CyberSecurity news

FlagThis - #threatactor

Rescana@Rescana //
Void Blizzard, a cyber threat actor with ties to Russia, has been identified as conducting extensive cyberespionage operations targeting critical sectors across Europe and North America. These operations, active since at least April 2024 and escalating in 2025, are aimed at gathering intelligence crucial to Russian governmental objectives. The targeted sectors include government, defense, transportation, media, NGOs, and healthcare, reflecting a broad scope of interest. Void Blizzard, also known as LAUNDRY BEAR, employs various techniques to infiltrate organizations and steal sensitive data.

Spear phishing and credential theft are among the primary methods used by Void Blizzard. The group has been observed using stolen credentials sourced from infostealer ecosystems and launching spear phishing campaigns with typosquatted domains to mimic authentication portals. They also utilize adversary-in-the-middle (AitM) tactics with tools like Evilginx to intercept credentials. A notable campaign in April 2025 targeted over 20 NGOs with a spear phishing attack using a typosquatted domain resembling a Microsoft Entra authentication page. Their post-compromise activities include cloud service abuse, leveraging legitimate cloud APIs for data enumeration and exfiltration, and automating the collection of emails and files from cloud services like Exchange Online and SharePoint.

Meanwhile, security researchers at ESET have uncovered a separate but related cyberespionage campaign dubbed "BladedFeline" targeting Iraqi and Kurdish officials. This operation, linked to OilRig, an Iran-based APT group, utilizes malicious tools such as Whisper, PrimeCache, and Shahmaran to gain unauthorized access to computer systems. The attackers primarily compromise webmail servers to deploy Whisper, a tool designed for data exfiltration and command execution. PrimeCache, a backdoor Internet Information Services (IIS) module, allows persistent covert access to targeted servers. The campaign also highlights the continued use of the Shahmaran backdoor, previously associated with attacks targeting Kurdish diplomatic officials, indicating a sustained interest in intelligence gathering related to Kurdish affairs.



References:
  • be4sec: Cyberespionage Campaign Targets Iraqi and Kurdish Officials with Sophisticated Malware
  • Rescana: Void Blizzard Cyberespionage: Targeting Critical Sectors and Systems in Europe and North America
@The DefendOps Diaries //
A Russian threat actor, known as Water Gamayun or EncryptHub, is actively exploiting a zero-day vulnerability in the Microsoft Management Console (MMC) framework, identified as CVE-2025-26633. This flaw, dubbed MSC EvilTwin, enables attackers to execute malicious code on infected Windows systems. The attackers manipulate .msc files and the MMC's Multilingual User Interface Path (MUIPath) to bypass security features and deploy various malicious payloads.

Water Gamayun employs sophisticated delivery methods, including provisioning packages, signed MSI files, and Windows MSC files. The group's arsenal includes custom backdoors like SilentPrism and DarkWisp, as well as variants of the EncryptHub Stealer, Stealc, and Rhadamanthys. These payloads are designed to maintain persistence, steal sensitive data, and exfiltrate it to command-and-control servers, using encrypted channels and anti-analysis techniques. Organizations can protect themselves through up-to-date patch management and advanced threat detection technologies.



References:
  • www.cybersecuritydive.com: Russian threat actor weaponized Microsoft Management Console flaw
  • www.trendmicro.com: Trend Research discusses the delivery methods, custom payloads, and techniques used by Water Gamayun, the suspected Russian threat actor abusing a zero-day vulnerability in the Microsoft Management Console framework (CVE-2025-26633) to execute malicious code on infected machines.
  • iHLS: A threat actor is leveraging a zero-day vulnerability in the Microsoft Management Console (MMC) to distribute malware.
  • Virus Bulletin: Trend Micro researchers identified a campaign by the Russian threat actor Water Gamayun exploiting CVE-2025-26633, a zero-day vulnerability in the Microsoft Management Console.
  • doublepulsar.com: Bleeping Computer reports on claims of a breach of Oracle Cloud federated SSO login servers.
  • www.cybersecuritydive.com: Confirmation of patient data stolen in alleged cloud breach.
  • : Reports indicate Oracle Health customers received a letter about a data compromise.
  • Techzine Global: Oracle acknowledged the breach related to their health tech division.
  • www.cybersecuritydive.com: Security firms brace for impact of potential Oracle Cloud breach
  • DataBreaches.Net: Oracle attempt to hide serious cybersecurity incident from customers in Oracle SaaS service
  • infosec.exchange: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on.
  • Risky Business Media: Risky Bulletin: Oracle's healthtech division hacked, customers extorted
  • aboutdfir.com: Oracle Health breach compromises patient data at US hospitals. A breach at Oracle Health impacts multiple US healthcare organizations and hospitals after a threat actor stole patient data from legacy servers. Oracle Health has not yet publicly disclosed the incident, but in private communications sent to impacted customers and from conversations with those involved, BleepingComputer confirmed […]
  • techcrunch.com: Oracle under fire for its handling of separate security incidents
  • techxplore.com: Oracle warns health customers of patient data breach
  • The Register - Security: 1990s incident response in 2025. Two Oracle data security breaches have been reported in the past week, and the database goliath not only remains reluctant to acknowledge the disasters publicly – it may be scrubbing the web of evidence, too.…
  • www.csoonline.com: Oracle’s healthcare subsidiary, Oracle Health, has suffered a data breach, potentially exposing customers’ sensitive data, the company told some of its customers.
  • SiliconANGLE: Oracle denies cloud breach, while researchers point to credible indicators
  • Danny Palmer: NEW: Oracle is apparently dealing with two separate breaches — one affecting Oracle Cloud, and one Oracle Health — but the company refuses to say what's actually going on. Both public and employees are confused at this point, as there is little transparency. Here's a recap of what's happening.
Classification:
  • HashTags: #ZeroDay #ThreatActor #CyberAttack
  • Company: Trend Micro
  • Target: Windows Systems
  • Attacker: EncryptHub(Water Gamayun)
  • Product: Microsoft Management Console
  • Feature: Zero-Day Exploit
  • Malware: EncryptHub
  • Type: 0Day
  • Severity: Critical