The PolySwarm Blog

Fancy Bear's SpyPress Malware

May 23, 2025 1:41:42 PM / by The Hivemind posted in Russia, Threat Bulletin, Espionage, Fancy Bear, SpyPress, Operation RoundPress

Verticals Targeted: Government, Defense
Regions Targeted: Ukraine, Bulgaria, Romania, Africa, EU, South America
Related Families: None specified

Executive Summary

Operation RoundPress, a Russia-aligned cyberespionage campaign attributed to Fancy Bear, deploys SpyPress malware via cross-site scripting (XSS) vulnerabilities to steal sensitive email data from high-value webmail servers. Active since 2023 and expanding in 2024, the campaign primarily targets Ukrainian government entities and Eastern European defense contractors, exploiting zero-day and known vulnerabilities across platforms like Roundcube, Horde, MDaemon, and Zimbra.

Star Blizzard’s LOSTKEYS Malware

May 19, 2025 1:20:19 PM / by The Hivemind posted in Russia, Threat Bulletin, Star Blizzard, LOSTKEYS

Verticals Targeted: NGOs, Diplomats, Government
Regions Targeted: Western countries, Eastern Europe, Ukraine
Related Families: Spica

Executive Summary

Star Blizzard, a Russian state-sponsored threat actor, has deployed a malware family named LOSTKEYS to steal sensitive documents and system information from NGOs, diplomats, and government officials in Western countries and Eastern Europe.

Cozy Bear Uses GRAPELOADER in Recent Phishing Campaign

Apr 21, 2025 2:15:53 PM / by The Hivemind posted in Russia, Threat Bulletin, Cozy Bear, GRAPELOADER

Verticals Targeted: Government, Diplomatic Entities
Regions Targeted: Europe, Middle East
Related Families: WINELOADER, ROOTSAW

Executive Summary

A sophisticated phishing campaign by Cozy Bear, a Russia-linked threat actor, was recently observed targeting European diplomatic entities with GRAPELOADER and WINELOADER malware.

Primitive Bear Using LNK Files to Deploy Remcos Backdoor Against Ukrainian Targets

Apr 4, 2025 2:48:44 PM / by The Hivemind posted in Ukraine, Russia, Threat Bulletin, Primitive Bear, LNK, Gamaredon, Remcos

Related Families: Remcos

Executive Summary

Primitive Bear has been observed targeting Ukrainian users with malicious LNK files since at least November 2024. The operation uses a PowerShell downloader and DLL side-loading to deliver the Remcos RAT, relying on war-related lures to deceive victims.

2024 Recap - Russian Threat Actor Activity

Dec 19, 2024 12:38:53 PM / by The Hivemind posted in Russia, Threat Bulletin, Europe, 2024, Recap

Executive Summary

This Threat Bulletin is part of PolySwarm’s 2024 Recap series. This report provides highlights of activity perpetrated by Russia-based threat actors in 2024.

Venomous Bear’s Lunar Toolset

May 28, 2024 1:05:05 PM / by The Hivemind posted in Russia, Threat Bulletin, Government, Venomous Bear, Turla, LunarMail, LunarWeb, LunarLoader

Related Families: LunarMail, LunarLoader, LunarWeb
Verticals Targeted: Government

Executive Summary

Venomous Bear was observed targeting a European Ministry of Foreign Affairs using a new toolset, dubbed the Lunar toolset.

AcidPour Wiper Targets Linux x86 Devices

Mar 29, 2024 12:44:53 PM / by The Hivemind posted in Ukraine, Russia, Threat Bulletin, Linux, AcidRain, AcidPour, x86

Related Families: AcidRain
Verticals Targeted: Telecommunications

Executive Summary

AcidPour, a variant of AcidRain, was recently observed targeting entities in Ukraine. The targets likely included telecommunications entities.

ColdRiver Using Spica Backdoor

Feb 2, 2024 1:06:16 PM / by The Hivemind posted in Russia, Threat Bulletin, Backdoor, Spica, ColdRiver

0 Comments

Executive Summary

ColdRiver, a Russia-nexus threat actor, was recently observed using the Spica backdoor in an espionage campaign.