CyberWatchers
@cyberwatchers.bsky.social
Interested in cyber security - highlighting news stories, advisories and cyber attacks.
Cybersecurity researchers have disclosed details of a new Android remote access trojan (RAT) called Fantasy Hub that's sold on Russian-speaking Telegram channels under a Malware-as-a-Service (MaaS) model.
thehackernews.com/2025/11/andr...
Android Trojan 'Fantasy Hub' Malware Service Turns Telegram Into a Hub for Hackers
Fantasy Hub RAT sold via Telegram exploits Android SMS and banking systems amid rising MaaS threats.
thehackernews.com
November 12, 2025 at 9:15 AM
www.netcraft.com/blog/thousan...
A Russian-speaking threat actor operating an ongoing, mass phishing campaign targeting people who might be planning (or about to leave for) a vacation has registered more than 4,300 domain names used in the attacks since the beginning of the year.
Thousands of Fake Hotel Domains Used in Massive Phishing Campaign
A Russian-speaking threat actor has registered 4,300+ domains in a sophisticated phishing campaign impersonating major travel brands like Airbnb and Booking.com to steal travelers’ payment data. Learn...
www.netcraft.com
November 12, 2025 at 8:38 AM
Victims included banks, telecommunications companies and engineering firms in Pennsylvania, California, Michigan, Illinois, Georgia and Ohio.
therecord.media/russian-hack...
Russian hacker to plead guilty to aiding Yanluowang ransomware group
Court documents show evidence proving Volkov served as an initial access broker for the ransomware gang — breaking into the network of victims and then offering his access for a percentage of the rans...
therecord.media
November 11, 2025 at 1:08 PM
Russian state-backed hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine's education, government, and the grain sector, the country's main revenue source.
www.bleepingcomputer.com/news/securit...
Sandworm hackers use data wipers to disrupt Ukraine's grain sector
Russian state-backed hacker group Sandworm has deployed multiple data-wiping malware families in attacks targeting Ukraine's education, government, and the grain sector, the country's main revenue sou...
www.bleepingcomputer.com
November 6, 2025 at 2:07 PM
Silent Push Threat Analysts have uncovered threat actors using AdaptixC2 and have observed heavy ties linking AdaptixC2 to Russia and the Russian criminal underworld.
www.silentpush.com/blog/adaptix...
Silent Push Unearths AdaptixC2's Ties to Russian Criminal Underworld, Tracks Threat Actors Harnessing Open-Source Tool for Malicious Payloads
Silent Push has uncovered threat actors tied to the Russian underworld using the AdaptixC2 framework to deliver malicious payloads.
www.silentpush.com
October 30, 2025 at 11:10 AM
Attackers are gaining access using a custom, Sandworm-linked webshell. One of the webshells used was Localolive which, according to Microsoft, is associated with a sub-group of the Russian Sandworm group.
www.security.com/threat-intel...
Ukrainian organizations still heavily targeted by Russian attacks
Attackers are gaining access using a custom, Sandworm-linked webshell and are making heavy use of Living-off-the-Land tactics to maintain persistent access.
www.security.com
October 29, 2025 at 12:28 PM
COLDRIVER, a Russian state-sponsored threat group known for targeting high profile individuals in NGOs, policy advisors and dissidents, shifted operations after the May 2025 public disclosure of its LOSTKEYS malware.
cloud.google.com/blog/topics/...
To Be (A Robot) or Not to Be: New Malware Attributed to Russia State-Sponsored COLDRIVER | Google Cloud Blog
Russia state-sponsored COLDRIVER started using new malware immediately following a May public disclosure of their activity.
cloud.google.com
October 29, 2025 at 7:42 AM
Continuous investigation on the Water Saci campaign reveals innovative email-based C&C system, multi-vector persistence, and real-time command capabilities that allow attackers to orchestrate coordinated botnet operations.
www.trendmicro.com/en_us/resear...
Active Water Saci Campaign Spreading Via WhatsApp Features Multi-Vector Persistence and Sophisticated C&C
Continuous investigation on the Water Saci campaign reveals innovative email-based C&C system, multi-vector persistence, and real-time command capabilities that allow attackers to orchestrate coordina...
www.trendmicro.com
October 28, 2025 at 1:52 PM
The hackers stole information from a file transfer solution and the country’s power supply was not affected.
www.securityweek.com/hackers-targ...
Hackers Target Swedish Power Grid Operator
Swedish state-owned power grid operator Svenska kraftnät has confirmed that it fell victim to a cyberattack that resulted in a data breach.
www.securityweek.com
October 28, 2025 at 10:45 AM
"This leak could expose the tools, techniques, and infrastructure used in state-sponsored information warfare and cyber-espionage campaigns."
#Russia #GRU #hack
www.brinztech.com/breach-alert...
Hacker Claims Breach of GRU-Linked Russian Firm, Leaks Malware and 'Troll Farm' Data
A hacker has claimed to have breached a Russian firm allegedly working for the GRU, exfiltrating and leaking sensitive data including custom malware and a "troll farm management syst...
www.brinztech.com
October 14, 2025 at 3:17 PM
The Evolution of Russian Physical-Cyber Espionage - GRU hackers 'APT28, have long combined digital intrusions with physical tradecraft and human assets.'
www.trellix.com/blogs/resear...
www.trellix.com
October 10, 2025 at 9:48 AM
Over the past two and a half years, Unit 42 researchers have observed Phantom Taurus targeting government and telecommunications organizations across Africa, the Middle East, and Asia.
unit42.paloaltonetworks.com/phantom-taur...
