@industrialcyber.co
//
A Russian state-sponsored cyber espionage campaign, attributed to the GRU's APT28 (also known as Fancy Bear or Forest Blizzard), has been actively targeting Western logistics entities and technology companies since 2022. This campaign focuses on organizations involved in the coordination, transport, and delivery of foreign assistance to Ukraine. The goal is to gain access to sensitive information and disrupt operations, presenting a serious risk to these targeted organizations and sectors across more than a dozen countries.
These Russian cyber actors have been using a mix of previously disclosed tactics, techniques, and procedures (TTPs), including credential brute force attacks, spear-phishing using multilingual lures, and malware delivery via malicious archives exploiting vulnerabilities. They've also been observed hacking into IP cameras at Ukrainian border crossings to monitor and track aid shipments. The GRU unit, known as military unit 26165, has been linked to compromising a wide array of entities, spanning air, sea, and rail transportation modes.
To defend against these threats, organizations are urged to familiarize themselves with the identified TTPs and indicators of compromise (IOCs), increase monitoring and threat hunting, and strengthen their network defenses. The attacks have targeted companies and government organizations in numerous countries, including Bulgaria, the Czech Republic, France, Germany, Greece, Italy, Moldova, the Netherlands, Poland, Romania, Slovakia, Ukraine, and the United States. The advisory is co-signed by over 20 agencies from multiple countries, underscoring the global nature of this threat.
Recommended read:
References :
- Metacurity: This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies.
- NCSC News Feed: UK and allies expose Russian intelligence campaign targeting western logistics and technology organisations
- CyberInsider: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
- securityonline.info: Russian GRU’s APT28 Targets Global Logistics Supporting Ukraine Defense
- securityonline.info: Russian GRU Targets Global Logistics Supporting Ukraine Defense
- www.cybersecuritydive.com: Russian stepping up attacks on firms aiding Ukraine, Western nations warn
- cyberinsider.com: Russian GRU Cyber Campaign Targets Western Logistics and Tech Firms
- BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
- BleepingComputer: A Russian state-sponsored cyberespionage campaign attributed to APT28 (Fancy Bear/Forest Blizzard) hackers has been targeting and compromising international organizations since 2022 to disrupt aid efforts to Ukraine.
- securityaffairs.com: Russia-linked APT28 targets western logistics entities and technology firms
- Threats | CyberScoop: Multi-national warning issued over Russia’s targeting of logistics, tech firms
- socprime.com: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
- Blog: Russian APT28 targets Western firms supporting Ukraine
- SOC Prime Blog: Detect APT28 Attacks: russian GRU Unit 26156 Targets Western Logistics and Technology Companies Coordinating Aid to Ukraine in a Two-Year Hacking Campaign
- Metacurity: Russia's APT28 accused of infiltrating Western logistics, technology firms
- Resources-2: Russian APT28 (aka Fancy Bear/Unit 26165) targets Western logistics and tech firms in Ukraine aid tracking operation
- Virus Bulletin: Details a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies involved in the coordination, transport and delivery of foreign assistance to Ukraine.
- DataBreaches.Net: Western intelligence agencies unite to expose Russian hacking campaign against logistics and tech firms
- www.scworld.com: CISA warns Russia-linked group APT28 is targeting Western logistics and tech firms aiding Ukraine, posing an elevated threat to supply chains
- eSecurity Planet: Russian Hackers Target Western Firms Aiding Ukraine, Spy on Shipments
- www.esecurityplanet.com: Russian military hackers are targeting Western firms aiding Ukraine, using cyberespionage to infiltrate logistics networks and spy on arms shipments.
- cyberscoop.com: Multi-national warning issued over Russia’s targeting of logistics, tech firms
- industrialcyber.co: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
- www.csoonline.com: Russian APT28 compromised Western logistics and IT firms to track aid to Ukraine
- Industrial Cyber: Russian GRU’s Unit 26165 conducts two-year cyber espionage on logistics, tech firms using IP cameras, supply chains
Field Effect@Blog
//
A Russia-aligned espionage operation, dubbed Operation RoundPress, has been discovered by ESET researchers. The operation targets webmail software to steal secrets from email accounts, primarily those belonging to governmental organizations in Ukraine and defense contractors in the EU. The Sednit group, also known as APT28 and Fancy Bear, is suspected to be behind the attacks, leveraging spear-phishing emails that exploit XSS vulnerabilities to inject malicious JavaScript code into targeted webmail pages.
