Russian GRU Campaign Targeting Western Critical Infrastructure
Targeted Sectors
· Energy (electric utilities, energy providers)
· Technology (cloud infrastructure, collaboration platforms, source code repositories)
· Telecommunications
· Managed Security Service Providers
Targeted Countries
· North America
· Western and Eastern Europe
· The Middle East (global reach)
BLUF
Russian state-sponsored actors are using misconfigured network edge devices hosted on AWS and other cloud services to gain initial access to critical infrastructure, then using credential harvesting and replay attacks for lateral movement and persistence.
Date of First Reported Activity
· Activity observed between 2021 and December 16, 2025
Date of Last Reported Activity Update
· December 16, 2025
APT Names
· APT44
· FROZENBARENTS
· Sandworm
· Seashell Blizzard
· Voodoo Bear
Associated Criminal Organization Names
· Infrastructure overlaps with "Curly COMrades"
IOCs
· Massive exploitation of internet-facing Virtual Network Computing (VNC) connections (port 5900/5901) to directly access HMI and SCADA systems.
Tools Used in Campaign
· Native packet capture features on compromised devices
· Hyper-V abuse for EDR evasion
· Custom implants such as CurlyShell and CurlCat
CVEs and CVSS Vectors
CVE-2023-27532
CVSS:3.1
· (7.5) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Nessus ID(s)
· 173398
Is this on the KEV list?
· Yes
CISA patch by date
· September 12, 2023
Patching/Mitigation Data
Patch Release Date
· March 7, 2023
URL link to patching information
· hxxps://www.veeam.com/kb4424
Mitigation
· If patching is not immediately possible, Veeam recommends blocking external connections to TCP port 9401 in the backup server firewall for all-in-one appliances.
CVE-2023-22518
CVSS:3.1
· (10.0) AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Nessus ID(s)
· 114109
· 185344
· 114105
· 114104
· 114103
· 114102
· 114101
· 184079
Is this on the KEV list?
· Yes
CISA patch by date
· November 28, 2023
Patching/Mitigation Data
Patch Release Date
· October 31, 2023
URL link to patching information
· hxxps://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
CVE-2021-26084
CVSS:3.1
· (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID(s)
· 112964
· 112963
· 112962
· 112961
· 153087
· 112944
· 152864
Is this on the KEV list?
· Yes
CISA patch by date
· August 25, 2021
Patching/Mitigation Data
Patch Release Date
· August 25, 2021
URL link to patching information
· hxxps://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
CVE-2022-26318
CVSS:3.1
· (9.8) AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Nessus ID(s)
· No plugin available
Is this on the KEV list?
· Yes
CISA patch by date
· April 15, 2022
Patching/Mitigation Data
Patch Release Date
· February 23, 2022
URL link to patching information
· hxxps://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00002
Mitigation Data
· Focuses on adherence to a multi-faceted approach to supply chain cybersecurity, including risk assessment, continuous monitoring, and secure configurations.
Malware Names
· CurlyShell
· CurlCat
· WhisperGate
Malware Samples
CurlyShell
CurlyShell Core Binary (init_tools)
Sha256
· 142b638c6a60b60c7f9928da4fb85a5a8e1422a9ffdc9ee49e17e56ccca9cf6e
URL to sample
· hxxps://www.virustotal.com/gui/file/142b638c6a60b60c7f9928da4fb85a5a8e1422a9ffdc9ee49e17e56ccca9cf6e
CurlCat
Sha256
· 142b638c6a60b60c7f9928da4fb85a5a8e1422a9ffdc9ee49e17e56ccca9cf6e
URL to sample
· hxxps://www.virustotal.com/gui/file/142b638c6a60b60c7f9928da4fb85a5a8e1422a9ffdc9ee49e17e56ccca9cf6e
WhisperGate
Stage 1 Master Boot Record Wiper
Sha256
· a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
URL to sample
· hxxps://www.virustotal.com/gui/file/a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92
Stage 2 Downloader/Installer
Sha256
· dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
URL to sample
· hxxps://www.virustotal.com/gui/file/dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
TTPs
Initial Access & Reconnaissance
· T1595.002: Active Scanning (Vulnerability Scanning) – Scanning for internet-facing Operational Technology (OT) devices and open VNC ports.
· T1190: Exploit Public-Facing Application – Exploiting known vulnerabilities in network edge devices, such as Roundcube, Outlook, and Veeam.
· T1110.003: Brute Force (Password Spraying) – Utilizing large-scale automated attempts to guess credentials for VNC, VPN, and RTSP camera servers.
· T1078: Valid Accounts – Gaining access via default, weak, or previously stolen credentials (common in SCADA/HMI targeting).
Execution & Persistence
· T1059.001: Command and Scripting Interpreter (PowerShell) – Preparing data for exfiltration and executing malicious scripts.
· T1053.005: Scheduled Task/Job (Scheduled Task) – Maintaining persistent access within logistics and government networks.
· T1547.001: Boot or Logon Autostart Execution (Registry Run Keys) – Ensuring malware persists across system restarts.
· T1125: Video Capture – Specifically targeting IP and traffic cameras (via RTSP) to track military aid and logistics shipments.
Lateral Movement & Collection
· T1021.005: Remote Services (VNC) – Using unencrypted VNC software to move laterally and directly manipulate HMI devices.
· T1114.002: Email Collection (Remote Email Services) – Siphoning data from email servers via IMAP, EWS, or modified Microsoft Exchange permissions.
· T1119: Automated Collection – Using periodic queries to automatically gather new emails and files for exfiltration.
Impact & Sabotage
· T1485: Data Destruction – Deploying destructive malware like WhisperGate to render systems inoperable.
· T0813: Modification of Parameter (ICS-Specific) – Directly altering HMI settings in water treatment and energy systems to trigger physical overflows or shutdowns.
· T1498: Network Denial of Service (DDoS) – Executing simultaneous DDoS attacks to mask more intrusive SCADA/OT manipulations.
· Leveraging misconfigured network edge devices as initial access vectors.
Suggested Rules / potential hunts
Suricata Rules
Discord-based Payload Download
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE WhisperGate Stage 2 Downloader (Discord)"; flow:established,to_server; content:"cdn.discordapp.com"; http_host; content:"/attachments/"; http_uri; sid:1000001; rev:1;)
Suspicious Outbound File Retrieval
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"SURICATA Suspicious EXE Download from External Source"; flow:established,to_client; file_data; content:"MZ"; startswith; sid:1000002; rev:1;)
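To make the two Suricata signatures above testable offline, here is an added Python re-implementation of their match logic run over constructed HTTP messages. It is not part of the original report and not Suricata code; the request, response, attachment path and host names are synthetic test data. Rule 1000001 keys on the Host header and URI of a client request (Suricata's http_host buffer is lower-cased and port-less, and content is a substring match), while rule 1000002 keys on the body of a server response beginning with the "MZ" magic bytes, so it has to be evaluated on traffic flowing server -> client.

```python
"""
Offline re-implementation of what the two Suricata rules above match, applied
to constructed HTTP messages. Added example, not part of the original report;
all traffic below is synthetic.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class HttpRequest:
    method: str
    uri: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class HttpResponse:
    status: int
    body: bytes = b""


def parse_request(raw: bytes) -> HttpRequest:
    """Minimal HTTP/1.1 request parser: request line plus headers (lower-cased names)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return HttpRequest(method, uri, headers)


def parse_response(raw: bytes) -> HttpResponse:
    """Minimal HTTP/1.1 response parser: status line plus the raw body after the blank line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    status_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    return HttpResponse(int(status_line.split(" ", 2)[1]), body)


def rule_1000001(req: HttpRequest) -> bool:
    """content:"cdn.discordapp.com"; http_host; content:"/attachments/"; http_uri;
    The http_host buffer is lower-cased with no port, and content is a substring
    match, so both checks are substring tests on the normalised values."""
    host = req.headers.get("host", "").lower().split(":", 1)[0]
    return "cdn.discordapp.com" in host and "/attachments/" in req.uri


def rule_1000002(resp: HttpResponse) -> bool:
    """file_data; content:"MZ"; startswith; -> the response body starts with a DOS/PE header."""
    return resp.body.startswith(b"MZ")


def evaluate(raw_request: bytes, raw_response: bytes) -> List[str]:
    """Return the msg strings that would fire for one request/response pair."""
    alerts = []
    if rule_1000001(parse_request(raw_request)):
        alerts.append("ET MALWARE WhisperGate Stage 2 Downloader (Discord)")
    if rule_1000002(parse_response(raw_response)):
        alerts.append("SURICATA Suspicious EXE Download from External Source")
    return alerts


# Constructed traffic (synthetic, not from the campaign): a fetch from a Discord
# attachment path answered with a body that begins with an MZ header.
SUSPICIOUS_REQUEST = (
    b"GET /attachments/111111111111111111/222222222222222222/payload.bin HTTP/1.1\r\n"
    b"Host: cdn.discordapp.com\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)
SUSPICIOUS_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
    b"Content-Length: 4\r\n\r\nMZ\x90\x00"
)
# Constructed benign pair: an ordinary page fetch answered with HTML.
BENIGN_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
BENIGN_RESPONSE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>"

if __name__ == "__main__":
    print(evaluate(SUSPICIOUS_REQUEST, SUSPICIOUS_RESPONSE))
    print(evaluate(BENIGN_REQUEST, BENIGN_RESPONSE))
```

The request-side rule fires on any attachment path under the Discord CDN host, so expect benign hits in environments where Discord is used; the response-side check is intentionally broad (any PE body from outside) and is a hunt pivot rather than a high-fidelity alert.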
Suggested SentinelOne rules
Defense Evasion (Windows Defender Exclusion)
processCmd RegExp "Add-MpPreference -ExclusionPath" AND processCmd ContainsCIS "C:\"
Suspicious File Activity in Temp Folders
(ProcessName In ("powershell.exe", "cmd.exe")) AND (FilePath ContainsCIS "\AppData\Local\Temp\")
Suggested Splunk hunts
Excessive File Deletions
index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=23
| stats dc(TargetFilename) AS deleted_files BY host, Image
| where deleted_files > 50
Windows Event Log Clearing
index=windows (EventCode=1102 OR EventCode=104)
| table _time, host, user, LogName
Master Boot Record (MBR) Corruption Indicators
index=windows sourcetype=XmlWinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=1
Image="*vssadmin.exe*" CommandLine="*delete shadows*"
Look for anomalies in log entries for package installations
index=* sourcetype="your_ci_cd_logs" "npm install"
Monitor for exfiltration patterns in build logs
index=* sourcetype="your_authentication_logs" "AWS access key"
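The three Windows hunts above (excessive file deletions, event log clearing, shadow copy deletion) can be exercised offline before they are deployed to Splunk. The following is an added Python example, not part of the original report and not Splunk code, that parses constructed Windows Event Log records in XML form and applies the same logic; every record, path and user name in it is synthetic. The deletion hunt counts distinct deleted files per process image, which is what surfaces a single wiper process, and the vssadmin check is case-insensitive to mirror Splunk's wildcard matching.

```python
"""
Offline re-implementation of the three Windows hunts above, applied to
constructed Windows Event Log XML records. Added example, not part of the
original report; all records below are synthetic.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

EVT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = "{" + EVT_NS + "}"


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one <Event>: EventID and Channel from <System>, every
    <Data Name=...> under <EventData>, and every leaf under <UserData>
    (where a 1102/104 'log cleared' event carries SubjectUserName)."""
    root = ET.fromstring(xml_text)
    system = root.find(NS + "System")
    rec = {
        "EventID": system.findtext(NS + "EventID", default=""),
        "Channel": system.findtext(NS + "Channel", default=""),
    }
    for data in root.iter(NS + "Data"):
        if data.get("Name"):
            rec[data.get("Name")] = data.text or ""
    user_data = root.find(NS + "UserData")
    if user_data is not None:
        for leaf in user_data.iter():
            if len(leaf) == 0:  # leaf element; strip any namespace from its tag
                rec[leaf.tag.rsplit("}", 1)[-1]] = leaf.text or ""
    return rec


def excessive_deletions(events: List[Dict[str, str]], threshold: int = 50) -> Dict[str, int]:
    """Sysmon EventID 23: distinct files deleted per process image, reported
    when the count exceeds the threshold."""
    files: Dict[str, Set[str]] = {}
    for e in events:
        if e["EventID"] == "23":
            files.setdefault(e.get("Image", ""), set()).add(e.get("TargetFilename", ""))
    return {img: len(f) for img, f in files.items() if len(f) > threshold}


def log_clearing(events: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """EventID 1102 (Security log cleared) or 104 (System/Application log cleared)."""
    return [(e["EventID"], e["Channel"], e.get("SubjectUserName", ""))
            for e in events if e["EventID"] in ("1102", "104")]


def shadow_copy_deletion(events: List[Dict[str, str]]) -> List[str]:
    """Sysmon EventID 1 where Image contains vssadmin.exe and the command line
    contains 'delete shadows' (compared lower-cased, like Splunk wildcards)."""
    hits = []
    for e in events:
        if (e["EventID"] == "1" and "vssadmin.exe" in e.get("Image", "").lower()
                and "delete shadows" in e.get("CommandLine", "").lower()):
            hits.append(e.get("CommandLine", ""))
    return hits


def run_hunts(xml_records: List[str]) -> Dict[str, object]:
    """Parse every record once and run all three hunts over the result."""
    events = [parse_event(x) for x in xml_records]
    return {
        "excessive_deletions": excessive_deletions(events),
        "log_clearing": log_clearing(events),
        "shadow_copy_deletion": shadow_copy_deletion(events),
    }


# --- constructed records (synthetic; paths and user names are made up) ---
def _sysmon(event_id: int, **data: str) -> str:
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Channel>Microsoft-Windows-Sysmon/Operational</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')


def _log_cleared(event_id: int, channel: str, user: str) -> str:
    return (f'<Event xmlns="{EVT_NS}"><System><EventID>{event_id}</EventID>'
            f'<Channel>{channel}</Channel></System><UserData><LogFileCleared>'
            f'<SubjectUserName>{user}</SubjectUserName></LogFileCleared></UserData></Event>')


SAMPLE_EVENTS: List[str] = (
    [_sysmon(23, Image="C:\\Users\\Public\\wiper.exe", TargetFilename=f"C:\\Data\\doc{i}.docx") for i in range(60)]
    + [_sysmon(23, Image="C:\\Windows\\explorer.exe", TargetFilename=f"C:\\Temp\\tmp{i}") for i in range(3)]
    + [_sysmon(1, Image="C:\\Windows\\System32\\vssadmin.exe", CommandLine="vssadmin.exe Delete Shadows /All /Quiet"),
       _sysmon(1, Image="C:\\Windows\\System32\\vssadmin.exe", CommandLine="vssadmin.exe list shadows"),
       _log_cleared(1102, "Security", "admin"),
       _log_cleared(104, "System", "admin")]
)

if __name__ == "__main__":
    for name, result in run_hunts(SAMPLE_EVENTS).items():
        print(name, result)
```

Against the sample data only the synthetic wiper process crosses the 50-file threshold, explorer.exe with three deletions stays below it, the "list shadows" command line does not match, and both log-cleared events are returned with the clearing account.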
Delivery Method
Exploitation of misconfigured customer network edge devices with exposed management interfaces.
Email Samples
Not applicable to these campaigns
References
CISA
· hxxps://www.cisa.gov/news-events/cybersecurity-advisories/aa24-249a
· hxxps://www.cisa.gov/news-events/news/cisa-fbi-and-us-and-global-partners-urge-immediate-action-defend-critical-infrastructure-pro-russia
NSA
· hxxps://www.nsa.gov/Press-Room/Press-Releases-Statements/Press-Release-View/Article/4355881/nsa-fbi-and-others-call-out-pro-russia-hacktivist-groups-targeting-critical-inf
Paubox
· hxxps://www.paubox.com/blog/pro-russia-hacktivists-target-infrastructure-in-global-cyber-attacks
IC3
· hxxps://www.ic3.gov/CSA/2025/251209.pdf
Tenable
· hxxps://www.tenable.com/cve/CVE-2023-27532/plugins
· hxxps://www.tenable.com/cve/CVE-2023-22518/plugins
· hxxps://www.tenable.com/cve/CVE-2021-26084/plugins
· hxxps://www.tenable.com/cve/CVE-2022-26318/plugins
Veeam
· hxxps://www.veeam.com/kb4424
Confluence Atlassian
· hxxps://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html
· hxxps://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html
WatchGuard
· hxxps://www.watchguard.com/wgrd-psirt/advisory/wgsa-2022-00002
VirusTotal
· hxxps://www.virustotal.com/gui/file/142b638c6a60b60c7f9928da4fb85a5a8e1422a9ffdc9ee49e17e56ccca9cf6e
· hxxps://www.virustotal.com/gui/file/dcbbae5a1c61dbbbb7dcd6dc5dd1eb1169f5329958d38b58c3fd9384081c9b78
· hxxps://www.virustotal.com/gui/file/a196c6b8ffcb97ffb276d04f354696e2391311db3841ae16c8c9f56f36a38e92