the same CDU group chat as Klöckner but his device showed no signs of compromise. The attack used pure social engineering - operators posed as Signal support and asked victims to share verification codes or PINs.

Check
Brief executives, board members, and political-staff who use Signal that anyone messaging them claiming to be 'Signal support' is hostile - Signal never asks for codes by message.
Affected
Signal users in any role attractive to a state intelligence service: politicians, military, diplomats, defense contractors, investigative journalists, NGOs working on Russia or Ukraine, and the executives and assistants of all of the above. The attack works by tricking users into sharing codes - it does not exploit a Signal flaw.
Fix
Train high-risk staff that Signal will never ask for verification codes via message. Enable Signal's Registration Lock PIN. Periodically check Linked Devices and remove anything unfamiliar. Add detection for Signal phishing pages on perimeter URL filters and add Signal account-takeover scenarios to your tabletop catalogue.