BlackEnergy Used in Targeted Attacks Against Organizations in Ukraine and Poland
ESET reported that the BlackEnergy malware family was used in targeted intrusions against organizations in Ukraine and Poland, linking the activity to a broader campaign focused on compromising selected victims in the region. The reporting described BlackEnergy as an established threat platform adapted for espionage and follow-on malicious activity, with attackers using it to gain footholds inside targeted networks.
The campaign highlighted BlackEnergy’s continued evolution from earlier criminal use into a tool deployed in politically sensitive operations. The incidents underscored the risk to regional government and private-sector entities, showing that attackers were leveraging a known malware framework in focused attacks rather than indiscriminate mass infections.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
1 event from the most recent confirmed update back to the earliest known activity.
ESET publishes analysis of 2014 BlackEnergy attacks in Ukraine and Poland
ESET's WeLiveSecurity blog published a report titled "Back in BlackEnergy: 2014 Targeted Attacks in Ukraine and Poland," documenting targeted BlackEnergy activity affecting organizations in those countries during 2014.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
BlackEnergy and KillDisk Linked to Cyberattack on Ukraine’s Power Grid
Ukrainian authorities reported that attackers used the **BlackEnergy** malware family and the destructive **KillDisk** component during a coordinated intrusion into electric power distribution networks, leading to a temporary disruption of electricity supply. The operation reportedly involved unauthorized remote access to operator environments, interaction with **SCADA/RTU** infrastructure, and actions that interfered with control and communications systems, causing outages that lasted roughly **1 to 3.5 hours** and affected a small share of total annual electricity delivery. The incident was described as a multi-stage compromise of critical infrastructure rather than an isolated malware infection, with the attackers moving from IT environments into operational technology systems used to manage power distribution. In response, **CERT-UA** and Ukrainian officials highlighted defensive measures including stronger network segmentation, limiting direct Internet exposure, improving monitoring and detection, and hardening protections around critical infrastructure networks to reduce the risk of similar grid-disruption attacks.
May 29, 2026
Pro-Ukrainian Hacktivists Expand Exchange Intrusions Into CIS and Middle East
Kaspersky reported that several interconnected pro-Ukrainian hacktivist groups, including **4BID**, **Hacker kiт**, **C.A.S**, and **Goffee**, expanded attacks beyond Russia and Belarus to targets in **Kazakhstan, the UAE, Syria, and Egypt**. Victims included government entities, healthcare organizations, and the aviation sector. Researchers said the intrusions commonly began with exploitation of Microsoft Exchange **ProxyShell** vulnerabilities, followed by deployment of the `fd.aspx` ASP.NET web shell, execution of PowerShell or `cmd.exe`, reconnaissance, and installation of remote-management tools such as AnyDesk, Dev Tunnels, Panorama9, Tactical RMM, and Nezha Monitoring. The campaigns used a broad post-compromise toolkit that mixed public C2 frameworks and custom malware, including **Sliver**, **Havoc**, **Mythic Apollo**, **AdaptixC2**, **BlackSalt** backdoor, **Warp RAT**, **BlackReaperRAT**, **ClearWater** ransomware, and an updated **Blackout Locker**. Investigators also observed BYOVD-based EDR killers, including modified EDRKiller variants and GhostDriver, along with signs that some delivery scripts may have been AI-generated. ClearWater was seen encrypting files with **ChaCha20** and **RSA-2048**, dropping ransom notes, changing wallpapers, and deleting recovery artifacts, while Blackout Locker added a persistent screen-locking feature, reinforcing researchers' assessment that the actors are shifting from politically branded hacktivism toward financially motivated operations.
Jun 11, 2026
ESET Reports Global Surge in State-Aligned Cyberespionage and Destructive Attacks
ESET reported sustained global activity by China-, Iran-, North Korea-, and Russia-aligned threat actors across Q4 2025 and Q1 2026, with operations closely tied to geopolitical priorities. China-aligned groups targeted government, maritime, energy, and technology organizations in countries including Venezuela, Syria, Cambodia, Panama, and South Korea, and also abused **Ivanti VPN** environments. Iran-linked activity shifted during the late-February 2026 war in Iran: established APT operations declined, while proxy, hacktivist, and unattributed actors increased attacks against Israel and other perceived adversaries, including the use of destructive tooling described as a bootkit-style wiper. North Korea-aligned actors continued social-engineering and supply-chain campaigns aimed at developers and cryptocurrency ecosystems, including a Lazarus-linked compromise of the **`axios`** JavaScript library, while **Andariel** resurfaced in South Korea using **TigerRAT** and attempting ransomware deployment. Russia-aligned groups remained heavily focused on Ukraine, with **Sednit** targeting military and drone-related entities and **Sandworm** escalating destructive operations, including a December 2025 incident at a Polish energy company attributed with medium confidence. ESET also documented browser-in-the-browser phishing against a Japanese think tank, **Asin** Android spyware targeting Arabic-speaking users, and the compromise of a UAE defense company through a **SmartOffice CRM** server.
May 29, 2026