State-Backed Intrusions Exploit RDP, VPN, SSH, and Supply Chains for Initial Access
Russian and China-linked threat activity has relied on common but effective entry points to penetrate government, telecom, defense, energy, and other critical-sector networks. Ukrainian officials said CERT-UA recorded 5,927 cyber incidents in 2025, a 37.4% increase over the prior year, with Russian groups including UAC-0002 (Sandworm), UAC-0001 (APT28), UAC-0010 (Gamaredon), and UAC-0190 (Void Blizzard) using exposed RDP services, vulnerable VPN appliances, supply-chain compromise, phishing, and stolen credentials to gain access. Separately, telecom intrusions tied to the China-linked cluster UAT-9244 used exposed web applications, ProxyLogon, exposed SSH services, weak credentials, and unpatched server software to establish footholds in Linux-heavy environments.
Once inside, the actors deployed a broad toolset for espionage, persistence, and disruption, including RATs, stealers, ransomware, wipers, and Linux malware such as PeerTime, which supports multiple architectures and uses peer-to-peer, BitTorrent-like communications to avoid reliance on centralized command-and-control. The reporting highlights exploitation of products including Cisco ASA/AnyConnect, Roundcube, Fortinet, WinRAR, 7-Zip, and legacy Microsoft Office components, alongside social-engineering tactics such as ClickFix, device-code phishing, OAuth phishing, and QR-code hijacking. The campaigns also abused legitimate services and native system tools, while under-monitored embedded Linux devices, routers, edge systems, and container hosts were described as especially attractive for long-term persistence, lateral movement, scanning, and covert communications.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
8 events from the most recent confirmed update back to the earliest known activity.
PeerTime Linux malware identified in telecom-linked intrusion activity
A Linux malware payload called PeerTime was highlighted as supporting multiple architectures including ARM, AArch64, MIPS, PowerPC, and x86, suggesting targeting of embedded appliances, routers, and virtualized infrastructure. The malware reportedly uses peer-to-peer and BitTorrent-like traffic patterns and checks for Docker before execution, indicating an effort to persist in modern enterprise and telecom environments.
Telecom intrusions tied to UAT-9244 use exposed services and weak credentials
Recent telecom-focused intrusions associated with the China-linked cluster UAT-9244 were reported as using exposed web applications, ProxyLogon exploitation, exposed SSH services, weak credentials, and unpatched server-side software for access. The operations emphasized persistence and infrastructure abuse rather than novel exploitation.
CERT-UA reports H2 2025 decline in incidents but more advanced tradecraft
CERT-UA published a report on the second half of 2025 stating that the number of cyber incidents had decreased, while attackers increasingly relied on more sophisticated social engineering and more standardized toolkits. The report added an official Ukrainian assessment of changing threat quality during late 2025 rather than only overall annual volume.
Mandiant publishes threat intelligence on attacks targeting the defense industrial base
Google Cloud/Mandiant published a threat-intelligence report detailing cyber threats affecting the defense industrial base, adding a distinct disclosure focused on DIB-targeting activity. This represents a new reporting development separate from the existing Ukraine-wide and telecom-focused entries.
Russian state-linked groups intensify 2025 campaigns using varied initial access methods
During 2025, Russian state-sponsored groups including UAC-0002 (Sandworm), UAC-0001 (APT28), UAC-0010 (Gamaredon), and UAC-0190 (Void Blizzard) intensified operations using exposed RDP, VPN vulnerabilities, supply-chain compromise, phishing, messaging-app lures, and brokered stolen credentials for initial access. Reported exploitation included flaws in Cisco ASA/AnyConnect, Roundcube, Fortinet, WinRAR, 7-Zip, and legacy Microsoft Office, alongside social-engineering techniques such as ClickFix, Device Code phishing, OAuth phishing, and GhostPairing QR-code hijacking.
CERT-UA records 5,927 cyber incidents in Ukraine during 2025
Ukraine’s CERT-UA recorded about 5,927 cyber incidents in 2025, representing a 37.4% increase over 2024. The activity was described as deliberate and persistent, with government, defense, energy, and other critical sectors in Ukraine and across Europe heavily targeted.
Sandworm breaches 11 Ukrainian telecom providers
Ukraine's CERT-UA disclosed that the Russian state-backed Sandworm group had compromised 11 Ukrainian telecommunications providers since May 2023. The intrusions targeted telecom infrastructure during the war, marking a specific campaign against Ukraine's communications sector.
