Pierluigi Paganini@Security Affairs
//
The Russia-linked cyber espionage group Shuckworm, also known as Gamaredon or Armageddon, is actively targeting a Western country's military mission based in Ukraine. The campaign, which began in February 2025 and continued through March, involves the deployment of an updated, PowerShell-based version of its GammaSteel infostealer malware. This latest wave of activity underscores Shuckworm's persistent focus on Ukrainian targets, with the group believed to be operating on behalf of Russia's Federal Security Service (FSB). They have historically concentrated their efforts on government, military, and law enforcement targets in Ukraine.
The initial infection vector in this campaign appears to be infected removable drives. Evidence from the Windows Registry's UserAssist key suggests that the infection was triggered from such an external drive. The attack chain is multi-staged and designed to minimize detection. It involves the execution of obfuscated VBScript and PowerShell scripts stored in the registry. This shift towards PowerShell-based tools allows Shuckworm to improve obfuscation and store scripts directly within the Windows Registry, making file-based detection more challenging.
GammaSteel, the malware deployed in this campaign, now has enhanced reconnaissance features. It is capable of capturing screenshots, gathering system information, and enumerating desktop contents and user documents. The malware targets specific file types such as documents, spreadsheets, and PDFs. Shuckworm's exfiltration methods have also become more sophisticated, utilizing PowerShell web requests or cURL with Tor proxies to extract sensitive data stealthily. This campaign demonstrates an increase in sophistication for Shuckworm, with the group leveraging legitimate web services to lower the risk of detection.
Recommended read:
References :
- bsky.app: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been
targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
- cyberpress.org: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- gbhackers.com: Shuckworm Group Leverages GammaSteel Malware in Targeted PowerShell Attacks
- The Hacker News: Shuckworm targets Western military mission
- Broadcom Software Blogs: Shuckworm Targets Foreign Military Mission Based in Ukraine
- gbhackers.com: The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
- securityonline.info: Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team. This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless […]
- BleepingComputer: The Russian state-backed hacking group Gamaredon (aka "Shuckworm") has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives. [...]
- securityonline.info: Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission
- Cyber Security News: Shuckworm Deploys PowerShell-Based GammaSteel Malware in Precision Attacks
- The Hacker News: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine
- www.bleepingcomputer.com: Russian hackers attack Western military mission using malicious drive
- www.csoonline.com: Russian Shuckworm APT is back with updated GammaSteel malware
- securityaffairs.com: Gamaredon targeted the military mission of a Western country based in Ukraine
- The DefendOps Diaries: Explore Gamaredon's evolving cyber tactics targeting Western military missions with advanced evasion techniques and PowerShell tools.
- www.sentinelone.com: Police arrest SmokeLoader malware customers, AkiraBot abuses AI to bypass CAPTCHAs, and Gamaredon delivers GammaSteel via infected drives.
- PCMag UK security: A suspected state-sponsored Russian group may have developed the 'GammaSteel' attack to help them spy on and steal data from a military mission in Ukraine. A malware-laden storage drive may have helped Russia spy on military activities in Ukraine.
- www.scworld.com: Infected removable drives were used to spread the malware.
- Metacurity: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
- www.metacurity.com: Cybersecurity industry is mum on SentinelOne EO, Comptroller of the Currency lacked MFA on hacked email account, Morocco confirms massive cyber attack, Gamaredon is targeting Western military mission in Ukraine, Ethical hacker stole $2.6m from Morpho Labs, Sex chatbots leak information, much more
- ciso2ciso.com: Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine – Source:thehackernews.com
- ciso2ciso.com: The group targeted the military mission of a Western country, per the report. Infected removable drives have been used by the group.
