{
	"id": "f593f3f9-9e68-460a-b934-74c7eb511390",
	"created_at": "2026-04-06T00:13:07.395019Z",
	"updated_at": "2026-04-10T03:24:23.642804Z",
	"deleted_at": null,
	"sha1_hash": "32cfaef324d7f3ebc2cb3b67635e5385271d33ff",
	"title": "Phishing campaign targets Russian govt dissidents with Cobalt Strike",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3174318,
	"plain_text": "Phishing campaign targets Russian govt dissidents with Cobalt Strike\r\nBy Bill Toulas\r\nPublished: 2022-03-30 · Archived: 2026-04-05 20:46:44 UTC\r\nA new spear phishing campaign is taking place in Russia, targeting dissenters whose views oppose those promoted by the state and national media about the war against Ukraine.\r\nThe campaign targets government employees and public servants with emails warning of the software tools and online platforms that are forbidden in the country.\r\nThe messages carry a malicious attachment or a link embedded in the body that drops a Cobalt Strike beacon on the recipient's system, enabling remote operators to conduct espionage on the target.\r\nThe campaign's discovery and subsequent reporting come from threat analysts at Malwarebytes Labs, who managed to sample several of the bait emails.\r\nMultiple phishing pathways\r\nThe phishing emails pretend to be from a Russian state entity, a ministry, or a federal service, to entice recipients to open the attachment.\r\nThe \"Ministry of Information Technologies and Communications of the Russian Federation\" and the \"Ministry of Digital Development, Communications, and Mass Communications\" are the two primary spoofed entities.\r\nThe threat actors use three different delivery methods to infect their targets with Cobalt Strike: RTF (rich text format) files, archive attachments containing malicious documents, and download links embedded in the email body.\r\nThe case of the RTFs is the most interesting because it involves the exploitation of CVE-2021-40444, a remote code execution flaw in the rendering engine used by Microsoft Office documents.\r\nRTF file triggering the rendering engine exploit (Malwarebytes)\r\nAs is to be expected, all of the phishing emails are written in Russian, and they appear to have been crafted by native speakers of the language rather than machine translated, suggesting that the campaign is the work of a Russian-speaking actor.\r\nApart from Cobalt Strike, Malwarebytes also noticed parallel attempts to deploy a heavily obfuscated PowerShell-based remote access trojan (RAT) with next-stage payload fetching capabilities.\r\nCrackdown on dissidents\r\nThe targets of this campaign work mainly in the Russian government and public agencies, including the following entities:\r\nPortal of authorities of the Chuvash Republic Official Internet portal\r\nRussian Ministry of Internal Affairs\r\nMinistry of Education and Science of the Republic of Altai\r\nMinistry of Education of the Stavropol Territory\r\nMinister of Education and Science of the Republic of North Ossetia-Alania\r\nGovernment of Astrakhan region\r\nMinistry of Education of the Irkutsk region\r\nPortal of the state and municipal service Moscow region\r\nMinistry of Science and Higher Education of the Russian Federation\r\nThe above organizations indicate that the phishing actors target individuals who hold key positions and could cause problems for the central government by instigating war-opposing movements.\r\nThe so-called \"special operation\" in Ukraine hasn't unfolded the way the Kremlin had envisioned, and western sanctions have manifested on a scale far beyond what was accounted for, so this campaign may be the result of the higher government ramping up its alertness against potential coups.\r\nThis is a very likely explanation of why Russia-based hackers are interested in conducting espionage against semi-high-ranking government officials and ministry employees, but at this time it is just an assumption.\r\nMalwarebytes has mapped the infrastructure used by the threat actor(s) behind the latest campaign and will continue to monitor the associated activity.\r\nSource: https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike/"
	],
	"report_names": [
		"phishing-campaign-targets-russian-govt-dissidents-with-cobalt-strike"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434387,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/32cfaef324d7f3ebc2cb3b67635e5385271d33ff.pdf",
		"text": "https://archive.orkl.eu/32cfaef324d7f3ebc2cb3b67635e5385271d33ff.txt",
		"img": "https://archive.orkl.eu/32cfaef324d7f3ebc2cb3b67635e5385271d33ff.jpg"
	}
}