Phantom Taurus: A New Chinese Nexus APT and the Discovery of the NET-STAR Malware Suite
Phantom Taurus is a previously undocumented Chinese threat group. Explore how this group's distinctive toolset led to uncovering their existence.
unit42.paloaltonetworks.com
October 1, 2025 at 9:06 AM
Two Dutch teens were allegedly contacted by pro-Russian hackers on Telegram. It was reported that the two were arrested “on suspicions that are linked to government-sponsored interference.”
thecyberexpress.com/wifi-sniffer...
WiFi Sniffer Leads to Russian Spying Charges for Dutch Teens
Two teenagers in the Netherlands face charges that they allegedly spied for pro-Russia hackers. The 17-year-old boys were reportedly arrested
thecyberexpress.com
September 30, 2025 at 2:56 PM
ThreatLabz discovered a multi-stage ClickFix campaign that is likely affiliated with the nation-state threat group known as COLDRIVER, a Russia-linked APT group that has mainly targeted dissidents and their supporters through phishing campaigns.
www.zscaler.com/blogs/securi...
COLDRIVER Adds BAITSWITCH and SIMPLEFIX | ThreatLabz
The Russia-linked group COLDRIVER targeted dissidents and their supporters using a ClickFix technique, resulting in the deployment of BAITSWITCH and SIMPLEFIX.
www.zscaler.com
September 25, 2025 at 8:54 AM
Reposted by CyberWatchers
SolarWinds on Tuesday released a hotfix - again - for a critical, 9.8-severity flaw in its Web Help Desk IT ticketing software that could allow a remote, unauthenticated attacker to run commands on a host machine.
SolarWinds patches critical RCE - for the third time
Or maybe 3 strikes, you're out?
www.theregister.com
September 23, 2025 at 7:04 PM
Reposted by CyberWatchers
Putting the Secret Service's nonsense framing aside, it's a pretty cool discovery. Those black boxes are SIM gateways which you plug sim cards into and they act like virtual cell phones. They then route the access over the internet so people can use the sim cards from anywhere in the world.🧵
1/3
September 23, 2025 at 4:38 PM
Reposted by CyberWatchers
A former Florida police officer now runs a Kremlin-backed troll empire, an investigation found
Using AI tools like Llama 3, the network churns out fabricated news and deepfakes to undermine Ukraine's aid and meddle in elections in the West
euromaidanpress.com/2025/09/23/f...
Former Florida cop turned Kremlin operative, spreading Russian propaganda through over 200 fake news websites
John Mark Dougan fled to Moscow in 2016 after facing charges in Florida, then received political asylum and now coordinates GRU-funded servers running AI models.
euromaidanpress.com
September 23, 2025 at 10:08 PM
Reposted by CyberWatchers
-US raids SIM farm in New York
-EU airport disruptions caused by ransomware
-Thieves steal gold from French museum after cyberattack
-SonicWall firmware update removes rootkit
-Jaguar ransomware incident extends to October
Podcast: risky.biz/RBNEWS482/
Newsletter: news.risky.biz/risky-bullet...
September 24, 2025 at 8:32 AM
Reposted by CyberWatchers
U.S. Secret Service Dismantles 300 SIM Servers and 100,000 SIM Cards Disabling Cell Phone Towers
cybersecuritynews.com
September 23, 2025 at 1:49 PM
Sekoia.io’s Threat Detection and Response (TDR) team closely monitors APT28 as one of its highest-priority threat actors.
https://blog.sekoia.io/apt28-operation-phantom-net-voxel/
APT28 Operation Phantom Net Voxel
APT28 Operation Phantom Net Voxel: weaponized Office lures, COM-hijack DLL, PNG stego to Covenant Grunt via Koofr, BeardShell on icedrive.
blog.sekoia.io
September 16, 2025 at 3:40 PM
"a comprehensive exploration of Russia’s integrated cyber warfare doctrine, where digital intrusion, kinetic disruption, and state-controlled defense architecture operate in concert."
treadstone71.com/index.php/un...
Treadstone 71 - Unit 29155 - APT28 - GosSOPKA
Three linked intelligence reports reveal how APT28, GRU Unit 29155, and GosSOPKA form the offensive and defensive pillars of Russia’s cyber warfare doctrine.
treadstone71.com
July 8, 2025 at 10:03 AM
"the cost of ransomware isn't just in ransom paid, but in days or weeks of downtime, regulatory penalties, and reputation loss. The cost of building an IRE is less than a breach, and the peace of mind it offers is far greater."
cloud.google.com/blog/topics/...
Isolated Recovery Environments: A Critical Layer in Modern Cyber Resilience | Google Cloud Blog
How isolated recovery environments differ from traditional disaster recovery strategies, and how to implement them.
cloud.google.com
July 7, 2025 at 3:10 PM