Author: blogmirnet

APT44, also known as Sandworm, FROZENBARENTS, Seashell Blizzard, and Voodoo Bear, is a Russian state-sponsored cyber group attributed to GRU Unit 74455. APT44 has significantly evolved its operations in recent years, expanding from traditional cyber espionage into a full-spectrum capability encompassing sabotage, psychological operations, and battlefield support. Its campaigns have targeted Ukraine and NATO countries, with a growing focus on critical infrastructure such as energy, water, and telecommunications.

APT44’s operations increasingly leverage a combination of custom wiper malware, “living-off-the-land” (LOTL) techniques, and publicly available tools to conduct destructive attacks while minimizing attribution and detection. The group has also employed hacktivist personas and false-flag operations to obscure its involvement and sow confusion in the information space.

This shift reflects a broader strategic trend in Russian cyber doctrine, where cyber operations are fully integrated into military campaigns and geopolitical influence efforts. As hybrid conflict becomes the norm, organizations supporting critical functions must prepare not just for espionage, but pre-positioning and sabotage by highly capable actors like APT44.

Key Points

• APT44 is a Russian state-sponsored cyber sabotage and espionage group linked to GRU Unit 74455, known for targeting Ukraine, NATO member states, and global critical infrastructure.
• The group has expanded its mission set from military intelligence collection to including destructive operations, information warfare, and support for military campaigns.
• APT44 employs a hybrid toolkit combining custom wiper malware, commodity RATs, and LOTL techniques, often delivered through supply-chain compromises, phishing, and edge device exploitation.
• APT44’s tactics enable it to operate covertly within civilian networks, undermining traditional perimeter defenses and increasing operational risk for infrastructure operators, especially in energy, water, and telecom sectors.

Risk Assessment

The NJCCIC has assessed that APT44 poses a significant and escalating threat to organizations that operate critical infrastructure, higher education networks, and government systems. By deploying destructive malware, targeting industrial control systems, and integrating LOTL techniques with newer cloud and AI-enabled capabilities, the group can achieve both immediate disruption and sustained covert access.

This evolution is particularly concerning for organizations with operational technology dependencies and hybrid cloud environments, where visibility into lateral movement, identity abuse, and process manipulation are often limited. APT44 has previously conducted highly disruptive attacks such as NotPetya and Industroyer2 against similar targets, and its malware families have been observed exploiting vulnerabilities common across enterprise and industrial systems.

These tactics align with persistent weaknesses in cloud security, OT/IT integration, and incident response readiness, increasing the likelihood of severe service disruption, data loss, or reputational harm. The group’s destructive mandate, combined with its ability to blend disruption with stealthy persistence, underscores the urgent need for enhanced detection, network segmentation, and resilience planning against APT44 campaigns.

Threat Actor Summary

APT44, associated with the GRU’s Unit 74455 (Sandworm), primarily targets government, energy, critical infrastructure, technology, and education sectors in countries such as Ukraine, the United States, NATO members, and other Western allies. Since 2009, the group has been actively tracked by the cybersecurity community and is regarded as one of Russia’s most destructive and disruptive cyber units, supporting Moscow’s military and geopolitical objectives.

Technical Analysis

Tactics, Techniques, & Procedures

APT44 is known for its destructive and disruptive cyber operations in support of Russian military objectives. The group often gains access through spearphishing campaigns, exploitation of edge vulnerabilities, and supply chain compromises. They also employ LOTL techniques to blend into normal network activity and establish persistence.

Once inside, APT44 deploys custom malware families such as NotPetya, BlackEnergy, Industroyer, and Industroyer2, designed to wipe data, disrupt systems, or directly manipulate industrial control systems (ICS). Unlike espionage-focused groups, APT44 frequently times operations with kinetic military actions and leverages wipers, ICS-targeting tools, and destructive payloads to maximize impact.

Infrastructure

APT44 maintains a diverse and adaptable infrastructure to support its operations. This includes the use of compromised servers, hijacked domains, and VPNs for command-and-control (C2). They have also leveraged hardcoded infrastructure within destructive malware, creating global spillover effects, as seen in the NotPetya campaign. In recent activity, APT44 has increasingly relied on compromised network devices and legitimate administrative tools to maintain access and facilitate attacks.

