Restless Spirit: New Attacks on Russian Companies
Essential information
- Published: 23/01/2026 10:12
- Modified: 23/01/2026 11:03
- Tags: 2026-01-23, command and control, decoy documents, multi-stage attack, persistent threat, phantomcore, phantomcore.polldl, phishing, powershell, russian targets, scheduled tasks
- Related entities: 7 observables, 1 intrusion set (APT), 7 techniques (MITRE), 2 malware, 22 others
Description
PhantomCore, a hacking group that has targeted Russian and Belarusian companies since 2022, launched a new wave of malicious email campaigns on January 19 and 21, 2026. The attacks targeted various sectors, including utilities, finance, urban infrastructure, aerospace, consumer digital services, the chemical industry, construction, consumer goods manufacturing, and e-commerce. The campaign used phishing emails carrying malicious attachments and sent from compromised legitimate email addresses. The malware operates in multiple stages: it downloads decoy documents, executes PowerShell scripts, and establishes persistence through scheduled tasks. The second-stage malware, similar to the previously known PhantomCore.PollDL, communicates with command and control servers to receive and execute commands.