New wave of attacks by the PhantomCore cyber-espionage hacking group detected

From May to July 2025, Positive Technologies specialists discovered more than 180 infected systems in Russian organizations. The malicious activity originated from the PhantomCore group and was targeted exclusively at Russia’s critical infrastructure.

Among the compromised organizations were government agencies, research institutes, enterprises in the defense-industrial sector, the shipbuilding industry, the chemical, mining, and manufacturing industries, as well as IT companies.

The first infection dates back to May 12, 2025, and the attacks reached their peak intensity in June, with 56% of all infections occurring on June 30.

Researchers report that, on average, the group remained in compromised networks for 24 days, with a maximum of 78 days. At least 49 hosts are still under the attackers’ control.

According to experts, the PhantomCore APT group has been active since early 2024 and is focused on gaining access to confidential information. The hackers’ attacks are notable for their considerable scale and selectivity: among the victims are Russian organizations in key sectors of the economy and government administration.

It is noted that PhantomCore possesses an impressive offensive arsenal, ranging from popular open-source utilities and updated versions of well-known tools to previously unseen, custom-developed samples. This diversity of malware helps the hackers remain undetected in compromised networks for extended periods. In addition, the group’s malicious infrastructure is strictly segmented by function and by classes of tools it operates.

Geographically, almost half of PhantomCore’s malicious infrastructure (48% of servers) is located in Russia, primarily within the networks of three Russian providers. The remaining 52% is hosted abroad and is distributed almost evenly among Finland, France, the Netherlands, the United States, Germany, Hong Kong, Moldova, and Poland. At the same time, 33% of the entire infrastructure is concentrated within the networks of a single Canadian provider.

“We believe that the main surge in the cyber-espionage campaign under review was driven by the evolution of PhantomCore’s malicious toolset. It is likely that up until the end of April the attackers were preparing a new series of attacks, focusing primarily on their tooling. In addition, we managed to uncover a new offshoot of the group, separate from the core team and composed of low-skilled operators. It was presumably set up by one of the core PhantomCore members to ramp up cybercriminal activity and expand the attack surface,” comments Viktor Kazakov, lead specialist of the PT ESC TI cyber intelligence group.

The report emphasizes that the experts identified the victims and notified them of the cyber threats before any unacceptable incidents occurred.