Victims

APT44’s targeting closely aligns with Russia’s military and geopolitical priorities, focusing on disruption rather than espionage. Victims have included critical infrastructure operators, energy providers, higher education institutions, and government agencies, particularly those supporting Ukraine or NATO allies. Their operations are designed to undermine stability, cause economic damage, and erode confidence in Western institutions.

Target Sectors

• Government and Defense Institutions
• Energy and Critical Infrastructure (including ICS/SCADA systems)
• Higher Education and Research
• Technology and Telecommunications
• Media and Olympics

Geographic Focus

• Ukraine
• United States
• NATO Member States
• European Union Countries
• Western Allies supporting Ukraine

Attribution

APT44 has been widely attributed to the Russian GRU’s Main Center for Special Technologies (Unit 74455), commonly referred to as Sandworm. This attribution is supported by forensic evidence, including the reuse of destructive malware families, infrastructure overlaps, operational timing aligned with Russian military campaigns, and strategic targeting consistent with Russian state objectives. The group’s working patterns, Russian language artifacts, and repeated coordination with broader GRU operations reinforce its role as a core offensive cyber unit of the Russian state.

Have you received a text message regarding an unpaid toll or package misdelivery lately? You are not the only one. Researchers discovered a SMiShing (SMS text phishing) campaign attributed to the “Smishing Triad” that has been circulating since April 2024. A China-based threat actor has been impersonating a variety of international services within critical infrastructure, including banking, cryptocurrency, e-commerce, healthcare, law enforcement, and social media. The campaign places a significant focus on targeting US residents by impersonating organizations, such as commercial and state-owned mail and package delivery services, state vehicles and licensing agencies, and state and federal tax services or agencies. The “Smishing Triad” employs standard tactics by sending text messages that create urgency to trick victims into acting immediately. Once victims click on an included link, they are directed to a phishing page that captures sensitive information, including Social Security numbers, addresses, payment information, and login credentials.

This threat actor has been challenging to detect due to their operation and hosting infrastructure. Researchers have identified 194,000 malicious domains linked to the operation. The attack infrastructure is primarily hosted on popular US cloud services, despite the malicious domains being registered through a Hong Kong-based registrar and utilizing Chinese nameservers. A majority of the “Smishing Triad” root domains were created with a hyphenated series of strings followed by a top-level domain (TLD) (e.g., [string1]-[string2].[TLD]). For example, one of the domains linked to this threat actor is “ezpassnj[.]gov-mhmt[.]xin,” which could be mistaken for the legitimate ezpassnj.gov. Notably, this campaign is evolving to impersonate many types of services, as there has been a significant increase in the registration of “.gov” TLDs in the past three months.

Document Review Detours to Legitimate Jotform Platform

Jotform is used to create online forms and apps to collect data, process payments, and automate workflows without coding. It is a versatile tool for businesses and individuals in legitimate use cases. However, Jotform can also create opportunities for threat actors to exploit it for malicious purposes, such as phishing, information gathering, and malware distribution.

Threat actors compromised the user’s account and utilized the user’s signature and organization branding to send multiple phishing emails. The emails purport to be powered by Docusign and claim to be a document for review. Depending on the campaign, the subject line indicates a file transfer notification (which differs from the message content as shown in the above image) or a named document for review.

If the “Review Documents” button is clicked, the target is directed to the Jotform platform, which displays a fake form to convince users to “install” an app. Threat actors use the sender’s organization name from the compromised account to label the form title in the web browser’s tab and app, making it appear legitimate. Installing an app to view a document is typically a red flag, especially for popular Microsoft or Adobe products and services, as many businesses currently utilize them for work assets. If the “app” is installed, it is added to the home screen and claims to open and run safely in a focused window, offer quick access options such as pinning to the taskbar or start menu, and sync across multiple devices. Additionally, the user is prompted with a Cloudflare check to verify that they are human and “activate” safe browsing features.

A Microsoft phishing page is displayed, featuring stolen branding, to trick users into entering their account credentials to review the supposed document. Another red flag is the URL because it does not contain “Microsoft” in the domain name. Instead, it includes “document365s” and uses “.com” appended with a sneaky “.de” top-level domain (TLD) to appear legitimate.

