CyberWatchers
@cyberwatchers.bsky.social
Interested in cyber security - highlighting news stories, advisories and cyber attacks.
Russia is using Ukrainian digital resources it had stolen during the occupation of part of Ukrainian territories for its cyberattacks and disinformation operations
www.ukrinform.net/rubric-ato/4...
Weaponization of stolen IP addresses -- how Russia is exploiting Ukrainian digital resource in its war against Ukraine
RIPE NCC continues to serve occupying administration entities contrary to EU sanctions — Ukrinform.
www.ukrinform.net
December 4, 2025 at 2:34 PM
Based on evidence uncovered during the course of this investigation, Arctic Wolf Labs assesses with a medium-to-high confidence level that Russia’s GRU unit 29155 is utilizing SocGholish to target victims.
arcticwolf.com/resources/bl...
Russian RomCom Utilizing SocGholish to Deliver Mythic Agent to U.S. Companies Supporting Ukraine - Arctic Wolf
Arctic Wolf Labs recently identified a U.S.-based company that was targeted by the Russian-aligned threat group RomCom via SocGholish, operated by TA569. This is the first time that a RomCom payload h...
arcticwolf.com
November 26, 2025 at 2:37 PM
SolarWinds this week announced patches for three critical vulnerabilities found in its Serv-U enterprise file transfer solution.
www.securityweek.com/solarwinds-p...
SolarWinds Patches Three Critical Serv-U Vulnerabilities
www.securityweek.com
November 20, 2025 at 10:55 AM
According to the press release put out by Thailand’s Cyber Crime Investigation Bureau (CCIB), the man is a “world-class” hacker who had previously breached secure systems and carried out attacks on various government agencies.
theins.press/en/news/286815
“World-class” Russian hacker wanted by FBI and arrested in Thailand is likely GRU officer Aleksey Lukashev
On Nov. 12, Thai cyber police announced the arrest of a 35-year-old Russian citizen on the island of Phuket, adding that the unnamed suspect stands wanted in the United States on charges of hacking go...
theins.press
November 14, 2025 at 10:01 AM
Google said it had observed APT28, a Russia-linked group associated with the country’s GRU military intelligence agency, using PROMPTSTEAL in Ukraine. Google said those attacks were the first time it had seen malware querying an LLM in the wild.
anesthesiaexperts.com/ai-based-mal...
AI-based malware makes attacks stealthier and more adaptive - Anesthesia Experts
Author: Eric Geller Cybersecurity DIVE Dive Brief: Cyber threat actors have recently begun using AI to develop malware, in a dramatic evolution of the technology’s role in the hacking ecosystem, Googl...
anesthesiaexperts.com
November 13, 2025 at 9:59 AM
Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that's sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model.
thehackernews.com/2025/11/andr...
Android Trojan 'Fantasy Hub' Malware Service Turns Telegram Into a Hub for Hackers
Fantasy Hub RAT sold via Telegram exploits Android SMS and banking systems amid rising MaaS threats.
thehackernews.com
November 12, 2025 at 9:15 AM
www.netcraft.com/blog/thousan...
A Russian-speaking threat actor operating an ongoing, mass phishing campaign targeting people who might be planning (or about to leave for) a vacation has registered more than 4,300 domain names used in the attacks since the beginning of the year.
Thousands of Fake Hotel Domains Used in Massive Phishing Campaign
A Russian-speaking threat actor has registered 4,300+ domains in a sophisticated phishing campaign impersonating major travel brands like Airbnb and Booking.com to steal travelers’ payment data. Learn...
www.netcraft.com
November 12, 2025 at 8:38 AM
Victims included banks, telecommunications companies and engineering firms in Pennsylvania, California, Michigan, Illinois, Georgia and Ohio.
therecord.media/russian-hack...
Russian hacker to plead guilty to aiding Yanluowang ransomware group
Court documents show evidence proving Volkov served as an initial access broker for the ransomware gang — breaking into the network of victims and then offering his access for a percentage of the rans...
therecord.media
November 11, 2025 at 1:08 PM
Russian state-backed hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine's education, government, and the grain sector, the country's main revenue source.
www.bleepingcomputer.com/news/securit...
Sandworm hackers use data wipers to disrupt Ukraine's grain sector
Russian state-backed hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine's education, government, and the grain sector, the country's main revenue sou...
www.bleepingcomputer.com
November 6, 2025 at 2:07 PM
Silent Push Threat Analysts have uncovered threat actors using AdaptixC2 and have observed heavy ties linking AdaptixC2 to Russia and the Russian criminal underworld.
www.silentpush.com/blog/adaptix...
Silent Push Unearths AdaptixC2's Ties to Russian Criminal Underworld, Tracks Threat Actors Harnessing Open-Source Tool for Malicious Payloads
Silent Push has uncovered threat actors tied to the Russian underworld using the AdaptixC2 framework to deliver malicious payloads.
www.silentpush.com
October 30, 2025 at 11:10 AM
Attackers are gaining access using a custom, Sandworm-linked webshell. One of the webshells used was Localolive which, according to Microsoft, is associated with a sub-group of the Russian Sandworm group.
www.security.com/threat-intel...
Ukrainian organizations still heavily targeted by Russian attacks
Attackers are gaining access using a custom, Sandworm-linked webshell and are making heavy use of Living-off-the-Land tactics to maintain persistent access.
www.security.com
October 29, 2025 at 12:28 PM
COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, shifted operations after the May 2025 public disclosure of its LOSTKEYS malware.

