Twelve Used Stolen Access, Ransomware, and Wipers Against Russian Targets
Threat actor Twelve, a hacktivist group that emerged during the Russian-Ukrainian conflict, has continued targeting Russian government organizations with intrusions that progress from stolen access to data theft, ransomware deployment, and destructive wiping. Researchers linked a late June 2024 attack to the group through matching tactics, techniques, procedures, and command-and-control infrastructure, indicating Twelve remained active even after its Telegram channel was blocked for publishing personal data. The group commonly gains entry through valid accounts, VPN access, or SSH certificates, sometimes by first compromising contractors connected to the ultimate target.
Once inside, Twelve uses tools including RDP, PowerShell, ngrok, Cobalt Strike, and mimikatz for lateral movement, privilege escalation, credential theft, and evasion. It has also deployed PHP web shells and exploited VMware vSphere flaws CVE-2021-21972 and CVE-2021-22005 to install the FaceFish backdoor on vCenter servers. For impact, the group exfiltrates sensitive data such as Telegram session information, uploads archives to DropMeFiles, encrypts systems with LockBit 3.0- and Chaos-based ransomware variants, and then distributes Shamoon-like wipers through Group Policy and scheduled tasks, underscoring an operation focused on sabotage and reputational damage rather than ransom payments.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Late June 2024 attack linked to Twelve
Researchers linked an attack in late June 2024 to Twelve based on matching tactics, techniques, procedures, and command-and-control infrastructure, indicating the group remained active after its Telegram channel was blocked.
Twelve's Telegram channel is blocked after doxxing posts
In spring 2024, Twelve's Telegram channel was blocked for posting personal data, according to the report.
Hacktivist group Twelve forms amid Russian-Ukrainian conflict
Securelist reported that Twelve was formed in April 2023 as a hacktivist group that primarily targeted Russian government organizations.
Dropbox reports repeated-token extraction flaw to OpenAI
Dropbox disclosed that on January 24, 2024 it reported a repeated-token training data extraction vulnerability affecting OpenAI chat completion models including GPT-3.5 and GPT-4. OpenAI confirmed the GPT-3.5 and GPT-4 issues as vulnerabilities and later patched them by expanding filtering to multi-token repeats and adding server-side timeouts.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Pro-Ukrainian Hacktivists Expand Exchange Intrusions Into CIS and Middle East
Kaspersky reported that several interconnected pro-Ukrainian hacktivist groups, including **4BID**, **Hacker kiт**, **C.A.S**, and **Goffee**, expanded attacks beyond Russia and Belarus to targets in **Kazakhstan, the UAE, Syria, and Egypt**. Victims included government entities, healthcare organizations, and the aviation sector. Researchers said the intrusions commonly began with exploitation of Microsoft Exchange **ProxyShell** vulnerabilities, followed by deployment of the `fd.aspx` ASP.NET web shell, execution of PowerShell or `cmd.exe`, reconnaissance, and installation of remote-management tools such as AnyDesk, Dev Tunnels, Panorama9, Tactical RMM, and Nezha Monitoring. The campaigns used a broad post-compromise toolkit that mixed public C2 frameworks and custom malware, including **Sliver**, **Havoc**, **Mythic Apollo**, **AdaptixC2**, **BlackSalt** backdoor, **Warp RAT**, **BlackReaperRAT**, **ClearWater** ransomware, and an updated **Blackout Locker**. Investigators also observed BYOVD-based EDR killers, including modified EDRKiller variants and GhostDriver, along with signs that some delivery scripts may have been AI-generated. ClearWater was seen encrypting files with **ChaCha20** and **RSA-2048**, dropping ransom notes, changing wallpapers, and deleting recovery artifacts, while Blackout Locker added a persistent screen-locking feature, reinforcing researchers' assessment that the actors are shifting from politically branded hacktivism toward financially motivated operations.
Jun 11, 2026
State-Backed Intrusions Exploit RDP, VPN, SSH, and Supply Chains for Initial Access
Russian and China-linked threat activity has relied on common but effective entry points to penetrate government, telecom, defense, energy, and other critical-sector networks. Ukrainian officials said CERT-UA recorded **5,927 cyber incidents** in 2025, a **37.4% increase** over the prior year, with Russian groups including **UAC-0002 (Sandworm)**, **UAC-0001 (APT28)**, **UAC-0010 (Gamaredon)**, and **UAC-0190 (Void Blizzard)** using exposed **RDP** services, vulnerable **VPN** appliances, supply-chain compromise, phishing, and stolen credentials to gain access. Separately, telecom intrusions tied to the China-linked cluster **UAT-9244** used exposed web applications, **ProxyLogon**, exposed **SSH** services, weak credentials, and unpatched server software to establish footholds in Linux-heavy environments. Once inside, the actors deployed a broad toolset for espionage, persistence, and disruption, including RATs, stealers, ransomware, wipers, and Linux malware such as **PeerTime**, which supports multiple architectures and uses peer-to-peer, BitTorrent-like communications to avoid reliance on centralized command-and-control. The reporting highlights exploitation of products including **Cisco ASA/AnyConnect**, **Roundcube**, **Fortinet**, **WinRAR**, **7-Zip**, and legacy Microsoft Office components, alongside social-engineering tactics such as **ClickFix**, device-code phishing, OAuth phishing, and QR-code hijacking. The campaigns also abused legitimate services and native system tools, while under-monitored embedded Linux devices, routers, edge systems, and container hosts were described as especially attractive for long-term persistence, lateral movement, scanning, and covert communications.
May 25, 2026
Ransomware Attack Uncovers Ongoing Espionage in Russian Organizations
Two Russian organizations were simultaneously targeted by separate cyber attack groups, resulting in the exposure of a long-term espionage campaign. The first group, QuietCrabs, believed to be of Asian origin, focused on cyber espionage and maintained a stealthy presence within the victim networks. The second group, known as Thor, attempted to deploy LockBit and Babuk ransomware but was detected early, which inadvertently led to the discovery of QuietCrabs' ongoing activities. Both groups exploited known vulnerabilities in Microsoft SharePoint Server (CVE-2025-53770) and various Ivanti solutions (CVE-2024-21887, CVE-2025-4427, CVE-2025-4428, CVE-2023-38035) to gain initial access. QuietCrabs utilized an ASPX web shell, KrustyLoader malware, and the Sliver C2 implant for persistence and control, while Thor employed tools such as ADRecon, GodPotato, Secretsdump, Mimikatz, Tactical RMM, MeshAgent, and Rclone for lateral movement, privilege escalation, and data exfiltration. The investigation began after Thor's activity was detected, which prevented the ransomware deployment but also revealed the deeper, more persistent espionage threat posed by QuietCrabs. This incident highlights the risk of multiple, unconnected threat actors targeting the same organization and the potential for noisy attacks to expose more covert operations.
Mar 21, 2026