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

A vulnerability has been discovered in Microsoft Windows Server Update Services (WSUS) which could allow for remote code execution. WSUS is a tool that helps organizations manage and distribute Microsoft updates across multiple computers. Instead of every PC downloading updates from Microsoft’s servers, WSUS downloads the updates and stores them, then distributes them to all computers on the network that connect to it. Successful exploitation of the vulnerability could allow a threat actor to gain full control of the WSUS server and distribute malicious updates to client devices.

Threat Intelligence

Proof-of-concept exploit code was released according to open source reporting. Additionally, CISA added CVE-2025-59287 to the Known Exploited Vulnerabilities (KEV) catalog.

Systems Affected

Windows Server 2012 R2 versions prior to build 6.3.9600.22826 Windows Server 2012 versions prior to build 6.2.9200.25728 Windows Server 2016 versions prior to build 10.0.14393.8524 Windows Server 2025 versions prior to build 10.0.26100.6905 Windows Server 2022, 23H2 Edition (Server Core installation) versions prior to build 10.0.25398.1916 Windows Server 2022 versions prior to build 10.0.20348.4297 Windows Server 2019 versions prior to build 10.0.17763.7922

Risk

Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High – Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by Microsoft or other vendors which use this software to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References

Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59287 HelpNetSecurity: https://www.helpnetsecurity.com/2025/10/24/wsus-vulnerability-cve-2025-59287-exploited/

Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow for remote code execution.

Threat Intelligence

Watchtowr reports CVE-2025-61882 and CVE-2025-61884 were exploited in the recent wave of Cl0p data theft attacks and subsequent extortion campaign.

Systems Affected

Risk

Government: – Large and medium government entities: High – Small government entities: High

Businesses: – Large and medium business entities: High – Small business entities: High

Home Users: Low

Recommendations

Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Apply the Principle of Least Privilege to all systems and services and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems, which could include suspicious process, file, API call, etc. behavior. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

References

Oracle: https://www.oracle.com/security-alerts/cpuoct2025.html https://www.oracle.com/security-alerts/alert-cve-2025-61882.html https://www.oracle.com/security-alerts/alert-cve-2025-61884.html

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

A vulnerability has been discovered in Oracle E-Business Suite, which could allow for remote code execution. Oracle E-Business Suite (EBS) is a comprehensive suite of integrated business applications that runs core enterprise functions. Successful exploitation of this vulnerability could allow a threat actor to execute code in the context of the affected component. A threat actor could then install programs; view, change, or delete data; or create new accounts with full user rights.

Threat Intelligence

Oracle is aware that CVE-2025-61882 has been exploited in the wild.

Systems Affected

Oracle E-Business Suite, versions 12.2.3-12.2.14

Risk

Government: – Large and medium government entities: High – Small government entities: Medium

Businesses: – Large and medium business entities: High – Small business entities: Medium

Home Users: Low

Recommendations

Apply appropriate updates provided by Oracle or other vendors which use this software to vulnerable systems immediately after appropriate testing. Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack. Use vulnerability scanning to find potentially exploitable software vulnerabilities to remediate them. Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems. Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

Reference

Oracle: https://www.oracle.com/security-alerts/alert-cve-2025-61882.html

Ransomware remains a persistent and ever-evolving threat to businesses of all sizes and sectors.  While the tactics, techniques, and procedures (TTPs) may vary, the end goal is often the same – a substantial payday.

After months of silence, LockBit recently reemerged with an announcement of its “LockBit 5.0 Affiliate Program,” which grants its affiliates the ability to target critical infrastructure usually off-limits under standard ransomware-as-a-service (RaaS) rules. Shortly after LockBit reentered the ransomware scene, three well-known groups—Qilin, LockBit, and DragonForce—announced they were forming an alliance. Their goal is to collaborate and share techniques, infrastructure, and resources.

Another cybercrime group known for deploying ransomware, Storm-1175, has been exploiting a vulnerability in GoAnywhere MFT. During their multi-stage attack, they exploited CVE-2025-10035, which enabled remote code execution. After gaining access, they installed remote device management tools, such as SimpleHelp and MeshAgent, to allow them to drop web shells and move laterally across networks using Windows utilities. In one attack, they were able to drop RClone and Medusa ransomware.

