{"uuid": "32cea786-71f2-4d49-a37a-702bb48bbb89", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-44976", "type": "seen", "source": "https://poliverso.org/objects/0477a01e-819d118a-86d3aec2c9a2e739", "content": "From cause to cash: a cross-border look at hacktivist activity\nWhile tracking the activities of 4BID we uncovered a new string of campaigns that appear to be the work of several interconnected actors. While politically motivated groups generally limit their scope to specific nations \u2013 for 4BID and its peers, primarily Russian and occasionally Belarusian organizations \u2013 our latest findings reveal a shift. The actual geographic footprint of these attacks became broader than expected, striking companies across Kazakhstan, the UAE, Syria, and Egypt.\nWhat triggered our investigation was spotting a cluster of indicators of compromise within a breached Russian organization\u2019s infrastructure. We used these footprints to successfully track down other environments hit by the same threat actors and piece together the bigger picture.\nThis article dives into the software deployed throughout these hacktivist campaigns:\n\nNew ransomware samples\nScripts used at various stages of the attacks\nCommercially available IT remote monitoring and management (RMM) tools\nThese include both updated versions of known threat-actor tools and previously unseen software.\nOverlapping activity streams\nWithin the initial organization\u2019s infrastructure, we found numerous activity indicators linked to several interconnected hacktivist groups \u2013 which ultimately set the direction for our follow-up analysis. 
We can attribute the following findings to hacktivist activity with a medium level of confidence:\n\nSeveral samples of BlackReaperRAT, which we attribute to the 4BID group, were found alongside scripts designed to download Panorama9 RMM, AnyDesk, and Dev Tunnels.\nBesides the artifacts listed above, we discovered ClearWater ransomware in other compromised infrastructures. Interestingly, during this same window, public sources showed Hakerskii Kit claiming a successful attack on a Russian factory. Also detected in that facility\u2019s infrastructure was ClearWater ransomware, with the attackers publicly thanking the C.A.S. group for their contribution.\nWe uncovered several samples of Warp RAT within the hit infrastructures, which we link to the Goffee threat group. A detailed report on this specific activity will be published at a later date.\n\nTechnical details\nVulnerable web servers and fd.aspx\nAnalysis of the compromised environments revealed that the attackers gained initial access in most cases by exploiting the ProxyShell vulnerability in Microsoft Exchange, which allows for full server compromise.\nOnce inside, the attackers deployed the fd.aspx web shell \u2013 a modular ASP.NET file designed for remote control, file transfers, and system reconnaissance. Communication with the web shell relied on a basic security check: if the key parameter in an incoming request failed to match the AUTH_KEY constant, fd.aspx simply returned \u201cAccess Denied\u201d.\nAccess key verification\nIf the verification was successful, the command contained in the request\u2019s scriptText parameter was passed directly to PowerShell, and the output returned to the operator in the body of the HTTP response. In environments where PowerShell execution was restricted, the web shell swapped it out for cmd.exe. 
The CreateNoWindow: true and UseShellExecute: false flags were used to keep the command execution hidden from the user.\nBeyond running commands, the web shell features bidirectional Base64-encoded file transfers. This allows any binary data \u2013 like executables, archives, or certificates \u2013 to be passed right inside the body of an HTTP request. The UploadFile function writes files to any directory the web server process can access, which makes it easy to drop additional shells or swap out legitimate files. The DownloadFile function exfiltrates any accessible file from the compromised system back to the attackers\u2019 C2 server.\nThe web shell also includes a system reconnaissance feature that grabs the following data points:\n\nOSVersion: operating system version\nMachineName: hostname\nUserName: current username\nUserDomainName: domain name\nProcessorCount: number of processors\nSystemDirectory: system directory path\nCurrentDirectory: current working directory\nVersion: .NET Framework version\nAdditionally, the reconnaissance feature uses the DriveInfo.GetDrives() function to enumerate running processes and map out connected drives \u2013 along with the amount of free space available on each. This file system reconnaissance is topped off with LastWriteTime metadata for each object, which helps the operator quickly spot recently modified files and get their bearings within the storage layout.\nAlongside the web shells, we encountered a variety of scripts and C2 frameworks across all compromised infrastructures, which we break down below.\nScripts deployed\nOnce the attackers gained control over a target system, they moved on to the next phase: loading their required toolkit via custom scripts. Variations of these scripts were consistently found alongside fd.aspx on compromised hosts. Most of them interact with legitimate tools, which makes them look almost identical to routine administrative scripts at first glance. 
