Hacktivists are broadening their scope beyond political motivation
June 9, 2026, 8:59 a.m.
Description
Kaspersky researchers uncovered interconnected hacktivist campaigns attributed to groups including 4BID, Hakerskii Kit, and C.A.S., targeting organizations primarily in Russia and Belarus, but expanding to Kazakhstan, UAE, Syria, and Egypt. Attackers exploited ProxyShell vulnerabilities in Microsoft Exchange servers to deploy fd.aspx web shells and various post-exploitation frameworks including Sliver, Havoc, Mythic Apollo, AdaptixC2, and a custom BlackSalt backdoor. The campaigns deployed ransomware including ClearWater and updated versions of Blackout Locker, alongside EDR killers using BYOVD techniques. Attackers leveraged legitimate RMM tools like AnyDesk, Panorama9, and Tactical RMM for persistence, with AI-generated scripts showing varying quality. The geographical expansion and increased use of ransomware suggest a shift from purely political motivation toward financial gain.
Tags
Date
- Created: June 8, 2026, 10:30 a.m.
- Published: June 8, 2026, 10:30 a.m.
- Modified: June 9, 2026, 8:59 a.m.
Indicators
- 42dccb7afdc883755eeec27a00fef532e1533d308ba376697b6270ffdbbc2d67
- 212.46.12.182
- 185.221.153.121
- 85.137.253.186
- 45.112.194.82
- 138.226.236.52
Attack Patterns
Additional Informations
- Manufacturing
- Aerospace
- Healthcare
- Government
- United Arab Emirates
- Egypt
- Syrian Arab Republic
- Kazakhstan
- Belarus
- Russian Federation