
From May to July 2025, Positive Technologies specialists discovered more than 180 infected systems in Russian organizations. The malicious activity originated from the PhantomCore group and was targeted exclusively at Russia’s critical infrastructure.
Among the compromised organizations were government agencies, research institutes, enterprises in the defense-industrial sector, the shipbuilding industry, the chemical, mining, and manufacturing industries, as well as IT companies.
The first infection dates back to May 12, 2025, and the attacks reached their peak intensity in June, with 56% of all infections occurring on June 30.
Researchers report that, on average, the group remained in compromised networks for 24 days, with a maximum of 78 days. At least 49 hosts are still under the attackers’ control.
According to experts, the PhantomCore APT group has been active since early 2024 and is focused on gaining access to confidential information. The hackers’ attacks are notable for their considerable scale and selectivity: among the victims are Russian organizations in key sectors of the economy and government administration.
It is noted that PhantomCore possesses an impressive offensive arsenal, ranging from popular open-source utilities and updated versions of well-known tools to previously unseen, custom-developed samples. This diversity of malware helps the hackers remain undetected in compromised networks for extended periods. In addition, the group’s malicious infrastructure is strictly segmented by function and by classes of tools it operates.
Geographically, almost half of PhantomCore’s servers (48%) are located in Russia, primarily within the networks of three Russian providers. The remaining 52% of the infrastructure is hosted abroad and is distributed almost evenly among Finland, France, the Netherlands, the United States, Germany, Hong Kong, Moldova, and Poland. At the same time, 33% of the entire infrastructure is concentrated within the networks of a single Canadian provider.
“We believe that the main surge in the cyber-espionage campaign under review was driven by the evolution of PhantomCore’s malicious toolset. It is likely that up until the end of April the attackers were preparing a new series of attacks, focusing primarily on their tooling. In addition, we managed to uncover a new offshoot of the group, separate from the core team and composed of low-skilled operators. It was presumably set up by one of the core PhantomCore members to ramp up cybercriminal activity and expand the attack surface,” comments Viktor Kazakov, lead specialist of the PT ESC TI cyber intelligence group.
The report emphasizes that the experts identified the victims and notified them of the cyber threats before any unacceptable incidents occurred.
