Back

Hacktivist Groups Expand Attacks Beyond Russia to Middle East and Central Asia

Severity: Medium (Score: 59.0)

Sources: Securelist, Technadu, securelist.com

Published: 2026-06-09 · Updated: 2026-06-09

Keywords: their, groups, hacktivist, hakerskii, attack, geography, scope

Summary

Hacktivist groups 4BID, Hakerskii Kit, and C.A.S. have broadened their attack geography, targeting organizations in Kazakhstan, the UAE, Syria, and Egypt, moving beyond their previous focus on Russian and Belarusian entities. The investigation began after indicators of compromise were detected in a breached Russian organization, leading researchers to uncover interconnected actors. Attackers primarily exploited the ProxyShell vulnerability in Microsoft Exchange to gain initial access, deploying the fd.aspx web shell for remote control and reconnaissance. The campaigns also utilized new ransomware samples, including ClearWater, and a previously undocumented backdoor named BlackSalt. Despite the new targets, most compromised systems still belong to Russian and Belarusian organizations. This shift in focus appears to be motivated by a claim from a 4BID member that attacking Russia is no longer profitable. Key Points: • Hacktivist groups 4BID, Hakerskii Kit, and C.A.S. are targeting organizations in Kazakhstan, UAE, Syria, and Egypt. • Initial access is commonly gained through the ProxyShell vulnerability in Microsoft Exchange. • New malware includes the ClearWater ransomware and a backdoor named BlackSalt.

Detailed Analysis

**Impact** Organizations across Russia and Belarus remain the primary victims, with new targets identified in Kazakhstan, the UAE, Syria, and Egypt. The affected sectors include manufacturing and other industries, with at least one Russian factory compromised. The attacks risk operational disruption through ransomware deployment (ClearWater) and data exfiltration, potentially impacting thousands of users, as seen in related campaigns targeting 13,500 Signal accounts. The expansion into the Middle East and Central Asia indicates a broader geographic impact on CIS and neighboring regions. **Technical Details** Attackers exploited the ProxyShell vulnerability (CVE-2021-34473 and related CVEs) in Microsoft Exchange servers to gain initial access. They deployed the fd.aspx ASP.NET web shell for remote control, file transfers, and system reconnaissance, using PowerShell or cmd.exe for command execution. Additional tools include the BlackSalt backdoor, GhostDriver EDR-killing utilities, and updated Blackout Locker ransomware. Custom scripts, often written in Ukrainian, facilitated lateral movement and deployment of AnyDesk for remote access. The kill chain stages observed include initial access, persistence, reconnaissance, lateral movement, and ransomware deployment. **Recommended Response** Immediately apply Microsoft Exchange ProxyShell patches to close initial access vectors. Deploy network and endpoint detections for the fd.aspx web shell, focusing on HTTP requests with unusual AUTH_KEY parameters and Base64-encoded payloads. Monitor for indicators related to BlackSalt, GhostDriver, and ClearWater ransomware activity. Harden PowerShell and cmd.exe execution policies, restrict AnyDesk installations, and review logs for Ukrainian-scripted administrative activity. Maintain vigilance for lateral movement and unusual file modifications consistent with these campaigns.

Source articles (3)

  • Hacktivists are broadening their scope beyond political motivation — Securelist · 2026-06-08
    While tracking the activities of 4BID we uncovered a new string of campaigns that appear to be the work of several interconnected actors. While politically motivated groups generally limit their scope…
  • Hacktivist Groups 4BID, Hakerskii Kit, and C.A.S. Broaden Attack Geography, Report Says — Technadu · 2026-06-09
    Securelist reports that hacktivist groups 4BID, Hakerskii Kit, and C.A.S. have broadened their attack geography, targeting organizations across Kazakhstan, the UAE, Egypt, and Syria, beyond their focu…
  • 114990 — securelist.com · 2026-06-09
    C.A.S (Cyber Anarchy Squad) is a hacktivist group that has been attacking organizations in Russia and Belarus since 2022. Besides data theft, its goal is to inflict maximum damage, including reputatio…

Timeline

  • 2023-10-02 — Public exploit for CVE-2023-44976 released: A proof-of-concept exploit appeared on GitHub, lowering the barrier for opportunistic attackers.
  • 2026-06-08 — Securelist reports expanded attack geography: Hacktivist groups broadened their targets to include Kazakhstan, UAE, Syria, and Egypt, moving beyond Russia.
  • 2026-06-09 — Technadu covers hacktivist activity: Technadu reports on the findings from Securelist regarding the expanded activities of 4BID and others.
  • Date unkno — Initial access via ProxyShell vulnerability: Attackers exploited the ProxyShell vulnerability in Microsoft Exchange to gain access to compromised systems.
  • Date unkno — Deployment of fd.aspx web shell: The fd.aspx web shell was deployed for remote control and reconnaissance after initial access was achieved.