The attackers initially targeted Roundcube, but later expanded their reach to include other webmail software such as Horde, MDaemon, and Zimbra. The operation exploits security holes in webmail software to target Ukrainian governmental entities and defense companies in Eastern Europe. Some attacks have even circumvented two-factor authentication, demonstrating the sophistication of the operation and the challenges it poses to threat detection and response mechanisms.
While most of the victims are currently based overseas, security experts suggest that North American entities, particularly those in government, defense, and critical infrastructure sectors, could also be targeted. The group's ability to exploit both known and zero-day vulnerabilities across multiple platforms, coupled with the ability to adapt payloads to specific targets, underscores the need for organizations using vulnerable webmail platforms to remain vigilant. According to experts the hackers are able to steal credentials, emails and contacts without persistent malware installation.
Recommended read:
References :
- Virus Bulletin: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers with spear-phishing emails leveraging an XSS vulnerability. Most of the victims are government entities and defence companies in Eastern Europe.
- www.scworld.com: While most of the victims are based overseas, security pros say it’s plausible the group will also target North America.
- WeLiveSecurity: Operation RoundPress targets webmail software to steal secrets from email accounts belonging mainly to governmental organizations in Ukraine and defense contractors in the EU
Field Effect@Blog
//
A cyber espionage campaign dubbed "Operation RoundPress" has been attributed to the Russian state-sponsored hacking group APT28, also known as Fancy Bear, among other aliases. Security researchers at ESET have uncovered that this operation, active since 2023, targets high-value webmail servers by exploiting cross-site scripting (XSS) vulnerabilities. The primary objective is to steal confidential data from specific email accounts. The attackers have been observed targeting several webmail platforms.
In 2024, the scope of Operation RoundPress expanded beyond Roundcube, including webmail software such as Horde, MDaemon, and Zimbra. Specifically, the group exploited a zero-day XSS vulnerability, CVE-2024-11182, in MDaemon before a patch was available. The vulnerability was reported to the developers on November 1st, 2024, and subsequently patched in version 24.5.1. The exploitation involves injecting malicious JavaScript code into the victim's webmail page via spearphishing emails.
The victims primarily consist of governmental entities and defense companies in Eastern Europe. However, governments in Africa, Europe, and South America have also been targeted. The injected JavaScript payloads, analyzed by ESET and named SpyPress, are designed to steal webmail credentials and exfiltrate contacts and email messages from the victim’s mailbox. In the case of MDaemon, the attackers were able to set up a bypass for two-factor authentication. ESET has made Indicators of Compromise (IOCs) available on their GitHub repository.
Recommended read:
References :
- Blog: Russian APT28 hackers leverage webmail zero-day
- ESET Research: publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra.
- www.welivesecurity.com: publishes its investigation of Operation RoundPress, which uses XSS vulnerabilities to target high-value webmail servers. We attribute the operation to Sednit with medium confidence. In 2023, Operation RoundPress only targeted Roundcube, but in 2024 it expanded to other webmail software including Horde, MDaemon, and Zimbra..
- The Hacker News: Russia-Linked APT28 Exploited MDaemon Zero-Day to Hack Government Webmail Servers
- The DefendOps Diaries: Government Webmail Hacked via XSS Bugs in Global Spy Campaign
- securityonline.info: Operation RoundPress: Sednit Weaponizes XSS to Breach Global Webmail Servers
- Virus Bulletin: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers with spear-phishing emails leveraging an XSS vulnerability. Most of the victims are government entities and defence companies in Eastern Europe.
- WeLiveSecurity: Sednit abuses XSS flaws to hit gov't entities, defense companies
- WeLiveSecurity: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities
- www.scworld.com: Global government webmail servers targeted by Russian cyberespionage operation
- BleepingComputer: Hackers are running a worldwide cyberespionage campaign dubbed 'RoundPress,' leveraging zero-day and n-day flaws in webmail servers to steal email from high-value government organizations.