The only real giveaway is the code comments, written in Ukrainian. One such script is responsible for deploying AnyDesk on the compromised host.\nThe build quality of these scripts is worth discussing separately. Several of them show telltale signs of AI generation; inside some compromised systems, we found multiple iterations of the exact same script, a few of which were completely broken. AI-generated code typically fails to work out of the box and requires manual tweaking to run properly.\nFirst, the script checks for admin privileges, as it cannot proceed without them. If that check passes, it looks for an active anydesk.exe process. If the process is missing, the script fetches and installs the application directly from the official website. Once AnyDesk is successfully installed, the script configures an unattended access password and pulls the unique AnyDesk ID. All the collected details are compiled into a report and exfiltrated to the attackers\u2019 server at 185.221.153[.]121. Because we spotted simultaneous activity from multiple groups \u2013 4BID, Hakerskii Kit, and C.A.S. \u2013 on the analyzed hosts, this IP address could potentially belong to any one of them.\nBesides AnyDesk, the threat actors leverage other legitimate tools. One example is Microsoft Dev Tunnels, a Microsoft service that exposes a local server to the internet. It\u2019s brought into the system by a separate script that, much like the one for AnyDesk, checks if the utility is already present before downloading it from the official site. In certain instances, the utility was fetched directly from the attackers\u2019 server instead:\nOnce installed, the application runs, and the resulting connection details are saved to a file named login.txt. 
The contents of this file consist of standard instructions for using a provided code to authenticate on a Microsoft page through a web browser:\n[code]To sign in, use a web browser to open login.microsoft.com/device and enter the code[/code]\nAs a final step, the script opens up the required ports and creates the tunnel, giving the attackers a back door into the compromised host.\n\nAnother script we uncovered handles the installation of Panorama9, a legitimate remote monitoring and management utility. Immediately after downloading that application, the attackers configure it via the registry to hide both its system tray icon and its installation folder. To camouflage the Panorama9 services, the attackers rename them to Windows Update Helper and Windows Update Helper Cache and swap out their descriptions, making the utility look almost identical to standard system components. Once the utility finishes its job, the script clears its tracks.\n\nThe attackers used a dedicated script to establish persistence on the system. When executed, it used the net user command to spin up a local user account and then hid it via the registry. The script added this new user to every available local group; if the machine was domain-joined, it also attempted to inject the user into all Active Directory groups.\n\nAt the same time, the script tweaked RDP settings: it set the minimum encryption level through the registry, added a firewall rule to allow port 3389, and ran the relevant services.\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/07125138/hacktivists-broaden-attack-geography-code-02.png][/url]\nAfter it wrapped up its main tasks, the script wiped the event logs, command history, temporary files, and finally itself. 
Once the attackers got what they wanted out of the infected host, they triggered another script that removed the previously created user account, cleaned out the registry keys generated during the earlier phases, and then deleted itself as well.\n\nThe scripts described here are just the most telling examples out of dozens of samples we found. An analysis of the attackers\u2019 toolkit reveals a clear trend: they aren\u2019t just fine-tuning the solutions they\u2019ve used in the past (specifically, the AnyDesk deployment script), but are actively broadening their arsenal with new tools like Panorama9, Dev Tunnels, and others.\n[h3]Publicly available utilities[/h3]\nAs previously mentioned, the attackers leverage a broad spectrum of dual-use public software, such as all kinds of remote monitoring and management utilities. While they use the scripts discussed above to drop some of the utilities onto systems, we didn\u2019t encounter scripts for others, so we can\u2019t confirm whether any exist. We observed the following tools deployed across the campaigns in question:\n[ul]\n[li]AnyDesk: a remote administration tool[/li]\n[li]Advanced IP Scanner: a network scanning utility[/li]\n[li]Dev Tunnels: a Microsoft service used for exposing a server to the internet[/li]\n[li]Panorama9: an IT infrastructure management and monitoring service[/li]\n[li]Nezha Monitoring: a server status monitoring utility[/li]\n[li]Tactical RMM: a remote monitoring and management tool[/li]\n[/ul][h3]C2 and communications[/h3]\nTo gain a foothold in the victim\u2019s infrastructure, the attackers relied on several post-exploitation frameworks. 