CVEs

  • CVE-2023-44976

Related entities

  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Ransomware (Attack Type)
  • Trojan (Attack Type)
  • C.a.s Campaign (Campaign)
  • Eriell Group (Company)
  • Belarus (Country)
  • Egypt (Country)
  • Kazakhstan (Country)
  • Russia (Country)
  • Syria (Country)
  • organizations.as (Domain)
  • Government (Industry)
  • Technology (Industry)
  • Telecommunications (Industry)
  • 130.49.155.112 (Ipv4)
  • 138.226.236.52 (Ipv4)
  • 185.117.75.3 (Ipv4)
  • 185.221.153.121 (Ipv4)
  • 212.46.12.182 (Ipv4)
  • 45.112.194.82 (Ipv4)
  • 45.150.109.2 (Ipv4)
  • 77.72.85.62 (Ipv4)
  • 85.137.253.186 (Ipv4)
  • AdaptixC2 (Tool)
  • Akolo.exe (Tool)
  • AnyDesk (Tool)
  • Backupagnt.exe (Tool)
  • Backupsrv.exe (Tool)
  • BrowserThief (Tool)
  • Curl (Tool)
  • Demon.x64.exe (Tool)
  • Donut (Tool)
  • Fd.aspx (Tool)
  • GhostDriver (Tool)
  • Metasploit (Tool)
  • Meterpreter (Tool)
  • Microsoft Dev Tunnels (Tool)
  • Mimikatz (Tool)
  • Msfvenom (Tool)
  • Net.exe (Tool)
  • Panorama9 (Tool)
  • PowerShell (Tool)
  • Update1.exe (Tool)
  • Update.exe (Tool)
  • Upd.exe (Tool)
  • WindowsInternal.UpdateComponent.dll (Tool)
  • Winhost.exe (Tool)
  • WinSW (Tool)
  • XenAllPasswordPro (Tool)
  • Blackout Locker (Malware)
  • BlackSalt (Malware)
  • Havoc (Malware)
  • Mythic Apollo (Malware)
  • Revenge RAT (Malware)
  • Sliver (Malware)
  • Spark RAT (Malware)
  • 09d0517a1f69feff8186655ae3b567e0 (Md5)
  • FC3A8EABD07A221B478A4DDD77DDCE43 (Md5)
  • T1003 - OS Credential Dumping (Mitre Attack)
  • T1021 - Remote Services (Mitre Attack)
  • T1036 - Masquerading (Mitre Attack)
  • T1041 - Exfiltration Over C2 Channel (Mitre Attack)
  • T1047 - Windows Management Instrumentation (Mitre Attack)
  • T1055 - Process Injection (Mitre Attack)
  • T1059.001 - PowerShell (Mitre Attack)
  • T1059.003 - Windows Command Shell (Mitre Attack)
  • T1071.001 - Web Protocols (Mitre Attack)
  • T1071 - Application Layer Protocol (Mitre Attack)
  • T1136 - Create Account (Mitre Attack)
  • T1190 - Exploit Public-Facing Application (Mitre Attack)
  • T1485 - Data Destruction (Mitre Attack)
  • T1486 - Data Encrypted for Impact (Mitre Attack)
  • T1505.003 - Web Shell (Mitre Attack)
  • T1543.003 - Windows Service (Mitre Attack)
  • T1547.001 - Registry Run Keys / Startup Folder (Mitre Attack)
  • T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
  • T1562.001 - Disable Or Modify Tools (Mitre Attack)
  • T1566 - Phishing (Mitre Attack)
  • Asp.net (Platform)
  • Linux (Platform)
  • Microsoft Exchange (Platform)
  • Windows (Platform)
  • Babuk (Ransomware Group)
  • ClearWater (Ransomware Group)
  • Lockbit (Ransomware Group)
  • ProxyShell (Vulnerability)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed