Hacktivists are broadening their scope beyond political motivation
Essential information
- Published
- 08/06/2026 10:30
- Modified
- 09/06/2026 08:59
- Tags
- 2026-06-08 CVE-2023-44976 abcdoor adaptixc2 blackout locker blackreaperrat blacksalt byovd techniques clearwater clearwater ransomware cross-border targeting edr killers ghostdriver hacktivist campaigns havoc mythic apollo post-exploitation frameworks proxyshell exploitation sliver valleyrat warp rat
- Related entities
- 1 vulnerabilities (cve), 6 observables, 1 intrusion sets (apt), 20 techniques (mitre), 12 malware, 10 others
Description
Kaspersky researchers uncovered interconnected hacktivist campaigns attributed to groups including 4BID, Hakerskii Kit, and C.A.S., targeting organizations primarily in Russia and Belarus, but expanding to Kazakhstan, UAE, Syria, and Egypt. Attackers exploited ProxyShell vulnerabilities in Microsoft Exchange servers to deploy fd.aspx web shells and various post-exploitation frameworks including Sliver, Havoc, Mythic Apollo, AdaptixC2, and a custom BlackSalt backdoor. The campaigns deployed ransomware including ClearWater and updated versions of Blackout Locker, alongside EDR killers using BYOVD techniques. Attackers leveraged legitimate RMM tools like AnyDesk, Panorama9, and Tactical RMM for persistence, with AI-generated scripts showing varying quality. The geographical expansion and increased use of ransomware suggest a shift from purely political motivation toward financial gain.