- Metacurity: Before you head out for a much-deserved weekend break after this insane week, check out today's Metacurity for the most critical infosec developments you should know, including --China acknowledged US cyberattacks at a secret meeting, report --Cybersecurity industry is mum on SentinelOne EO, --Comptroller of the Currency lacked MFA on hacked email account, --Morocco confirms massive cyber attack, --Gamaredon is targeting Western military mission in Ukraine, --Ethical hacker stole $2.6m from Morpho Labs, --Sex chatbots leak information, --much more
- Security Risk Advisors: 🚩Shuckworm Compromises Western Military Mission in Ukraine Using Updated PowerShell GammaSteel Malware
- Security Latest: For the past decade, this group of FSB hackers—including “traitorâ€Â Ukrainian intelligence officers—has used a grinding barrage of intrusion campaigns to make life hell for their former countrymen and cybersecurity defenders.
do son@securityonline.info
//
Russia-aligned cyber threat groups UAC-0050 and UAC-0006 are actively using bulletproof hosting infrastructures to conduct cyberattacks globally. These networks, often obscured by offshore shell companies, provide a shield for malicious activities including espionage, financial theft, and psychological operations. Intrinsec analysts have uncovered campaigns blending cyber espionage, financial theft, and psychological warfare, primarily targeting Ukraine and its allies with tactics like bomb threats and fake banking transactions.
These threat groups heavily rely on bulletproof hosting providers to evade detection. Entities like Global Connectivity Solutions LLP and Railnet LLC act as legal fronts, using offshore shell companies in jurisdictions like Seychelles to make attribution and legal action difficult. This infrastructure also supports ransomware groups like Black Basta and RansomHub and involves frequent IP migrations across autonomous systems, further complicating efforts to block malicious activities. UAC-0050 has also engaged in psychological operations, such as sending bomb threats to Ukrainian institutions under the guise of the "Fire Cells Group."
Recommended read:
References :
- securityonline.info: Bulletproof Hosting Fuels Russia-Linked Intrusion Sets’ Global Cyber Campaign
- Cyber Security News: Russian Hackers Use Bulletproof Network Infrastructure to Evade Detection
- gbhackers.com: Russian Hackers Leverage Bulletproof Hosting to Shift Network Infrastructure
Pierluigi Paganini@Security Affairs
//
A Russian zero-day broker known as Operation Zero is offering up to $4 million for zero-day exploits targeting the Telegram messaging app. This broker exclusively sells vulnerabilities to Russian government and private organizations, suggesting a significant interest from these entities in exploiting Telegram's security flaws. The high bounty offered indicates the immense value of potential targets to these organizations and their willingness to invest heavily in acquiring such exploits.
Operation Zero has released multiple bounty tiers for security vulnerabilities targeting Telegram, with the price depending on the user interaction required. Remote code execution vulnerabilities needing one user interaction fetch $500,000, while a zero-click RCE vulnerability is valued at $1.5 million. A complete exploit chain capable of compromising the entire system may command up to $4 million. This highlights the potential for targeted attacks on individuals or user groups through the platform, given Telegram's user base of over a billion.
Recommended read:
References :
- CyberInsider: Russian Zero-Day Firm Offers Record $4 Million for Telegram Exploits
- infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
- techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
- securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
- securityonline.info: The Russian vulnerability broker, Operation Zero, is a company specializing in the acquisition and sale of security vulnerabilities—whether The post appeared first on .
- Davey Winder: The Russian exploit brokerage firm, Operation Zero, is offering up to $4 million for zero-day vulnerabilities in Telegram. This signifies heightened state-sponsored interest in hacking Telegram.
- hackread.com: A broker that only sells to Russian private and government organizations has just offered $4 million for a zero-day hack attack against the Telegram messenger app.
Carly Page@TechCrunch
//
The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, has announced a significant data breach affecting over 500,000 members. The breach, which occurred in July 2024, resulted in attackers stealing sensitive personal information. PSEA is now notifying the impacted individuals about the incident and the potential risks.