Some of these are publicly available utilities, while others are custom-built.\n\nAmong the publicly available tools in the group\u2019s arsenal are:\n[ul]\n[li]Sliver[/li]\n[li]Havoc[/li]\n[li]Apollo Mythic[/li]\n[li]Adaptix[/li]\n[/ul]\nWe also discovered a previously undocumented backdoor, dubbed [strong]BlackSalt[/strong], which contacts the C2 server to fetch commands and executes them via cmd.exe.\n[h4]Sliver[/h4]\nOn several hosts, following the initial Microsoft Exchange server compromise, files named upd.exe, winhost.exe, update1.exe, update.exe, and akolo.exe were dropped alongside the previously mentioned fd.aspx files and scripts. All of them were located in the C:\\Windows\\System32\\inetsrv\\ directory and were configured as SFX archives with nearly identical payloads, which ran an install.bat script upon extraction.\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/05142954/hacktivists-broaden-attack-geography12.png][/url]\nContents of the SFX archive\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/05143056/hacktivists-broaden-attack-geography26.png][/url]\nThe install.bat script contents\n\nThe script copies the malicious components into the Windows folder and installs servicechecker.bat as a system service. To do this, it leverages the legitimate [url=https://github.com/winsw/winsw/]Windows Service Wrapper [u](WinSW)[/u][/url] utility included in the archive under the filename backupsrv.exe. The archive also contains the WinSW configuration file, backupsrv.xml, which specifies exactly which script should be registered as a service. Once installed, servicechecker.bat is configured to run automatically on system boot.\n\nThe servicechecker.bat script, in turn, runs backupagnt.exe, a loader for the main malicious component housed in WindowsInternal.UpdateComponent.dll. This file was built with the help of the Donut utility and is encrypted with a simple single-byte XOR key (0x0F). 
Its primary job is to inject the Sliver code straight into the device\u2019s memory.\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/05143201/hacktivists-broaden-attack-geography2.png][/url]\nThe backupagnt.exe loader code\n\nAll Sliver instances uncovered during this investigation were configured to communicate with the C2 server at 185.221.153[.]121 over mTLS.\n[h4]Havoc[/h4]\nInside a similar SFX archive located in the user directory $user\\desktop\\ under the filename demon.x64.exe, we found another post-exploitation framework: Havoc. This instance was configured to communicate with the C2 server at 77.72.85[.]62.\n[h4]Apollo[/h4]\nMythic Apollo is a cross-platform post-exploitation agent used within the Mythic framework to manage compromised systems. It provides a persistent connection to the C2 server, executes operator commands, handles file uploads/downloads, runs arbitrary code, and supports expansion via plugins. We previously provided a detailed breakdown of the Mythic framework in our post, [url=https://securelist.com/detecting-mythic-in-network-traffic/118291/]Hunting for Mythic in Network Traffic[/url].\n\nHere is an example of the Mythic Apollo configuration we encountered in these hacktivist attacks:\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/07125225/hacktivists-broaden-attack-geography-code-03.png][/url]\nThis specific sample of the .NET Mythic Apollo agent was compiled with an extensive suite of modules and supports multiple transport profiles that enable communication via HTTP, TCP, WebSocket, SMB, named pipes, and web shells. The C2 address 77.72.85[.]62 is hardcoded into its configuration.\n[h4]Adaptix[/h4]\nAdaptixC2 is another post-exploitation framework in the attackers\u2019 arsenal. 
This is a relatively new open-source project, which we broke down in our post, [url=https://securelist.com/tr/adaptixc2-network-and-host-detection/119424/]Adapt or pay: an analysis of the AdaptixC2 framework[/url].\n\nThe agent samples discovered during our investigation into these hacktivist campaigns consist of a packed AdaptixC2 Beacon delivered via a custom x64 loader. Upon execution, the payload decrypts an embedded shellcode, allocates memory, and executes the malicious payload using the CreateThread WinAPI function. Packed inside the shellcode is the AdaptixC2 Beacon agent in DLL format, featuring a configuration encrypted using RC4.\n\nAccording to the AdaptixC2 classification system, this agent falls under the BEACON_HTTP type. It is capable of executing commands, performing file operations, enumerating and killing processes, launching new programs, and exfiltrating data back to the C2. It also supports SOCKS port forwarding and BOF modules.\n\nAdaptixC2 uses encryption to keep its configuration under wraps. The corresponding block contains the data size, the actual RC4-encrypted configuration, and a 16-byte key.\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/07125354/hacktivists-broaden-attack-geography-code-04.png][/url]\nExample agent configuration\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/05143441/hacktivists-broaden-attack-geography7.png][/url]\nExample of agent requests pinging the C2 address, as flagged by Kaspersky solutions and displayed in Kaspersky Threat Lookup\n\n[h4]BlackSalt Backdoor[/h4]\nDuring the investigation, we also came across target infrastructures running vulnerable versions of Microsoft Exchange where \u2013 much like the Sliver cases \u2013 SFX archives named WindowsServiceHelper.exe were discovered in the C:\\Windows\\System32\\inetsrv\\ directory. 
