Cloud Atlas activity in the second half of 2025 and early 2026: new tools and a new payload

In 2025, we observed pervasive SSH tunnel activity, which has remained active into 2026, affecting many government organizations and commercial companies in Russia and Belarus. Behind some of this activity is Cloud Atlas, a group we have known since 2014. During our investigation, we identified n...

Mem3nt0 mori – The Hacking Team is back!

In March 2025, Kaspersky detected a wave of infections that occurred when users clicked on personalized phishing links sent via email. No further action was required to initiate the infection; simply visiting the malicious website using Google Chrome or another Chromium-based web browser was...

EUVD-2022-1390

Malicious code in bioql PyPI...

ComicForm and SectorJ149 Hackers Deploy Formbook Malware in Eurasian Cyberattacks

Organizations in Belarus, Kazakhstan, and Russia have emerged as the target of a phishing campaign undertaken by a previously undocumented hacking group called ComicForm since at least April 2025. The activity primarily targeted industrial, financial, tourism, biotechnology, research, and trade...

Rare Werewolf APT Uses Legitimate Software in Attacks on Hundreds of Russian Enterprises

The threat actor known as Rare Werewolf formerly Rare Wolf has been linked to a series of cyber attacks targeting Russia and the Commonwealth of Independent States CIS countries. "A distinctive feature of this threat is that the attackers favor using legitimate third-party software over developin...

Sticky Werewolf Uses Undocumented Implant to Deploy Lumma Stealer in Russia and Belarus

The threat actor known as Sticky Werewolf has been linked to targeted attacks primarily in Russia and Belarus with the aim of delivering the Lumma Stealer malware by means of a previously undocumented implant. Cybersecurity company Kaspersky is tracking the activity under the name Angry Likho,...

Belarus-Linked Ghostwriter Uses Macropack-Obfuscated Excel Macros to Deploy Malware

Opposition activists in Belarus as well as Ukrainian military and government organizations are the target of a new campaign that employs malware-laced Microsoft Excel documents as lures to deliver a new variant of PicassoLoader. The threat cluster has been assessed to be an extension of a...

Hacktivists Exploits WinRAR Vulnerability in Attacks Against Russia and Belarus

A hacktivist group known as Head Mare has been linked to cyber attacks that exclusively target organizations located in Russia and Belarus. "Head Mare uses more up-to-date methods for obtaining initial access," Kaspersky said in a Monday analysis of the group's tactics and tools. "For instance, t...

Head Mare: adventures of a unicorn in Russia and Belarus

Head Mare is a hacktivist group that first made itself known in 2023 on the social network X formerly Twitter1. In their public posts, the attackers reveal information about some of their victims, including organization names, internal documents stolen during attacks, and screenshots of desktops...

Sticky Werewolf Expands Cyber Attack Targets in Russia and Belarus

Cybersecurity researchers have disclosed details of a threat actor known as Sticky Werewolf that has been linked to cyber attacks targeting entities in Russia and Belarus. The phishing attacks were aimed at a pharmaceutical company, a Russian research institute dealing with microbiology and vacci...

CEO of Data Privacy Company Onerep.com Founded Dozens of People-Search Firms

The data privacy company Onerep.com bills itself as a Virginia-based service for helping people remove their personal information from almost 200 people-search websites. However, an investigation into the history of onerep.com finds this company is operating out of Belarus and Cyprus, and that it...

belarus-travel.com Cross Site Scripting vulnerability OBB-3829662

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

Researchers Uncover Years-Long Cyber Espionage on Foreign Embassies in Belarus

A hitherto undocumented threat actor operating for nearly a decade and codenamed MoustachedBouncer has been attributed to cyber espionage attacks aimed at foreign embassies in Belarus. "Since 2020, MoustachedBouncer has most likely been able to perform adversary-in-the-middle AitM attacks at the...

Winter Vivern APT Group Targeting Indian, Lithuanian, Slovakian, and Vatican Officials

The advanced persistent threat known as Winter Vivern has been linked to campaigns targeting government officials in India, Lithuania, Slovakia, and the Vatican since 2021. The activity targeted Polish government agencies, the Ukraine Ministry of Foreign Affairs, the Italy Ministry of Foreign...

K42801711: node-ipc vulnerability CVE-2022-23812

Security Advisory Description This affects the package node-ipc from 10.1.1 and before 10.1.3. This package contains malicious code, that targets users with IP located in Russia or Belarus, and overwrites their files with a heart emoji. Note: from versions 11.0.0 onwards, instead of having...

Minecraft Servers Under Attack: Microsoft Warns About Cross-Platform DDoS Botnet

Microsoft on Thursday flagged a cross-platform botnet that's primarily designed to launch distributed denial-of-service DDoS attacks against private Minecraft servers. Called MCCrash, the botnet is characterized by a unique spreading mechanism that allows it to propagate to Linux-based devices...

New Hacker Forum Takes Pro-Ukraine Stance

A new hacker forum is taking a unique political stance to support Ukraine in its war with Russia, entertaining only topics and threat activity focused against Russia and Belarus, researchers have found. The Russian-language site, DUMPS Forum, has been around since late May, and at first glance...

GSD-2022-30190 From the original tweet: Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. From Microsoft: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calling application such as Word. An attacker who successfully exploits this vulnerability can run arbitrary code with the privileges of the calling application. The attacker can then install programs, view, change, or delete data, or create new accounts in the context allowed by the user’s rights. This issue has been nicknamed "Follina "

From the original tweet: Interesting maldoc was submitted from Belarus. It uses Word's external link to load the HTML and then uses the "ms-msdt" scheme to execute PowerShell code. From Microsoft: A remote code execution vulnerability exists when MSDT is called using the URL protocol from a calli...

Researchers Warn of New Microsoft Office 0-Day Vulnerability “Follina”

By Deeba Ahmed NaoSec cybersecurity researchers state the "odd-looking" MS Word document was uploaded on VirusTotal from a Belarus IP address.… This is a post from HackRead.com Read the original post: Researchers Warn of New Microsoft Office 0-Day Vulnerability "Follina"...

Watch Out! Researchers Spot New Microsoft Office Zero-Day Exploit in the Wild

Cybersecurity researchers are calling attention to a zero-day flaw in Microsoft Office that could be abused to achieve arbitrary code execution on affected Windows systems. The vulnerability came to light after an independent cybersecurity research team known as naosec uncovered a Word document...