Ransomware attacks are typically opportunistic, and a wide range of businesses have become victims. Asahi Group Holdings, a Japanese brewery and food giant, recently experienced an attack on its manufacturing operations, with Qilin RaaS claiming responsibility for the incident. While Asahi immediately shut down operations and isolated affected systems, it is still working to fully restore its systems and get everything back online.

Salt Typhoon continues to target US critical infrastructure through sustained and coordinated cyber operations. The group, an advanced persistent threat (APT) linked to the People’s Republic of China (PRC), focuses much of its activity in communications, government, and defense. These intrusions enable the theft of sensitive national security information while advancing China’s efforts to expand its disruptive cyber capabilities. This access could be leveraged to impede the US military’s ability to respond effectively during a crisis or conflict.

The NJCCIC has assessed that Salt Typhoon poses a high-risk threat to public and private infrastructure in the United States, including organizations in New Jersey. Our latest threat analysis report provides an in-depth Threat Actor Profile (TAP) that includes:

An overview of ongoing threat activity, targeting patterns, objectives, and key incidents. A risk assessment evaluating the likelihood and potential impact of attacks. An outline of the tactics, techniques, and procedures (TTPs) employed. Examples of real-world cyber intrusions and campaigns. Defensive guidance and resources for network administrators and critical infrastructure operators.

The 2025 NY Metro Joint Cyber Security Conference is in the planning stage, celebrating our 12^th year featuring keynotes, panels and sessions aimed at educating everyone on the various aspects of information security and technology. Workshops featuring in-depth extended classroom-style educational courses to expand your knowledge and foster security discussions will take place virtually post-conference.

We are pleased to announce our opening keynote Richard Greenberg, CISSP, a well-known Cyber Security Leader and Evangelist, CISO, Advisor, and ISSA Hall of Fame, Distinguished Fellow & Honor Roll.

Conference attendees are invited to our after-party graciously sponsored by The Cyber Breakfast Club.

Register NOW

New York Metro Joint Cyber Security Conference –

The Cybersecurity and Infrastructure Security Agency (CISA) issued Emergency Directive ED 26-01: Mitigate Vulnerabilities in F5 Devices to direct Federal Civilian Executive Branch agencies to inventory F5 BIG-IP products, evaluate if the networked management interfaces are accessible from the public internet, and apply newly released updates from F5.

A nation-state affiliated cyber threat actor has compromised F5 systems and exfiltrated data, including portions of the BIG-IP proprietary source code and vulnerability information, which provides the actor with a technical advantage to exploit F5 devices and software. This poses an imminent threat to federal networks using F5 devices and software.

Successful exploitation of the impacted F5 products could enable a threat actor to access embedded credentials and Application Programming Interface (API) keys, move laterally within an organization’s network, exfiltrate data, and establish persistent system access. This could potentially lead to a full compromise of target information systems.

Although ED 26-01 and the associated guidance are directed to federal agencies, all public and private sector organizations are urged to review the Emergency Directive and associated resources and take steps to mitigate these vulnerabilities.

Key Actions Required:

Inventory: Identify all instances of F5 BIG-IP hardware devices and F5OS, BIG-IP TMOS, Virtual Edition, BIG-IP Next, BIG-IP IQ software, and BNK / CNF. Harden Public-Facing Hardware and Software Appliances: Identify if physical or virtual BIG-IP devices exposed to the public internet provide public access to the networked management interface. Update Instances of BIG-IP Hardware and Software Applications: Apply the latest vendor updates by October 22, for the following products: F5OS, BIG-IP TMOS, BIG-IQ, and BNK / CNF— validate the F5 published MD5 checksums for its software image files and other F5 downloaded software. For other devices, update with the latest software release by October 31, and apply the latest F5-provided asset hardening guidance. Disconnect End of Support Devices: Disconnect all public-facing F5 devices that have reached their end-of-support date. Report mission-critical exceptions to CISA. Mitigate Against Cookie Leakage: If CISA notifies an agency of a BIG-IP cookie leakage vulnerability, the agency shall follow CISA’s accompanying mitigation instructions. Report: Submit a complete inventory of F5 products and actions taken to CISA by 11:59 p.m. EDT, October 29.