Once extracted, the archive executed an install.bat file.\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/05143530/hacktivists-broaden-attack-geography8.png][/url]\nSFX archive contents (09d0517a1f69feff8186655ae3b567e0)\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/05143953/hacktivists-broaden-attack-geography10.png][/url]\nThe install.bat script contents\n\nSimilar to the other archives of this type, the script uses the WinSW utility to install the malicious components. In this specific case, however, the primary payload is a file named svc.exe, which turns out to be an obfuscated backdoor written in VBS. Much like the deployment scripts used for the remote management utilities, the code of this setup BAT script was clearly put together with AI tools and features comments in Ukrainian.\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/08112721/hacktivists-broaden-attack-geography-00.png][/url]\nMain backdoor loop\n\nThe backdoor is essentially a textbook reverse shell. Its capabilities boil down to fetching commands from the C2 server at 45.150.109[.]2, executing them via cmd.exe, and piping the output back to the C2.\n[h4]EDR killers[/h4]\nIn their attacks, the threat actors deploy what are known as EDR killers: malicious tools designed to disable security software on the system. In the vast majority of cases, these utilities rely on the BYOVD technique.\n\nOn the hosts compromised during these hacktivist operations, we discovered samples named kil.exe and Killer.exe. These are modified versions of the public, Rust-based BYOVD project EDRKiller. The attackers streamlined the utility to act strictly as a client for the driver and expanded the hardcoded list of security processes to terminate. 
The sample targets the vulnerable Warsaw_PM driver, though it lacks the functionality to load the driver itself \u2013 the attackers drop it onto the system separately.\n\nThe general workflow plays out as follows:\n[ol]\n[li]In user mode, the program finds the PID of the target process.[/li]\n[li]It opens a handle to \\\\.\\Warsaw_PM.[/li]\n[li]It constructs a buffer containing the target process\u2019s PID.[/li]\n[li]It calls DeviceIoControl.[/li]\n[li]The driver executes the calls:[ul]\n[li]ZwOpenProcess;[/li]\n[li]ZwTerminateProcess.[/li]\n[/ul][/li]\n[/ol]\nThe EDR killer continuously enumerates processes, repeatedly sending the IOCTL and terminating the target processes every single time they pop up.\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/05144527/hacktivists-broaden-attack-geography24.png][/url]\nExample of the process list storage inside the EDR killer\n\nBoth kil.exe and Killer.exe share the exact same list of processes targeted for termination:\nMsMpEng.exe, SenseIR.exe, SenseNdr.exe, SenseCncProxy.exe, SenseSampleUploader.exe, NisSrv.exe, avp.exe, kavfs.exe, bdagent.exe, bdservicehost.exe, vsserv.exe, AvastSvc.exe, AvastUI.exe, aswidsagent.exe, avgsvc.exe, mfemms.exe, mfefire.exe, mfevtps.exe, dwengine.exe, dwservice.exe, elastic-agent.exe, elastic-endpoint.exe, Sysmon.exe, wazuh-agent.exe, ipban.exe\nAnother utility used to kill security software processes is ghostdriver.exe, an unmodified build of the open-source project GhostDriver. 