- securityonline.info: Researchers expose a covert cyberespionage campaign, dubbed Operation RoundPress, believed to be orchestrated by the Russia-aligned Sednit APT group.
- www.techradar.com: Global Russian hacking campaign steals data from government agencies
- www.scworld.com: Sednit group's 'Operation RoundPress' targets webmail servers globally
- hackread.com: ESET reports on RoundPress, a cyber espionage campaign by Russia’s Fancy Bear (Sednit) targeting Ukraine-related organizations via webmail…
- Thomas Roccia :verified:: ESET researchers uncover a Russia-aligned espionage operation targeting webmail servers via XSS vulnerabilities
- ciso2ciso.com: Russian APT Exploiting Mail Servers Against Government, Defense Organizations – Source: www.securityweek.com
Pierluigi Paganini@Security Affairs
//
A hacker has successfully breached TeleMessage, an Israeli company that provides modified versions of secure messaging apps such as Signal, WhatsApp and Telegram to the U.S. government. The breach resulted in the exfiltration of sensitive data, including archived messages from these modified apps. TeleMessage has suspended all services and is currently investigating the incident. The breach highlights the vulnerabilities associated with modifying secure messaging applications, especially concerning the preservation of end-to-end encryption.
The compromised data includes the contents of direct messages and group chats, as well as contact information for government officials. 404 Media reported that the hack exposed data related to U.S. Customs and Border Protection (CBP), the cryptocurrency exchange Coinbase, and several other financial institutions. The hacker claimed the entire process of accessing TeleMessage’s systems took only 15-20 minutes, underscoring the ease with which the security was circumvented. Despite the breach, there are reports that messages from top US government officials and cabinet members were not compromised.
TeleMessage, which was recently in the spotlight after former U.S. National Security Advisor Mike Waltz was seen using their modified version of Signal, offers archiving services for messages. However, the hack revealed that the archived chat logs were not end-to-end encrypted between the modified app and the ultimate archive destination controlled by the TeleMessage customer. Smarsh, the parent company of TeleMessage, has engaged an external cybersecurity firm to support the investigation and has temporarily suspended all TeleMessage services as a precaution. A Coinbase spokesperson stated that the company is closely monitoring the situation, but has not found any evidence of sensitive customer information being accessed or accounts being at risk.
Recommended read:
References :
- securityaffairs.com: SecurityAffairs: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
- Talkback Resources: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov [app]
- www.techradar.com: TeleMessage, the Signal-esque app used by the Trump administration, has been hacked
- www.metacurity.com: A hacker stole content from the Telemessage system used by the US government
- TechCrunch: TeleMessage, a modified Signal clone used by US govt. officials, has been hacked
- The DefendOps Diaries: TeleMessage Breach: Unveiling the Risks of Modified Secure Messaging Apps
- techcrunch.com: TeleMessage, a modified Signal clone used by US government officials, has been hacked
- Risky Business Media: Trump admin’s Signal clone gets hacked, messages exposed
- The Register - Security: Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
- siliconangle.com: The security of U.S. government officials’ communications has come under the spotlight again after a modified Signal app used to archive data from third-party messaging apps was hacked in less than 30 minutes.
- WIRED: Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
- CyberInsider: Signal Clone App Used by Trump Officials Breached in Minutes
- Metacurity: Criminal scam network run by Darcula exposed by journalists, DragonForce takes credit for Co-op attack, NoName attacked Romanian gov't websites on election day, US indicts Black Kingdom ransomware dev, Trump wants to slash nearly $500m from CISA, Qilin claims Cobb Co. attack, much more
- arstechnica.com: TeleMessage, a company that provides modified versions of Signal for message archiving, has suspended its services after a reported hack, exposing communications from U.S. government officials.
- hackread.com: TM SGNL, a chat app by US-Israeli firm TeleMessage used by Trump officials, halts operations after a breach…
- www.404media.co: A hacker has exploited a vulnerability in TeleMessage, a company that provides modified versions of encrypted messaging apps, to extract archived messages and data related to U.S. government officials and companies that used the service, according to a report by 404 Media.
- www.csoonline.com: The Israeli company behind the obscure messaging app former US national security advisor Mike Waltz was photographed using on his iPhone last week was recently hacked, it has been alleged.
