APT Groups Increasingly Turning to Phishing

In the second quarter of 2025, specialists at Positive Technologies observed a sharp increase in cybercriminal and hacktivist activity targeting Russian organizations. Phishing emails emerged as the most common initial attack vector, used in both mass campaigns and more sophisticated zero-day operations.
Phishing Tactics on the Rise
Attackers employed several methods to deliver their phishing campaigns:
- Registering domains that closely mimic legitimate ones.
- Hijacking genuine email infrastructure.
- Purchasing ready-made phishing infrastructure from third-party providers, outsourcing the delivery of malicious emails.
Researchers also noted a growing presence of malicious files generated with the help of neural networks. By leveraging publicly available AI services, attackers can now adapt and obfuscate malware modules, making them harder to detect with traditional security solutions.
Notable Campaigns and Groups
- TA Tolik: Distributed phishing emails containing archives disguised as government notifications or official documents. Opening the file deployed scripts to the victim’s hard drive, which:
  - Masqueraded as legitimate software.
  - Created tasks in the system scheduler.
  - Injected malicious code into the Windows registry.
  These scripts executed automatically, retrieving encrypted payloads from the registry and loading them directly into memory—an approach that makes detection difficult since the code never appears in plain text.
- Sapphire Werewolf: Used a free, legitimate service for sending large files to deliver malicious archives. When opened, the document first checked if it was running inside a sandbox (a virtual environment used for malware analysis). If detected, the malware immediately terminated to avoid exposure.
- PhaseShifters: Deployed phishing emails posing as communications from the Ministry of Science and Higher Education. Their malware checked for the presence of security tools on a victim’s system and adjusted its behavior accordingly.
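The TA Tolik chain described above (a scheduled task for persistence, a payload written to the registry, and a script that reads it back and loads it in memory) leaves telemetry even though the payload never touches disk in plain text. The following detector is an added example written for this article and is not code from Positive Technologies or from the report; it runs three heuristics over constructed Sysmon-style events (EventID 1 process creation, EventID 13 registry value set) and raises an alert per host when at least two stages of the chain co-occur. The event shapes, hostnames, registry paths and command lines are invented for the demonstration, and the code assumes the collector exposes the written registry value in the Details field.

```python
"""Host-level correlation of the registry-resident payload chain.

Added example: constructed Sysmon-like events, not real telemetry.
EventID 1  = process creation (Image, CommandLine)
EventID 13 = registry value set (TargetObject, Details)
"""
import base64
import math
import re
from collections import Counter, defaultdict

# --- constructed sample events (invented for this example) -------------
SAMPLE_EVENTS = [
    # stage: persistence via a scheduled task that runs a hidden script
    {"EventID": 1, "Host": "ws01",
     "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 15 /tn "Updater" '
                    r'/tr "powershell -w hidden -ep bypass -f C:\Users\Public\u.ps1"'},
    # stage: a large, high-entropy blob written under an unusual registry key
    {"EventID": 13, "Host": "ws01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Classes\Blob\Data",
     "Details": base64.b64encode(bytes(range(256)) * 40).decode()},
    # stage: a script reads that value and hands it to an in-memory loader
    {"EventID": 1, "Host": "ws01",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -w hidden -c $d=(Get-ItemProperty "
                    r"'HKCU:\Software\Classes\Blob').Data; "
                    r"[Reflection.Assembly]::Load([Convert]::FromBase64String($d))"},
    # benign noise on another host: a short, low-entropy registry write
    {"EventID": 13, "Host": "ws02",
     "Image": r"C:\Program Files\App\app.exe",
     "TargetObject": r"HKU\S-1-5-21-2\Software\App\LastRun",
     "Details": "2025-06-01"},
]

# --- tunables (assumed thresholds, tune against your own baseline) ------
MIN_BLOB_LEN = 1024      # registry values this long are rare for config data
MIN_ENTROPY = 4.5        # bits/char; encoded or encrypted data sits well above
SCHTASKS_RE = re.compile(r"schtasks(\.exe)?\s+/create", re.I)
LOADER_RE = re.compile(
    r"Get-ItemProperty.*(FromBase64String|Assembly\]::Load)", re.I | re.S)


def shannon_entropy(text: str) -> float:
    """Bits per character of the string; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def is_registry_blob(ev: dict) -> bool:
    """Large, high-entropy value written to the registry (payload staging)."""
    if ev.get("EventID") != 13:
        return False
    details = ev.get("Details", "")
    return len(details) >= MIN_BLOB_LEN and shannon_entropy(details) >= MIN_ENTROPY


def is_task_persistence(ev: dict) -> bool:
    """Scheduled task creation from the command line."""
    return ev.get("EventID") == 1 and bool(SCHTASKS_RE.search(ev.get("CommandLine", "")))


def is_registry_loader(ev: dict) -> bool:
    """Script that reads a registry value and feeds it to an in-memory loader."""
    return ev.get("EventID") == 1 and bool(LOADER_RE.search(ev.get("CommandLine", "")))


def correlate(events: list) -> dict:
    """Map host -> sorted stage names, keeping hosts where >= 2 stages appear.

    Requiring two stages keeps a lone schtasks call or a lone large registry
    write (both common in legitimate software) from paging anyone.
    """
    stages = defaultdict(set)
    for ev in events:
        host = ev.get("Host", "?")
        if is_registry_blob(ev):
            stages[host].add("registry_blob")
        if is_task_persistence(ev):
            stages[host].add("task_persistence")
        if is_registry_loader(ev):
            stages[host].add("registry_loader")
    return {h: sorted(s) for h, s in stages.items() if len(s) >= 2}


if __name__ == "__main__":
    for host, found in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: registry-resident payload chain, stages={found}")
```

The entropy threshold is the part most worth tuning: binary-valued registry data from legitimate installers can also score high, which is why the alert fires only when the blob write is accompanied by a loader command line or a new scheduled task on the same host.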
Hacktivist Activity
Hacktivists were also active during the quarter. The Black Owl community launched a targeted campaign timed with a major transport and logistics forum. They created phishing websites mimicking the event organizers’ pages to distribute malware.
Denis Kazakov, a cyberintelligence specialist at Positive Technologies, noted the broader pattern:
“We consistently observe cases of Russian web resources being compromised. In practice, hacktivists primarily target small websites—online stores, personal blogs, and regional news portals. Attackers then post propaganda materials, redirect traffic to fake pages, or inject malicious code to further their attacks. Some APT groups use compromised resources to conduct multi-stage phishing campaigns, while others sell their illicit gains on the dark web.”