Russia-Linked Malware Targets Email Accounts for Espionage

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 
July 19, 2025 3 min read

Russia Linked to New Malware Targeting Email Accounts for Espionage

Russian military intelligence (GRU)-linked hackers are employing a new malware called “Authentic Antics” to target Microsoft cloud email accounts, according to the UK’s National Cyber Security Centre (NCSC). This malware is designed for persistent endpoint access by mimicking legitimate Microsoft Outlook activity.

Authentic Antics
Image courtesy of NCSC

The malware prompts users with a login window, capturing credentials and OAuth authentication tokens. Moreover, it exfiltrates data by sending emails from the victim’s account to a controlled email address, leaving no trace in the “sent” folder. Notably, there is no traditional command-and-control structure, reducing detection likelihood.

Paul Chichester, NCSC Director of Operations, remarked, “The use of Authentic Antics malware demonstrates the persistence and sophistication of the cyber threat posed by Russia’s GRU.” The malware was revealed following an incident investigated by Microsoft and NCC Group.

For further details, read more about APT28's activities and the UK's sanctions against Russian GRU officers.

Google Links New LostKeys Data Theft Malware to Russian Cyberspies

The ColdRiver hacking group, backed by the Russian state, has been using a new malware, LostKeys, for espionage targeting Western governments and organizations. This malware was first observed by Google Threat Intelligence Group in January as part of social engineering attacks known as ClickFix, which mislead victims into executing harmful PowerShell scripts.

LostKeys attack flow
Image courtesy of Google

LostKeys is capable of stealing files from predefined extensions and directories, sending system information to attackers, and executing processes. ColdRiver has also been linked to prior campaigns against NATO and U.S. facilities. In December 2023, the U.S. State Department sanctioned two ColdRiver operators, highlighting the ongoing threat posed by state-sponsored cyber activity.

Read more about ColdRiver's tactics and the U.S. sanctions on Russian hackers.

UK Sanctions Russian Intelligence Officers Linked to Mariupol Theater Bombing

The UK has imposed sanctions on 18 GRU officers and three military intelligence units for their involvement in a 2022 bombing that resulted in civilian casualties in Ukraine. The Foreign, Commonwealth and Development Office highlighted that these units have been linked to various destabilization activities across Europe.

People of war-torn towns in Ukraine's Donetsk region aim to rebuild lives
Image courtesy of AP

The GRU's cyber operations include accessing CCTV cameras and conducting online reconnaissance on civilian locations. U.K. Foreign Secretary David Lammy stated, “GRU spies are running a campaign to destabilize Europe.” The sanctions aim to raise awareness about Russia’s ongoing cyber threat and to impose consequences on individuals associated with its intelligence services.

Learn more about the Mariupol theater bombing investigation.

New “LameHug” Malware Deploys AI-Generated Commands

CERT-UA has identified a new malware, "LameHug," that utilizes AI-generated commands to target Windows systems in Ukraine. This malware is believed to be linked to APT28 and has been disseminated through emails masquerading as official communications from government entities.

LameHug leverages the Hugging Face API along with an open-source AI model to generate execution commands, making it adaptable and potentially harder to detect. The malware is designed to execute commands without needing new payloads, which poses a severe security risk.

LameHug Malware
Image courtesy of Infosecurity Magazine

APT28 has a history of targeting Ukraine since at least 2004, and its operations have included cyber-attacks against critical infrastructure. For more insights into APT28's activities, read about APT28’s cyber-espionage campaigns.

Gopher Security specializes in AI-powered, post-quantum Zero-Trust cybersecurity architecture. Our platform converges networking and security across various environments, employing advanced technologies like peer-to-peer encrypted tunnels and quantum-resistant cryptography. Explore our services or contact us at Gopher Security here.

Alan V Gutnov
Alan V Gutnov

Director of Strategy

 

MBA-credentialed cybersecurity expert specializing in Post-Quantum Cybersecurity solutions with proven capability to reduce attack surfaces by 90%.

Related Articles

Ransomware Attacks Target Russian Vodka and Healthcare Sectors

The Novabev Group, parent company of the Beluga vodka brand, experienced a ransomware attack on July 14, 2025, causing significant disruptions. The attack affected WineLab, the company's liquor store chain, leading to a three-day closure of over 2,000 locations in Russia. The company reported that the attack crippled its IT infrastructure, particularly point-of-sale systems and online services. Novabev Group stated, "The company maintains a principled position of rejecting any interaction with cybercriminals and refuses to fulfill their demands."

By Alan V Gutnov July 19, 2025 3 min read
Read full article

Retail Sector Faces Surge in Ransomware Attacks: A 2025 Analysis

Publicly disclosed ransomware attacks on the retail sector globally surged by 58% in Q2 2025 compared to Q1, with UK-based firms being particularly targeted, according to a report by BlackFog. This spike in attacks follows high-profile breaches affecting retailers like Marks & Spencer (M&S), The Co-op, and Harrods, attributed to the threat actor known as Scattered Spider.

By Alan V Gutnov July 19, 2025 2 min read
Read full article

AI-Driven Lcryx Ransomware Emerges in Cryptomining Botnet

A cryptomining botnet active since 2019 has incorporated a likely AI-generated ransomware known as Lcryx into its operations. Recent analysis by the FortiCNAPP team at FortiGuard Labs identified the first documented incident linking H2miner and Lcryx ransomware. This investigation focused on a cluster of virtual private servers (VPS) utilized for mining Monero.

By Edward Zhou July 19, 2025 3 min read
Read full article

Preventing ClickFix Attacks: Safeguarding Against Human Error

ClickFix is an emerging social engineering technique utilized by threat actors to exploit human error. This technique involves misleading users into executing malicious commands under the guise of providing "quick fixes" for common computer issues. Threat actors use familiar platforms and deceptive prompts to encourage victims to paste and run harmful scripts.

By Alan V Gutnov July 19, 2025 3 min read
Read full article