- Metacurity: You ask yourself how the Trump administration's insane messing around with the Signal app and its clones could get any worse, and then the universe tells you how. The Signal Clone the Trump Admin Uses Was Hacked
- Dropsafe: US Gov’t Signal-clone with backdoor for message retention, hacked, messages leaked | …I really hope #Ofcom are watching re: the impact of proposed client side scanning
- BleepingComputer: Unofficial Signal app used by Trump officials investigates hack
- arstechnica.com: Signal clone used by Trump official stops operations after report it was hacked
- securityaffairs.com: A hacker stole data from TeleMessage, the firm that sells modified versions of Signal to the U.S. gov
- go.theregister.com: Signal chat app clone used by Signalgate's Waltz was apparently an insecure mess
- iHLS: Israeli Encrypted Messaging Archiving Platform Used by U.S. Officials Compromised in Cyberattack
- www.insicurezzadigitale.com: Clonazione di Signal: sospesa dopo hacking un’app utilizzata da un ex funzionario dell’amministrazione Trump
- bsky.app: TeleMessage, the Signal clone used by US government officials, suffers hack
- Privacy ? Graham Cluley: TeleMessage, the Signal clone used by US government officials, suffers hack
- WIRED: The Signal clone Mike Waltz Was Caught Using Has Direct Access to User Chats
- www.wired.com: Signal Clone Used by Mike Waltz Pauses Service After Reports It Got Hacked
- WIRED: Customs and Border Protection Confirms Its Use of Hacked Signal Clone TeleMessage
- Metacurity: TeleMessage suspends service following reported hack
@slashnext.com
//
A new AI platform called Xanthorox AI has emerged in the cybercrime landscape, advertised as a full-spectrum hacking assistant and is circulating within cybercrime communities on darknet forums and encrypted channels. First spotted in late Q1 2025, this tool is marketed as the "killer of WormGPT and all EvilGPT variants," suggesting its creators intend to supplant earlier malicious AI models. Unlike previous malicious AI tools, Xanthorox AI boasts an independent, multi-model framework, operating on private servers and avoiding reliance on public cloud infrastructure or APIs, making it more difficult to trace and shut down.
Xanthorox AI provides a modular GenAI platform for offensive cyberattacks, offering a one-stop shop for developing a range of cybercriminal operations. This darknet-exclusive tool uses five custom models to launch advanced, autonomous cyberattacks, marking a new era in AI-driven threats. The toolkit includes Xanthorox Coder for automating code creation, script development, malware generation, and vulnerability exploitation. Xanthorox Vision adds visual intelligence by analyzing uploaded images or screenshots to extract data, while Reasoner Advanced mimics human logic to generate convincing social engineering outputs.
Furthermore, Xanthorox AI supports voice-based interaction through real-time calls and asynchronous messaging, enabling hands-free command and control. The platform emphasizes data containment and operates offline, ensuring users can avoid third-party AI telemetry risks. SlashNext refers to it as “the next evolution of black-hat AI” because Xanthorox is not based on existing AI platforms like GPT. Instead, it uses five separate AI models, and everything runs on private servers controlled by the creators, meaning it has few ways for defenders to track or shut it down.
Recommended read:
References :
- cybersecuritynews.com: New Black-Hat Automated Hacking Tool Xanthorox AI Advertised in Hacker Forums
- hackread.com: Xanthorox AI Surfaces on Dark Web as Full Spectrum Hacking Assistant
- slashnext.com: Xanthorox AI – The Next Generation of Malicious AI Threats Emerges
- www.esecurityplanet.com: Xanthorox AI, a darknet-exclusive tool, uses five custom models to launch advanced, autonomous cyberattacks, ushering in a new AI threat era.