The stolen data includes highly sensitive information, such as government-issued identification documents, Social Security numbers, passport numbers, medical information, and financial data like card numbers with PINs and expiration dates. Member account numbers, PINs, passwords, and security codes were also accessed. PSEA took steps to ensure, to the best of its ability and knowledge, that the stolen data was deleted.
Recommended read:
References :
- bsky.app: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
- BleepingComputer: The Pennsylvania State Education Association (PSEA), the largest public-sector union in Pennsylvania, is notifying over half a million individuals that attackers stole their personal information in a July 2024 security breach.
- techcrunch.com: US teachers’ union says hackers stole sensitive personal data on over 500,000 members
- www.bleepingcomputer.com: Pennsylvania education union data breach hit 500,000 people
- The Register - Security: Attackers swipe data of 500k+ people from Pennsylvania teachers union
- The DefendOps Diaries: Understanding the PSEA Data Breach: Lessons and Future Prevention
- : The Pennsylvania State Education Association (PSEA) has sent breach notifications to over 500,000 current and former members
- Zack Whittaker: Pennsylvania's biggest union for educators had a data breach, exposing over half a million members' personal information.
- securityaffairs.com: Pennsylvania State Education Association data breach impacts 500,000 individuals
- Carly Page: The Pennsylvania State Education Association says hackers stole the sensitive personal and financial information of more than half a million of its members. PSEA said it “took steps†to ensure the stolen data was deleted, suggesting it was the target of a ransomware or data extortion attack, and subsequently paid a ransom demand to the hackers responsible
- infosec.exchange: NEW: A zero-day provider that exclusively sells to the Russian government is offering up to $4 million for flaws in Telegram. This announcement offers a glimpse into what the Russian government may be especially interested in, and willing to pay (even at a premium), right now. Sources in the industry tell me the prices offered are broadly right.
- securityaffairs.com: Zero-day broker Operation Zero offers up to $4 million for Telegram exploits
- techcrunch.com: Russian zero-day seller is offering up to $4 million for Telegram exploits
- CyberInsider: Cyber Insider article about Russian Zero-Day Firm Offering Record $4 Million for Telegram Exploits
- www.techradar.com: Data breach at Pennsylvania education union potentially exposes 500,000 victims
Sunny Yadav@eSecurity Planet
//
A large-scale cryptocurrency miner campaign is currently targeting Russian users, employing the SilentCryptoMiner malware. The malware disguises itself as a legitimate tool designed to bypass internet restrictions, enticing users to download and install it. This campaign has already affected over 2,000 Russian users, who were tricked into downloading fake VPN and DPI bypass tools.
The attackers are distributing the malware through popular YouTube channels, with some boasting over 60,000 subscribers. The malicious files are presented as safe tools, while in reality, the archive contains a Python-based loader that retrieves the miner payload. To further their deception, attackers instruct victims to disable their antivirus programs, falsely claiming they trigger false positives, further exposing their systems to persistent, hidden threats.
Recommended read:
References :
- securityaffairs.com: Large-scale cryptocurrency miner campaign targets Russian users with SilentCryptoMiner
- thehackernews.com: SilentCryptoMiner infects 2,000 Russian users via fake VPN and DPI Bypass Tools
- eSecurity Planet: SilentCryptoMiner Infects 2,000 Russian Users via Fake VPN Tools
@csoonline.com
//
Recent reports have surfaced indicating that the US government ordered a temporary halt to offensive cyber operations against Russia, a decision that has stirred considerable debate and concern within the cybersecurity community. According to an exclusive report, Defense Secretary Pete Hegseth instructed U.S. Cyber Command (CYBERCOM) to suspend all planning against Moscow, including offensive digital actions. The directive, delivered to CYBERCOM chief Gen. Timothy Haugh, appears to be part of a broader effort by the White House to normalize relations with Russia amid ongoing negotiations regarding the war in Ukraine.