In this case, the attackers simply pulled a version straight from GitHub and didn\u2019t modify any of its code.\n\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/05144818/hacktivists-broaden-attack-geography30.png][/url]\nExample of output from the GhostDriver utility\n\nThe tool operates through the following stages:\n[ol]\n[li][strong]Identify target processes[/strong]\nThe program takes a list of process names (such as msmpeng.exe) via command-line arguments. If no list is specified, it falls back to a default set.[/li]\n[li][strong]Enumerate system processes[/strong]\nTo locate PIDs, the tool relies on standard Windows APIs:[ul]\n[li]CreateToolhelp32Snapshot[/li]\n[li]Process32First[/li]\n[li]Process32Next[/li]\n[/ul][/li]\n[li][strong]Generate a list of processes[/strong] to kill.[/li]\n[li][strong]Load the vulnerable driver[/strong]\nThis is the core phase of the utility\u2019s operation. During this step:[ul]\n[li]The sys driver is written to disk.[/li]\n[li]A SERVICE_KERNEL_DRIVER type service is created.[/li]\n[li]The driver is kicked off via the Service Control Manager (SCM).[/li]\n[/ul][/li]\n[/ol]\n[url=https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2026/06/05145109/hacktivists-broaden-attack-geography31.png][/url]\n\nGhostDriver.sys is hardcoded inside the GhostDriver executable and is a binary driver known as [strong]RentDrv2 (BadRentdrv2)[/strong].\n\nIt contains the [strong]CVE-2023-44976[/strong] vulnerability, which allows it to:\n[ul]\n[li]Accept user-mode commands via DeviceIoControl.[/li]\n[li]Perform operations on processes from kernel mode.[/li]\n[li]Bypass security mechanisms, including Protected Process.[/li]\n[/ul]\nUpon execution, GhostDriver drops RentDrv2 to disk, loads it into the Windows kernel, and connects to it via the virtual device [code]\\\\.\\rentdrv2[/code]. 
The utility then issues command 0x22E010 to the driver, passing along the target process ID, and the driver terminates that process directly from kernel mode.\nGhostDriver runs in a continuous loop. Every ~700 ms, it rescans for the target processes and sends out termination commands.\nAfter the driver starts up, the utility attempts to delete the ghostdriver.sys file. To do this, it opens a file handle, uses the SetFileInformationByHandle WinAPI function to rename it to something like :GhostDriver, reopens the handle, and marks the file for deletion via FileDispositionInfo. Before wrapping up, it also tries to stop and remove the driver service, and delete the C:\\rentdrv.log file where the driver writes its logs.\nExample of the adversary command execution launching GhostDriver:\n\nCurrent versions of Kaspersky products are resilient to these types of attacks: the utilities described in this post cannot terminate their processes.\nConnection to the ClearWater ransomware\nAlongside the previously described Mythic Apollo samples (C2: 77.72.85[.]62), backupagnt.exe loaders, and Panorama9 deployment scripts, we discovered a new ransomware strain named ClearWater across several compromised infrastructures. Written in C++ and compiled with GCC (MinGW), the sample is a 64-bit Windows executable. It features zero obfuscation; in fact, the binary wasn\u2019t stripped of its DWARF debug information. This makes analyzing the sample significantly easier and points to either sloppiness or a lack of technical expertise on the developers\u2019 part.\nOriginal function names preserved within the Trojan\u2019s body\nWhen executed, ClearWater logs its progress in a separate console window.\nThe console window displayed upon launching the Trojan\nFile encryption\nLike most ransomware strains, ClearWater is a Trojan designed to locate and encrypt the victim\u2019s files. 
The Trojan executable contains a hardcoded RSA-2048 primary public key in PEM format.\nFor every file it processes, the ransomware generates a new 32-byte key and a 12-byte nonce \u2013 though only 8 of those 12 bytes are actually used \u2013 and encrypts the file\u2019s contents via the ChaCha20 symmetric algorithm. The ChaCha key is then RSA-encrypted and appended to a specific data structure at the end of the file. To pull this off, the malware leverages cryptographic implementations from the open-source libsodium library.\n[code]struct{\n\tuint8_t label[4];\t\t\t//'M', 'Y', 'E', 'K' marker\n\tuint32_t rsa_encr_size;\t\t//size of RSA-encrypted data\n\tuint8_t rsa_encr_data[256];\t//RSA-encrypted ChaCha key\n};[/code]\nThe Trojan processes all files except those with a .txt extension. This approach can easily break installed software, as it blindly encrypts both libraries and executables; however, it does explicitly skip the system directory during its search. Encrypted files are additionally appended with the .clear extension. The malware scans for targets on local drives as well as SMB network shares, which it maps out by using the net view command.\nAdditional functionality\nWithin every directory it processes, the Trojan drops the attackers\u2019 demands into a file named CLEARWATER_README.txt.\nRansom note:\nAdditionally, by modifying the HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run registry key, the malware sets up a persistence mechanism that automatically opens the ransom note with notepad.exe on startup.\nClearWater is distributed inside a self-extracting archive. The extraction script runs in silent mode (GUIMode=\"2\"), escalates privileges via a UAC prompt, drops the Trojan at C:\\ProgramData\\ClearWater_x64.exe, and kicks it off. Once the ransomware finishes running, the SFX archive cleans up after itself and wipes the original archive (SelfDelete=\"1\").\nAlongside this script and the Trojan executable, the archive includes a BMP image. 
