Our experts have detected a new wave of malicious emails targeting Russian private-sector organizations. The goal of the attack is to infect victims' computers with an infostealer. This campaign is particularly noteworthy because the attackers tried to disguise their activity as the operations of legitimate software and traffic to the ubiquitously-used state and municipal services website.
How the attack begins
The attackers distribute an email containing a malicious attachment disguised as a regular PDF document. In reality, the file is an executable hiding behind a PDF icon; double-clicking it triggers an infection chain on the victim's computer. In the campaign we analyzed, the malicious files were named УВЕДОМЛЕНИЕ о возбуждении исполнительного производства (NOTICE of Initiation of Enforcement Proceedings) and Дополнительные выплаты (Additional Payouts), though these are probably not the only document names the attackers employ to trick victims into clicking the files.
Technically, the file disguised as a document is a downloader built with the help of the .NET framework. It downloads a secondary loader that installs itself as a service to establish persistence on the victim's machine. This other loader then retrieves a JSON string containing encrypted files from the command-and-control server. It saves these files to the compromised computer in C:\ProgramData\Microsoft Diagnostic\Tasks, and executes them one by one.
Example of the server response
The key feature of this delivery method is its flexibility: the attackers can provide any malicious payload from the command-and-control server for the malware to download and execute. Presently, the attackers are using an infostealer as the final payload, but this attack could potentially be used to deliver even more dangerous threats, such as ransomware, wipers, or tools for deeper lateral movement within the victim's infrastructure.
Masking malicious activity
The command-and-control server used to download the malicious payload in this attack was hosted on the domain gossuslugi{.}com. The name is visually similar to Russia's widely used state and municipal services portal. Furthermore, the second-stage loader has the filename NetworkDiagnostic.exe, which installs itself in the system as a Network Diagnostic Service.
Consequently, an analyst doing only a superficial review of network traffic logs or system events might overlook the server communication and malware execution. This can also complicate any subsequent incident investigation efforts.
What the infostealer collects
The attackers start by gathering information about the compromised system: the computer name, OS version, hardware specifications, and the victim's IP address. Additionally, the malware is capable of capturing screenshots from the victim's computer, and harvesting files in formats of interest to the attackers (primarily various documents and archives). Files smaller than 100MB, along with the rest of the collected data, are sent to a separate communication server: ants-queen-dev.azurewebsites{.}net.
File formats of interest to the attackers
The final malicious payload currently in use consists of four files: one executable and three DLL libraries. The executable enables screen capture capabilities. One of the libraries is used to add the executable to startup, another is responsible for data collection, while the third handles data exfiltration.
During network communication, the malware adds an AuthKey header to its requests, which contains the victimβs operating system identifier.
Code snippet: a function for sending messages to the attackers' server
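The indicators above (the two domains, the service name, the loader filename, the staging directory and the AuthKey header) can be hunted for mechanically in proxy logs and Windows service-install events. The following is an added example, not the vendor's detection logic: it assumes a whitespace-separated proxy log with trailing Header=value tokens and a key=value event export, both constructed here, and the loader's on-disk location in the sample is an assumption.

```python
"""Triage helper for the campaign described above: checks proxy log lines and
Windows event lines for the indicators named in the text. Added example, not
the vendor's detection logic; log formats and sample lines are constructed."""
import re
from typing import Dict, List

# Indicators exactly as the write-up gives them (defanged with {.}).
C2_DOMAINS = ["gossuslugi{.}com", "ants-queen-dev.azurewebsites{.}net"]
SERVICE_NAME = "Network Diagnostic Service"
LOADER_IMAGE = "NetworkDiagnostic.exe"
STAGING_DIR = r"C:\ProgramData\Microsoft Diagnostic\Tasks"


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a matchable hostname."""
    return ioc.replace("{.}", ".").replace("[.]", ".")


C2_HOSTS = {refang(d).lower() for d in C2_DOMAINS}

# key=value or key="quoted value" pairs, as in a Sysmon/EVTX export (assumed format)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def check_proxy_line(line: str) -> List[str]:
    """Assumed proxy format: <ts> <src> <method> <host> <path> [Header=value ...]."""
    parts = line.split(maxsplit=5)
    if len(parts) < 5:
        return []
    host = parts[3].lower()
    headers: Dict[str, str] = {}
    if len(parts) > 5:
        for tok in parts[5].split():
            if "=" in tok:
                key, value = tok.split("=", 1)
                headers[key.lower()] = value
    hits = []
    if host in C2_HOSTS:
        hits.append(f"c2-host:{host}")
    # The infostealer tags its requests with an AuthKey header (OS identifier).
    if "authkey" in headers:
        hits.append("authkey-header")
    return hits


def check_event_line(line: str) -> List[str]:
    """Service installs (System log event 7045) and file creates that point at
    the staging directory the loader writes its downloaded files into."""
    kv = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    hits = []
    if kv.get("EventID") == "7045":
        if kv.get("ServiceName", "") == SERVICE_NAME:
            hits.append("service-name")
        if kv.get("ImagePath", "").lower().endswith(LOADER_IMAGE.lower()):
            hits.append("loader-image")
    target = kv.get("TargetFilename") or kv.get("ImagePath") or ""
    if target.lower().startswith(STAGING_DIR.lower()):
        hits.append("staging-dir")
    return hits


def hunt(proxy_lines: List[str], event_lines: List[str]) -> Dict[str, List[str]]:
    """Return every line that matched at least one indicator."""
    findings: Dict[str, List[str]] = {}
    for line in proxy_lines:
        if hits := check_proxy_line(line):
            findings[line] = hits
    for line in event_lines:
        if hits := check_event_line(line):
            findings[line] = hits
    return findings


# Constructed sample data (not real captures); the loader's path is assumed.
PROXY_SAMPLE = [
    "2025-06-03T10:21:07Z 10.0.0.15 GET gossuslugi.com /update/tasks.json",
    "2025-06-03T10:22:40Z 10.0.0.15 POST ants-queen-dev.azurewebsites.net /upload AuthKey=win10-19045",
    "2025-06-03T10:22:41Z 10.0.0.22 GET www.example.com / User-Agent=Mozilla/5.0",
]
EVENT_SAMPLE = [
    '2025-06-03T10:20:55Z EventID=7045 ServiceName="Network Diagnostic Service" '
    'ImagePath="C:\\ProgramData\\NetworkDiagnostic.exe"',
    '2025-06-03T10:21:30Z EventID=11 Image="C:\\ProgramData\\NetworkDiagnostic.exe" '
    'TargetFilename="C:\\ProgramData\\Microsoft Diagnostic\\Tasks\\0.bin"',
    '2025-06-03T10:21:31Z EventID=7045 ServiceName="Print Spooler" '
    'ImagePath="C:\\Windows\\System32\\spoolsv.exe"',
]

if __name__ == "__main__":
    for matched_line, matched in hunt(PROXY_SAMPLE, EVENT_SAMPLE).items():
        print(matched, "<-", matched_line)
```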
How to stay safe
Our security solutions detect both the malicious code used in this attack and its communication with the attackers' command-and-control servers. Therefore, we recommend using reliable security solutions on all devices used by your company to access the internet. And to prevent malicious emails from ever reaching your employees, we also advise deploying a security solution at the corporate email gateway level too.
Our experts from the Global Research and Analysis Team (GReAT) have investigated a new wave of targeted emails from the ForumTroll APT group. Whereas previously their malicious emails were sent to public addresses of organizations, this time the attackers have targeted specific individuals: scientists from Russian universities and other organizations specializing in political science, international relations, and global economics. The purpose of the campaign was to infect victims' computers with malware to gain remote access thereto.
What the malicious email looks like
The attackers sent the emails from the address support@e-library{.}wiki, which imitates the address of the scientific electronic library eLibrary (its real domain is elibrary.ru). The emails contained personalized links to a report on the plagiarism check of some material, which, according to the attackers' plan, was supposed to be of interest to scientists.
In reality, the link downloaded an archive from the same e-library{.}wiki domain. Inside was a malicious .lnk file and a .Thumbs directory with some images that were apparently needed to bypass security technologies. The victim's full name was used in the filenames of the archive and the malicious link-file.
In case the victim had doubts about the legitimacy of the email and visited the e-library{.}wiki page, they were shown a slightly outdated copy of the real website.
What happens if the victim clicks on the malicious link
If the scientist who received the email clicked on the file with the .lnk extension, a malicious PowerShell script was executed on their computer, triggering a chain of infection. As a result, the attackers installed Tuoni, a commercial framework for red teams, on the attacked machine, providing the attackers with remote access and other opportunities for further compromising the system. In addition, the malware used COM Hijacking to achieve persistence, and downloaded and displayed a decoy PDF file, the name of which also included the victim's full name. The file itself, however, was not personalized; it was a rather vague report in the format of one of the Russian plagiarism detection systems.
Interestingly, if the victim tried to open the malicious link from a device running on a system that didn't support PowerShell, they were prompted to try again from a Windows computer. A more detailed technical analysis of the attack, along with indicators of compromise, can be found in a post on the Securelist website.
How to stay safe
The malware used in this attack is successfully detected and blocked by Kaspersky's security products. We recommend installing a reliable security solution not only on all devices used by employees to access the internet, but also on the organization's mail gateway, which can stop most threats delivered via email before they reach an employee's device.
Attackers often go after outdated and unused test accounts, or stumble upon publicly accessible cloud storage containing critical data that's a bit dusty. Sometimes an attack exploits a vulnerability in an app component that was actually patched, say, two years ago. As you read these breach reports, a common theme emerges: the attacks leveraged something outdated: a service, a server, a user account... Pieces of corporate IT infrastructure that sometimes fall off the radar of IT and security teams. They become, in essence, unmanaged, useless, and simply forgotten. These IT zombies create risks for information security and regulatory compliance, and lead to unnecessary operational costs. This is generally an element of shadow IT, with one key difference: nobody wants, knows about, or benefits from these assets.
In this post, we try to identify which assets demand immediate attention, how to find them, and what a response should look like.
Physical and virtual servers
Priority: high. Vulnerable servers are entry points for cyberattacks, and they continue consuming resources while creating regulatory compliance risks.
Prevalence: high. Physical and virtual servers are commonly orphaned in large infrastructures following migration projects, or after mergers and acquisitions. Test servers no longer used after IT projects go live, as well as web servers for outdated projects running without a domain, are also frequently forgotten. The scale of the problem is illustrated by Let's Encrypt statistics: in 2024, half of domain renewal requests came from devices no longer associated with the requested domain. And there are roughly a million of these devices in the world.
Detection: the IT department needs to implement an Automated Discovery and Reconciliation (AD&R) process that combines the results of network scanning and cloud inventory with data from the Configuration Management Database (CMDB). It enables the timely identification of outdated or conflicting information about IT assets, and helps locate the forgotten assets themselves.
This data should be supplemented by external vulnerability scans that cover all of the organization's public IPs.
Response: establish a formal, documented process for decommissioning/retiring servers. This process needs to include verification of complete data migration, and verified subsequent destruction of data on the server. Following these steps, the server can be powered down, recycled, or repurposed. Until all procedures are complete, the server needs to be moved to a quarantined, isolated subnet.
To mitigate this issue for test environments, implement an automated process for their creation and decommission. A test environment should be created at the start of a project, and dismantled after a set period or following a certain duration of inactivity. Strengthen the security of test environments by enforcing their strict isolation from the primary (production) environment, and by prohibiting the use of real, non-anonymized business data in testing.
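As an added illustration of the AD&R reconciliation described above (not from the original post), the following merges a network scan and a cloud inventory, compares them with CMDB records, and reports unknown hosts, hosts retired on paper that still answer, hostname conflicts, ghost records and overdue reviews. All records and field names are constructed, not taken from any particular CMDB product.

```python
"""Automated Discovery and Reconciliation (AD&R) in miniature: compare what
network/cloud scans actually see with what the CMDB claims. Added example with
constructed data; field names are assumed, not from any CMDB product."""
from datetime import date
from typing import Dict, List

# Constructed inputs: "ports" come from a network scan, cloud inventory has none.
NETWORK_SCAN = [
    {"ip": "10.1.0.10", "hostname": "web-prod-01", "ports": [443]},
    {"ip": "10.1.0.57", "hostname": "test-crm-old", "ports": [22, 8080]},
    {"ip": "10.1.0.22", "hostname": "db-legacy", "ports": [3306]},
    {"ip": "10.1.0.31", "hostname": "app-03", "ports": [443]},
]
CLOUD_INVENTORY = [
    {"ip": "10.2.0.5", "hostname": "vm-migr-tmp", "ports": []},
]
CMDB = [
    {"hostname": "web-prod-01", "ip": "10.1.0.10", "owner": "web-team",
     "status": "active", "last_reviewed": date(2025, 5, 1)},
    {"hostname": "db-legacy", "ip": "10.1.0.22", "owner": "dba",
     "status": "retired", "last_reviewed": date(2024, 1, 15)},
    {"hostname": "app-02", "ip": "10.1.0.31", "owner": "apps",
     "status": "active", "last_reviewed": date(2024, 11, 1)},
    {"hostname": "file-01", "ip": "10.1.0.40", "owner": "it",
     "status": "active", "last_reviewed": date(2025, 6, 1)},
]


def merge_discovery(*sources: List[dict]) -> Dict[str, dict]:
    """Union of all discovery sources keyed by IP; first sighting wins."""
    seen: Dict[str, dict] = {}
    for source in sources:
        for asset in source:
            seen.setdefault(asset["ip"], asset)
    return seen


def reconcile(discovered: Dict[str, dict], cmdb: List[dict], today: date,
              max_review_age_days: int = 90) -> Dict[str, list]:
    """Cross-check discovered assets against CMDB records in both directions."""
    by_ip = {record["ip"]: record for record in cmdb}
    report: Dict[str, list] = {"unknown": [], "ghosts": [], "retired_but_live": [],
                               "conflicts": [], "stale_review": []}
    for ip, asset in discovered.items():
        record = by_ip.get(ip)
        if record is None:
            report["unknown"].append(ip)            # on the wire, not in the CMDB
        elif record["status"] == "retired":
            report["retired_but_live"].append(ip)   # decommissioned on paper only
        elif asset["hostname"].lower() != record["hostname"].lower():
            report["conflicts"].append((ip, asset["hostname"], record["hostname"]))
    for record in cmdb:
        if record["status"] != "active":
            continue
        if record["ip"] not in discovered:
            report["ghosts"].append(record["hostname"])  # CMDB says active, nothing answers
        if (today - record["last_reviewed"]).days > max_review_age_days:
            report["stale_review"].append(record["hostname"])
    return report


def run_sample() -> Dict[str, list]:
    """Reconcile the constructed inputs as of a fixed date (assumed 2025-06-10)."""
    return reconcile(merge_discovery(NETWORK_SCAN, CLOUD_INVENTORY), CMDB,
                     date(2025, 6, 10))


if __name__ == "__main__":
    for category, items in run_sample().items():
        print(f"{category:17s} {items}")
```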
Forgotten user, service, and device accounts
Priority: critical. Inactive and privileged accounts are prime targets for attackers seeking to establish network persistence or expand their access within the infrastructure.
Prevalence: very high. Technical service accounts, contractor accounts, and non-personalized accounts are among the most commonly forgotten.
Detection: conduct regular analysis of the user directory (Active Directory in most organizations) to identify all types of accounts that have seen no activity over a defined period (a month, quarter, or year). Concurrently, it's advisable to review the permissions assigned to each account, and remove any that are excessive or unnecessary.
Response: after checking with the relevant service owner on the business side or employee supervisor, outdated accounts should be simply deactivated or deleted. A comprehensive Identity and Access Management system (IAM) offers a scalable solution to this problem. In this system, the creation, deletion, and permission assignment for accounts are tightly integrated with HR processes.
For service accounts, it's also essential to routinely review both the strength of passwords and the expiration dates for access tokens, rotating them as necessary.
Forgotten data stores
Priority: critical. Poorly controlled data in externally accessible databases, cloud storage and recycle bins, and corporate file-sharing services (even "secure" ones) has been a key source of major breaches in 2024–2025. The data exposed in these leaks often includes document scans, medical records, and personal information. Consequently, these security incidents also lead to penalties for non-compliance with regulations such as HIPAA, GDPR, and other data-protection frameworks governing the handling of personal and confidential data.
Prevalence: high. Archive data, data copies held by contractors, legacy database versions from previous system migrations: all of these often remain unaccounted for and accessible for years (even decades) in many organizations.
Detection: given the vast variety of data types and storage methods, a combination of tools is essential for discovery:
Native audit subsystems within major vendor platforms, such as AWS Macie, and Microsoft Purview
Specialized Data Discovery and Data Security Posture Management solutions
Automated analysis of inventory logs, such as S3 Inventory
Unfortunately, these tools are of limited use if a contractor creates a data store within its own infrastructure. Controlling that situation requires contractual stipulations granting the organization's security team access to the relevant contractor storage, supplemented by threat intelligence services capable of detecting any publicly exposed or stolen datasets associated with the company's brand.
Response: analyze access logs and integrate the discovered storage into your DLP and CASB tools to monitor its usage, or to confirm it's truly abandoned. Use available tools to securely isolate access to the storage. If necessary, create a secure backup, then delete the data. At the organizational policy level, it's crucial to establish retention periods for different data types, mandating their automatic archiving and deletion upon expiry. Policies must also define procedures for registering new storage systems, and explicitly prohibit the existence of ownerless data that's accessible without restrictions, passwords, or encryption.
Unused applications and services on servers
Priority: medium. Vulnerabilities in these services increase the risk of successful cyberattacks, complicate patching efforts, and waste resources.
Prevalence: very high. Services are often enabled by default during server installation, remain after testing and configuration work, and continue to run long after the business process they supported has become obsolete.
Detection: through regular audits of software configurations. For effective auditing, servers should adhere to a role-based access model, with each server role having a corresponding list of required software. In addition to the CMDB, a broad spectrum of tools helps with this audit: tools like OpenSCAP and Lynis, focused on policy compliance and system hardening; multi-purpose tools like OSQuery; vulnerability scanners such as OpenVAS; and network traffic analyzers.
Response: conduct a scheduled review of server functions with their business owners. Any unnecessary applications or services found running should be disabled. To minimize such occurrences, implement the principle of least privilege organization-wide and deploy hardened base images or server templates for standard server builds. This ensures no superfluous software is installed or enabled by default.
Outdated APIs
Priority: high. APIs are frequently exploited by attackers to exfiltrate large volumes of sensitive data, and to gain initial access into the organization. In 2024, the number of API-related attacks increased by 41%, with attackers specifically targeting outdated APIs, as these often provide data with fewer checks and restrictions. This was exemplified by the leak of 200 million records from X/Twitter.
Prevalence: high. When a service transitions to a new API version, the old one often remains operational for an extended period, particularly if it's still used by customers or partners. These deprecated versions are typically no longer maintained, so security flaws and vulnerabilities in their components go unpatched.
Detection: at the WAF or NGFW level, it's essential to monitor traffic to specific APIs. This helps detect anomalies that may indicate exploitation or data exfiltration, and also identify APIs that get minimal traffic.
Response: for the identified low-activity APIs, collaborate with business stakeholders to develop a decommissioning plan, and migrate any remaining users to newer versions.
For organizations with a large pool of services, this challenge is best addressed with an API management platform in conjunction with a formally approved API lifecycle policy. This policy should include well-defined criteria for deprecating and retiring outdated software interfaces.
Software with outdated dependencies and libraries
Priority: high. This is where large-scale, critical vulnerabilities like Log4Shell hide, leading to organizational compromise and regulatory compliance issues.
Prevalence: very high, especially in large-scale enterprise management systems, industrial automation systems, and custom-built software.
Detection: use a combination of vulnerability management (VM/CTEM) systems and software composition analysis (SCA) tools. For in-house development, it's mandatory to use scanners and comprehensive security systems integrated into the CI/CD pipeline to prevent software from being built with outdated components.
Response: company policies must require IT and development teams to systematically update software dependencies. When building internal software, dependency analysis should be part of the code review process. For third-party software, it's crucial to regularly audit the status and age of dependencies.
For external software vendors, updating dependencies should be a contractual requirement affecting support timelines and project budgets. To make these requirements feasible, it's essential to maintain an up-to-date software bill of materials (SBOM).
Priority: medium. Forgotten web assets can be exploited by attackers for phishing, hosting malware, or running scams under the organization's brand, damaging its reputation. In more serious cases, they can lead to data breaches, or serve as a launchpad for attacks against the company itself. A specific subset of this problem involves forgotten domains that were used for one-time activities, expired, and weren't renewed, making them available for purchase by anyone.
Prevalence: high, especially for sites launched for short-term campaigns or one-off internal activities.
Detection: the IT department must maintain a central registry of all public websites and domains, and verify the status of each with its owners on a monthly or quarterly basis. Additionally, scanners or DNS monitoring can be utilized to track domains associated with the company's IT infrastructure. Another layer of protection is provided by threat intelligence services, which can independently detect any websites associated with the organization's brand.
Response: establish a policy for scheduled website shutdown after a fixed period following the end of its active use. Implement an automated DNS registration and renewal system to prevent the loss of control over the company's domains.
Unused network devices
Priority: high. Routers, firewalls, surveillance cameras, and network storage devices that are connected but left unmanaged and unpatched make for the perfect attack launchpad. These forgotten devices often harbor vulnerabilities, and almost never have proper monitoring (no EDR or SIEM integration), yet they hold a privileged position in the network, giving hackers an easy gateway to escalate attacks on servers and workstations.
Prevalence: medium. Devices get left behind during office moves, network infrastructure upgrades, or temporary workspace setups.
Detection: use the same network inventory tools mentioned in the forgotten servers section, as well as regular physical audits to compare network scans against what's actually plugged in. Active network scanning can uncover entire untracked network segments and unexpected external connections.
Response: ownerless devices can usually be pulled offline immediately. But beware: cleaning them up requires the same care as scrubbing servers, to prevent leaks of network settings, passwords, office video footage, and so on.
News outlets recently reported that a threat actor was spreading an infostealer through free 3D model files for the Blender software. This is troubling enough on its own, but it highlights an even more serious problem: the business threat posed by free open-source programs that corporate infosec teams do not control. And the danger comes not from vulnerabilities in the software, but from its standard features.
Why Blender and 3D model marketplaces pose a risk
Blender is a 3D graphics and animation suite used by visualization professionals across various industries. The software is free and open-source, and offers extensive functionality. Among Blender's capabilities is support for executing Python scripts, which are used to automate tasks and add new features.
The package allows users to import external files from specialized marketplaces like CGTrader or Sketchfab. These platforms host both paid and free 3D models by artists and studios. Any of these model files potentially contain Python scripts.
This creates a concerning scenario: marketplaces where files can be uploaded by any user and may not be scanned for malicious content, combined with software that has an Auto Run Python Scripts feature. It allows files to automatically execute embedded Python scripts immediately upon opening, essentially running arbitrary code on the user's computer in unattended mode.
How the StealC V2 infostealer spread via Blender files
The attackers posted free 3D models with the .blend file name extension on the popular CGTrader platform. These files contained a malicious Python script. If the user had the Auto Run Python Scripts feature enabled, downloading and opening the file in Blender triggered the script. It then established a connection to a remote server and downloaded a malware loader from the Cloudflare Workers domain.
The loader executed a PowerShell script, which in turn downloaded additional malicious payloads from the attackers' servers. Ultimately, the victim's computer was infected with the StealC infostealer, enabling the attackers to:
Extract data from over 23 browsers.
Harvest information from more than 100 browser extensions and 15 crypto wallet applications.
Steal data from Telegram, Discord, Tox, Pidgin, ProtonVPN, OpenVPN, and email clients like Thunderbird.
Use a User Account Control (UAC) bypass.
The danger of unmonitored work tools
The problem isn't Blender itself: threat actors will inevitably try to exploit automation features in any popular software. Most end-users don't consider the risks of enabling common automation features, nor do they typically dive deep into how these features work or how they could be exploited.
The core issue is that security teams aren't always familiar with the capabilities of specialized tools used by various departments. They simply don't account for this vector in their threat models.
How to avoid becoming a victim
If your company uses Blender, the first step is to disable the automatic execution of Python scripts (Auto Run Python Scripts feature). Here's how to do it according to official documentation.
How to disable the automatic execution of Python scripts in Blender. Source
Furthermore, to prevent the sudden spread of threats via work tools, we recommend that corporate security teams:
Prohibit the use of tools and extensions that haven't been approved by the security team.
Thoroughly vet permitted software, and assess risks before implementing any new services or platforms.
Regularly train employees to recognize the risks associated with installing unknown software and using dangerous features. You can automate security awareness training with the Kaspersky Automated Security Awareness Platform.
Enforce the use of secure configurations for all work tools.
On December 3, the coordinated elimination of the critical vulnerability CVE-2025-55182 (CVSSv3 score: 10) became known. It was found in React server components (RSC), as well as in a number of derivative projects and frameworks: Next.js, React Router RSC preview, Redwood SDK, Waku, and the RSC plugins for Vite and Parcel. The vulnerability allows any unauthenticated attacker to send a request to a vulnerable server and execute arbitrary code. Considering that tens of millions of websites, including Airbnb and Netflix, are built on React and Next.js, and vulnerable versions of the components were found in approximately 39% of cloud infrastructures, the scale of exploitation could be very serious. Measures to protect your online services must be taken immediately.
A separate CVE-2025-66478 was initially created for the Next.js vulnerability, but it was deemed a duplicate, so the Next.js defect also falls under CVE-2025-55182.
Where and how does the React4Shell vulnerability work?
React is a popular JavaScript library for creating user interfaces for web applications. Thanks to RSC components, which appeared in React 18 in 2020, part of the work of assembling a web page is performed not in the browser, but on the server. The web page code can call React functions that will run on the server, get the execution result from them, and insert it into the web page. This allows some websites to run faster, since the browser doesn't need to load unnecessary code. RSC divides the application into server and client components, where the former can perform server operations (database queries, access to secrets, complex calculations), while the latter remains interactive on the user's machine. A special lightweight HTTP-based protocol called Flight is used for fast streaming of serialized information between the client and server.
CVE-2025-55182 lies in the processing of Flight requests, or, to be more precise, in the unsafe deserialization of data streams. React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 (or, more specifically, the react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack packages) are vulnerable. Vulnerable versions of Next.js are: 15.0.4, 15.1.8, 15.2.5, 15.3.5, 15.4.7, 15.5.6, and 16.0.6.
To exploit the vulnerability, an attacker can send a simple HTTP request to the server, and even before authentication and any checks, this request can initiate the launch of a process on the server with React privileges.
There's no data on the exploitation of CVE-2025-55182 in the wild yet, but experts agree that it's possible, and will most likely be large-scale. Wiz claims that its test RCE exploit works with almost 100% reliability. A prototype of the exploit is already available on GitHub, so it won't be difficult for attackers to adopt it and launch mass attacks.
React was originally designed to create client-side code that runs in a browser; server-side components containing vulnerabilities are relatively new. Many projects built on older versions of React, or projects where React server-side components are disabled, are not affected by this vulnerability.
However, if a project doesn't use server-side functions, this doesn't mean it's protected: RSCs may still be active. Websites and services built on recent versions of React with default settings (for example, an application on Next.js built using create-next-app) will be vulnerable.
Protective measures against exploitation of CVE-2025-55182
Updates. React users should update to the versions 19.0.1, 19.1.2 or 19.2.1. Next.js users should update to versions 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, or 16.0.7. Detailed instructions for updating the react-server component for React Router, Expo, Redwood SDK, Waku, and other projects are provided in the React blog.
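The version lists above can be checked mechanically against a package-lock.json. The following is an added example, not React's or Next.js's own tooling: it treats any release below the fixed version in the same minor line as vulnerable (so it also covers patch releases the text does not list, such as 15.5.3), and the lockfile it reads is constructed.

```python
"""Check a package-lock.json for the React Server Components and Next.js
versions the advisory above names. Added example, not React's or Next.js's own
tooling; version tables come from the text, the lockfile is constructed."""
import json
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

RSC_PACKAGES = {"react-server-dom-webpack", "react-server-dom-parcel",
                "react-server-dom-turbopack"}
# First fixed release per minor line, from the text above. Anything in that
# line below the fixed release is treated as vulnerable, which generalizes the
# explicit list (15.5.3 sits before 15.5.7 just as 15.5.6 does).
RSC_FIXED: Dict[Tuple[int, int], Version] = {
    (19, 0): (19, 0, 1), (19, 1): (19, 1, 2), (19, 2): (19, 2, 1)}
NEXT_FIXED: Dict[Tuple[int, int], Version] = {
    (15, 1): (15, 1, 9), (15, 2): (15, 2, 6), (15, 3): (15, 3, 6),
    (15, 4): (15, 4, 8), (15, 5): (15, 5, 7), (16, 0): (16, 0, 7)}
# The text lists 15.0.4 as vulnerable but names no fixed 15.0.x release.
NEXT_VULN_NO_FIX = {(15, 0, 4)}


def parse_version(text: str) -> Optional[Version]:
    """Leading major.minor.patch; pre-release suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def assess(name: str, version: str) -> str:
    """Verdict for one installed package: vulnerable, fixed, or outside the tables."""
    ver = parse_version(version)
    if ver is None:
        return "unparseable"
    if name in RSC_PACKAGES:
        table = RSC_FIXED
    elif name == "next":
        table = NEXT_FIXED
    else:
        return "not-affected-package"
    line = (ver[0], ver[1])
    if line in table:
        return "vulnerable" if ver < table[line] else "fixed"
    if ver in NEXT_VULN_NO_FIX:
        return "vulnerable"
    return "not-listed"   # a version line the advisory text does not cover; verify manually


def audit_lockfile(lock_json: str) -> Dict[str, Tuple[str, str]]:
    """lockfileVersion 2/3 layout assumed: 'packages' keyed by node_modules path."""
    lock = json.loads(lock_json)
    results: Dict[str, Tuple[str, str]] = {}
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue                              # "" is the root project entry
        name = path.rsplit("node_modules/", 1)[-1]
        if name in RSC_PACKAGES or name == "next":
            version = meta.get("version", "")
            results[path] = (version, assess(name, version))
    return results


# Constructed lockfile fragment, not from any real project.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "dependencies": {"next": "15.4.7", "react": "19.1.1"}},
        "node_modules/next": {"version": "15.4.7"},
        "node_modules/react": {"version": "19.1.1"},
        "node_modules/react-server-dom-webpack": {"version": "19.1.1"},
        "node_modules/lodash": {"version": "4.17.21"},
    },
})

if __name__ == "__main__":
    for pkg_path, (pkg_version, verdict) in audit_lockfile(SAMPLE_LOCK).items():
        print(f"{verdict:10s} {pkg_path} {pkg_version}")
```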
Cloud provider protection. Major providers have released rules for their application-level web filters (WAF) to prevent exploitation of vulnerabilities:
AWS (AWS WAF rules are included in the standard set, but require manual activation);
Cloudflare (protects all customers, including those on the free plan. Works if traffic to the React application is proxied through Cloudflare WAF. Customers on professional or enterprise plans should verify that the rule is active);
Google Cloud (Cloud Armor rules for Firebase Hosting and Firebase App Hosting are applied automatically);
However, all providers emphasize that WAF protection only buys time for scheduled patching, and RSC components still need to be updated on all projects.
Protecting web services on your own servers. The least invasive solution would be to apply detection rules that prevent exploitation to your WAF or firewall. Most vendors have already released the necessary rule sets, but you can also prepare them yourself, for example based on our list of dangerous POST requests.
If granular analysis and filtering of web traffic isn't possible in your environment, identify all servers on which RSC (server function endpoints) are available, and significantly restrict access to them. For internal services, you can block requests from all untrusted IP ranges; for public services, you can strengthen IP reputation filtering and rate limiting.
An additional layer of protection will be provided by an EPP/EDR agent on servers with RSC. It will help detect anomalies in react-server behavior after the vulnerability has been exploited, and prevent the attack from developing.
In-depth investigation. Although information about exploitation of the vulnerability in the wild hasn't been confirmed yet, it cannot be ruled out that it's already happening. It's recommended to study the logs of network traffic and cloud environments, and if suspicious requests are detected, to carry out a full response, including the rotation of keys and other secrets available on the server. Signs of post-exploitation activity to look for first: reconnaissance of the server environment, searches for secrets (.env, CI/CD tokens, etc.), and installation of web shells.
The chair of the Office for Budget Responsibility has said he felt mortified by the early release of its budget forecasts as the watchdog launched a rapid inquiry into how it had "inadvertently made it possible" to see the documents.
Richard Hughes said he had written to the chancellor, Rachel Reeves, and the chair of the Treasury select committee, Meg Hillier, to apologise.
Hackers stole personal information of 6.6m people but outsourcing firm did not shut device targeted for 58 hours
The outsourcing company Capita has been fined £14m for data protection failings after hackers stole the personal information of 6.6 million people, including staff details and those of its clients' customers.
John Edwards, the UK information commissioner who levied the fine, said the March 2023 data theft from the group and companies it supported, including 325 pension providers, caused anxiety and stress for those affected.
Lead brand of French luxury group LVMH reassures customers financial data such as bank details were not taken
Louis Vuitton has said the data of some UK customers has been stolen, as it became the latest retailer targeted by cyber hackers.
The retailer, the leading brand of the French luxury group LVMH, said an unauthorised third party had accessed its UK operation's systems and obtained information such as names, contact details and purchase history.
Regulator acts on leasing of "global title" numbers after industry efforts to tackle problem were ineffective
The UK communications regulator Ofcom is banning mobile operators from leasing numbers that can be used by criminals to intercept and divert calls and messages, including security codes sent by banks to customers.
Ofcom said it would stop the leasing of "global titles", special types of phone numbers used by mobile networks to support services to make sure messages and calls reach the intended recipient.
Jordan Drysdale // tl;dr Inventory management and personnel management are critical to making this work. Often, the difference between your company becoming a statistic and catching someone with a foothold in […]
Jordan Drysdale // tl;dr Vulnerability management is a part of doing business and operating on the public internet these days. Include training as part of this Critical Control. Users should be […]
Jordan Drysdale // Blurb: A few of us have discussed the stress that small and medium business proprietors and operators feel these days. We want to help stress you out […]
Jordan Drysdale // A few of us have discussed the stress that small and medium business proprietors and operators feel these days. We want to help stress you out even […]
Jordan Drysdale // Blurb: A few of us have discussed the stress that small and medium business proprietors and operators feel these days. We want to help stress you out even […]
Carrie Roberts // A malicious macro in a Microsoft Word or Excel document is an effective hacking technique. These documents could be delivered in a variety of […]