Unknown Hacker Group Conducts Two‑Year Phishing Campaign Against Russian Maritime Universities, Energy, Diplomatic and Financial Entities
What Happened – A previously unknown threat actor ran a stealthy, multi‑year campaign (2024‑2025) targeting Russian maritime universities, energy facilities, diplomatic missions, government agencies and financial institutions. The attackers used phishing emails with malicious Excel‑configuration files and, from January 2025, leveraged a new open‑source framework “Ravage” to move laterally, exfiltrate files and capture screenshots.
Why It Matters for TPRM –
- Persistent, low‑and‑slow attacks can evade traditional monitoring, exposing third‑party risk for education, energy and government suppliers.
- Use of publicly released tooling (Ravage) demonstrates that adversaries can quickly adopt off‑the‑shelf resources, raising the bar for detection.
- Lack of attribution and unknown post‑compromise activity increase uncertainty for downstream partners.
Who Is Affected – Higher‑education (maritime universities), energy sector operators, diplomatic missions, government agencies, and financial institutions in Russia.
Recommended Actions –
- Review security posture of any Russian‑based education, energy or government vendors; verify phishing‑resilience training.
- Ensure endpoint detection and response (EDR) solutions can detect malicious Excel configuration files and the Ravage framework’s behaviors.
- Conduct threat‑intel monitoring for similar tool‑based activity in your supply chain.
Technical Notes – Attack vector: phishing emails with ZIP archives containing a malicious Excel‑config file that launches code execution. Later stages employed the “Ravage” penetration‑testing framework (GitHub Sep 2025) for file operations, command execution and screenshot capture. No specific CVEs were cited; post‑compromise actions remain undisclosed. Source: The Record