{
  "name": "Hacktivists are broadening their scope beyond political motivation",
  "slug": "hacktivists-are-broadening-their-scope-beyond-political-motivation",
  "description": "Kaspersky researchers uncovered interconnected hacktivist campaigns attributed to groups including 4BID, Hakerskii Kit, and C.A.S. The campaigns primarily target organizations in Russia and Belarus but have expanded to Kazakhstan, the UAE, Syria, and Egypt. Attackers exploited ProxyShell vulnerabilities in Microsoft Exchange servers to deploy fd.aspx web shells and various post-exploitation frameworks, including Sliver, Havoc, Mythic Apollo, AdaptixC2, and a custom BlackSalt backdoor. The campaigns deployed ransomware, including ClearWater and updated versions of Blackout Locker, alongside EDR killers that rely on bring-your-own-vulnerable-driver (BYOVD) techniques. Attackers used legitimate RMM tools such as AnyDesk, Panorama9, and Tactical RMM for persistence, and their AI-generated scripts varied in quality. The geographical expansion and increased use of ransomware suggest a shift from purely political motivation toward financial gain.",
  "published": "2026-06-08T08:30:30+00:00",
  "created_at": "2026-06-08T08:30:30+00:00",
  "modified_at": "2026-06-09T06:59:02+00:00",
  "created_at_opencti": "2026-06-08T08:30:30+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2026-06-08",
    "CVE-2023-44976",
    "abcdoor",
    "adaptixc2",
    "blackout locker",
    "blackreaperrat",
    "blacksalt",
    "byovd techniques",
    "clearwater",
    "clearwater ransomware",
    "cross-border targeting",
    "edr killers",
    "ghostdriver",
    "hacktivist campaigns",
    "havoc",
    "mythic apollo",
    "post-exploitation frameworks",
    "proxyshell exploitation",
    "sliver",
    "valleyrat",
    "warp rat"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "212.46.12.182"
      },
      {
        "id": "",
        "name": "185.221.153.121"
      },
      {
        "id": "",
        "name": "85.137.253.186"
      },
      {
        "id": "",
        "name": "45.112.194.82"
      },
      {
        "id": "",
        "name": "138.226.236.52"
      },
      {
        "id": "",
        "name": "42dccb7afdc883755eeec27a00fef532e1533d308ba376697b6270ffdbbc2d67"
      }
    ],
    "malware": [
      {
        "id": "6e24d6d5-190d-4425-a63d-51ec0f89528d",
        "name": "AdaptixC2",
        "slug": "adaptixc2"
      },
      {
        "id": "b09f5343-ec83-482b-86c5-eb6ecc13eeec",
        "name": "Havoc",
        "slug": "havoc"
      },
      {
        "id": "b5a83a9a-489d-4db1-aced-a4b2a83c5aa8",
        "name": "BlackReaperRAT",
        "slug": "blackreaperrat"
      },
      {
        "id": "f8879be0-dea7-4e8d-9aba-78c8ac8c6207",
        "name": "ValleyRAT",
        "slug": "valleyrat"
      },
      {
        "id": "c70c9980-18de-4208-93f5-0bd2dddeb40c",
        "name": "Sliver",
        "slug": "sliver"
      },
      {
        "id": "1a139b1a-586c-4be9-bc34-ae1f537c1dce",
        "name": "BlackSalt",
        "slug": "blacksalt"
      },
      {
        "id": "c1ea5c09-0450-4f41-ac03-d2d3863ac264",
        "name": "ClearWater",
        "slug": "clearwater"
      },
      {
        "id": "11322227-2cfc-4d1b-a491-31efca8057d3",
        "name": "Blackout Locker",
        "slug": "blackout-locker"
      },
      {
        "id": "fb474ecf-207b-4f57-a11c-30dc3cf44758",
        "name": "Warp RAT",
        "slug": "warp-rat"
      },
      {
        "id": "d9d115e9-0360-475d-9c34-93a3393a032d",
        "name": "ABCDoor",
        "slug": "abcdoor"
      },
      {
        "id": "171688f3-6aed-4fff-9c78-0aaef490f1d3",
        "name": "GhostDriver",
        "slug": "ghostdriver"
      },
      {
        "id": "498f6f2a-f88c-4c65-869e-28af203547b5",
        "name": "Mythic Apollo",
        "slug": "mythic-apollo"
      }
    ],
    "intrusion_sets": [
      {
        "id": "e34ee936-8e12-4f21-bc8d-149989bb5593",
        "name": "4BID",
        "slug": "4bid"
      }
    ],
    "attack_patterns": [
      {
        "id": "c473a756-355a-42ad-a0df-cd3a8fa006d1",
        "name": "T1057"
      },
      {
        "id": "eaff4611-3c78-4127-8745-726f77ed68ba",
        "name": "T1070.004"
      },
      {
        "id": "d9f271ed-7685-4362-b90d-f16a14102f39",
        "name": "T1489"
      },
      {
        "id": "c3af9fd7-d307-4df4-9220-cc627938fb85",
        "name": "T1055"
      },
      {
        "id": "ecaaa4cc-d487-4002-bcb2-f769acfcc38f",
        "name": "T1490"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "beaa4978-0309-438b-a45e-ec566b643811",
        "name": "T1505.003"
      },
      {
        "id": "f1bb7823-4f4b-4565-b472-bf0cfca467b1",
        "name": "T1486"
      },
      {
        "id": "6b2e0999-c7e8-4662-94ac-19aa8520ee46",
        "name": "T1059.003"
      },
      {
        "id": "0c836307-129e-4ff7-a532-180c633cacba",
        "name": "T1027"
      },
      {
        "id": "6c8f8a40-2746-4a37-86bd-81e82afa6e62",
        "name": "T1190"
      },
      {
        "id": "5999052b-e9ae-49e8-9235-d9bf975c22af",
        "name": "T1547.001"
      },
      {
        "id": "5b7c66d1-0466-4ba7-af6f-eb82c2f9d05b",
        "name": "T1033"
      },
      {
        "id": "7364ca96-72bf-4b7f-afef-ce2583b1ed58",
        "name": "T1562.001"
      },
      {
        "id": "b15c00da-c412-4429-900c-659de612baf5",
        "name": "T1543.003"
      },
      {
        "id": "da44e22e-1925-42e4-b30d-ac38860d39bb",
        "name": "T1070.001"
      },
      {
        "id": "195d9773-4de3-4f61-b94d-a2b53cb65608",
        "name": "T1021.001"
      },
      {
        "id": "45082a8e-9c79-470e-ad1b-decac7188e8f",
        "name": "T1083"
      },
      {
        "id": "70616b2f-4019-4963-b758-5d9f6f20e201",
        "name": "T1082"
      }
    ],
    "vulnerabilities": [
      {
        "id": "",
        "name": "CVE-2023-44976"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "United Arab Emirates"
      },
      {
        "id": "",
        "name": "Egypt"
      },
      {
        "id": "",
        "name": "Syrian Arab Republic"
      },
      {
        "id": "",
        "name": "Kazakhstan"
      },
      {
        "id": "",
        "name": "Belarus"
      },
      {
        "id": "",
        "name": "Russian Federation"
      },
      {
        "id": "",
        "name": "Manufacturing"
      },
      {
        "id": "",
        "name": "Aerospace"
      },
      {
        "id": "",
        "name": "Healthcare"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://securelist.com/tr/hacktivists-broaden-attack-geography/120115/",
    "https://otx.alienvault.com/pulse/6a2699c629b0ddee8d84e7b6"
  ]
}