The decision to pause cyber operations has been met with skepticism and warnings from cybersecurity professionals, who fear the potential consequences of reducing vigilance against a known digital adversary. Concerns have been raised about potential increases in global cyber threats and a decrease in shared confidence in the U.S. as a defensive partner. However, the Cybersecurity and Infrastructure Security Agency (CISA) has denied these reports, labeling them as fake news and a danger to national security. CISA also noted that Russia has been at the center of numerous cybersecurity concerns for the U.S.
Recommended read:
References :
- bsky.app: DHS says CISA will not stop monitoring Russian cyber threats
- The Register - Security: US Cyber Command reportedly pauses cyberattacks on Russia
- Anonymous ???????? :af:: US Cybersecurity and Infrastructure Security Agency says that media reports about it being directed to no longer follow or report on Russian cyber activity are untrue, and its mission remains unchanged.
- securityboulevard.com: Security Pros Push Back as Trump Orders Halt to Cyber Ops vs. Russia
- www.bitdefender.com: Stop targeting Russian hackers, Trump administration orders US Cyber Command
- www.csoonline.com: US Cybercom, CISA retreat in fight against Russian cyber threats: reports
- Carly Page: The US has suspended its offensive cyber operations against Russia, according to reports, amid efforts by the Trump administration to grant Moscow concessions to end the war in Ukraine.
- Metacurity: US Cybercom, CISA are softening stances on Russia as a cyber foe: reports
- Zack Whittaker: The U.S. has reportedly suspended its offensive cyber operations against Russia, per multiple news outlets, amid efforts by the Trump administration to grant Moscow concessions to end the war in Ukraine.
- securityaffairs.com: CISA maintains stance on Russian cyber threats despite policy shift
- CyberInsider: CISA Denies Reports That It Has Halted Cyber Operations Against Russian Threats
- iHLS: U.S. Pauses Cyber Operations Against Russia
Pierluigi Paganini@securityaffairs.com
//
Russian state-aligned hackers are exploiting the "Linked Devices" feature in Signal Messenger to conduct cyber-espionage campaigns. Google's Threat Intelligence Group (GTIG) has uncovered these campaigns, revealing that the hackers are using phishing tactics to gain unauthorized access to Signal accounts. These campaigns involve tricking users into linking their devices to systems controlled by the attackers.
Russian threat actors are launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest. The hackers employ sophisticated methods to trick targets into linking their Signal account to a device controlled by the attacker, compromising their secure communications.
Recommended read:
References :
- cyberinsider.com: Russian Hackers Exploit Signal’s Linked Devices to Spy on Users
- BleepingComputer: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
- www.bleepingcomputer.com: Russian threat actors have been launching phishing campaigns that exploit the legitimate "Linked Devices" feature in the Signal messaging app to gain unauthorized access to accounts of interest.
- CyberInsider: Google's Threat Intelligence Group (GTIG) has uncovered a series of cyber-espionage campaigns by Russian state-aligned hackers targeting Signal Messenger accounts.
- securebulletin.com: Russia-Aligned actors intensify targeting of Signal Messenger
- securityaffairs.com: Russia-linked threat actors exploit Signal messenger
- Talkback Resources: Russian Groups Target Signal Messenger in Spy Campaign [app] [social]
- cloud.google.com: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine.
- bsky.app: Russian Threat Actors targeting Signal messenger accounts used by individuals of interest to Russia's intelligence services. The goal seems to be espionage or military reconnaissance in context of war in Ukraine. https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger
- cyble.com: Russia-Linked Actors Exploiting Signal Messenger’s “Linked Devices� Feature for Espionage in Ukraine
- Talkback Resources: State-aligned threat actors, particularly from Russia, are targeting Signal Messenger accounts through phishing campaigns to access sensitive government and military communications, exploiting the app's "linked devices" feature for eavesdropping on secure conversations.
