The 'Bear' attacks: what we learned about the phishing campaign targeting Russian organizations
Published 26/11/2025 09:39 · Modified 21/12/2025 18:02
Essential information
- Tags: 2025-11-26, finger protocol, infrastructure reuse, lnk files, lumma stealer, netsupport rat, phishing, powershell, russian targets, social engineering
- Related entities: 38 observables, 1 intrusion set (APT), 18 techniques (MITRE), 2 malware, 15 others
Description
A hacking group named NetMedved has been conducting phishing attacks against Russian organizations since October 2025. The campaign uses malicious LNK files disguised as business documents to deliver NetSupport RAT malware. The attackers employ various techniques, including PowerShell scripts, the finger protocol, and anti-analysis checks. They use multiple domains for payload delivery and command and control. The group's infrastructure overlaps with previous campaigns from 2024, suggesting an evolution of tactics rather than a new actor. NetMedved's operations involve social engineering, custom obfuscation, and abuse of legitimate tools to evade detection and maintain persistence on compromised systems.
Related entities
Vulnerabilities, IOCs, intrusion sets, MITRE techniques and other entities referenced in this report.
Observables (38)
- 185.158.249.54
Intrusion sets (APT) (1)
- AlienVault · Confidence 100 · First seen 01/01/1970 · Last seen 16/11/5138 · Published 21/12/2025 19:02 · Modified 21/12/2025 19:02
Techniques (MITRE) (18)
- Masquerading
- Non-Standard Port
- Virtual Private Server
- Web Protocols
- Upload Malware
- PowerShell
- Malicious File
- Scheduled Task
- Spearphishing Attachment
- Windows Command Shell
- Ingress Tool Transfer
- Remote Access Tools
- Indirect Command Execution
- System Checks
- Domains
- Deobfuscate/Decode Files or Information
- System Binary Proxy Execution
- Malware
Malware (2)
- Family · Published 19/05/2026 17:52 · Modified 19/05/2026 17:52
- Family · Published 22/05/2026 13:08 · Modified 22/05/2026 13:08
Others (15)
- Russian Federation
- Finance
- Government and administrations
- nbmovies.net
- x-projectlys.com
- pauldv.com
- nicevn.net
- cdn-reserved.com
- real-fishburger.com
- tvfilia.com
- skillswar.com
- api.metrics-strange.com
- metrics-strange.com
- bspaco.com
- sara.x-projectlys.com