logo

From cause to cash: a cross-border look at hacktivist activity

ID: b57bbd4a-8999-5cbe-9851-85458c112399

STIX ID: report--b57bbd4a-8999-5cbe-9851-85458c112399

Feed Name: Securelist by Kaspersky

Threat Score
80/100

Date Published: 2026-06-08

Date Updated: 2026-07-02

Author: Kaspersky

...
...

This report presents Kaspersky's analysis of a series of interconnected hacktivist campaigns (4BID and associated groups) that leveraged ProxyShell Exchange exploits to deploy fd.aspx web shells, RATs (BlackReaper, Warp), post-exploitation frameworks (Sliver, Havoc, Mythic Apollo, Adaptix), EDR killers (BYOVD/GhostDriver), and ransomware (ClearWater and an updated Blackout Locker) against organizations in Russia, Belarus and, increasingly, Kazakhstan, UAE, Syria and Egypt; it includes technical breakdowns of malware behavior, persistence and deployment scripts, lists of C2 IPs and recommended detection methods.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.