Rainbow Hyena strikes again: new backdoor and shift in tactics
Essential information
- Published: 15/07/2025 20:39
- Modified: 16/07/2025 08:15
- Tags: 2025-07-15 backdoor lnk files phantomremote phishing rainbow hyena
- Related entities: 1 intrusion set (APT), 14 techniques (MITRE), 1 malware, 3 others
Description
A new phishing campaign targeting healthcare and IT organizations in Russia has been attributed to the Rainbow Hyena cluster. The attackers used compromised email accounts to distribute malicious attachments, including polyglot files and LNK files disguised as legitimate documents. A new custom-built backdoor, PhantomRemote, was identified; it can collect system information and execute commands received from its operators. The campaign marks a shift in tactics: the threat actors have moved away from traditional malicious Office documents in favor of alternative file formats. The sophistication of the tools and techniques suggests a move towards more conventional illicit activities such as espionage and financial gain.