Hacker groups have stepped up phishing and the stealth of their attacks

In the first quarter of 2026, analysts examined the activity of multiple hacker groups targeting Russian organizations and identified 808 unique malware samples linked to 11 groups. The report shows that the threat landscape remained highly dynamic: attackers relied on phishing as the primary initial access vector, expanded their use of infrastructure such as GitHub, and increasingly focused on stealth, persistence, and evasion of traditional detection tools.

Rare Werewolf led by volume of samples

The most active group by the number of malware samples was Rare Werewolf, which accounted for 22% of the total — 179 samples. It was followed closely by PhaseShifters and PhantomCore.

According to the report, all tracked groups used phishing to gain initial access. Campaigns typically delivered payloads through:

  • Microsoft Word documents with macros;
  • password-protected RAR archives;
  • NSIS installers with deceptive double file extensions.
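As an added illustration (not code from the report or its authors), the following Python snippet shows how a mail-gateway or SOC triage script could flag exactly the three delivery patterns listed above from attachment metadata alone: a deceptive double extension such as "invoice.pdf.exe" (NSIS droppers are plain .exe files and land in the same bucket), a macro-capable Office format, and a password-protected archive that cannot be inspected inline. The extension sets and the sample attachment names are assumptions constructed for the example.

```python
# Added example: name-based triage of e-mail attachments for the delivery
# patterns named in the report. The extension sets are an assumption modelled
# on a typical mail-gateway policy; they are not taken from the report.

# Extensions Windows executes directly on double-click.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "hta", "lnk", "msi"}
# Document/image extensions used as the "decoy" half of a double extension.
DECOY_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png", "rtf"}
# Office formats that can carry VBA macros.
MACRO_EXTS = {"doc", "dot", "docm", "dotm", "xls", "xlt", "xlsm", "xltm", "pptm"}
ARCHIVE_EXTS = {"rar", "zip", "7z"}


def triage_attachment(filename: str, password_protected: bool = False) -> list[str]:
    """Return the findings for one attachment name; an empty list means nothing flagged."""
    findings: list[str] = []
    parts = filename.lower().split(".")
    if len(parts) < 2:          # no extension at all
        return findings
    exts = parts[1:]
    last = exts[-1]

    # "invoice.pdf.exe": a decoy document extension immediately before a real
    # executable extension. NSIS droppers are ordinary .exe files, so they
    # are caught by the same rule when disguised this way.
    if len(exts) >= 2 and last in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS:
        findings.append("double-extension")
    if last in MACRO_EXTS:
        findings.append("macro-capable-office")
    # A password-protected archive cannot be scanned inline, so the
    # protection flag itself (from the archive header) is the signal.
    if last in ARCHIVE_EXTS and password_protected:
        findings.append("password-protected-archive")
    if last in EXECUTABLE_EXTS:
        findings.append("direct-executable")
    return findings


def triage_mailbox(attachments: list[tuple[str, bool]]) -> dict[str, list[str]]:
    """Run triage over (filename, password_protected) pairs; keep only flagged names."""
    flagged: dict[str, list[str]] = {}
    for name, protected in attachments:
        findings = triage_attachment(name, protected)
        if findings:
            flagged[name] = findings
    return flagged


# Constructed sample attachments for the example, not data from the report.
SAMPLE_ATTACHMENTS = [
    ("Invoice_2026.pdf.exe", False),
    ("Contract.docm", False),
    ("Scan_0412.rar", True),
    ("notes.txt", False),
    ("Q1_figures.xlsx", False),
]

if __name__ == "__main__":
    for name, findings in triage_mailbox(SAMPLE_ATTACHMENTS).items():
        print(f"{name}: {', '.join(findings)}")
```

The rules deliberately key on what the gateway can see before any detonation: the name and the archive header. A real deployment would pair this with content inspection, but the name-level checks alone cover the three vectors the report calls out and are cheap to run on every message.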

Phishing tactics and sector-specific lures

Some actors tailored their campaigns to specific business functions. In particular, Hive0117 used phishing lures with a financial theme, targeting finance departments. The group sent emails that appeared to come from compromised accounts, a tactic that helped bypass security filters and increase the likelihood that recipients would open malicious attachments or links.

This approach underscores a broader trend: attackers are combining social engineering with technical evasion to improve the chances of successful compromise.

Persistence, code injection and registry abuse

On the technical side, the report highlights widespread use of:

  • scheduled task abuse;
  • process injection;
  • registry manipulation.

Many groups relied on Windows Task Scheduler for persistence by creating tasks that executed payloads under the identity of legitimate processes. PhantomCore and Rare Werewolf went further by hiding their tasks from the graphical interface of Task Scheduler, maintaining presence even against system monitoring tools.
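The report does not say which method the groups used to hide tasks from the Task Scheduler interface. One documented way is the Hidden setting in the task definition, which keeps a task out of the GUI unless "Show Hidden Tasks" is enabled. The following Python example (added here, not code from the report) parses the task XML that Windows records in Security event 4698 ("A scheduled task was created") and flags hidden tasks, tasks whose action runs from a user-writable directory, and tasks whose action is a script host. The sample events, directory list and script-host list are constructed assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Namespace of Task Scheduler task definitions (as embedded in event 4698).
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Assumed triage heuristics (not from the report): locations an unprivileged
# user can write to, and script hosts commonly used as loaders.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                 "\\programdata\\", "\\downloads\\")
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                "rundll32.exe", "regsvr32.exe", "cmd.exe"}


def analyze_task(task_xml: str) -> list[str]:
    """Return findings for one task definition (empty list = nothing suspicious)."""
    root = ET.fromstring(task_xml)
    findings: list[str] = []

    # <Settings><Hidden>true</Hidden></Settings> hides the task from the
    # Task Scheduler GUI unless "Show Hidden Tasks" is enabled.
    hidden = root.findtext("t:Settings/t:Hidden", default="false", namespaces=NS)
    if hidden.strip().lower() == "true":
        findings.append("hidden-from-gui")

    for exec_node in root.findall("t:Actions/t:Exec", NS):
        cmd = exec_node.findtext("t:Command", default="", namespaces=NS).lower()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS).lower()
        if any(p in cmd or p in args for p in USER_WRITABLE):
            findings.append("exec-from-user-writable-path")
        if cmd.strip('"').split("\\")[-1] in SCRIPT_HOSTS:
            findings.append("script-host-action")
    return findings


def scan_4698_events(events: list[dict]) -> dict[str, list[str]]:
    """Map task name -> findings for every event whose TaskContent trips a rule."""
    flagged: dict[str, list[str]] = {}
    for ev in events:
        findings = analyze_task(ev["TaskContent"])
        if findings:
            flagged[ev["TaskName"]] = findings
    return flagged


# Constructed sample events shaped like the 4698 fields; not real telemetry.
SAMPLE_EVENTS = [
    {
        "TaskName": r"\Microsoft\Windows\UpdateCheck",
        "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>true</Hidden></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Users\Public\upd.exe</Command></Exec>
  </Actions>
</Task>""",
    },
    {
        "TaskName": r"\Backup\Nightly",
        "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Enabled>true</Enabled></Settings>
  <Actions Context="Author">
    <Exec><Command>C:\Program Files\Backup\bk.exe</Command></Exec>
  </Actions>
</Task>""",
    },
    {
        "TaskName": r"\Telemetry\Upload",
        "TaskContent": r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Settings><Hidden>false</Hidden></Settings>
  <Actions Context="Author">
    <Exec>
      <Command>powershell.exe</Command>
      <Arguments>-w hidden -f C:\Users\alice\AppData\Roaming\t.ps1</Arguments>
    </Exec>
  </Actions>
</Task>""",
    },
]

if __name__ == "__main__":
    for name, findings in scan_4698_events(SAMPLE_EVENTS).items():
        print(f"{name}: {', '.join(findings)}")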


Fluffy Wolf used process injection to conceal malicious activity by embedding payloads into legitimate processes such as MsBuild.exe. This method remains one of the most effective ways to blend malicious execution into normal system behavior.
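For the injection described above, the signal a defender can act on is a remote thread created in a process that should not normally host one. The Python example below (added here; not code from the report or from any vendor) scores constructed Sysmon Event ID 8 (CreateRemoteThread) records: a source binary outside trusted directories, a thread whose start address is not backed by any loaded module (Sysmon leaves StartModule empty in that case), and a target on a watch list that here contains only MsBuild.exe because that is the process the report names. The trusted-directory list, the two-finding alert threshold and the sample records are assumptions for the example.

```python
# Added example: scoring Sysmon Event ID 8 (CreateRemoteThread) records for
# process injection into a watched host process. Heuristics are assumptions.

# Assumed trust boundary (not from the report): binaries under these
# directories are treated as legitimate sources of remote threads.
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# The process the report names as an injection host; extend for your estate.
WATCHED_TARGETS = {"msbuild.exe"}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def score_remote_thread(ev: dict) -> list[str]:
    """Return findings for one Event ID 8 record (empty list = nothing suspicious)."""
    findings: list[str] = []
    src = ev.get("SourceImage", "").lower()
    tgt = basename(ev.get("TargetImage", ""))
    if not src.startswith(TRUSTED_DIRS):
        findings.append("source-outside-trusted-dirs")
    # Sysmon leaves StartModule empty when the thread's start address is not
    # backed by a loaded module, i.e. it points into a private allocation.
    if not ev.get("StartModule"):
        findings.append("thread-start-not-module-backed")
    if tgt in WATCHED_TARGETS:
        findings.append(f"watched-target:{tgt}")
    return findings


def alerts(events: list[dict], min_findings: int = 2) -> list[tuple[str, str, list[str]]]:
    """Raise an alert only when several findings coincide, to tolerate security
    tooling that legitimately creates remote threads in watched processes."""
    out = []
    for ev in events:
        findings = score_remote_thread(ev)
        if len(findings) >= min_findings:
            out.append((ev["SourceImage"], ev["TargetImage"], findings))
    return out


# Constructed Sysmon Event ID 8 records; field names follow Sysmon's schema,
# the values are made up for the example.
SAMPLE_SYSMON_8 = [
    {"SourceImage": r"C:\Users\alice\AppData\Roaming\svc\host.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "StartModule": "", "StartFunction": ""},
    {"SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\explorer.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "RtlUserThreadStart"},
    {"SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe",
     "StartModule": r"C:\Windows\System32\ntdll.dll", "StartFunction": "LdrLoadDll"},
]

if __name__ == "__main__":
    for src, tgt, findings in alerts(SAMPLE_SYSMON_8):
        print(f"{src} -> {tgt}: {', '.join(findings)}")
```

The third sample record shows why a single finding should not page anyone: endpoint security sensors also create remote threads in MsBuild.exe, but they do so from a trusted path and with a module-backed start address, so only the first record crosses the threshold.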

Exploitation of vulnerabilities and file formats

Exploitation of vulnerabilities also remained a common tactic. The group BO used CVE-2026-21509 in Microsoft Office to bypass security defenses, allowing attackers to trigger malicious actions simply by opening a specially crafted document.

File-format exploitation was another important vector. Goffee abused vulnerabilities in RAR archives, enabling code execution during malware unpacking.

These techniques show that attackers continue to target both applications and file-handling mechanisms that users and organizations routinely trust.

Backdoors, RATs and cloud services

The report also notes the use of backdoors and remote access trojans, including WarpPlugin and PureRat. These tools reflect a clear trend toward improved remote command execution and stronger operational stealth.

At the same time, several groups demonstrated adaptation through the use of cloud and developer platforms. GitHub was used not only for payload delivery but also for communication. In one notable example, Rare Werewolf shifted from traditional exfiltration methods to heartbeat channels via GitHub comments.

This type of abuse complicates detection, since legitimate platforms are increasingly used as part of the attack infrastructure.
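A heartbeat over GitHub comments looks like ordinary developer traffic to a content filter, but its timing does not. The Python example below (added here; not code from the report) groups constructed proxy-log requests to GitHub comment API endpoints by source host and flags hosts whose request intervals are too regular. The log format, the repository path, the host addresses and the thresholds (at least four requests, coefficient of variation of the intervals at most 0.15) are assumptions for the example.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines (timestamp source_ip method url). The repository
# path and addresses are placeholders, not indicators from the report.
SAMPLE_PROXY_LOG = """
2026-02-10T09:00:00 10.0.0.15 GET https://api.github.com/repos/example-org/notes/issues/1/comments
2026-02-10T09:01:13 10.0.0.22 GET https://api.github.com/repos/example-org/tooling/issues/7/comments
2026-02-10T09:02:30 10.0.0.15 GET https://update.example.com/check
2026-02-10T09:03:40 10.0.0.22 POST https://api.github.com/repos/example-org/tooling/issues/7/comments
2026-02-10T09:05:00 10.0.0.15 GET https://api.github.com/repos/example-org/notes/issues/1/comments
2026-02-10T09:10:00 10.0.0.15 GET https://api.github.com/repos/example-org/notes/issues/1/comments
2026-02-10T09:15:00 10.0.0.15 GET https://api.github.com/repos/example-org/notes/issues/1/comments
2026-02-10T09:17:05 10.0.0.22 GET https://api.github.com/repos/example-org/tooling/issues/7/comments
2026-02-10T09:18:00 10.0.0.22 GET https://api.github.com/repos/example-org/tooling/issues/7/comments
2026-02-10T09:20:00 10.0.0.15 GET https://api.github.com/repos/example-org/notes/issues/1/comments
2026-02-10T09:52:30 10.0.0.22 GET https://api.github.com/repos/example-org/tooling/issues/7/comments
"""


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Split one constructed log line into (timestamp, source, method, url)."""
    ts, src, method, url = line.split()
    return datetime.fromisoformat(ts), src, method, url


def is_github_comment_endpoint(url: str) -> bool:
    """True for GitHub REST comment endpoints under /repos/<owner>/<repo>/..."""
    return url.startswith("https://api.github.com/repos/") and url.rstrip("/").endswith("/comments")


def find_comment_beacons(lines: list[str], min_requests: int = 4, max_cv: float = 0.15) -> dict:
    """Return {source_host: {"interval_s": mean interval, "requests": count}} for
    hosts whose comment-endpoint requests arrive at near-constant intervals."""
    per_host: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, _method, url = parse_line(line)
        if is_github_comment_endpoint(url):
            per_host[src].append(ts)

    beacons = {}
    for src, stamps in per_host.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        # Coefficient of variation: a scripted heartbeat has little jitter,
        # a person reading and writing comments does not.
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            beacons[src] = {"interval_s": round(mean), "requests": len(stamps)}
    return beacons


if __name__ == "__main__":
    for host, info in find_comment_beacons(SAMPLE_PROXY_LOG.splitlines()).items():
        print(f"{host}: {info['requests']} requests every ~{info['interval_s']}s")
```

In the sample, 10.0.0.15 polls the same comment thread every five minutes and is flagged, while 10.0.0.22 touches a comment endpoint five times at irregular intervals and is not. Sleep jitter added by the implant raises the coefficient of variation, so the threshold should be tuned against a baseline of real developer hosts rather than set once.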

LLM-related traits and multistage attack chains

Another notable finding was the appearance of code structures resembling the output of large language models. According to the analysis, malware frameworks used by groups including Goffee and PhaseShifters showed such characteristics.

The report also describes complex multistage chains involving several phases of deployment and environment preparation. For example, campaigns attributed to Tolik used HTA files as the loader at the launch stage, marking a shift away from earlier approaches based on VBS scripts.

Meanwhile, groups such as IAmTheKing relied on advanced social engineering to trick users into enabling malicious macros.

What the findings mean for defenders

Overall, the first quarter of 2026 was marked by increasing sophistication and diversity in attack vectors. The report emphasizes that threat actors are adapting to bypass traditional detection mechanisms and strengthen operational security.

The key defensive priorities highlighted by the analysis include:

  • continuous improvement of detection capabilities;
  • faster mitigation of phishing-driven intrusions;
  • monitoring of Task Scheduler abuse and process injection;
  • tight control over document handling, archives and script-based loaders;
  • additional scrutiny of abuse of legitimate cloud and collaboration services.

As the report concludes, rapidly changing tactics among these actors make continuous adaptation essential for organizations defending against targeted attacks.

The report was obtained from the CTT Report Hub service. The rights to the report belong to its owner.

The full report is available at the link.

Author: Технологии киберугроз
Технологии киберугроз is a technology company specializing in threat intelligence solutions for enterprises of any size. We collect, normalize and enrich cyber threat information from around the world. Our sources include more than 260 open feeds, more than 100 open providers of Threat Intelligence reports, public online sandboxes, social networks and GitHub repositories. We also provide a number of services: semantic analysis of Threat Intelligence reports and their conversion into the machine-readable STIX 2.1 format, checking of IoCs for potential false positives, and retrieval of WHOIS records for domain names.