Pro-Ukrainian Hacktivists Expand Exchange Intrusions Into CIS and Middle East
Kaspersky reported that several interconnected pro-Ukrainian hacktivist groups, including 4BID, Hacker kiт, C.A.S, and Goffee, expanded attacks beyond Russia and Belarus to targets in Kazakhstan, the UAE, Syria, and Egypt. Victims included government entities, healthcare organizations, and the aviation sector. Researchers said the intrusions commonly began with exploitation of Microsoft Exchange ProxyShell vulnerabilities, followed by deployment of the fd.aspx ASP.NET web shell, execution of PowerShell or cmd.exe, reconnaissance, and installation of remote-management tools such as AnyDesk, Dev Tunnels, Panorama9, Tactical RMM, and Nezha Monitoring.
The campaigns used a broad post-compromise toolkit that mixed public C2 frameworks and custom malware, including Sliver, Havoc, Mythic Apollo, AdaptixC2, BlackSalt backdoor, Warp RAT, BlackReaperRAT, ClearWater ransomware, and an updated Blackout Locker. Investigators also observed BYOVD-based EDR killers, including modified EDRKiller variants and GhostDriver, along with signs that some delivery scripts may have been AI-generated. ClearWater was seen encrypting files with ChaCha20 and RSA-2048, dropping ransom notes, changing wallpapers, and deleting recovery artifacts, while Blackout Locker added a persistent screen-locking feature, reinforcing researchers' assessment that the actors are shifting from politically branded hacktivism toward financially motivated operations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Kaspersky assesses shift from hacktivism toward financial motivation
Based on the broader targeting and ransomware deployment, the researchers assessed that these actors are moving away from primarily ideological operations toward more financially motivated campaigns.
BYOVD-based EDR killers and AI-generated-looking scripts are documented
The campaigns used EDR-killing tools leveraging bring-your-own-vulnerable-driver techniques, including modified EDRKiller variants and GhostDriver, and researchers also noted signs that some delivery scripts appeared AI-generated.
Researchers observe BlackSalt, ClearWater, and updated Blackout Locker
Post-exploitation activity included a mixed toolset of public C2 frameworks, legitimate remote-management software, and malware such as the newly identified BlackSalt backdoor, ClearWater ransomware, and an updated Blackout Locker ransomware variant.
Campaigns expand beyond Russia and Belarus into the CIS and Middle East
The researchers found that victimology had broadened from primarily Russian and Belarusian targets to organizations in Kazakhstan, the UAE, Syria, and Egypt, including government, healthcare, and aviation-sector entities.
Attackers exploit ProxyShell and deploy fd.aspx web shell for initial access
Across the observed intrusions, the attackers commonly gained access by exploiting Microsoft Exchange ProxyShell vulnerabilities and deploying the fd.aspx ASP.NET web shell, then executing PowerShell or cmd.exe for follow-on activity.
Kaspersky links multiple pro-Ukrainian hacktivist groups in a campaign cluster
Kaspersky researchers analyzed a cluster of campaigns they linked with medium confidence to interconnected pro-Ukrainian hacktivist groups including 4BID, the Hacker kiт, C.A.S, and Goffee, finding overlapping activity that suggested possible cooperation or operational links.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
State-Backed Intrusions Exploit RDP, VPN, SSH, and Supply Chains for Initial Access
Russian and China-linked threat activity has relied on common but effective entry points to penetrate government, telecom, defense, energy, and other critical-sector networks. Ukrainian officials said CERT-UA recorded **5,927 cyber incidents** in 2025, a **37.4% increase** over the prior year, with Russian groups including **UAC-0002 (Sandworm)**, **UAC-0001 (APT28)**, **UAC-0010 (Gamaredon)**, and **UAC-0190 (Void Blizzard)** using exposed **RDP** services, vulnerable **VPN** appliances, supply-chain compromise, phishing, and stolen credentials to gain access. Separately, telecom intrusions tied to the China-linked cluster **UAT-9244** used exposed web applications, **ProxyLogon**, exposed **SSH** services, weak credentials, and unpatched server software to establish footholds in Linux-heavy environments. Once inside, the actors deployed a broad toolset for espionage, persistence, and disruption, including RATs, stealers, ransomware, wipers, and Linux malware such as **PeerTime**, which supports multiple architectures and uses peer-to-peer, BitTorrent-like communications to avoid reliance on centralized command-and-control. The reporting highlights exploitation of products including **Cisco ASA/AnyConnect**, **Roundcube**, **Fortinet**, **WinRAR**, **7-Zip**, and legacy Microsoft Office components, alongside social-engineering tactics such as **ClickFix**, device-code phishing, OAuth phishing, and QR-code hijacking. The campaigns also abused legitimate services and native system tools, while under-monitored embedded Linux devices, routers, edge systems, and container hosts were described as especially attractive for long-term persistence, lateral movement, scanning, and covert communications.
May 25, 2026
Twelve Used Stolen Access, Ransomware, and Wipers Against Russian Targets
Threat actor **Twelve**, a hacktivist group that emerged during the Russian-Ukrainian conflict, has continued targeting Russian government organizations with intrusions that progress from stolen access to data theft, ransomware deployment, and destructive wiping. Researchers linked a late June 2024 attack to the group through matching tactics, techniques, procedures, and command-and-control infrastructure, indicating Twelve remained active even after its Telegram channel was blocked for publishing personal data. The group commonly gains entry through **valid accounts**, VPN access, or SSH certificates, sometimes by first compromising contractors connected to the ultimate target. Once inside, Twelve uses tools including **RDP**, **PowerShell**, **ngrok**, **Cobalt Strike**, and **mimikatz** for lateral movement, privilege escalation, credential theft, and evasion. It has also deployed PHP web shells and exploited VMware vSphere flaws `CVE-2021-21972` and `CVE-2021-22005` to install the **FaceFish** backdoor on vCenter servers. For impact, the group exfiltrates sensitive data such as Telegram session information, uploads archives to **DropMeFiles**, encrypts systems with LockBit 3.0- and Chaos-based ransomware variants, and then distributes **Shamoon-like wipers** through Group Policy and scheduled tasks, underscoring an operation focused on sabotage and reputational damage rather than ransom payments.
May 21, 2026
FamousSparrow Repeatedly Breached Azerbaijani Oil Firm via Microsoft Exchange
A China-linked threat actor tracked as **FamousSparrow** and `UAT-9244` repeatedly compromised an unnamed Azerbaijani oil and gas company in a multi-wave campaign that ran from late December 2025 through late February 2026. Bitdefender assessed with moderate-to-high confidence that the attackers gained initial access by exploiting a vulnerable **Microsoft Exchange Server**, likely through the `ProxyNotShell` chain, and repeatedly re-entered the environment even after remediation efforts. The targeting expands the group's known victimology into Azerbaijan, a country with growing strategic importance to European energy security. Across three intrusion waves, the operators deployed or attempted to deploy **Deed RAT** (also known as **Snappybee**), **TernDoor**, and a modified version of Deed RAT, while using web shells, lateral movement, and redundant footholds to preserve access. Researchers also reported an evolved DLL side-loading technique that abused the legitimate **LogMeIn Hamachi** binary to help evade defenses. The operation was described as sustained and adaptive, with the attackers changing payloads and persistence methods while continuing to exploit the same Exchange entry point.
May 17, 2026