- cyberscoop.com: Russian-aligned threat groups dupe Ukrainian targets via Signal
- Talkback Resources: Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger [social]
- Threats | CyberScoop: Russia-aligned threat groups dupe Ukrainian targets via Signal
- www.onfocus.com: Google Threats on Signals of Trouble
- cyberriskleaders.com: Russian Hackers Targeting Ukrainian Signal Users with Malicious QR Codes
- arstechnica.com: Russia-aligned hackers are targeting Signal users with device-linking QR codes Swapping QR codes in group invites and artillery targeting are latest ploys.
- MeatMutts: Google Warns of Russian Hacking Campaign Targeting Ukraine’s Military on Signal
- Talkback Resources: Hackers Exploit Signal's Linked Devices Feature to Hijack Accounts via Malicious QR Codes
- thecyberexpress.com: Russian state-sponsored hackers are ramping up efforts to compromise Signal messenger accounts, particularly those used by Ukrainian military personnel, government officials, and other key figures.
@www.microsoft.com
//
A subgroup of the Russian state-sponsored hacking group APT44, also known as Seashell Blizzard and Sandworm, has been conducting a multi-year campaign named BadPilot, targeting critical organizations and governments. Microsoft's Threat Intelligence team has been researching this operation, revealing that the group aims to gain initial access to strategically important organizations across the U.S. and Europe. This campaign has been active since at least 2021, with the threat actor focusing on initial access, persistence, and maintaining presence to allow for tailored network operations.
The BadPilot hackers have expanded their focus beyond Ukraine and Eastern Europe, now including targets in the U.S. and U.K. since early 2024. Sectors affected include energy, oil and gas, telecommunications, shipping, arms manufacturing, and government entities. Microsoft assesses that while some targeting is opportunistic, the accumulated compromises offer Seashell Blizzard options when responding to Russia’s evolving strategic objectives and national priorities. The group has been exploiting vulnerabilities in ConnectWise ScreenConnect and Fortinet FortiClient EMS security software to achieve this broadened access.
Recommended read:
References :
- therecord.media: A subgroup of Russia's Sandworm state-backed hacking group has been running a multi-year campaign to gain initial access to dozens of strategically important organizations across the U.S. and Europe
- www.bleepingcomputer.com: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
- www.microsoft.com: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
- The Hacker News: Microsoft Uncovers Sandworm Subgroup's Global Cyber Attacks Spanning 15+ Countries
- Know Your Adversary: Microsoft Threat Intelligence have published a on Seashell Blizzard - a high-impact threat actor that conducts global activities ranged from espionage to information operations and cyber-enabled disruptions.
- BleepingComputer: A subgroup of the Russian state-sponsored hacking group APT44, also known as 'Seashell Blizzard' and 'Sandworm', has been targeting critical organizations and governments in a multi-year campaign dubbed 'BadPilot.'
- securityaffairs.com: Russia-linked APT Seashell Blizzard is behind the long running global access operation BadPilot campaign
- Vulnerable U: Russian Hackers Expand Global Cyber Espionage Campaign with "BadPilot" Operation
- hackread.com: Microsoft Uncovers ‘BadPilot’ Campaign as Seashell Blizzard Targets US and UK
- Microsoft Security Blog: The BadPilot campaign: Seashell Blizzard subgroup conducts multiyear global access operation
- Cybernews: Microsoft researchers expose “BadPilot,� a subgroup aiding Kremlin-backed hackers Seashell Blizzard in global cyberattacks
- Information Security Buzz: Russia-Linked Seashell Blizzard Intensifies Cyber Operations Against Critical Sectors
- Industrial Cyber: Microsoft details Seashell Blizzard BadPilot campaign targeting energy, telecom, government sectors
- Security Risk Advisors: Microsoft Security blog post on the BadPilot campaign.
- BleepingComputer: Infosec.exchange post regarding the BadPilot campaign and its global access operation.
- sra.io: SRA.io post discussing Seashell Blizzard's BadPilot campaign to exploit perimeter systems and expand global access.
|
|
FlagThis - #russia