NEWS High-profile attacks have died out in Russia—spies live online for six months. They steal silently, then leave silently.

pinkman

A new study from Solar 4RAYS explores how cybercrime is changing in our country.
In 2025, the number of cyber incidents investigated by the Solar 4RAYS team remained unchanged, but the threat landscape itself changed significantly. Attacks didn't increase, but they became longer-lasting, quieter, and noticeably more professional. Hacktivist activity subsided, espionage intensified, and contractors became one of the most convenient entry points into enemy infrastructure. While a year ago, the main focus was on high-profile and fairly straightforward attacks, now the focus is increasingly on long-term, hidden presence on the network, building trust relationships, and targeting large organizations in sensitive industries.

Solar 4RAYS's new research is based on data from investigations conducted by the team throughout 2025 at Russian public and private organizations. These investigations primarily concern not random hacks or widespread background noise, but attacks by trained actors. Some of these actors were motivated by profit, while others, the researchers believe, were acting in the interests of foreign governments. In most cases, the causes of compromise are familiar: either the attackers bypassed existing security measures, or the infrastructure simply lacked tools commensurate with the actual threat level.

The most noticeable shift occurred in the target set. In 2025, investigations impacted 10 industries, down from 19 the previous year. This decline doesn't mean attacks have decreased. Rather, attackers have increasingly focused on the most important sectors. Government agencies, industry, IT, healthcare, and energy topped the list. Moreover, for the first time since Solar 4RAYS began monitoring, energy was among the sectors actually attacked. For researchers, this is an important signal: the infrastructure on which the country's basic operations depend is increasingly attracting the attention of groups associated with government and intelligence agencies.

The share of incidents in the public sector increased by 3 percentage points. The number of attacks on industrial and IT companies also increased. For the IT sector, the increase was particularly noticeable. The reason for this is practical: such companies often work for larger clients and serve as an intermediate entry point rather than a final target for attackers. If a contractor has network connections to a client, compromising a smaller partner can open the door to a much more secure environment. This is why the study identified attacks through trust relationships as one of the year's top trends.

The picture has also become more complex in terms of motivation. Espionage in 2025 already accounted for 60% of all investigated incidents, an increase of 2 percentage points compared to the previous year. Financially motivated attacks remained roughly the same, while politically motivated hacktivism declined slightly, from 19% to 16%. The decline doesn't seem dramatic at first glance. When analysts previously compared the incomplete year 2025 with the same period in 2024, the decline was more noticeable. Later, a series of politically motivated attacks in November and December partially narrowed the gap. But the overall trend is still clear: public outcry has diminished, while covert and complex operations have increased. Researchers had already expected at the beginning of 2025 that the share of high-profile attacks aimed at publicity would continue to decline, and the final statistics have generally confirmed this prediction.

The composition of the attackers themselves has also changed. In 2024, approximately 70% of investigated incidents were attributed to pro-Ukrainian groups. In 2025, their share dropped to 24.6%. At the same time, the diversity of the entire malicious ecosystem has increased. While Solar 4RAYS monitored the activity of nine groups in 2024, in 2025 that number grew to 18. Moreover, analysts encountered seven of them for the first time. In other words, the previously prominent clusters no longer define the entire picture. A more diverse and less predictable environment has emerged, featuring a greater number of new or as yet poorly defined players.

Among the initial penetration methods, perhaps the most practical shift for businesses has occurred. Vulnerabilities in web applications remain the primary entry point, but the share of attacks through contractors and other trusted relationships has increased sharply. In 2024, this scenario accounted for 6% of investigated incidents, and in 2025, it reached 24%. Researchers draw a clear conclusion from this: it's important to protect not only your own perimeter, but also the entire chain of connected companies. If a contractor is connected to a client's infrastructure, the contractor's poor security practices quickly become the client's problem.

According to Solar 4RAYS, the rise in trust-based attacks also indicates the increasing maturity of the adversary. Reaching a client through a contractor requires more than just accidentally stumbling upon an open hole. It requires reconnaissance, understanding the connections between organizations, accumulating access, and patience. This scenario requires time and resources, meaning that defenders are increasingly being targeted not by impulsive groups, but by trained teams.

The same idea is confirmed by the duration of incidents. Every fifth investigated case in 2025 lasted from six months to a year. The share of such attacks increased by 13 percentage points. At the same time, short incidents lasting up to a month also increased. Meanwhile, the share of incidents lasting up to two weeks has almost completely collapsed. Researchers attribute the increase in long-term campaigns to the strengthening of the espionage component. Groups that hunt for data, rather than immediate noise, try to remain undetected within the network for as long as possible. In 2024, attacks lasting up to a year accounted for 9% of investigations; in 2025, this figure has risen to 22%. We are witnessing a significant shift toward patient operations.

Looking at the groups themselves, the word "diversity" best describes the year. Even at the end of the first half of the year, analysts noted that attribution was difficult. Back then, only 32% of attacks could be reliably linked to known clusters. By the end of the year, that figure had risen to 54%, but more importantly, many new traces emerged that didn't fit into previous patterns. As a result, in 2025, analysts saw artifacts from 18 groups and clusters, up from 8 the previous year.

The most significant change was in the share of incidents associated with the Shedding Zmiy group. While the group had been a constant presence in investigations in the previous two years, accounting for 37% of all attributed incidents, in 2025 that figure dropped to 7%. Solar 4RAYS has a working theory: the group may have decreased its activity after its tools and techniques became too well known to the market. It's also possible that the team simply took a break to update its arsenal. Obstinate Mogwai also became less visible. Erudite Mogwai, on the other hand, has strengthened its position. A new group, which analysts have dubbed Snowy Mogwai, has also emerged.

Snowy Mogwai, also known as UNC5174, belongs to an APT cluster whose activity is generally dated back to 2023. At that time, Mandiant researchers detected the exploitation of vulnerability CVE-2023-46747 for remote code execution via the F5 BIG-IP Traffic Management interface. Solar 4RAYS has observed traces of this group since the fall of 2024. VShell, SNOWLIGHT, and GOREVERSE tools were used in investigations. Based on their target selection, the group appears to be a typical intelligence group: telecom, IT, government and scientific organizations, and the energy sector. Their geography is broad, extending from the US and Canada to Europe, Asia, and Russia. Based on their set of techniques and publicly available data, analysts attribute Snowy Mogwai to an East Asian origin.

Another prominent group, Partisan Zmiy, is associated with the Cyberpartisans group. While the group is often formally classified as hacktivist, Solar 4RAYS believes this label is too narrow. Researchers assess the group as highly organized and technically sophisticated, and some incidents indicate not only political actions but also espionage. The team first noticed traces of Partisan Zmiy's attacks in Russia in late 2024. The most high-profile incident of 2025, which analysts attribute to the group, was the summer attack on Aeroflot infrastructure. The group's arsenal includes Vasilek, Prianik, 3proxy, Gost proxy, ProcDump, Forklift, and PartisansDNS. According to the report, the primary targets are government agencies, transportation, and telecoms, with a geographic focus on Russia and Belarus.

The report also examines the Silent Zmiy group, also known as XDSpy. Unlike more vocal clusters, the group avoids publicly commenting on its operations and prefers silence. It is this behavior that led Solar 4RAYS to give it its name. The group is associated with activity traced back to 2011. Phishing emails are most often used for initial access. Among the tools, the researchers list XDSpy, CHMDownloader, DSDownloader, XDigo, forfiles, ETDownloader, and NSDownloader. In 2025, Solar 4RAYS observed only phishing emails sent to its clients, without developing into a full-fledged attack, so the team does not yet have a complete TTP profile. Nevertheless, based on the choice of targets and the nature of the emails, the researchers attribute the group with a low degree of certainty to an Eastern European origin.

Among the pro-Ukrainian actors, the report singles out GOFFEE. The group has been active since 2022 and has extensive resources for complex operations. In the investigated incidents, operators gained initial access through compromised VPN accounts and insecure web application configurations. Their arsenal included Mythic Agent, Cobalt Strike, QwakMyAgent, DumpIt, SspiUacBypass, Impacket PsExec, Owowa, PowerTaskel, and VisualTaskel. GOFFEE's industry focus is unclear, as the group's espionage interests are not limited to one sector. At various times, IT companies and government agencies have been targeted. According to Solar 4RAYS, the primary geographic target is Russia.

Among the new clusters, NGC5081 stands out. Solar 4RAYS first detected its activity in October 2025. Researchers describe the group as highly professional and focused on highly secure organizations. Its main distinguishing feature from many other players, they say, is its unique toolset. Specifically, investigations included the IDFKA backdoor, written in Rust and difficult to analyze. TinyShell was also used. The group's behavior was stealthy: operators masqueraded as system processes, legitimate software, and even the victim's contractors at the command-and-control infrastructure level. Telecom companies in Russia were targeted.

The report devotes a special role to Fairy Trickster, also known as Head Mare. Despite the rhetoric of hacktivism, the group operates using a much more pragmatic model. The operators encrypt systems for extortion and collect confidential data for subsequent sale. Solar 4RAYS first observed their traces in Russia in mid-2024. Among the tools listed are MeshAgent, LockBit 3.0, PhantomProxyLite, Rust SOCKS5 Proxy, T1ck3tDump, and PhantomTaskShell. Essentially, this is no longer classic political activism, but a hybrid actor that combines noise, pressure, and direct monetization.

Researchers are also noting the growing number of ransomware attacks using the RaaS (ransomware-as-a-service) model. In this model, ransomware is distributed almost like a commercial product: some develop and support it, while others rent it and use it in real-world attacks. In one of the incidents, Solar 4RAYS discovered LokiLocker, also known as BlackBit. The sample was written in Rust, and publicly available data links the ransomware to groups in the Middle East. The family has an official Black Bit Premium portal, through which operators obtain the malware, and RaaS owners compile builds for the attackers themselves. ELPACO-team ransomware was also encountered in separate investigations. Researchers note its unusually user-friendly graphical interface and support for a configuration file, which helps speed up attack configuration. After encryption, the malware deletes itself from the system, making analysis difficult.

Furthermore, in several cases, worm activity from earlier incidents was detected within the infrastructure. This is an important reminder for response specialists: if they focus only on the current attack during investigation and fail to examine the entire environment for traces of previous compromises, forgotten infections may remain within the network.

In a separate section of the report, Solar 4RAYS examines interesting techniques based on the MITRE ATT&CK matrix. Before an attack, attackers actively prepare resources: purchasing or obtaining access, registering domains, setting up infrastructure, obtaining malicious tools and exploits, and creating accounts, including email accounts. The researchers cite a telling incident where, during an investigation, they discovered several compromised servers that the attackers had prepared as their own command and control servers and proxies. This means that even if the victim didn't lose data or encounter encryption, the hacked server could still become part of someone else's criminal infrastructure. In this case, the organization becomes a tool for attacking others.

At the initial penetration stage, good old phishing remains alive and well. Despite the maturity of security solutions, not all are equally adept at closing all layers of the infrastructure, and a single inattentive user can open the door for an attacker. In 2025, Solar 4RAYS encountered phishing campaigns from Cloud Atlas with VBShower and VBCloud, Fairy Trickster with PhantomRemote, and also identified other groups for whom phishing remains a regular entry method, including Lifting Zmiy with BrokenDoor. Researchers emphasize that phishing protection relies not only on technology but also on the culture of handling emails and links.

Web applications continue to fail companies, not only due to vulnerabilities per se, but also due to poor configuration. In one incident, attackers gained access to the administrative panel using an account with privileges comparable to those of a system administrator. The password turned out to be a dictionary word, and access to the interface was granted from an external network. In another case, problems arose on a server running Bitrix. The basic configuration of the web application was incomplete, allowing the attackers to access restore.php, a service file used for restoring from a backup, and use it to plant malicious code on the server.

The report covers the topic of contractors in particular detail. Solar 4RAYS cites a telling case in which attackers used the account of a contractor employee to attack a client. After the first few illegitimate logins, the team recommended blocking the account. The client did so, but was unable to gain access to the contractor's machine for verification, as the contractor claimed the machine could not have been compromised. Two weeks later, the client unblocked the account voluntarily, after agreeing with the contractor to change the password, and within 24 hours, the attackers logged in again under the same username. Only after a full investigation of the contractor's system was the compromise confirmed. Furthermore, the machine contained files containing cleartext passwords. The report presents this case not as an exception, but as a typical example of how trust and poor discipline on the part of the contractor undermine the client's security.

During the execution phase, attackers in 2025 actively used PowerShell, cmd, Unix shell, Python, Visual Basic, WMI, task schedulers, system services, and containers. However, researchers have highlighted a more subtle technique: exploiting legitimate functions of the web application itself to perform malicious tasks. In one recent incident, attackers logged into the application's administrative interface as the root user and used the built-in task scheduler, which allowed them to run scripts within the application's context. Within these scripts, the attackers inserted code that executed commands at the operating system level. They received responses by intercepting web application errors, effectively turning a standard automation function into a reconnaissance tool.

As before, persistence in the system was most often based on mundane but reliable methods: local and domain accounts, web shells, startup scripts, task schedulers, system services, component substitution, DLL hijacking, and modification of SSH authorized_keys. One of the most interesting combinations in the report was persistence through system services with the simultaneous substitution of legitimate scripts. In one incident, the attackers did not target the GitLab service itself, but modified the default startup script for its components. As a result, when the legitimate service started or restarted, the malware was also launched. This approach simultaneously ensures persistence and significantly hinders detection.
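The startup-script substitution and authorized_keys modification described above are both file changes, which is what makes a hash baseline a cheap control. The following is an added example, not code from the Solar 4RAYS report or from GitLab: it baselines startup scripts, unit files and authorized_keys under a root directory and reports later additions, removals and modifications. The directory tree in demo() is constructed for the demonstration; a real deployment would baseline the actual service directories and keep the baseline off-host.

```python
"""Detect tampering with service startup scripts and SSH authorized_keys."""
import hashlib
import json
import tempfile
from pathlib import Path

# File kinds worth baselining; extend for the services actually deployed.
WATCH_PATTERNS = ("*.sh", "*.service", "authorized_keys")


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path, patterns=WATCH_PATTERNS) -> dict:
    """Map path (relative to root, POSIX form) -> sha256 for matching files."""
    baseline = {}
    for pattern in patterns:
        for p in root.rglob(pattern):
            if p.is_file():
                baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def diff_baseline(root: Path, baseline: dict, patterns=WATCH_PATTERNS) -> dict:
    """Compare the tree under root with a previously saved baseline."""
    current = build_baseline(root, patterns)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "removed": sorted(k for k in baseline if k not in current),
        "added": sorted(k for k in current if k not in baseline),
    }


def demo() -> dict:
    """Constructed scenario: baseline a fake service tree, then tamper with it
    the way the report describes (startup wrapper edited so the service start
    also launches something else, extra SSH key appended, new script dropped)."""
    root = Path(tempfile.mkdtemp())
    svc = root / "services" / "gitlab-demo"   # constructed path, not GitLab's layout
    svc.mkdir(parents=True)
    wrapper = svc / "wrapper.sh"
    wrapper.write_text("#!/bin/sh\nexec ./real-service \"$@\"\n")
    ssh = root / "root" / ".ssh"
    ssh.mkdir(parents=True)
    keys = ssh / "authorized_keys"
    keys.write_text("ssh-ed25519 AAAAconstructedkey admin@host\n")
    # Round-trip through JSON, as the baseline would be stored between checks.
    saved = json.loads(json.dumps(build_baseline(root)))

    wrapper.write_text("#!/bin/sh\n./extra-binary &\nexec ./real-service \"$@\"\n")
    with keys.open("a") as f:
        f.write("ssh-ed25519 BBBBconstructedkey unknown@host\n")
    (svc / "cleanup.sh").write_text("#!/bin/sh\nexit 0\n")
    return diff_baseline(root, saved)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run the baseline from a clean state and alert on any non-empty "modified" or "added" list; a legitimate package upgrade should be the only thing that changes these files, and it is easy to reconcile against a change ticket.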

Another rare incident involved PostgreSQL and TrueConf Server. Having gained system administrator privileges, the attackers created a backdoor in the database using a function and a trigger. Afterwards, entering a special string in the authentication fields allowed them to execute arbitrary SQL queries and, using the COPY command, save the results to disk files. This method, for example, could have been used to create a web shell. This story is instructive, if only because it reminds us that a database can become not just a storage device, but a hidden control point for an attack.
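A trigger that executes row contents or writes to the server filesystem is visible in the catalog, so it can be audited. The following is an added example, not code from the Solar 4RAYS report, TrueConf or PostgreSQL: AUDIT_SQL is a standard catalog query listing every non-internal trigger with its function body, and classify_trigger_functions() scores the returned rows offline. SAMPLE_ROWS are constructed, not taken from a real incident.

```python
"""Audit PostgreSQL triggers for functions that turn row data into SQL or write to disk."""
import re

# One row per user-defined trigger: trigger name, table, function name, source text.
AUDIT_SQL = """
SELECT t.tgname, c.relname, p.proname, p.prosrc
FROM pg_trigger t
JOIN pg_class c ON c.oid = t.tgrelid
JOIN pg_proc  p ON p.oid = t.tgfoid
WHERE NOT t.tgisinternal;
"""

# Heuristic indicators checked against the PL/pgSQL body. A hit is a lead for
# review, not proof: a parameterised "EXECUTE ... USING NEW.x" also matches the
# first pattern and has to be confirmed by reading the function.
INDICATORS = [
    ("dynamic-sql-from-row", re.compile(r"\bEXECUTE\b[^;]*\bNEW\.", re.I)),
    ("copy-to-file", re.compile(r"\bCOPY\b[^;]*\bTO\s+'", re.I)),
    ("copy-to-program", re.compile(r"\b(FROM|TO)\s+PROGRAM\b", re.I)),
    ("server-file-function",
     re.compile(r"\bpg_read_(binary_)?file\b|\bpg_ls_dir\b|\blo_export\b", re.I)),
]

# Tables whose rows are written from login forms: attacker-controlled input.
SENSITIVE_TABLES = {"users", "accounts", "sessions", "logins", "auth"}


def classify_trigger_functions(rows):
    """rows: iterable of (tgname, relname, proname, prosrc) as returned by AUDIT_SQL."""
    findings = []
    for tgname, relname, proname, prosrc in rows:
        hits = [label for label, rx in INDICATORS if rx.search(prosrc)]
        if not hits:
            continue
        findings.append({
            "trigger": tgname,
            "table": relname,
            "function": proname,
            "indicators": hits,
            "severity": "high" if relname.lower() in SENSITIVE_TABLES else "medium",
        })
    return findings


# Constructed sample: a benign timestamp trigger, a trigger that executes a value
# taken from a login column, and a trigger that copies a table to a file.
SAMPLE_ROWS = [
    ("trg_touch", "users", "set_updated_at",
     "BEGIN NEW.updated_at := now(); RETURN NEW; END;"),
    ("trg_login_hook", "users", "login_hook",
     "BEGIN IF NEW.login LIKE 'x-%' THEN EXECUTE substr(NEW.login, 3); END IF;\n"
     "RETURN NEW; END;"),
    ("trg_export", "orders", "export_orders",
     "BEGIN COPY orders TO '/tmp/orders.csv'; RETURN NEW; END;"),
]

if __name__ == "__main__":
    for f in classify_trigger_functions(SAMPLE_ROWS):
        print(f["severity"], f["table"], f["trigger"], ",".join(f["indicators"]))
```

Pair the catalog audit with a check of who holds superuser or pg_write_server_files, since COPY ... TO a file only works for such roles.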

In most investigations, lateral movement across the network didn't require anything exotic from the attackers. RDP, SSH, and SMB remained the primary tools. They give full control of a machine, lend themselves to exploiting weak settings, and let attackers disguise their actions as routine administration. Solar 4RAYS's conclusion here sounds almost trivial, but that doesn't make it any less important: attackers often avoid complex techniques simply because their basic tools are sufficient.

A separate section of the report is devoted to evading detection. In approximately one in 10 investigated incidents, the attackers attempted to disable or weaken security measures. In one case, the antivirus software failed to detect web shells that were already known and added to signatures. While no direct evidence of tampering with the security software was found, the researchers consider this behavior highly suspicious. In another incident, signs of antivirus removal pointed to PsExec. Disguising themselves as legitimate processes and components also persisted. According to Solar 4RAYS, groups operating on Unix-like systems are particularly adept at this. As an example, the researchers again cite NGC5081, which carefully adapted to the victim's environment.

The researchers close their report on a rather stark note. The first half of 2025 did appear relatively calm, but then the lull ended. The second half of the year saw more significant attacks on transportation and trade, while pressure on manufacturing, IT, and energy intensified. Attackers are changing tactics, more readily exploiting contractor weaknesses, extending their undetected presence, and more actively expanding their toolkit. Solar 4RAYS expects that in 2026, the share of espionage attacks on sectors critical to the Russian economy will at least remain unchanged. In the financially motivated segment, extortion will remain the main risk, and the growing interest in RaaS also suggests a lowering of the barrier to entry. Furthermore, the researchers expect, with moderate confidence, that 2026 will see more signs of the use of AI services in the preparation and execution stages of targeted attacks.

The practical recommendations in the report are quite down-to-earth and therefore particularly important. Solar 4RAYS recommends stricter control over contractors and all remote access, especially if there are direct connections between networks. Don't delay software updates and web application security, as vulnerabilities in them remain the primary entry point for many attacks. Monitor password policies and account leaks, as compromised accounts remain the second most common method of penetration. Take compromise notifications from the National Cybersecurity Coordination Center and private information security companies seriously. Maintain backups according to the 3-2-1 principle. Use not only classic security software but also more advanced tools, including EDR and SIEM. Conduct regular compromise assessments and promptly engage response specialists. Finally, don't forget about the cyber literacy of your employees, as even a strong infrastructure can be destroyed by one successful social engineering attack.

Professional attacks in Russia haven't disappeared, but over the past year they've become more mature, diverse, and cautious. While there are fewer loud, overt attacks, there are, on the contrary, more long-term, quiet penetrations. This means that in 2026, the winners won't be those who simply buy another security product, but those who can spot weak links in their ecosystem before an attacker does.