- Cyber Security News: New Black-Hat Automated Hacking Tool Xanthorox AI Advertised in Hacker Forums
- SlashNext: Xanthorox AI – The Next Generation of Malicious AI Threats Emerges
- eSecurity Planet: Xanthorox AI: A New Breed of Malicious AI Threat Hits the Darknet
- www.scworld.com: AI tool claims advanced capabilities for criminals without jailbreaks
@World - CBSNews.com
//
The U.S. Justice Department has indicted 12 Chinese nationals for their alleged involvement in state-linked cyber operations. The individuals include employees of the Chinese technology firm i-Soon, members of the APT27 group (also known as Emissary Panda, TG-3390, Bronze Union, and Lucky Mouse), and two officers from China's Ministry of Public Security. These indictments shed light on the hacking tools and methods allegedly employed in a global hacking scandal. The Justice Department stated that the Ministry of State Security (MSS) and Ministry of Public Security (MPS) utilized an extensive network of private companies, including i-Soon, to conduct unauthorized computer intrusions in the U.S. and elsewhere.
The U.S. DoJ charges these individuals with data theft and suppressing dissent worldwide. i-Soon, identified as one of the private companies involved, allegedly provided tools and methods to customers and hacked for the PRC (People's Republic of China). These actions highlight a significant cybersecurity concern involving state-sponsored actors and their use of private firms to conduct cyber espionage.
Recommended read:
References :
- bsky.app: US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- CyberInsider: U.S. Charges 12 Chinese Nationals Over Decade-Long Cyber Espionage Campaign
- The Cyber Express: The United States Department of Justice (DOJ) has taken action against a major cyber threat, opening indictments against 12 Chinese nationals, including two officers from China’s Ministry of Public Security (MPS) and several employees of the Chinese technology firm i-Soon.
- bsky.app: USA accuses China's State of operating network of "hackers for hire". Accused 12 individuals, 2 officers of the PRC Ministry of Public Security (MPS), employees of a private company, Anxun Information Technology Co. Ltd, and members of APT27.
- The Hacker News: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- securityaffairs.com: US DOJ charges 12 Chinese nationals for state-linked cyber operations
- The Register - Security: Xi's freelance infosec warriors apparently paid up to $75K to crack a single American inbox US government agencies announced Wednesday criminal charges against alleged members of China's Silk Typhoon gang, plus internet domain seizures linked to a long-term Chinese espionage campaign that saw Beijing hire miscreants to compromise US government agencies and other major orgs.…
- DataBreaches.Net: U.S. Charges 12 Chinese Contract Hackers and Law Enforcement Officers in Global Computer Intrusion Campaigns
- bsky.app: The US Justice Department has charged Chinese state security officers and APT27 and i-Soon Chinese hackers linked to network breaches and cyberattacks targeting victims worldwide since 2011.
- cyble.com: U.S. Indictments Shed Light on i-Soon Hacking Tools, Methods
- Metacurity: US indicts twelve prolific Chinese hackers, including eight i-Soon staffers
- Carly Page: The Department of Justice has announced criminal charges against 12 Chinese government-linked hackers who are accused of hacking over 100 American organizations, including the U.S. Treasury, over the course of a decade
- Threats | CyberScoop: US indicts 12 Chinese nationals for vast espionage attack spree
- BleepingComputer: The U.S. Justice Department has charged Chinese state security officers along with APT27 and i-Soon hackers for network breaches and cyberattacks that have targeted victims globally since 2011.
- hackread.com: US Charges 12 in Chinese Hacker-for-Hire Network, Offers $10M Reward
- Risky Business Media: US indicts the i-Soon and APT27 hackers, the BADBOX botnet gets disrupted again,authorities seize the Garantex crypto exchange, and the FBI arrests hackers who stole Taylor Swift concert tickets.
- Security | TechRepublic: The article discusses the charges against Chinese hackers for their role in a global cyberespionage campaign.
- techxplore.com: US indicts 12 Chinese nationals in hacking
- : US Charges Members of Chinese Hacker-for-Hire Group i-Soon
- Matthias Schulze: U.S. Charges 12 Chinese Nationals in State-Backed Hacking Operations
- WIRED: US Charges 12 Alleged Spies in China’s Freewheeling Hacker-for-Hire Ecosystem
- Blog: FieldEffect blog post about U.S. indicts 12 Chinese nationals for cyber espionage.
- blog.knowbe4.com: U.S. Justice Department Charges China’s Hackers-for-Hire Working IT Contractor i-Soon
- Talkback Resources: The article details the indictment of 12 Chinese individuals for hacking activities.
- Schneier on Security: The article discusses the indictment of Chinese hackers for their involvement in global hacking activities.
|
|
FlagThis - #hacking