The ransomware sets this image as both the desktop wallpaper (by tweaking the HKEY_USERS\\<\u2026>\\Control Panel\\Desktop\\Wallpaper registry key and calling SystemParametersInfoA with the SPI_SETDESKWALLPAPER parameter) and the lock screen background (by modifying the LockScreenImagePath and LockScreenImageUrl values under HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PersonalizationCSP).\nTwo variants of the desktop and lock screen image\nTo complicate system recovery after the attack, ClearWater performs several actions typical of ransomware:\n\nDeletes shadow copies using the following commands:\nWipes the backup catalog and disables Windows Restore:\nRemoves restore points:\nDisables the system startup recovery option:\nClearWater also features a kill_all_non_whitelisted_processes() function designed to terminate active tasks, though it doesn\u2019t actually call it during execution. This function leverages PowerShell to look up and kill any process whose name isn\u2019t included in a hardcoded allowlist within the Trojan\u2019s body. 
It uses the following PowerShell code to do this:\n[code]Get-Process|Where-Object{$w -notcontains $_.Name.ToLower()}|Stop-Process -Force[/code]\nThe exclusion list contains various essential system processes and breaks down as follows:\nsystem, idle, smss, csrss, wininit, services, lsass, winlogon, svchost, explorer, dwm, shellexperiencehost, runtimebroker, trustedinstaller, tiworker, textinputhost, taskhostw, mousocoreworker, fontdrvhost, audiodg, sihost, spoolsv, taskeng, taskhost, searchui, securityhealthservice, startmenuexperiencehost, searchindexer, backgroundtaskhost, sppsvc, wmiprvse, wudfhost, vboxservice, vboxtray, vmtoolsd, vmwaretray, vboxguest, vmsrvc, vgauthservice, vmacthlp, qemud, qemu-ga, msdtc, searchprotocolhost, wlanext, dllhost, conhost, comppkgsrv, msmpeng, mssecflt, systemsettings, securityhealthsystray, nvtray, nvvsvc, ravbg64, igfxtray, igfxem, igfxcuiservice, igfxhk, igfxext\nUpdated Blackout Locker\nIn a previously published report (link in Russian) on collaborations between several hacktivist groups, we highlighted a tool called Blackout Locker. In late January 2026, the 4BID group ran a series of attacks against organizations in Russia using an updated version of this malware. This section breaks down the new version of Blackout Locker and covers its key characteristics uncovered during our analysis.\nRust dropper\nThe attackers use a dropper written in Rust to distribute Blackout Locker. Depending on the specific sample, the dropper first carries out a series of staging actions. 
It then writes the payload executable to \u2026\\Users\\[USERNAME]\\AppData\\Local\\Microsoft\\[REDACTED].dat and swaps its extension to EXE by calling the Windows command prompt:\nAfter that, it launches the renamed executable.\nBlackout Locker\nThe primary tool deployed in the attacks in question is an updated version of Blackout Locker.\nOur analysis revealed that the key difference in this new version is the addition of a screen locker component, which it drops and executes in tandem with the ransomware\u2019s main background payload.\nDuring the initial phase, the screen locker file is created under the following paths:\nTo launch the screen locker, several tasks are created:\nThe screen locker is also written to the following registry keys:\nAfter this, two LNK files, SystemHelper.lnk and WindowsHelper.lnk, are created via PowerShell for subsequent execution:\n\nThe first file is placed in the %PROFILEPATH%\\All users\\Start menu\\Programs\\Startup directory:\nThe second file is placed in the %USERPROFILE%\\Start menu\\Programs\\Startup directory:\nAs a result, a shortcut is created in the startup folder pointing to WindowsSystemHelper.exe located on the desktop. This ensures the screen locker appears every time the user logs in. Even if the victim enters the correct password into the locker window, it will keep popping back up; while the window itself closes after password entry, the corresponding task is never actually deleted.\nScreen locker\nDuring execution, Blackout Locker generates a file named README.txt, which the screen locker later references to pull the text displayed to the user. Some Blackout Locker samples drop a ransom note written in English:\nOn the lock screen, it may look like this:\nOther samples deploy a ransom note in Russian:\nIf the program fails to read README.txt, it falls back to a hardcoded ransom message. 
