The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations

Nov. 26, 2025, 10:43 a.m.

Description

A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques including PowerShell scripts, finger protocol, and anti-analysis checks. They utilize multiple domains for payload delivery and command and control. The group's infrastructure overlaps with previous campaigns from 2024, suggesting an evolution of tactics rather than a new actor. NetMedved's operations involve social engineering, custom obfuscation, and abuse of legitimate tools to evade detection and maintain persistence on compromised systems.

External References

https://habr.com/ru/companies/pt/articles/968572/
https://otx.alienvault.com/pulse/6926cae8043aabe58197d11e
Tags
phishing
social engineering
powershell
lumma stealer
netsupport rat
lnk files
russian targets
2025-11-26
infrastructure reuse
finger protocol

Date

  • Created: Nov. 26, 2025, 9:39 a.m.
  • Published: Nov. 26, 2025, 9:39 a.m.
  • Modified: Nov. 26, 2025, 10:43 a.m.

Indicators

  • ea3d66b8e53cf2475ef89c94d917529360325f3464727a54a3be2aa2ffde0e2b
  • e34552a5338872919b3e0f15efc9c27641479750ca2a43ac7cc5c9b15f15ad20
  • dddfc3c5ca754144b430df11a78a048609106f9d12db4b1fec309bb9805743ec
  • d3aea6e94151bcbb8ac451c50a3a6a5693162521b7d61c53e57c91e4c91c1eb4
  • cc6219c710d5bd0ee986b479723ab4f42027da0f28a49fad66d9f3280774e654
  • cb2c2f492fd44afa9279ee8d4a8a6e8ca11ab65a9224a18da9ba8b0d8f6bec14
  • bf0df57d9dac2aafd89f30d818749d3ce15afe488dcdad912e8996bfd3d0b3c1
  • b69c5134a453d19ddf94967c49dd9ecb825ae2461d491f67d09fb5bda5dd27be
  • b302c16d60f055ec37833e45b091f20b6eae3248be74f389094e69d20f496a7b
  • aa666ff1e5276677b9995f86399743aaad38a6b70b53a124062aa69c798760b6
  • a68b10d3a36423d44d36274dc995a5f11bfb1dd5bba6de81071e9ced8dc780f3
  • a55733d4055fe83817b865638b71690fe8f32de77eec04498171fd7e1cb3eb67
  • a4cf4c55312222dfa5c9e08034377a2efaae3b94213c1283c3e2145d2677c3d3
  • 98a693f412da7b5e5fa790ab54e1c4737ce628ddaedda6cb2359214ec17c11a8
  • 8de51b085e9ae644099bebe8e95ec1d5dbe2b854b4d20d8f33c9160458f6c413
  • 7ffc177f931c6df8542cc87c9da95d3f3a51b587c237253b6091e83451d7c3a2
  • 76d3a58f3fb14e1d8435eabaac21c84f9d256bcd241da3da44b70c4a606134fd
  • 7573e2a6a6a4a5c21bc3f81a53262e3ade3871fd00ab06b9cf9f9a28c45926f2
  • 51012e5e9ee205efe5025e0a83cce90dca5719268229c91b6777060c1b4578d0
  • 59f3acf7a2099899807685c631d8a64af0e784a046a48f45ba2cc40d2e785444
  • 5b83e99dfeeb8c30dc72059d369bff0109c40cb5d9aea63245d90a1ca4a36232
  • 4fed61b2f93f4ef51777ac2f381a89e564c8ddf941ecef9f3f7f1e9c370ff0a3
  • 4546d8fa49836ae06af4df56fca03905afd4d7df60d171cc2c959be03d1d94b2
  • 44e29f1e03d3ff663058338363f144326b1e83a63a43caea86e313c3b8bf98a6
  • 2fdabce92c1915556f2e4d5cfdf34f18147d1e09c454c3758a4dcf31431e1e62
  • 340f085668d115b4f0ae586b26ecc3cc5a977449989221e02a13b09decbf9bb9
  • 3983a383b532c32dfbab8958ad1b35fc8cb3fc3141b5016dd01fcfbfd3c0cd3b
  • 2e851fcc4eb8e60f350ce68b686cc1ce3c4a0370c28a230a0f3468358907c075
  • 25a7dc3f0f16a6f1e69db6e80143f2a8788c5542246966c081a06bf9767264fe
  • 23eb791345d1a125c2c5988fb7a8001824a328a248f0c7588973b045b50bea69
  • 1027cd7578146cafe39eacf1ed6d2048aa12fc6936d2594d49eb093c56b2d840
  • 0f430f2772119b62d32b7812b44726f7d1f3ffc9f9f9ca86b7a0a0c8b314215d
  • 0c61883da958fb23e03eac577b169d5e7535910b5a12916fe6d2a94f6b40a89e
  • 0c166f4c7475ec6d15ac00b9b7bc9cf0d7bb53eb504e14f153af08dfe05c40e2
  • 05464b16c6ea40cd93d39b7c0a20c136be2b7921818aa5041b7b98a7cbbf270f
  • 007ec4eadad16fed2361486bbd79ce8491db3aeae615fef9069e274609233e2f
  • 185.158.249.54
  • 185.158.249.64
  • sara.x-projectlys.com
  • api.metrics-strange.com
  • x-projectlys.com
  • tvfilia.com
  • skillswar.com
  • real-fishburger.com
  • nicevn.net
  • pauldv.com
  • nbmovies.net
  • metrics-strange.com
  • cdn-reserved.com
  • bspaco.com
Download all indicators here!

Attack Patterns

  • Lumma Stealer
  • NetSupport RAT
  • NetMedved

Additional Informations

  • Finance
  • Government
  • Russian Federation