cloud.google.com/blog/topics/...
To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | Google Cloud Blog
Russia state-sponsored COLDRIVER started using new malware immediately following a May public disclosure of their activity.
cloud.google.com
October 29, 2025 at 7:42 AM
Continuous investigation on the Water Saci campaign reveals innovative email-based C&C system, multi-vector persistence, and real-time command capabilities that allow attackers to orchestrate coordinated botnet operations.
www.trendmicro.com/en_us/resear...
Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C
Continuous investigation on the Water Saci campaign reveals innovative email-based C&C system, multi-vector persistence, and real-time command capabilities that allow attackers to orchestrate coordina...
www.trendmicro.com
October 28, 2025 at 1:52 PM
The hackers stole information from a file transfer solution and the country’s power supply was not affected.
www.securityweek.com/hackers-targ...
Hackers Target Swedish Power Grid Operator
Swedish state-owned power grid operator Svenska kraftnät has confirmed that it fell victim to a cyberattack that resulted in a data breach.
www.securityweek.com
October 28, 2025 at 10:45 AM
"This leak could expose the tools, techniques, and infrastructure used in state-sponsored information warfare and cyber-espionage campaigns."

#Russia #GRU #hack

www.brinztech.com/breach-alert...
Hacker Claims Breach of GRU-Linked Russian Firm, Leaks Malware and 'Troll Farm' Data
A hacker has claimed to have breached a Russian firm allegedly working for the GRU, exfiltrating and leaking sensitive data including custom malware and a "troll farm management syst...
www.brinztech.com
October 14, 2025 at 3:17 PM
The Evolution of Russian Physical-Cyber Espionage - GRU hackers 'APT28, have long combined digital intrusions with physical tradecraft and human assets.'

www.trellix.com/blogs/resear...
www.trellix.com
October 10, 2025 at 9:48 AM
Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia.
unit42.paloaltonetworks.com/phantom-taur...
Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
Phantom Taurus is a previously undocumented Chinese threat group. Explore how this group's distinctive toolset led to uncovering their existence.
unit42.paloaltonetworks.com
October 1, 2025 at 9:06 AM
Two Dutch teens were allegedly contacted by pro-Russian hackers on Telegram. It was reported that the two were arrested “on suspicions that are linked to government-sponsored interference.”
thecyberexpress.com/wifi-sniffer...
WiFi Sniffer Leads to Russian Spying Charges for Dutch Teens
Two teenagers in the Netherlands face charges that they allegedly spied for pro-Russia hackers. The 17-year-old boys were reportedly arrested
thecyberexpress.com
September 30, 2025 at 2:56 PM
ThreatLabz discovered a multi-stage ClickFix campaign that is likely affiliated with the nation-state threat group known as COLDRIVER, a Russia-linked APT group that has mainly targeted dissidents and their supporters through phishing campaigns.
www.zscaler.com/blogs/securi...
COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz
The Russia-linked group COLDRIVER targeted dissidents and their supporters using a ClickFix technique, resulting in the deployment of BAITSWITCH and SIMPLEFIX.
www.zscaler.com
September 25, 2025 at 8:54 AM
Reposted by CyberWatchers
SolarWinds on Tuesday released a hotfix - again - for a critical, 9.8-severity flaw in its Web Help Desk IT ticketing software that could allow a remote, unauthenticated attacker to run commands on a host machine.
SolarWinds patches critical RCE - for the third time
Or maybe 3 strikes, you're out?
www.theregister.com
September 23, 2025 at 7:04 PM
Reposted by CyberWatchers
Putting the Secret Service's nonsense framing aside, it's a pretty cool discovery. Those black boxes are SIM gateways which you plug sim cards into and they act like virtual cell phones. They then route the access over the internet so people can use the sim cards from anywhere in the world.🧵
1/3
September 23, 2025 at 4:38 PM
Reposted by CyberWatchers
A former Florida police officer now runs a Kremlin-backed troll empire, an investigation found

Using AI tools like Llama 3, the network churns out fabricated news and deepfakes to undermine Ukraine's aid and meddle in elections in the West
euromaidanpress.com/2025/09/23/f...
Former Florida cop turned Kremlin operative, spreading Russian propaganda through over 200 fake news websites
John Mark Dougan fled to Moscow in 2016 after facing charges in Florida, then received political asylum and now coordinates GRU-funded servers running AI models.
euromaidanpress.com
September 23, 2025 at 10:08 PM
Reposted by CyberWatchers
-US raids SIM farm in New York
-EU airport disruptions caused by ransomware
-Thieves steal gold from French museum after cyberattack
-SonicWall firmware update removes rootkit
-Jaguar ransomware incident extends to October

Podcast: risky.biz/RBNEWS482/
Newsletter: news.risky.biz/risky-bullet...
September 24, 2025 at 8:32 AM
Reposted by CyberWatchers
U.S. Secret Service Dismantles 300 SIM Servers and 100,000 SIM Cards Disabling Cell Phone Towers
cybersecuritynews.com
September 23, 2025 at 1:49 PM