Hacktivist Groups 4BID, Hakerskii Kit, and C.A.S. Broaden Attack Geography, Report Says
- Geographic Expansion: Securelist found hacktivist groups 4BID, Hakerskii Kit, and C.A.S. striking organizations in Kazakhstan, the UAE, Egypt, and Syria.
- Initial Access: Attackers mostly exploited ProxyShell in Microsoft Exchange, then deployed a web shell across compromised environments.
- Tooling Shift: The campaigns leaned on ClearWater ransomware, Blackout Locker, and a broad mix of commercial remote monitoring and management tools.
Securelist reports that hacktivist groups 4BID, Hakerskii Kit, and C.A.S. have broadened their attack geography, targeting organizations across Kazakhstan, the UAE, Egypt, and Syria, beyond their previous focus on Russian and occasional Belarusian targets. The investigation began after researchers spotted indicators of compromise inside a breached Russian organization, then traced the activity to several interconnected actors.
Initial Access and Toolkit
In most cases, attackers gained initial access by exploiting ProxyShell in Microsoft Exchange before deploying the fd.aspx web shell for remote control, file transfers, and reconnaissance. The campaigns combined custom scripts, new ransomware samples, and commercially available remote monitoring and management tools, according to Securelist by Kaspersky.
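The access chain described above (ProxyShell exploitation, then a web shell named fd.aspx) leaves traces in the Exchange front-end IIS logs, which is where a defender would hunt for it. The script below is an added example, not code from the Securelist report: the W3C log lines, IP addresses and the directory holding fd.aspx are constructed, and the ProxyShell check uses the widely published autodiscover path-confusion pattern.

```python
import re
from typing import Dict, List, Tuple

# Field order of the constructed IIS W3C sample below.
FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
          "port", "username", "c_ip", "user_agent", "status"]

# Constructed sample log. The web shell's location (/aspnet_client/) is an
# assumption for illustration; the report only names the file fd.aspx.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-01 10:00:01 10.0.0.5 GET /owa/auth/logon.aspx url=%2fowa%2f 443 - 203.0.113.10 Mozilla/5.0 200
2024-05-01 10:00:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.test/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.test 443 - 198.51.100.7 python-requests/2.31 200
2024-05-01 10:01:12 10.0.0.5 POST /aspnet_client/fd.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2024-05-01 10:02:30 10.0.0.5 GET /ecp/default.aspx - 443 DOMAIN\\alice 10.0.0.22 Mozilla/5.0 200
"""

# ProxyShell path confusion: an '@' following autodiscover.json in the request.
PROXYSHELL_RE = re.compile(r"autodiscover\.json.*@", re.IGNORECASE)
WEBSHELL_NAME = "fd.aspx"

def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C lines into dicts; skip comments and malformed lines."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # do not guess at a broken line
        rows.append(dict(zip(FIELDS, parts)))
    return rows

def find_suspicious(rows: List[Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (detection, client_ip, request) for each matching log row."""
    hits = []
    for r in rows:
        req = r["uri_stem"] if r["uri_query"] == "-" else f"{r['uri_stem']}?{r['uri_query']}"
        if PROXYSHELL_RE.search(req):
            hits.append(("proxyshell_path_confusion", r["c_ip"], req))
        if r["uri_stem"].lower().rsplit("/", 1)[-1] == WEBSHELL_NAME:
            hits.append(("webshell_request", r["c_ip"], req))
    return hits

def chained_clients(hits: List[Tuple[str, str, str]]) -> List[str]:
    """Client IPs seen both sending the ProxyShell pattern and reaching the web shell."""
    by_ip: Dict[str, set] = {}
    for kind, ip, _ in hits:
        by_ip.setdefault(ip, set()).add(kind)
    both = {"proxyshell_path_confusion", "webshell_request"}
    return sorted(ip for ip, kinds in by_ip.items() if both <= kinds)

if __name__ == "__main__":
    found = find_suspicious(parse_w3c(SAMPLE_LOG))
    for hit in found:
        print(hit)
    print("chained:", chained_clients(found))
```

Run against real logs, replace SAMPLE_LOG with the contents of the Exchange FrontEnd/HttpProxy log directory and review the chained clients first.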
Among the software identified were:
- BlackReaperRAT
- ClearWater ransomware
- Warp RAT
- AnyDesk
- Panorama9
- Dev Tunnels
- Tactical RMM
- Post-exploitation frameworks:
  - Sliver
  - Havoc
  - Apollo Mythic
  - AdaptixC2
Researchers also identified a previously undocumented backdoor named BlackSalt, EDR-killing utilities including GhostDriver, and an updated version of Blackout Locker.
ClearWater ransomware surfaced across multiple compromised infrastructures. Securelist mentions that public sources reported Hakerskii Kit claimed an attack on a Russian factory where ClearWater was also detected, with the attackers publicly thanking the C.A.S. group for their contribution.
A Pivot Toward New Regions
Securelist noted that the majority of compromised infrastructures still belong to Russian and Belarusian organizations. However, for the first time, it identified victims in Kazakhstan, the UAE, Syria, and Egypt.
The report assesses that these actors appear to be pivoting toward the wider CIS region and the Middle East, a shift that correlated with a statement from an alleged 4BID member claiming that attacking Russia is no longer profitable.
Last week, an RAlord affiliate was allegedly banned for violating the CIS ransomware rule by infecting the Eriell Group. In May, Russian hackers targeted 13,500 Signal accounts in a hijacking campaign.