CISA alerts on Russian targeting of energy and critical infrastructure
CISA issued alert TA18-074A describing Russian government cyber activity targeting U.S. energy, nuclear, commercial facilities, water, aviation, and other critical infrastructure sectors. The alert publicly documented intrusion tactics and warned that the activity enabled access to operationally sensitive networks.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access
cybersecuritynews.com
Open sourceLinux Infrastructure Attacks by FamousSparrow Exploit SSH Weaknesses
linuxsecurity.com
Open sourceДержавна служба спеціального зв’язку та захисту інформації України
cip.gov.ua
Open sourceCERT-UA Reports Drop in Cyber Incidents but Warns of Advanced Social Engineering and Standardised Hacker Toolkits in H2 2025
cip.gov.ua
Open sourceRussian Sandworm hackers breached 11 Ukrainian telcos since May
bleepingcomputer.com
Open sourceRussian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors | CISA
us-cert.cisa.gov
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. **Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
Mar 21, 2026
Social Engineering and Phishing-Driven Intrusions Targeting Identity and Remote Access
Multiple reports highlight **social engineering and phishing** as primary initial-access vectors, with attackers increasingly targeting **identity systems** rather than exploiting software vulnerabilities. Microsoft was again the most spoofed brand in phishing during Q4 2025 (22% of observed brand-impersonation attempts), reflecting how attackers abuse trust in major identity and productivity platforms to harvest credentials; examples cited include lures mimicking Netflix account recovery, Roblox-related pages, and Spanish-language Facebook scams. Separately, an incident response case described payroll fraud achieved without malware or a network breach: an attacker impersonated employees to help desks, reset passwords, re-enrolled MFA, and registered an external email as an authentication method in **Azure Active Directory**, then altered direct-deposit details to redirect paychecks—underscoring how **help-desk processes and MFA reset workflows** can be exploited for persistence and financial theft. Targeted campaigns also show continued evolution in delivery tradecraft for **remote access**. A spear-phishing operation against Argentina’s judicial sector used ZIP attachments containing a weaponized Windows shortcut (`.lnk`) masquerading as a PDF plus scripts and a decoy court document to deploy a **Remote Access Trojan** while minimizing user suspicion. In parallel, research described **Pulsar RAT** (a Quasar RAT derivative) emphasizing stealth via **memory-only execution** and **HVNC**, with TLS-encrypted C2 and configuration retrieval from public paste sites, alongside persistence mechanisms such as scheduled tasks and UAC-bypass techniques. Another campaign attributed to **Konni APT** (“Operation Poseidon”) abused **Google and Naver ad redirection** (e.g., `ad.doubleclick[.]net`, `mkt.naver[.]com`) to launder clicks through trusted ad infrastructure before landing victims on compromised sites hosting malware, demonstrating how open-redirect and ad-tech trust can bypass reputation-based controls.
Mar 21, 2026
Exploitation of Managed File Transfer and Messaging Server Vulnerabilities for Remote Code Execution and Ransomware Deployment
Threat actors continue to prioritize internet-facing infrastructure that provides high-leverage initial access, with multiple reports highlighting **active exploitation of remote code execution (RCE) paths** in widely deployed services. A DFIR case study described attackers exploiting **Apache ActiveMQ** `CVE-2023-46604` by sending a crafted OpenWire command that forced the broker to load a remote Spring XML configuration, leading to payload retrieval via `certutil`, rapid privilege escalation to **SYSTEM**, credential dumping from **LSASS**, and eventual **LockBit** ransomware deployment via **RDP** after re-entry using previously stolen privileged credentials. Separately, incident-response reporting warned of ongoing exploitation against **Managed File Transfer (MFT)** products, including Gladinet *CentreStack* (an LFI issue `CVE-2025-11371` used in an exploit chain culminating in RCE, patched as `CVE-2025-30406`) and Fortra *GoAnywhere MFT* (`CVE-2025-10035`, improper deserialization leading to RCE), with observed activity linked to a threat group associated with **Medusa** ransomware. Broader telemetry and research reinforced that edge and externally exposed services remain the primary battleground for initial access at scale. GreyNoise reported nearly **3 billion** malicious sessions against edge infrastructure in 2H 2025, with heavy targeting of enterprise VPNs (notably **Palo Alto GlobalProtect**) and continued exploitation attempts for older issues such as `CVE-2020-2034`, alongside pervasive scanning of **SSH** and remote access services. In parallel, financially motivated and cybercrime-enabling ecosystems are improving their ability to reach victims: Varonis detailed **1Campaign**, a cloaking service that helps malicious **Google Ads** evade review by serving benign pages to scanners while directing real users to phishing/crypto-drainer content, and Have I Been Squatted documented **Diesel Vortex**, a logistics-focused credential-phishing operation using dozens of domains and an exposed backend repository to support industrialized theft. These trends align with reporting that attackers are increasingly using **AI-assisted social engineering and tooling** (including deepfakes and AI-generated phishing) and with law-enforcement actions such as Interpol-backed **Operation Red Card 2.0**, which resulted in **651 arrests** and $4.3M recovered from cyber-enabled fraud activity across 16 African countries.
Mar 21, 2026