Friday, March 28, 2025

Russian Hackers Impersonate CIA to Steal Ukrainian Defense Intelligence Information


In a sophisticated cyber operation uncovered by Silent Push Threat Analysts, Russian hackers have launched a multi-pronged phishing campaign impersonating several organizations, including the CIA, to gather intelligence on individuals sympathetic to Ukraine's defense efforts.

The campaign, believed to be orchestrated by Russian intelligence services or aligned actors, uses a network of fraudulent websites to collect personal information from unsuspecting victims.

Exploiting Anti-War Sentiment

The threat actors have created convincing replicas of websites belonging to the Russian Volunteer Corps (RVC), Legion Liberty, and "I Want to Live" (Hochuzhit), an appeals hotline for Russian service members in Ukraine.

These fake sites prompt visitors to submit personal data, ostensibly for recruitment or information-sharing purposes.

The campaign specifically targets Russian citizens involved in anti-war activities, which are illegal in the Russian Federation and can result in arrests.

Technical Infrastructure and Tactics

The phishing infrastructure spans multiple domains hosted with bulletproof hosting providers, with a notable presence on Nybula LLC (ASN 401116).

The attackers employ sophisticated tactics, including the use of legitimate-looking Google Forms to capture victim information and the embedding of authentic Telegram channels to enhance credibility.

A Google Form requesting site visitors' personal information

One key domain in the CIA impersonation effort, ciagov[.]icu, was found to generate suspicious "Submission Reference IDs" when users attempted to report information.

According to the report, this domain, along with others such as jagotovoff[.]com, shared infrastructure with the fake RVC and Legion Liberty sites, indicating a coordinated effort.

The threat actors have also manipulated search engine results and created deceptive YouTube content to lure victims to their phishing pages.

Legionliberty[.]top phishing page

For example, a YouTube channel (@contactciaofficial) was found referencing both ciagov[.]icu and a fake .onion domain, demonstrating the campaign's multi-platform approach.

As of March 2025, the campaign remains active, with new domains continually being registered.

Security researchers have identified several indicators of compromise, including specific IP addresses and domain naming patterns.

Organizations and individuals are advised to exercise caution when interacting with websites purporting to represent these entities and to verify the authenticity of any forms requesting personal information.
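One defensive check that follows from the naming patterns above: refang the defanged domains quoted in the report, then sweep proxy or DNS logs for exact indicator hits and for lookalike domains that reuse an impersonated brand name under a different registrable domain. This is an added example, not code from Silent Push or the article; the legitimate domains for Legion Liberty and Hochuzhit are placeholder assumptions, and the log lines are constructed.

```python
import re

# Brand tokens the campaign impersonates, mapped to the registrable domains a
# defender treats as legitimate. cia.gov is real; the others are placeholders
# (assumption for illustration, not values from the report).
PROTECTED = {
    "cia": {"cia.gov"},
    "legionliberty": {"legionliberty.example"},  # placeholder
    "hochuzhit": {"hochuzhit.example"},          # placeholder
}

# Indicators quoted in the article, kept in the defanged form they were published in.
DEFANGED_IOCS = ["ciagov[.]icu", "jagotovoff[.]com", "legionliberty[.]top"]

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as ciagov[.]icu back into ciagov.icu."""
    return indicator.replace("[.]", ".").replace("hxxp", "http")

def registrable_domain(host: str) -> str:
    """Crude eTLD+1: last two labels (adequate for the TLDs seen in this campaign)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])

def classify(host: str, known_bad: set) -> str:
    """Return 'ioc', 'lookalike' or 'ok' for a host seen in proxy/DNS logs."""
    rd = registrable_domain(host)
    if rd in known_bad:
        return "ioc"
    sld = rd.split(".")[0]
    for brand, legit in PROTECTED.items():
        # Heuristic: second-level label starts with the brand but the
        # registrable domain is not one of the legitimate ones.
        if sld.startswith(brand) and rd not in legit:
            return "lookalike"
    return "ok"

# Constructed sample proxy log lines (not taken from the report).
SAMPLE_LOG = """\
2025-03-20T10:01:02Z user1 GET https://ciagov.icu/report
2025-03-20T10:02:15Z user2 GET https://www.cia.gov/contact
2025-03-20T10:03:40Z user3 GET https://forms.legionliberty.top/join
2025-03-20T10:04:01Z user4 GET https://docs.google.com/forms/d/e/x
"""

def scan_log(text: str) -> list:
    """Extract the host from each request line and keep only non-'ok' verdicts."""
    known_bad = {registrable_domain(refang(i)) for i in DEFANGED_IOCS}
    hits = []
    for line in text.splitlines():
        m = re.search(r"https?://([^/\s]+)", line)
        if m:
            verdict = classify(m.group(1), known_bad)
            if verdict != "ok":
                hits.append((m.group(1), verdict))
    return hits
```

The prefix heuristic will also flag unrelated domains whose second-level label happens to start with a brand token, so treat "lookalike" as a triage queue rather than a block decision.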

This sophisticated operation underscores the evolving nature of cyber threats in the context of geopolitical conflicts, highlighting the need for enhanced digital vigilance and robust cybersecurity measures.