If this fallback message is in Russian but the victim\u2019s operating system lacks support for Cyrillic encodings, the loader\u2019s on-screen output renders as garbled text.\n\nAttack geography\nThe majority of the compromised infrastructures belong to Russian and Belarusian organizations, which aligns with the stated agenda of these hacker groups. However, for the first time, we identified victims in other countries with no relation to this agenda: Kazakhstan, the UAE, Syria, and Egypt. Within the network of a Kazakh aviation company, we detected multiple post-exploitation frameworks pointing to C2 servers at 77.72.85[.]62 and 185.221.153[.]121, traces of the Panorama9 and Tactical RMM platforms, and backupagnt.exe loaders. A similar footprint was observed in the infrastructure of an Egyptian hospital, though the familiar toolkit was augmented by the fd.aspx web shell. The remaining international victims exhibited a nearly identical combination of artifacts, with only minor variations.\nWhile the primary targeting vector previously centered on Russia and Belarus, the threat actors now appear to be pivoting their attention toward the wider CIS region and the Middle East. This strategic shift correlates with a statement from a member of the 4BID group, who claimed that attacking Russia is no longer profitable.\n\nTakeaways\nThe hacktivist groups discussed in this report are steadily expanding the geographical footprint of their campaigns, pushing beyond Russia and the wider CIS region. Alongside this expansion, we observe the growing use of ransomware and other tooling consistent with financially motivated operations, which may further influence their choice of victims.\nThis shift underscores the critical need for continuous threat landscape monitoring. 
To stay ahead of threat actors, organizations must look beyond the immediate risks facing their perimeter and proactively track emerging threats, including the tactics of groups targeting specific industry verticals or geographic regions.\nDetection by Kaspersky solutions\nKaspersky solutions reliably detect the malicious activity in question at every stage of the malware lifecycle. This section outlines potential detection scenarios.\nPublicly available dual-use software leaves numerous artifacts on targeted hosts, which helps Kaspersky Endpoint Detection and Response Expert trace the activity of these utilities.\nFor instance, network connections established with Panorama9 servers both during the initial software launch and throughout the tool\u2019s operation trigger the panorama9_dns_activity rule. The Hunt Hub section of our TI Portal features detection rules for other event types and specific operating systems, searchable with the keyword panorama9. Similar rules exist for the other utilities described in this post: Tactical RMM, Nezha, and Dev Tunnels.\nGhostDriver.exe relies on an embedded vulnerable driver, which it drops onto the target host. The creation of these drivers is detected by the vuln_driver_created_by_unsigned_process rule family.\nRansomware is inherently quite noisy and so can be detected at various execution phases. 
The execution graph within Kaspersky Cloud Sandbox on our Threat Intelligence Portal visualizes the entire ClearWater execution chain, capturing key behaviors such as modifying the desktop wallpaper and deleting shadow copies.\nClearWater execution graph in Kaspersky Cloud Sandbox\nAdditionally, the Threat Lookup and Research Graph sections of Kaspersky Threat Intelligence Portal allow you to visualize and analyze the connections between the malicious domains and files used by the adversaries.\nVisualization via Research Graph on Kaspersky Threat Intelligence Portal\nKaspersky Threat Lookup demonstrating the connection between malicious files and the attackers\u2019 IP address\nMonitoring network traffic is another highly effective method for detecting the malicious activity described here. Kaspersky Anti Targeted Attack (KATA) with the NDR module detects the network communications of all malware samples in question utilized throughout this campaign.\nFor instance, upon detecting HTTP network activity characteristic of the BlackSalt backdoor, the system triggers an alert for the Backdoor.BlackSalt.HTTP.C&C rule.\nExamples of using the Kaspersky Anti Targeted Attack (KATA) platform with the NDR module to detect other agents described here \u2013 along with their detailed technical analysis \u2013 are available in our dedicated reports on Adaptix and Mythic detection.\nIndicators of compromise\nsecurelist.com/tr/hacktivists-\u2026", "creation_timestamp": "2026-07-01T14:28:02.198700Z"}