Tag: russia-nexus
All items tagged russia-nexus.
- FortiBleed — Russian-speaking operator cracking 86,644 FortiGate credentials into Active Directory
- The Gentlemen — EDR-killer framework documented, OT-adjacent victim claimed, operator named
- G7 Évian cybersecurity declaration calls PQC an "urgent priority" — and the expected hacktivist DDoS materialised on day one
- UPDATE: FortiBleed reaches 86,644 compromised FortiGate devices; CISA issues emergency hardening guidance
- UPDATE: The Gentlemen (Storm-2697) claims OT-adjacent Mackay Sugar attack; operator attributed to a Russian national
- CVE-2025-8088 — WinRAR path traversal: still fuelling Ukraine intrusions a year after the fix [SINGLE-SOURCE]
- APT28 (GRU Unit 26165) — Sekoia documents a shift to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]
- Sekoia: APT28 (GRU Unit 26165) tradecraft shifts to LLM-generated payloads and cloud-native C2 [SINGLE-SOURCE]
- Year-old WinRAR flaw (CVE-2025-8088) still fuels Ukraine intrusions — GIFTEDCROOK via UAC-0226 and an Earth Dahu chain
- Unit 42: Microsoft Teams external-chat now a primary phishing surface for APT29 and UNC6692
- Gamaredon: GammaPhish → GammaWorm (NTFS ADS + USB) → GammaSteel (S3 exfil) — the week's most complete intrusion kill-chain disclosure [SINGLE-SOURCE Sekoia TDR]
- Gamaredon — GammaPhish / GammaWorm / GammaSteel: Russian FSB campaign with USB worm and S3 exfiltration (Sekoia TDR part one) [SINGLE-SOURCE Sekoia TDR]
- EU 20th Russia sanctions package: managed security services prohibition in force since 25 May; Commission interpretive guidance outstanding
- NCSC Switzerland warns of cyber operations around the G7 Évian summit (15–17 June)
- UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
- Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm
- GREYVIBE — newly documented Russia-nexus cluster deploys five parallel attack chains against Ukraine with AI-generated lures and two PowerShell RATs
- ANNUAL REPORT — ESET APT Activity Report Q4 2025–Q1 2026: Sandworm strikes NATO energy, Lazarus targets EU drone sector, UNC5221 pivots to Ivanti SPAWN toolset
- CrowdStrike, Google and Shadowserver simultaneously sever all four C2 channels of the GlassWorm developer-targeting botnet (not to be confused with the Nx Console / TanStack GitHub-publish chain in § 5) — Russia-attributed, active since early 2025
- FBI FLASH CSA 260526 — Silent Ransom Group sends operatives physically into US law-firm offices to insert USB exfiltration devices when remote social engineering fails
- Lithuania's Centre of Registers loses ~600,000 state-register records to abused institutional credentials; foreign-state actor suspected
- ESET APT Activity Report Q4 2025–Q1 2026 — three state programmes converging on EU energy, defence and edge appliances
- GREYVIBE — independent corroboration; OPSEC slips enabled attribution; charity-front sub-campaign
- EU 20th-package managed-security-services ban in force from 25 May — Switzerland adopted listings only; MSS prohibition deferred
- Netherlands FIOD arrests two over EU sanctions evasion for Stark Industries front; 800 servers seized; NoName057(16) DDoS plumbing dismantled
- Unit 42 — ROADtools operationalised by Midnight Blizzard, Curious Serpens and UTA0355 for Entra ID device registration, token theft and tenant enumeration
- UPDATE: Ghostwriter / UAC-0057 / FrostyNeighbor — CERT-UA documents new OYSTERFRESH → OYSTERBLUES → OYSTERSHUCK implant chain via Prometheus learning-platform lures
- Ghostwriter / UAC-0057 / FrostyNeighbor (Belarus-aligned) — new OYSTER implant chain
- Midnight Blizzard and others operationalise ROADtools for Entra ID abuse
- EU 20th Russia sanctions package — managed-security-services prohibition effective 25 May; Switzerland adopted most measures 22 May
- Public administration and government
- Secret Blizzard / Turla — Kazuar evolved into three-module P2P botnet, European government / diplomatic / defence sectors in scope
- FrostyNeighbor / Ghostwriter (UNC1151) — ESET analysis corroborated, Poland / Lithuania / Ukraine in EU scope
- Secret Blizzard (Turla / FSB Centre 16) evolves Kazuar into a three-module peer-to-peer botnet — worldwide ministries, embassies, defence sector targeted; European environments squarely in scope
- FrostyNeighbor / Ghostwriter (UNC1151, Belarus state-aligned): ESET documents March–May 2026 campaign targeting Polish, Lithuanian, and Ukrainian government and industrial sectors
- Hardening / detection summary
- CVE-2026-32202 — Windows Shell NTLM coercion; Akamai's PatchDiff-AI shows the residual zero-click path left by the CVE-2026-21510 patch
- Critical infrastructure water (PL)
- ABW (Poland) 2025 Annual Report — APT28/APT29/UNC1151 tri-attribution on small-municipal water facilities
- APT28 / APT29 / UNC1151 (Polish water OT)
- Sandworm / GRU Unit 74455 — Bauman pipeline disclosure
- Bauman University "Department No. 4" — leaked GRU cyber-operator training pipeline reveals direct line to Sandworm and APT28 operations against European targets
- UPDATE: Polish water OT intrusions — ABW annual report names five facilities; APT28 / APT29 / UNC1151 formally attributed; NIS2 enforcement context
- CVE-2026-32202 — Windows Shell NTLM coercion / credential capture, APT28 active against EU governments (CISA KEV deadline **2026-05-12**)
- Pro-Russian hacktivists modify OT pump settings at five Polish water treatment facilities
- CVE-2026-32202 — Windows Shell NTLM coercion, APT28 ITW (CVSS 4.3, CISA KEV deadline 2026-05-12)