A previously unknown hacking group quietly targeted Russian maritime schools, diplomatic missions, energy facilities, government agencies and financial institutions for nearly two years. Kaspersky says the campaign dates back to at least 2024 and used phishing emails with ZIP attachments containing a malicious file disguised as a Microsoft Excel configuration file; recent attacks starting in January 2026 used the Ravage post-compromise framework from GitHub to run commands, move files and capture screenshots. The company did not name the group, provide victim totals, or attribute the activity to a known state or criminal actor.
Why it matters: This is a sustained espionage-style campaign against sensitive Russian sectors, showing that simple phishing attachments are still effective and that publicly available offensive tools are being folded into real operations. Organizations in similar sectors should review email defenses, hunt for Ravage-related activity, and investigate suspicious Excel-launched processes and dormant compromises.
2026.05.31
This article appears to be the first tracked report establishing this specific, previously unreported multi-year campaign and its targeting pattern.