APT28 Deploys PRISMEX Malware Against Ukraine and NATO Allies
Russian GRU's APT28 uses new PRISMEX malware suite with steganography and COM hijacking to target Ukraine defense and NATO logistics. Includes wiper capability.
22 articles tagged with "Russia"
FBI-led Operation Masquerade dismantled Russia's GRU-linked FrostArmada, which compromised 18,000+ routers to steal Microsoft 365 credentials via DNS hijacking.
Bearlyfy has hit 70+ Russian companies since January 2025, now deploying custom GenieLocker ransomware. The group blends financial extortion with politically motivated sabotage.
EvilTokens phishing platform targets Microsoft 365 identities across US, Canada, Australia, New Zealand, and Germany. OAuth abuse bypasses MFA to steal access tokens.
Aleksei Volkov sentenced to nearly 7 years for selling network access to ransomware gangs. Facilitated dozens of attacks causing over $9 million in losses to US organizations.
FBI and CISA alert reveals Russian intelligence operatives have hijacked thousands of Signal and WhatsApp accounts belonging to US officials, military, and journalists through phishing attacks.
New JavaScript backdoor targets Ukrainian entities using Microsoft Edge's debugging features for stealth. S2 Grupo links campaign to Laundry Bear threat group.
Russian GRU-linked APT28 deploys BEARDSHELL and COVENANT implants for long-term surveillance of Ukrainian military personnel. ESET research reveals cloud storage abuse for C2.
Security researchers tie Russia's APT28 to CVE-2026-21513 exploitation using malicious LNK files. The MSHTML zero-day was weaponized weeks before Microsoft's February patch.
Russia's APT28 exploited CVE-2026-21509 to hit maritime and transport organizations across nine countries, with shipping firms making up 35% of targets.
Operation Neusploit saw Russia's APT28 exploit CVE-2026-21509 against 60+ Ukrainian targets within 72 hours of Microsoft's disclosure, delivering MiniDoor and BEARDSHELL backdoors.
Russian-linked gang dumps executive emails, employee IDs, and banking communications in first airline sector attack of 2026.
ESET researchers attribute December cyberattack on Polish energy infrastructure to Russian GRU hackers. Previously unknown wiper malware recovered.
Recorded Future tracks APT28 harvesting credentials from energy, defense, and government targets in the Balkans, Middle East, and Central Asia using free hosting infrastructure.
German and Ukrainian authorities identify 35-year-old Russian national as Black Basta boss, raid homes of two affiliates in Ukraine.
Void Blizzard deploys PLUGGYAPE backdoor through Signal and WhatsApp, impersonating charitable organizations to compromise Ukrainian defense forces.
Fancy Bear campaigns from February through September 2025 targeted energy, defense, and policy organizations using fake VPN and email login pages.
Two crew members detained after cargo vessel's anchor allegedly severed Finland-Estonia telecommunications cable in suspected hybrid warfare operation.
Noname057(16) claims DDoS attack on La Poste that disrupted package tracking and banking services for millions during peak holiday delivery season.
Danish intelligence attributes Z-Pentest hacktivist attack on Køge water utility to Russian state, summons ambassador over 'hybrid war' operations.
Amazon's threat intelligence team exposes and disrupts Sandworm operations targeting Western critical infrastructure through misconfigured edge devices.
Joint advisory from CISA, FBI, NSA warns of pro-Russia hacktivist groups successfully compromising SCADA systems at US water, energy, and food facilities.