By me: Microsoft has fixed three zero-day bugs in Windows and Office that are being actively abused by hackers to break into people's computers. Microsoft said three of the exploits are now public.
Google, which helped find the bugs, said one of them is under โwidespread, active exploitation."
Outstanding work ๐
Report cover showing a dark blue patch with crossed sword, arrow and scroll emblem, titled "Unveiling GRU's Information Operations Troops (VIO)"
๐ด ๐ก๐๐ช ๐ฅ๐๐ฃ๐ข๐ฅ๐ง
Last year, we've been able to unearth the infrastructure of the FSB's 16th Centre, combining #OSINT techniques and photos of old medals. We replicated this method to explore the Information Operations Troops (#VIO) of #Russiaโs military intelligence service (#GRU).
Overall, this activity underscores the GRUโs continued reliance on credential harvesting as a low-cost, high-yield intelligence collection method, enabled by the persistent abuse of legitimate internet services and disposable infrastructure. (5/5)
Victimology indicates targeted activity rather than broad spraying. Observed targets included researchers linked to a Turkish energy research agency, a European think tank, and organizations in North Macedonia and Uzbekistan, which align with Russian intelligence priorities. (4/5)
The credential-harvesting pages captured usernames and passwords and then redirected victims to legitimate portals to reduce suspicion. BlueDelta refined its JavaScript to automate URL handling, victim tracking, and data exfiltration, lowering operational overhead and complicating detection. (3/5)
BlueDelta impersonated MS OWA, Google, and Sophos VPN login pages, often using multi-stage redirection chains hosted on free services such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok. Several campaigns began with legitimate PDF lures to increase credibility. (2/5)
Today, we released new @RecordedFuture research detailing BlueDeltaโs expanded credential-harvesting activity observed between February and September 2025. #BlueDelta #APT28 #FANCYBEAR #ForestBlizzard #FROZENLAKE #ITG05 #PawnStorm #Sednit #Sofacy #TA422 (1/5) www.recordedfuture.com/research/gru...
Notably, the infrastructure shows rapid adaptation following previous takedown actions. BlueDelta continues to rely on free, disposable hosting and tunneling services, enabling resilient, low-cost credential theft operations targeting Ukrainian users. (5/5)
While the campaign does not reveal specific victim industries, this activity aligns with BlueDeltaโs longstanding objective: collecting credentials to support GRU intelligence requirements amid Russiaโs ongoing war in Ukraine. (4/5)
These pages harvested usernames, passwords, MFA codes, and CAPTCHA responses. BlueDelta refined its JavaScript to automate URL handling and exfiltration, reducing operational overhead and complicating detection efforts. (3/5)
BlueDelta impersonated UKR.NET login pages using multi-stage redirection chains hosted on free services such as Mocky, DNS EXIT, and later ngrok and Serveo. The group also deployed PDF lures to bypass automated email filtering and increase user trust. (2/5)
Today, we released new @RecordedFuture research detailing BlueDeltaโs sustained credential-harvesting campaign targeting UKR.NET users between June 2024 and April 2025. www.recordedfuture.com/research/blu...
#BlueDelta #APT28 #FANCYBEAR #ForestBlizzard #FROZENLAKE #PawnStorm #Sednit #Sofacy (1/5)
Great work by Sekoia uncovering new #BlueDelta #APT28 #Sofacy #FancyBear #ForestBlizzard #TAG110 malware samples. Linked to CERT-UAโs BeardShell & Covenant frameworks + revealed fresh weaponized docs & subtle TTPs. Activity ties to Russia-nexus ops incl. Double-Tap. blog.sekoia.io/apt28-operat...
Ukraine claims cyberattacks on Russian election systems; Moscow confirms disruptions
therecord.media/ukraine-clai...
New report published today from our team at Recorded Future: โRussian Influence Assets Converge on Moldovan Electionsโ
www.recordedfuture.com/research/rus...
This report on Stark Industries is a fantastic case study in the cat-and-mouse game between hosting providers and law enforcement. The new "Threat Activity Enabler" (TAE) terminology is spot-on and highlights the critical role these providers play in the cybercrime ecosystem.
Scandi noir meets The Wire...
๐ซ๐ฎ๐ข
The captain of a Russia-linked oil tanker that damaged five subsea cables in the Baltic Sea on Christmas Day was instructed by his shipping company to destroy evidence after the ship was seized by Finnish authorities, according to a wiretap transcript.
Is it really 2025?! Cisco Smart Install and SNMP brute attacks... We are giving the FSB an easy ride. Great report by the Talos team! blog.talosintelligence.com/static-tundra/
Fantastic new report by @julianferdinand.bsky.social and @aejleslie.bsky.social exposing Lummaโs vast info-stealing ecosystemโwhere affiliates juggle scams, MaaS platforms, and evasion tools to stay ahead of defenders๐ช Great work team ๐ฅ
Saher's first blog on the scourge that is ClickFix usage in the espionage space!!
Had to sneak in the UNK_RemoteRogue RDP shenanigans as well - a thus far unattributed group we assess to be Russia-aligned, using a pretty fun set of email tactics
Attention!
Check your Compromised Website Report for critical events tagged โfortinet-compromisedโ and follow Fortinet's mitigation advice on compromised devices:
fortinet.com/blog/psirt-b...
Data available from 2025-04-11+
shadowserver.org/what-we-do/n...
Snoop, a Romanian investigative journalism outlet, has linked an online advertising company named AdNow to intelligence officials from Russia's FSB and SVR services
snoop.ro/pe-urmele-ba...
๐ชก Our 2024 Malicious Infrastructure Report showcases the results of our detections across hundreds of malware families and threat actors, revealing victims in 200+ countries and highlighting the global scale of cyber threats.
Blog: www.recordedfuture.com/research/202... (1/10)
@volexity.com recently identified multiple Russian threat actors targeting users via #socialengineering + #spearphishing campaigns with Microsoft 365 Device Code authentication (a well-known technique) with alarming success: www.volexity.com/blog/2025/02...
#dfir #threatintel #m365security
New Insikt Report just landed: RedMike AKA Salt Typhoon targeting of Global Telcos.
www.recordedfuture.com/research/red...
๐ฅ Live streams resume this week! Greg Lesnewich joins us to talk about 100 Days of Yara, some Yara rule tips and the current state of email borne threats!
https://buff.ly/4gukMSN
๐๏ธ Thursday at 2pm CST
Ukrainian military officials, lawmakers, and experts are discussing the creation of a separate branch of Ukraine's Armed Forces dedicated to cyberspace operations, according to the General Staff of Ukraine.
kyivindependent.com/ukraine-cons...
New report! Check it out.
This research examines the operations of Crazy Evil โ a Russian-speaking โtraffer teamโ and cryptoscam gang โ which has victimized thousands of people with infostealer malware.
Blog: www.recordedfuture.com/research/cra...
PDF: go.recordedfuture.com/hubfs/report...
New Blog! Tracking Adversaries: Ghostwriter APT Infrastructure ๐ง๐พ
blog.bushidotoken.net/2025/01/trac...
