HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Unknown Hacker Group Conducts Two‑Year Phishing Campaign Against Russian Maritime Universities, Energy, Diplomatic and Financial Entities

A newly identified threat actor has been running a stealthy, two‑year phishing campaign against Russian maritime universities, energy facilities, diplomatic missions, government agencies and financial institutions. The group leveraged malicious Excel configuration files and a publicly released framework called Ravage to gain footholds and execute commands, raising significant third‑party risk for suppliers in these sectors.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 therecord.media
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
3 recommended
📰
Source
therecord.media

Unknown Hacker Group Conducts Two‑Year Phishing Campaign Against Russian Maritime Universities, Energy, Diplomatic and Financial Entities

What Happened – A previously unknown threat actor ran a stealthy, multi‑year campaign (2024‑2025) targeting Russian maritime universities, energy facilities, diplomatic missions, government agencies and financial institutions. The attackers used phishing emails with malicious Excel‑configuration files and, from January 2025, leveraged a new open‑source framework “Ravage” to move laterally, exfiltrate files and capture screenshots.

Why It Matters for TPRM

  • Persistent, low‑and‑slow attacks can evade traditional monitoring, exposing third‑party risk for education, energy and government suppliers.
  • Use of publicly released tooling (Ravage) demonstrates that adversaries can quickly adopt off‑the‑shelf resources, raising the bar for detection.
  • Lack of attribution and unknown post‑compromise activity increase uncertainty for downstream partners.

Who Is Affected – Higher‑education (maritime universities), energy sector operators, diplomatic missions, government agencies, and financial institutions in Russia.

Recommended Actions

  • Review security posture of any Russian‑based education, energy or government vendors; verify phishing‑resilience training.
  • Ensure endpoint detection and response (EDR) solutions can detect malicious Excel configuration files and the Ravage framework’s behaviors.
  • Conduct threat‑intel monitoring for similar tool‑based activity in your supply chain.

Technical Notes – Attack vector: phishing emails with ZIP archives containing a malicious Excel‑config file that launches code execution. Later stages employed the “Ravage” penetration‑testing framework (GitHub Sep 2025) for file operations, command execution and screenshot capture. No specific CVEs were cited; post‑compromise actions remain undisclosed. Source: The Record

📰 Original Source
https://therecord.media/unknown-hacking-group-targeting-russia-for-nearly-two-years

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →