Category: Russian Federation

  • MIL-OSI USA: Graham: Moral Clarity Will Conquer Evil Regimes

    US Senate News:

    Source: United States Senator for South Carolina Lindsey Graham
    WASHINGTON – U.S. Senator Lindsey Graham (R-South Carolina) today spoke on the Senate floor about peace through strength and moral clarity during dangerous times.
    On moral clarity during dangerous times:
    GRAHAM: “Russia is the aggressor. Russia must end this bloodbath. That is my view of [the Russia-Ukraine war]. Let’s look in history and see what happens when you have moral clarity and see what happens when you lose it.” https://youtu.be/7QdErvIuatE?si=V0-X6tkjJE_8De10&t=566
    GRAHAM: “Hitler told [the world] what he was going to do, he wrote a book. But [former UK Prime Minister] Chamberlain obviously didn’t read the book and he didn’t have the moral clarity to confront the Nazi regime, and a lot of people died. September 30, 1938 [Chamberlain said] ‘I believe it is peace for our time.’ … Less than a year later, the world was on fire.” https://youtu.be/7QdErvIuatE?si=9GJNnus0en6x_S6R&t=643
    GRAHAM: “‘When all are free, then we can look forward to that day when this city will be joined as one and this country and this great continent of Europe in a peaceful and hopeful globe.’ [President John F. Kennedy] was talking about Berlin. Moral clarity to the Soviet Union.  He stood up for freedom and stood against the Soviet empire.” https://youtu.be/7QdErvIuatE?si=V0-X6tkjJE_8De10&t=718
    GRAHAM: “Ronald Reagan: ‘Mr. Gorbachev, tear down this wall!’ How clear could you be? On the other side of this wall is an evil empire. That moral clarity, over time, brought the Soviet Union down to its knees.” https://youtu.be/7QdErvIuatE?si=V0-X6tkjJE_8De10&t=749
    On President Trump’s leadership:
    GRAHAM: “When [President Trump] got in office, one of his top priorities was to fix a broken border. Look what’s happened…He’s turned it all off because he was firm and resolved with Mexico and others. His border policies have worked.” https://youtu.be/7QdErvIuatE?si=BaLGLKsqVGj9HRCd&t=363
    GRAHAM: “What has [President Trump] said about Iran? ‘You know it’s not a complicated formula. Iran cannot have a nuclear weapon. That’s all there is.’ That’s moral clarity. You can understand that no matter where you’re at on the planet.” https://youtu.be/7QdErvIuatE?si=sOxbu_x3XKBdCBOm&t=436
    GRAHAM: “I appreciate President Trump’s earnest effort to bring the parties together to find a solution we can all live with, to keep an independent sovereign Ukraine, and end this war sooner rather than later. It is clear to me that after all these months, the earnest efforts by President Trump are not being equally met. I think Zelensky is ready to make concessions to end this war. Putin seems to be [doing] more talking and less acting.”  https://youtu.be/7QdErvIuatE?si=uQ3IQiEdRV2rPWwG&t=948
    On the Graham-Blumenthal Russia sanctions bill reaching over 80 cosponsors:
    GRAHAM: “It is now time to increase the cost of this war to Putin. The sanctions package we have put together has [over] 80 cosponsors. Do you know how hard it is to get 80 Senators to agree on anything? Eighty of us – and the number is climbing – are ready to impose sanctions on Russia if Putin does not come to the table and earnestly seek peace.” https://youtu.be/7QdErvIuatE?si=kWOZu-UhJqd0ru3M&t=1009
    GRAHAM: “These sanctions are geared toward China. There are tariffs in these sanctions on any nation that buys Russian oil and gas from the shadow fleet. Putin’s war machine is propped up by China and India buying Russian oil at a massive discount…” https://youtu.be/7QdErvIuatE?si=QJy_NDKD5DdPFoUY&t=1036
    Click here to watch Graham’s entire speech

    MIL OSI USA News

  • MIL-OSI Russia: China Calls on US to Abandon Golden Dome Missile Defense System for Global Strategic Stability — Chinese Foreign Ministry

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — Chinese Foreign Ministry spokesperson Mao Ning on Wednesday called on the United States to abandon the development and deployment of the Golden Dome global missile defense system and take concrete actions to strengthen strategic mutual trust between the powers and maintain global strategic stability.

    Mao Ning made the relevant statements while commenting on the plan to create the Golden Dome missile defense system in the United States.

    As the Chinese diplomat noted, the so-called “Golden Dome” plan is aimed at deploying an unlimited, global, multi-layered and multi-dimensional missile defense system. This plan openly envisages a significant increase in space warfare capabilities, including the development and deployment of orbital interception systems.

    “This gives this plan a clearly offensive character and violates the principle of peaceful use of outer space, enshrined in the Outer Space Treaty. The implementation of the plan will increase the risks of turning space into a combat zone and the emergence of a space arms race, and will undermine the international security and arms control system,” Mao Ning said.

    According to the official representative, the United States, adhering to the “America First” policy, is obsessed with the pursuit of absolute security for itself, which violates the principle of “the security of one state should not be ensured at the expense of the security of others” and undermines the global strategic balance and stability.

    “China expresses serious concern over this,” Mao Ning added. -0-

    MIL OSI Russia News

  • MIL-OSI Russia: At a seminar on Eurasian relations, Chinese and German experts called for cooperation

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — Experts from China and Germany called for cooperation to overcome global challenges in an unstable world at a seminar on China-Russia-Europe relations held in Beijing on Tuesday.

    The current seminar, organized by the Institute of Russian, East European and Central Asian Studies of the Chinese Academy of Social Sciences (IRESCA AASS), took place in the year of the 50th anniversary of the establishment of diplomatic relations between China and the European Union.

    In his opening remarks, Sun Zhuangzhi, Director of the Institute, noted that in the context of profound global changes unseen for a century, humanity has once again found itself at a historical crossroads. Against this background, he stressed, academic discussions on relations between China, Russia and Europe have important practical significance.

    Noting that China and Europe have many common interests, Sun said it is crucial to find the “biggest common denominator” for cooperation between the two sides, which is of particular significance both for maintaining security and stability on the Eurasian continent and for promoting prosperity and development worldwide.

    Nadine Godehardt, Senior Research Fellow at the Asia Department of the Brussels branch of the German Institute for International and Security Affairs, noted that the world is experiencing new profound changes, and the geopolitical landscape in the Eurasian region is becoming increasingly complex.

    As a result, N. Godehardt continued, the European Union and the European integration process are creating a new momentum for reform, initiating a whole series of policy adjustments. She added that discussions between Chinese and European think tanks on the relations between China, Russia and Europe and on the situation in the Eurasian region are timely and important.

    The seminar participants agreed that in the context of an unstable international situation, countries of the world should adhere to the principles of mutual success and common progress, work together to solve key global and regional problems, and jointly write a new chapter in international governance and multilateral cooperation.

    The seminar was attended by experts and scholars from the German Institute for International and Security Affairs, the Bertelsmann Foundation, the Ruhr University Bochum, the Chinese Academy of Social Sciences and the China Institute of Contemporary International Relations. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: China, Partner Countries Co-host Traditional Medicine Event at World Health Assembly

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    GENEVA, May 21 (Xinhua) — China, along with Malaysia, Nepal, Saudi Arabia and the Seychelles, co-hosted for the first time a side event on traditional medicine on the sidelines of the 78th World Health Assembly in Geneva on May 20.

    The event focused on integrating traditional medicine into national health systems, supporting universal health coverage, advancing towards the Sustainable Development Goals and building a community of hygiene and health for all humanity.

    The event brought together more than 100 participants, including high-level health officials from many countries, representatives of the World Health Organization (WHO), renowned experts and scientists, and figures from international academia.

    The event featured a keynote speech by Yu Yanhong, Director of the National Administration of Traditional Chinese Medicine of the People’s Republic of China. She noted China’s centuries-long commitment to the development of traditional Chinese medicine, emphasizing the country’s unique path in developing traditional medicine with Chinese characteristics and the significant successes achieved along the way.

    Yu Yanhong called on countries to develop traditional medicine systems in accordance with their national characteristics and promote the modernization of traditional medical practices. She also reaffirmed China’s commitment to promoting more effective integration of traditional medicine into national health systems around the world.

    Seychelles Health Minister Peggy Vidot said traditional medicine and herbalism have a long history and deep cultural roots in her country, with their benefits gaining increasing public recognition every day.

    She proposed paying special attention to ensuring the necessary level of education and standard training of practitioners, disseminating evidence-based practices and creating a framework to guarantee the quality, effectiveness and safety of traditional medicine as its role in health systems continues to grow. P. Vidot also expressed her country’s interest in further strengthening cooperation with China and other countries in this area.

    WHO Regional Director for the Western Pacific, Saia Ma’u Piukala, described traditional medicine as a vital pillar of health systems that has made a significant contribution to global health.

    He praised China’s achievements in preserving and updating traditional medicine, stressing that these practices should complement modern medicine rather than compete with it.

    The WHO regional head called for stronger international cooperation to ensure the safety, quality and accessibility of traditional medicine. S. M. Piukala also noted that the Western Pacific Region is actively working to integrate traditional medicine into universal health coverage systems so that more people can benefit from such treatment. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: The 12th International Exhibition of Arms and Military Equipment MILEX-2025 Opened in Belarus

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    MINSK, May 21 (Xinhua) — The 12th International Exhibition of Arms and Military Equipment MILEX-2025 opened on Wednesday at the Minsk International Exhibition Center “BelExpo”. More than 150 companies from Belarus, Russia, China, Iran, Pakistan, and India are taking part in the event. They are demonstrating samples of weapons and military equipment that reflect the main trends and development prospects of the global arms market.

    President of Belarus Alexander Lukashenko sent a greeting to the participants and guests of the international exhibition. “In the year of the 80th anniversary of the Victory of the Soviet people in the Great Patriotic War, we are holding this representative forum in honor of our common heroes. The generation of victors bequeathed to us to preserve peace and freedom in our native land, won at an unprecedentedly high price. In the name of this goal, we, the allied countries, are increasing our defense potential and strengthening cooperation in the field of security,” A. Lukashenko’s press service quotes him as saying.

    The President of Belarus expressed confidence that the international exhibition of weapons and military equipment will allow a wide range of specialists and experts to become familiar with the most advanced achievements of both Belarusian manufacturers and foreign partners.

    MILEX-2025 presents more than 750 samples of weapons, military and special equipment of Belarusian production. Among them are the anti-aircraft missile system “Buk-MB-2K” with the first Belarusian anti-aircraft guided missile, the grenade launcher system “Sapfir”, the armored personnel carrier V-2. The total area of the exhibition exceeds 11.5 thousand square meters.

    The 11th International Scientific Conference on the Development of Weapons, Military and Special Equipment and Dual-Use Technologies will be held as part of the scientific and business program of the event. The conference will address current issues of creating systems to counter high-precision weapons, electronic warfare, radio-technical and radar reconnaissance, troop and weapon control, and radio communications. A separate section will be devoted to the topic of unmanned systems for various purposes.

    The organizers of the 12th International Exhibition of Arms and Military Equipment MILEX-2025 are the State Military-Industrial Committee and the Ministry of Defense of Belarus, as well as the National Exhibition Center “BelExpo”. The event will last until May 24. –0–

    MIL OSI Russia News

  • MIL-OSI USA: Smoky Zabaykal’skiy

    Source: NASA

    As soon as snow melted from Russia’s Zabaykal’skiy Kray in mid-March 2025, satellites began detecting large numbers of wildland fires burning in the grasslands and forests surrounding Chita, the territory’s capital. Two months later, fires continued to rage around the city.
    The MODIS (Moderate Resolution Imaging Spectroradiometer) on NASA’s Aqua satellite captured this image of smoke streaming from multiple fires near Chita on May 19, 2025. The city, a stop along the Trans-Siberian Railway, has a population of about 350,000. News reports indicate that fires were active on the city’s outskirts on May 20 and were edging closer to the city center as firefighters worked amid dry, windy conditions.
    On May 20, 2025, Russia’s Aerial Protection Service reported 49 fires burning across nearly 700,000 hectares (2,700 square miles) in six regions of the country. Thirty-three fires were in Zabaykal’skiy (also called Transbaikal) and nine in Buryatiya, both of which border Mongolia. Russian officials reported deploying 2,700 personnel and 13 aircraft to fight the fires, including more than 1,000 paratroopers and airborne troops in Zabaykal’skiy.
    NASA Earth Observatory image by Michala Garrison, using MODIS data from NASA EOSDIS LANCE and GIBS/Worldview. Story by Adam Voiland.

    MIL OSI USA News

  • MIL-OSI USA: Russian GRU Targeting Western Logistics Entities and Technology Companies

    News In Brief – Source: US Computer Emergency Readiness Team

    Executive Summary

    This joint cybersecurity advisory (CSA) highlights a Russian state-sponsored cyber campaign targeting Western logistics entities and technology companies. This includes those involved in the coordination, transport, and delivery of foreign assistance to Ukraine. Since 2022, Western logistics entities and IT companies have faced an elevated risk of targeting by the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (85th GTsSS), military unit 26165—tracked in the cybersecurity community under several names (see “Cybersecurity Industry Tracking”). The actors’ cyber espionage-oriented campaign, targeting technology companies and logistics entities, uses a mix of previously disclosed tactics, techniques, and procedures (TTPs). The authoring agencies expect similar targeting and TTP use to continue.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise (IOCs), and posture network defenses with a presumption of targeting.

    This cyber espionage-oriented campaign targeting logistics entities and technology companies uses a mix of previously disclosed TTPs and is likely connected to these actors’ wide scale targeting of IP cameras in Ukraine and bordering NATO nations.

    The following authors and co-sealers are releasing this CSA:

    • United States National Security Agency (NSA)
    • United States Federal Bureau of Investigation (FBI)
    • United Kingdom National Cyber Security Centre (NCSC-UK)
    • Germany Federal Intelligence Service (BND) Bundesnachrichtendienst
    • Germany Federal Office for Information Security (BSI) Bundesamt für Sicherheit in der Informationstechnik
    • Germany Federal Office for the Protection of the Constitution (BfV) Bundesamt für Verfassungsschutz
    • Czech Republic Military Intelligence (VZ)  Vojenské zpravodajství
    • Czech Republic National Cyber and Information Security Agency (NÚKIB) Národní úřad pro kybernetickou a informační bezpečnost
    • Czech Republic Security Information Service (BIS) Bezpečnostní informační služba
    • Poland Internal Security Agency (ABW) Agencja Bezpieczeństwa Wewnętrznego
    • Poland Military Counterintelligence Service (SKW) Służba Kontrwywiadu Wojskowego
    • United States Cybersecurity and Infrastructure Security Agency (CISA)
    • United States Department of Defense Cyber Crime Center (DC3)
    • United States Cyber Command (USCYBERCOM)
    • Australian Signals Directorate’s Australian Cyber Security Centre (ASD’s ACSC)
    • Canadian Centre for Cyber Security (CCCS)
    • Danish Defence Intelligence Service (DDIS) Forsvarets Efterretningstjeneste
    • Estonian Foreign Intelligence Service (EFIS) Välisluureamet
    • Estonian National Cyber Security Centre (NCSC-EE) Küberturvalisuse keskus
    • French Cybersecurity Agency (ANSSI) Agence nationale de la sécurité des systèmes d’information
    • Netherlands Defence Intelligence and Security Service (MIVD) Militaire Inlichtingen- en Veiligheidsdienst
       

    Download the PDF version of this report:

    Russian GRU Targeting Western Logistics Entities and Technology Companies (PDF, 1,081KB)

    For a downloadable list of IOCs, visit:

    Introduction

    For over two years, the Russian GRU 85th GTsSS, military unit 26165—commonly known in the cybersecurity community as APT28, Fancy Bear, Forest Blizzard, BlueDelta, and a variety of other identifiers—has conducted this campaign using a mix of known tactics, techniques, and procedures (TTPs), including reconstituted password spraying capabilities, spearphishing, and modification of Microsoft Exchange mailbox permissions.
    In late February 2022, multiple Russian state-sponsored cyber actors increased the variety of cyber operations for purposes of espionage, destruction, and influence—with unit 26165 predominately involved in espionage. [1] As Russian military forces failed to meet their military objectives and Western countries provided aid to support Ukraine’s territorial defense, unit 26165 expanded its targeting of logistics entities and technology companies involved in the delivery of aid. These actors have also targeted Internet-connected cameras at Ukrainian border crossings to monitor and track aid shipments.
    Note: This advisory uses the MITRE ATT&CK® for Enterprise framework, version 17. See Appendix A: MITRE ATT&CK tactics and techniques for a table of the threat actors’ activity mapped to MITRE ATT&CK tactics and techniques. This advisory uses the MITRE D3FEND® framework, version 1.0.

    Description of Targets

    The GRU unit 26165 cyber campaign against Western logistics providers and technology companies has targeted dozens of entities, including government organizations and private/commercial entities across virtually all transportation modes: air, sea, and rail. These actors have targeted entities associated with the following verticals within NATO member states, Ukraine, and at international organizations: 

    • Defense Industry
    • Transportation and Transportation Hubs (ports, airports, etc.)
    • Maritime
    • Air Traffic Management
    • IT Services

    In the course of the targeting lifecycle, unit 26165 actors identified and conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access [T1199].

    The actors also conducted reconnaissance on at least one entity involved in the production of industrial control system (ICS) components for railway management, though a successful compromise was not confirmed [TA0043].

    The countries with targeted entities include the following, as illustrated in Figure 1:

    • Bulgaria
    • Czech Republic
    • France
    • Germany
    • Greece
    • Italy
    • Moldova
    • Netherlands
    • Poland
    • Romania
    • Slovakia
    • Ukraine
    • United States
       
    Figure 1: Countries with Targeted Entities

    Initial Access TTPs

    Unit 26165 actors used several techniques to gain initial access to targeted entities, including (but not limited to) the following:

    The actors abused vulnerabilities associated with a range of brands and models of small office/home office (SOHO) devices to facilitate covert cyber operations, as well as proxy malicious activity via devices with geolocation in proximity to the target [T1665]. [2]

    Credential Guessing/Brute Force

    Unit 26165 actors’ credential guessing [T1110.001] operations in this campaign exhibit some similar characteristics to those disclosed in the previous CSA “Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments.” [3] Based on victim network investigations, the current iteration of this TTP employs a similar blend of anonymization infrastructure, including the use of Tor and commercial VPNs [T1090.003]. The actors frequently rotated the IP addresses used to further hamper detection. All observed connections were made via encrypted TLS [T1573]. 

    Spearphishing

    GRU unit 26165 actors’ spearphishing emails included links [T1566.002] leading to fake login pages impersonating a variety of government entities and Western cloud email providers’ webpages. These webpages were typically hosted on free third-party services or compromised SOHO devices and often used legitimate documents associated with thematically similar entities as lures. The subjects of spearphishing emails were diverse and ranged from professional topics to adult themes. Phishing emails were frequently sent via compromised accounts or free webmail accounts [T1586.002, T1586.003]. The emails were typically written in the target’s native language and sent to a single targeted recipient. 

    Some campaigns employed multi-stage redirectors [T1104] verifying IP-geolocation [T1627.001] and browser fingerprints [T1627] to protect credential harvesting infrastructure or provide multifactor authentication (MFA) [T1111] and CAPTCHA relaying capabilities [T1056]. Connecting endpoints failing the location checks were redirected to a benign URL [T1627], such as msn.com. Redirector services used include:

    • Webhook[.]site
    • FrgeIO
    • InfinityFree
    • Dynu
    • Mocky
    • Pipedream
    • Mockbin[.]org

    The actors also used spearphishing to deliver malware (including HEADLACE and MASEPIE) executables [T1204.002] delivered via third-party services and redirectors [T1566.002], scripts in a mix of languages [T1059] (including BAT [T1059.003] and VBScript [T1059.005]) and links to hosted shortcuts [T1204.001].

    CVE Usage

    Throughout this campaign, GRU unit 26165 weaponized an Outlook NTLM vulnerability (CVE-2023-23397) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations [T1187]. [4],[5] These actors also used a series of Roundcube CVEs (CVE-2020-12641, CVE-2020-35730, and CVE-2021-44026) to execute arbitrary shell commands [T1059], gain access to victim email accounts, and retrieve sensitive data from email servers [T1114].

    Since at least fall 2023, the actors leveraged a WinRAR vulnerability (CVE-2023-38831) allowing for the execution of arbitrary code embedded in an archive as a means of initial access [T1659]. The actors sent emails with malicious attachments [T1566.001] or embedded hyperlinks [T1566.002] that downloaded a malicious archive prepared using this CVE. 

    Post-Compromise TTPs

    After an initial compromise using one of the above techniques, unit 26165 actors conducted contact information reconnaissance to identify additional targets in key positions [T1589.002]. The actors also conducted reconnaissance of the cybersecurity department [T1591], individuals responsible for coordinating transport [T1591.004], and other companies cooperating with the victim entity [T1591.002].

    The actors used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment [TA0008]. Multiple Impacket scripts were used as .exe files, in addition to the Python versions, depending on the victim environment. The actors also moved laterally within the network using Remote Desktop Protocol (RDP) [T1021.001] to access additional hosts and attempt to dump Active Directory NTDS.dit domain databases [T1003.003] using native Active Directory Domain Services commands, as shown in Figure 2:

    C:\Windows\system32\ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\[a-z]{3}" quit quit

    Figure 2: Example Active Directory Domain Services command

    Additionally, GRU unit 26165 actors used the tools Certipy and ADExplorer.exe to exfiltrate information from the Active Directory. The actors installed python [T1059.006] on infected machines to enable the execution of Certipy. Accessed files were archived in .zip files prior to exfiltration [T1560]. The actors attempted to exfiltrate archived data via a previously dropped OpenSSH binary [T1048].

    Incident response investigations revealed that the actors would take steps to locate and exfiltrate lists of Office 365 users and set up sustained email collection. The actors used manipulation of mailbox permissions [T1098.002] to establish sustained email collection at compromised logistics entities, as detailed in a Polish Cybercommand blog. [6]

    After initial authentication, unit 26165 actors would change accounts’ folder permissions and enroll compromised accounts in MFA mechanisms to increase the trust-level of compromised accounts and enable sustained access [T1556.006]. The actors leveraged python scripts to retrieve plaintext passwords via Group Policy Preferences [T1552.006] using Get-GPPPassword.py and a modified ldap-dump.py to enumerate the Windows environment [T1087.002] and conduct a brute force password spray [T1110.003] via Lightweight Directory Access Protocol (LDAP). The actors would additionally delete event logs through the wevtutil utility [T1070.001].
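As an added illustration (not code from the advisory or any of the authoring agencies), the detector below runs the host-side TTPs described in this section (the ntdsutil IFM dump, Get-GPPPassword.py / ldap-dump.py execution, Impacket and PsExec use, and log clearing with wevtutil) over constructed, Sysmon-like process-creation events; the field names host, user, image and cmdline are assumptions to adapt to your own telemetry.

```python
"""Flag process-creation events that match the post-compromise TTPs described above.

Input is JSON lines with the fields host, user, image and cmdline (a constructed,
Sysmon-like shape; adapt the field names to your own telemetry).
"""
import json
import re
from collections import defaultdict
from dataclasses import dataclass

# Each rule: label (ATT&CK id where the advisory gives one), description,
# regex for the image basename, regex for the full command line.
RULES = [
    ("T1003.003", "NTDS.dit dump via ntdsutil IFM",
     r"^ntdsutil\.exe$", r"\bifm\b.*\bcreate\s+full\b"),
    ("T1070.001", "Event log cleared with wevtutil",
     r"^wevtutil\.exe$", r"^\S+\s+(cl|clear-log)\b"),
    ("T1552.006", "GPP password retrieval (Get-GPPPassword.py)",
     r"^python(\d(\.\d+)?)?\.exe$", r"get-gpppassword\.py"),
    ("T1087.002", "LDAP enumeration / spray (modified ldap-dump.py)",
     r"^python(\d(\.\d+)?)?\.exe$", r"ldap-dump\.py"),
    ("TA0008", "Lateral movement tooling (Impacket / PsExec)",
     r"^(psexec(64)?\.exe|(psexec|wmiexec|smbexec|atexec|secretsdump)\.(py|exe))$", r"."),
    ("AD-collection", "Active Directory collection (Certipy / ADExplorer)",
     r"^(certipy(\.exe)?|adexplorer(64)?\.exe)$", r"."),
]


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str
    description: str
    cmdline: str


def _basename(path: str) -> str:
    """Image basename, lower-cased, tolerant of both path separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def match_event(event: dict) -> list[Finding]:
    """Return one Finding per rule that matches this event (usually zero or one)."""
    image = _basename(event.get("image", ""))
    cmdline = event.get("cmdline", "")
    return [
        Finding(event.get("host", ""), event.get("user", ""), technique, desc, cmdline)
        for technique, desc, image_re, cmd_re in RULES
        if re.search(image_re, image, re.I) and re.search(cmd_re, cmdline, re.I)
    ]


def scan(jsonl: str) -> list[Finding]:
    """Scan JSON-lines telemetry and collect all findings."""
    findings = []
    for line in jsonl.splitlines():
        if line.strip():
            findings.extend(match_event(json.loads(line)))
    return findings


def correlate(findings: list[Finding]) -> list[tuple[str, str]]:
    """(host, user) pairs that show log clearing alongside at least one other finding.

    Collection followed by anti-forensics on the same account is a much stronger
    signal than either event alone.
    """
    techniques = defaultdict(set)
    for f in findings:
        techniques[(f.host, f.user)].add(f.technique)
    return sorted(k for k, t in techniques.items() if "T1070.001" in t and len(t) > 1)


# Constructed sample telemetry (not advisory data). The "qe" wevtutil call is a
# benign query and must not fire; the "cl" call clears the Security log.
SAMPLE_EVENTS = r'''
{"host":"DC01","user":"CORP\\svc_backup","image":"C:\\Windows\\system32\\ntdsutil.exe","cmdline":"C:\\Windows\\system32\\ntdsutil.exe \"activate instance ntds\" ifm \"create full C:\\temp\\abc\" quit quit"}
{"host":"WS17","user":"CORP\\j.doe","image":"C:\\Program Files\\Python311\\python.exe","cmdline":"python.exe Get-GPPPassword.py -no-pass corp.local/j.doe@dc01"}
{"host":"WS17","user":"CORP\\j.doe","image":"C:\\Windows\\System32\\wevtutil.exe","cmdline":"wevtutil.exe cl Security"}
{"host":"WS17","user":"CORP\\j.doe","image":"C:\\Windows\\System32\\notepad.exe","cmdline":"notepad.exe C:\\Users\\j.doe\\notes.txt"}
{"host":"DC01","user":"CORP\\svc_backup","image":"C:\\Windows\\system32\\wevtutil.exe","cmdline":"wevtutil.exe qe Security /c:5"}
'''

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for f in results:
        print(f"{f.host} {f.user} [{f.technique}] {f.description}: {f.cmdline}")
    print("collection + log clearing by:", correlate(results))
```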

    After gaining initial access to the network, the actors pursued further access to accounts with access to sensitive information on shipments, such as train schedules and shipping manifests. These accounts contained information on aid shipments to Ukraine, including: 

    • sender,
    • recipient,
    • train/plane/ship numbers,
    • point of departure,
    • destination,
    • container registration numbers,
    • travel route, and
    • cargo contents. 

    In at least one instance, the actors attempted to use voice phishing [T1566.004] to gain access to privileged accounts by impersonating IT staff.

    Malware

    Unit 26165’s use of malware in this campaign ranged from gaining initial access to establishing persistence and exfiltrating data. In some cases, the attack chain resulted in multiple pieces of malware being deployed in succession. The actors used dynamic link library (DLL) search order hijacking [T1574.001] to facilitate malware execution. There were a number of known malware variants tied to this campaign against logistics sector victims, including:

    • HEADLACE [7]
    • MASEPIE [8]

    While other malware variants, such as OCEANMAP and STEELHOOK, [8] were not directly observed targeting logistics or IT entities, their deployment against victims in other sectors in Ukraine and other Western countries suggests that they could be deployed against logistics and IT entities should the need arise. 

    Persistence

    In addition to the abovementioned mailbox permissions abuse, unit 26165 actors also used scheduled tasks [T1053.005], run keys [T1547.001], and placed malicious shortcuts [T1547.009] in the startup folder to establish persistence. 

    Exfiltration

    GRU unit 26165 actors used a variety of methods for data exfiltration that varied based on the victim environment, including both malware and living off the land binaries. PowerShell commands [T1059.001] were often used to prepare data for exfiltration; for example, the actors prepared zip archives [T1560.001] for upload to their own infrastructure. 

    The actors also used server data exchange protocols and Application Programming Interfaces (APIs) such as Exchange Web Services (EWS) and Internet Message Access Protocol (IMAP) [T1114.002] to exfiltrate data from email servers. In multiple instances, the actors used periodic EWS queries [T1119] to collect new emails sent and received since the last data exfiltration [T1029]. The actors typically used infrastructure in close geographic proximity to the victim. Long gaps between exfiltration, the use of trusted and legitimate protocols, and the use of local infrastructure allowed for long-term collection of sensitive data to go undetected. 

    Connections to Targeting of IP Cameras

    In addition to targeting logistics entities, unit 26165 actors likely used access to private cameras at key locations, such as near border crossings, military installations, and rail stations, to track the movement of materials into Ukraine. The actors also used legitimate municipal services, such as traffic cams. 

    The actors targeted Real Time Streaming Protocol (RTSP) servers hosting IP cameras primarily located in Ukraine as early as March 2022 in a large-scale campaign, which included attempts to enumerate devices [T1592] and gain access to the cameras’ feeds [T1125]. Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers, primarily hosting IP cameras [T1090.002]. The DESCRIBE requests were crafted to obtain access to IP cameras located on logically distinct networks from that of the routers that received the request. The requests included Base64-encoded credentials for the RTSP server, which included publicly documented default credentials and likely generic attempts to brute force access to the devices [T1110]. An example of an RTSP request is shown in Figure 3.

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 1
    Authorization: Basic
    User-Agent: WebClient
    Accept: application/sdp

    DESCRIBE rtsp://[IP ADDRESS] RTSP/1.0
    CSeq: 2
    Authorization: Digest username="admin", realm="[a-f0-9]{12}", algorithm="MD5", nonce="[a-f0-9]{32}", uri="", response="[a-f0-9]{32}"
    User-Agent: WebClient
    Accept: application/sdp

    Figure 3: Example RTSP request

    Successful RTSP 200 OK responses contained a snapshot of the IP camera’s image and IP camera metadata such as video codec, resolution, and other properties depending on the IP camera’s configuration. 

    From a sample available to the authoring agencies of over 10,000 cameras targeted via this effort, the geographic distribution of victims showed a strong focus on cameras in Ukraine and border countries, as shown in Table 1:

    Table 1: Geographic distribution of targeted IP cameras
    Country Percentage of Total Attempts
    Ukraine 81.0%
    Romania 9.9%
    Poland 4.0%
    Hungary 2.8%
    Slovakia 1.7%
    Others 0.6%

    Mitigation Actions

    General Security Mitigations

    Architecture and Configuration

    • Employ appropriate network segmentation [D3-NI] and restrictions to limit access and utilize additional attributes (such as device information, environment, and access path) when making access decisions [D3-AMED].
      • Consider Zero Trust principles when designing systems. Base product choices on how those products can solve specific risks identified as part of the end-to-end design. [9]
    • Ensure that host firewalls and network security appliances (e.g., firewalls) are configured to only allow legitimately needed data flows between devices and servers to prevent lateral movement [D3-ITF]. Alert on attempts to connect laterally between host devices or other unusual data flows.
    • Use automated tools to audit access logs for security concerns and identify anomalous access requests [D3-RAPA].
    • For organizations using on-premises authentication and email services, block and alert on NTLM/SMB requests to external infrastructure [D3-OTF].
    • Utilize endpoint detection and response (EDR) and other cybersecurity solutions on all systems, prioritizing high value systems with large amounts of sensitive data such as mail servers and domain controllers [D3-PM] first.
      • Perform threat and attack modeling to understand how sensitive systems may be compromised within an organization’s specific architecture and security controls. Use this to develop a monitoring strategy to detect compromise attempts and select appropriate products to enact this strategy.
    • Collect and monitor Windows logs for certain events, especially for events that indicate that a log was cleared unexpectedly [D3-SFA].
    • Enable optional security features in Windows to harden endpoints and mitigate initial access techniques [D3-AH]:
      • Enable attack surface reduction rules to prevent executable content from email [D3-ABPI].
      • Enable attack surface reduction rules to prevent execution of files from globally writeable directories, such as Downloads or %APPDATA% [D3-EAL].
      • Unless users are involved in the development of scripts, limit the local execution of scripts (such as batch scripts, VBScript, JScript/JavaScript, and PowerShell [10]) to known scripts [D3-EI], and audit execution attempts.
      • Disable Windows Host Scripting functionality and configure PowerShell to run in Constrained mode [D3-ACH].
    • Where feasible, implement allowlisting for applications and scripts to limit execution to only those needed for authorized activities, blocking all others by default [D3-EAL].
    • Consider using open source SIGMA rules as a baseline for detecting and alerting on suspicious file execution or command parameters [D3-PSA].
    • Use services that provide enhanced browsing services and safe link checking [D3-URA]. Significant reductions in successful spearphishing attempts were noted when email providers began offering link checking and automatic file detonation to block malicious content.
    • Where possible, block logins from public VPNs, including exit nodes in the same country as target systems, or, if they need to be allowed, alert on them for further investigation. Most organizations should not need to allow incoming traffic, especially logins to systems, from VPN services [D3-NAM].
    • Educate users to only use approved corporate systems for relevant government and military business and avoid the use of personal accounts on cloud email providers to conduct official business. Network administrators should also audit both email and web request logs to detect such activity.

    Many organizations may not need to allow outgoing traffic to hosting and API mocking services, which are frequently used by GRU unit 26165. Organizations should consider alerting on or blocking the following services, with exceptions allowlisted for legitimate activity [D3-DNSDL].

    • *.000[.]pe
    • *.1cooldns[.]com
    • *.42web[.]io
    • *.4cloud[.]click
    • *.accesscan[.]org
    • *.bumbleshrimp[.]com
    • *.camdvr[.]org
    • *.casacam[.]net
    • *.ddnsfree[.]com
    • *.ddnsgeek[.]com
    • *.ddnsguru[.]com
    • *.dynuddns[.]com
    • *.dynuddns[.]net
    • *.free[.]nf
    • *.freeddns[.]org
    • *.frge[.]io
    • *.glize[.]com
    • *.great-site[.]net
    • *.infinityfreeapp[.]com
    • *.kesug[.]com
    • *.loseyourip[.]com
    • *.lovestoblog[.]com
    • *.mockbin[.]io
    • *.mockbin[.]org
    • *.mocky[.]io
    • *.mybiolink[.]io
    • *.mysynology[.]net
    • *.mywire[.]org
    • *.ngrok[.]io
    • *.ooguy[.]com
    • *.pipedream[.]net
    • *.rf[.]gd
    • *.urlbae[.]com
    • *.webhook[.]site
    • *.webhookapp[.]com
    • *.webredirect[.]org
    • *.wuaze[.]com

    Heuristic detections for web requests to new subdomains, including of the above providers, may uncover malicious phishing activity [D3-DNRA]. Logging the requests for each sub-domain requested by users on a network, such as in DNS or firewall logs, may enable system administrators to identify new targeting and victims.
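The provider list above is published in defanged form, and the text recommends alerting on first-seen subdomains under those providers while allowlisting legitimate exceptions. The Python below is an added example, not code from this advisory or the authoring agencies: it refangs a subset of the list (load the full list the same way), matches DNS query names against it on label boundaries only (so a look-alike such as notmocky.io does not match), honours a constructed allowlist, and marks each subdomain the first time it appears. The DNS log lines are constructed.

```python
# Subset of the hosting and API-mocking providers listed above, in the advisory's
# defanged form; the full list can be loaded the same way.
DEFANGED_PROVIDERS = [
    "*.mocky[.]io", "*.mockbin[.]org", "*.webhook[.]site", "*.pipedream[.]net",
    "*.ngrok[.]io", "*.ddnsfree[.]com", "*.dynuddns[.]com", "*.infinityfreeapp[.]com",
]

# Constructed allowlist of hostnames with an approved business use.
ALLOWLIST = {"approved-sink.pipedream.net"}


def refang(entry):
    """Turn a defanged wildcard entry such as '*.mocky[.]io' into 'mocky.io'."""
    domain = entry.strip().lower().replace("[.]", ".")
    if domain.startswith("*."):
        domain = domain[2:]
    return domain.rstrip(".")


PROVIDERS = {refang(e) for e in DEFANGED_PROVIDERS}


def matched_provider(qname):
    """Return the provider domain that qname (or its parent) equals, else None.
    Matching is done per DNS label so 'notmocky.io' never matches 'mocky.io'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PROVIDERS:
            return candidate
    return None


# Constructed DNS query log lines: timestamp client_ip qname
SAMPLE_DNS_LOG = """\
2024-06-03T09:14:02Z 10.1.2.3 abc123.mocky.io
2024-06-03T09:14:30Z 10.1.2.3 abc123.mocky.io
2024-06-03T09:20:11Z 10.1.2.9 run.mocky.io
2024-06-03T09:21:00Z 10.1.2.9 www.example.com
2024-06-03T09:22:15Z 10.1.2.9 notmocky.io
2024-06-03T09:25:45Z 10.1.2.4 f00d.webhook.site
2024-06-03T09:30:00Z 10.1.2.5 approved-sink.pipedream.net
"""


def scan_dns_log(log_text):
    """Return one record per query that lands under a listed provider; first_seen is
    True the first time a given subdomain appears in the log."""
    seen = set()
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        qname = qname.lower().rstrip(".")
        if qname in ALLOWLIST:
            continue
        provider = matched_provider(qname)
        if provider is None:
            continue
        hits.append({"time": ts, "client": client, "qname": qname,
                     "provider": provider, "first_seen": qname not in seen})
        seen.add(qname)
    return hits


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        marker = "NEW " if hit["first_seen"] else "    "
        print(marker, hit["time"], hit["client"], hit["qname"], "->", hit["provider"])
```

In production the seen-set would be persisted (or replaced by a query against historical DNS data) so that "first seen" spans more than one log file; the first-seen records are the ones worth routing to an analyst, since a fresh subdomain of a free hosting or request-capture service is the signature of a new phishing or collection endpoint.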

    Identity and Access Management

    Organizations should take measures to ensure strong access controls and mitigate against common credential theft techniques: 

    • Use MFA with strong factors, such as passkeys or PKI smartcards, and require regular re-authentication [D3-MFA]. [11], [12] Strong authentication factors are not guessable using dictionary techniques, so they resist brute force attempts.
    • Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering using hardware MFA tokens, and regularly reviewing all privileged user accounts [D3-JFAPA].
    • Separate privileged accounts by role and alert on misuse of privileged accounts [D3-UAP]. For example, email administrator accounts should be different from domain administrator accounts.
    • Reduce reliance on passwords; instead, consider using services like single sign-on [D3-TBA].
      • For organizations using on-premises authentication and email services, plan to disable NTLM entirely and migrate to more robust authentication processes such as PKI certificate authentication.
    • Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change all passwords on the corresponding accounts [D3-CH]. [13]
    • Use account throttling or account lockout [D3-ANET]:
      • Throttling is preferred to lockout. Throttling progressively increases time delay between successive login attempts.
      • Account lockout can leave legitimate users unable to access their accounts and requires access to an account recovery process.
      • Account lockout can provide a malicious actor with an easy way to launch a Denial of Service (DoS).
      • If using lockout, then allowing 5 to 10 attempts before lockout is recommended.
    • Use a service to check for compromised passwords before using them [D3-SPP]. For example, “Have I Been Pwned” can be used to check whether a password has been previously compromised without disclosing the potential password.
    • Change all default credentials [D3-CRO] and disable protocols that use weak authentication (e.g., clear-text passwords or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication [D3-ACH] [D3-ET]. Always configure access controls carefully to ensure that only well-maintained and well-authenticated accounts have access. [13]
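The throttling-versus-lockout guidance above can be made concrete with two small policy classes. The Python below is an added example, not code from this advisory or the authoring agencies. It assumes an injectable clock (so the behaviour can be simulated without waiting) and a doubling delay schedule, which is one reasonable choice for "progressively increases time delay"; the lockout variant uses the recommended threshold range. The simulations show why lockout hands a third party a denial-of-service against the account owner while throttling only slows the guesser.

```python
class LoginThrottle:
    """Progressive throttling: each failure doubles the wait before the next
    attempt on that account is even evaluated; a success resets the counter."""

    def __init__(self, base_delay=1.0, max_delay=60.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.failures = {}       # account -> consecutive failures
        self.next_allowed = {}   # account -> earliest time an attempt is evaluated

    def attempt(self, account, credential_ok, now):
        """Return (accepted, retry_after_seconds). `now` is a float clock value."""
        wait = self.next_allowed.get(account, 0.0) - now
        if wait > 0:
            return False, wait   # too early: not evaluated and not counted
        if credential_ok:
            self.failures.pop(account, None)
            self.next_allowed.pop(account, None)
            return True, 0.0
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        delay = min(self.max_delay, self.base_delay * 2 ** (n - 1))
        self.next_allowed[account] = now + delay
        return False, delay


class LockoutPolicy:
    """Hard lockout after `threshold` consecutive failures (the advisory recommends
    5 to 10). Once locked, even the correct credential is refused until recovery."""

    def __init__(self, threshold=5):
        self.threshold = threshold
        self.failures = {}
        self.locked = set()

    def attempt(self, account, credential_ok):
        """Return (accepted, locked)."""
        if account in self.locked:
            return False, True
        if credential_ok:
            self.failures.pop(account, None)
            return True, False
        n = self.failures.get(account, 0) + 1
        self.failures[account] = n
        if n >= self.threshold:
            self.locked.add(account)
            return False, True
        return False, False


def simulate_throttle():
    """Five wrong guesses against 'alice' (guesser waits out each delay), then the
    owner logs in: once 5 s too early, once on time. Returns (delays, early, owner)."""
    policy = LoginThrottle()
    now = 0.0
    delays = []
    for _ in range(5):
        _, delay = policy.attempt("alice", False, now)
        delays.append(delay)
        now += delay
    early = policy.attempt("alice", True, now - 5)   # still inside the wait window
    owner = policy.attempt("alice", True, now)       # wait elapsed: accepted
    return delays, early, owner


def simulate_lockout():
    """The same five wrong guesses under lockout, then the owner's correct login."""
    policy = LockoutPolicy(threshold=5)
    states = [policy.attempt("alice", False) for _ in range(5)]
    owner = policy.attempt("alice", True)
    return states, owner


if __name__ == "__main__":
    print("throttle:", simulate_throttle())
    print("lockout :", simulate_lockout())
```

Under throttling the fifth guess already costs a 16 second wait and the owner's correct login succeeds as soon as the window has elapsed; under lockout the owner's correct login is refused and an account recovery process is required, which is the DoS the text warns about.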

    IP Camera Mitigations

    The following mitigation techniques for IP cameras can be used to defend against this type of malicious activity:

    • Ensure IP cameras are currently supported. Replace devices that are out of support.
    • Apply security patches and firmware updates to all IP cameras [D3-SU].
    • Disable remote access to the IP camera, if unnecessary [D3-ITF].
    • Ensure cameras are protected by a security appliance, if possible, such as by using a firewall to prevent communication with the camera from IP addresses not on an allowlist [D3-NAM].
    • If remote access to IP camera feeds is required, ensure authentication is enabled [D3-AA] and use a VPN to connect remotely [D3-ET]. Use MFA for management accounts if supported [D3-MFA].
    • Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers [D3-NI].
    • Turn off other ports/services not in use (e.g., FTP, web interface, etc.) [D3-ACH].
    • If supported, enable authenticated RTSP access only [D3-AA].
    • Review all authentication activity for remote access to make sure it is valid and expected [D3-UBA]. Investigate any unexpected or unusual activity.
    • Audit IP camera user accounts to ensure they are an accurate reflection of your organization and that they are being used as expected [D3-UAP].
    • Configure, tune, and monitor logging—if available—on the IP camera.

    Indicators of Compromise (IOCs)

    Note: Specific IoCs may no longer be actor controlled, may themselves be compromised infrastructure or email accounts, or may be shared infrastructure such as public VPN or Tor exit nodes. Care should be taken when triaging logs or developing detection rules based on these indicators. GRU unit 26165 almost certainly uses extensive further infrastructure and TTPs not specifically listed in this report.

    Utilities and scripts

    Legitimate utilities

    Unauthorized or unusual use of the following legitimate utilities can be an indication of a potential compromise:

    • ntdsutil – A legitimate Windows executable used by threat actors to export contents of Active Directory
    • wevtutil – A legitimate Windows executable used by threat actors to delete event logs
    • vssadmin – A legitimate Windows executable possibly used by threat actors to make a copy of the server’s C: drive
    • ADexplorer – A legitimate Windows executable to view, edit, and backup Active Directory Certificate Services
    • OpenSSH – The Windows version of a legitimate open source SSH client
    • schtasks – A legitimate Windows executable used to create persistence using scheduled tasks
    • whoami – A legitimate Windows executable used to retrieve the name of the current user
    • tasklist – A legitimate Windows executable used to retrieve the list of running processes
    • hostname – A legitimate Windows executable used to retrieve the device name
    • arp – A legitimate Windows executable used to retrieve the ARP table for mapping the network environment
    • systeminfo – A legitimate Windows executable used to retrieve a comprehensive summary of device and operating system information
    • net – A legitimate Windows executable used to retrieve detailed user information
    • wmic – A legitimate Windows executable used to interact with Windows Management Instrumentation (WMI), such as to retrieve letters assigned to logical partitions on storage drives
    • cacls – A legitimate Windows executable used to modify permissions on files
    • icacls – A legitimate Windows executable used to modify permissions to files and handle integrity levels and ownership
    • ssh – A legitimate Windows executable used to establish network shell connections
    • reg – A legitimate Windows executable used to add to or modify the system registry 

    Note: Additional heuristics are needed for effective hunting for these and other living off the land (LOTL) binaries to avoid being overwhelmed by false positives if these legitimate management tools are used regularly. See the joint guide, Identifying and Mitigating Living Off the Land Techniques, for guidance on developing a multifaceted cybersecurity strategy that enables behavior analytics, anomaly detection, and proactive hunting, which are part of a comprehensive approach to mitigating cyber threats that employ LOTL techniques.

    Malicious scripts

    • Certipy – An open source python tool for enumerating and abusing Active Directory Certificate Services
    • Get-GPPPassword.py – An open source python script for finding insecure passwords stored in Group Policy Preferences
    • ldap-dump.py – A script for enumerating user accounts and other information in Active Directory
    • Hikvision backdoor string: “YWRtaW46MTEK”

    Suspicious command lines

    While the following utilities are legitimate, and using them with the command lines shown may also be legitimate, these command lines are often used during malicious activities and could be an indication of a compromise:

    • edge.exe “-headless-new -disable-gpu”
    • ntdsutil.exe “activate instance ntds” ifm “create full C:\temp\[a-z]{3}” quit quit
    • ssh -Nf
    • schtasks /create /xml
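The utilities and command lines listed above are legitimate, so the note about needing additional heuristics applies: a useful hunt pairs exact command-line patterns with a behavioural signal such as several discovery utilities run by one user within a short window. The Python below is an added example, not code from this advisory or the authoring agencies. It assumes a simplified process-creation log (timestamp, user, image path, command line, pipe-separated; the lines are constructed) and encodes only the command lines and utilities named on this page.

```python
import re
from collections import defaultdict
from datetime import datetime

# Command-line patterns drawn from the "Suspicious command lines" and
# "Legitimate utilities" lists above (ntdsutil IFM export, wevtutil log clearing,
# headless Edge, background ssh, schtasks from XML).
SUSPICIOUS_PATTERNS = [
    ("ntdsutil-ifm", re.compile(r"ntdsutil.*\bifm\b.*create\s+full", re.I)),
    ("eventlog-clear", re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I)),
    ("headless-edge", re.compile(r"edge(\.exe)?\b.*-headless.*-disable-gpu", re.I)),
    ("ssh-background-tunnel", re.compile(r"\bssh(\.exe)?\b.*\s-Nf\b", re.I)),
    ("schtasks-xml-create", re.compile(r"schtasks.*/create\b.*/xml\b", re.I)),
]

# Discovery utilities from the legitimate-utilities list; several of them run by
# one user within a short window is the behavioural heuristic.
DISCOVERY_TOOLS = {"whoami", "tasklist", "hostname", "arp", "systeminfo", "net", "wmic"}

# Constructed sample log: timestamp|user|image|commandline (raw string keeps backslashes).
SAMPLE_LOG = r"""
2024-06-03T10:00:01Z|CORP\svc_backup|C:\Windows\System32\ntdsutil.exe|ntdsutil.exe "activate instance ntds" ifm "create full C:\temp\abc" quit quit
2024-06-03T10:00:05Z|CORP\svc_backup|C:\Windows\System32\wevtutil.exe|wevtutil cl Security
2024-06-03T10:01:10Z|CORP\j.doe|C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe|msedge --headless=new --disable-gpu
2024-06-03T10:02:00Z|CORP\j.doe|C:\Windows\System32\OpenSSH\ssh.exe|ssh -Nf relay-host.example
2024-06-03T10:03:00Z|CORP\j.doe|C:\Windows\System32\schtasks.exe|schtasks /create /xml C:\temp\task.xml /tn Updater
2024-06-03T10:05:00Z|CORP\j.doe|C:\Windows\System32\whoami.exe|whoami
2024-06-03T10:05:04Z|CORP\j.doe|C:\Windows\System32\HOSTNAME.EXE|hostname
2024-06-03T10:05:09Z|CORP\j.doe|C:\Windows\System32\tasklist.exe|tasklist /v
2024-06-03T10:05:20Z|CORP\j.doe|C:\Windows\System32\systeminfo.exe|systeminfo
2024-06-03T10:05:31Z|CORP\j.doe|C:\Windows\System32\net.exe|net user
2024-06-03T11:00:00Z|CORP\helpdesk|C:\Windows\System32\tasklist.exe|tasklist
"""


def parse_event(line):
    ts, user, image, cmd = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "user": user, "image": image, "cmd": cmd}


def tool_name(image_path):
    """Lower-cased executable name without extension, e.g. 'HOSTNAME.EXE' -> 'hostname'."""
    name = image_path.rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def scan_process_log(log_text, window_s=120, min_distinct=4):
    """Return findings as dicts with rule, user and commandline. Exact patterns are
    reported per event; a 'discovery-burst' is reported once per user who runs at
    least min_distinct different discovery tools within window_s seconds."""
    events = [parse_event(l) for l in log_text.splitlines() if l.strip()]
    findings = []
    for ev in events:
        for name, rx in SUSPICIOUS_PATTERNS:
            if rx.search(ev["cmd"]):
                findings.append({"rule": name, "user": ev["user"], "commandline": ev["cmd"]})

    by_user = defaultdict(list)
    for ev in events:
        tool = tool_name(ev["image"])
        if tool in DISCOVERY_TOOLS:
            by_user[ev["user"]].append((ev["ts"], tool))
    for user, runs in by_user.items():
        runs.sort()
        for i, (start, _) in enumerate(runs):
            seen = {t for ts, t in runs[i:] if (ts - start).total_seconds() <= window_s}
            if len(seen) >= min_distinct:
                findings.append({"rule": "discovery-burst", "user": user,
                                 "commandline": ", ".join(sorted(seen))})
                break
    return findings


if __name__ == "__main__":
    for f in scan_process_log(SAMPLE_LOG):
        print(f"{f['rule']:22} {f['user']:18} {f['commandline']}")
```

The single helpdesk tasklist run produces nothing, which is the point of the burst heuristic: individual LOTL binaries are noise in most environments, while the combination of an IFM export, a log clear, and a discovery burst from one account within minutes is worth an analyst's time.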

    Outlook CVE Exploitation IOCs

    • md-shoeb@alfathdoor[.]com[.]sa
    • jayam@wizzsolutions[.]com
    • accounts@regencyservice[.]in
    • m.salim@tsc-me[.]com
    • vikram.anand@4ginfosource[.]com
    • mdelafuente@ukwwfze[.]com
    • sarah@cosmicgold469[.]co[.]za
    • franch1.lanka@bplanka[.]com
    • commerical@vanadrink[.]com
    • maint@goldenloaduae[.]com
    • karina@bhpcapital[.]com
    • tv@coastalareabank[.]com
    • ashoke.kumar@hbclife[.]in
    • 213[.]32[.]252[.]221
    • 124[.]168[.]91[.]178
    • 194[.]126[.]178[.]8
    • 159[.]196[.]128[.]120

    Commonly Used Webmail Providers

    • portugalmail[.]pt
    • mail-online[.]dk
    • email[.]cz
    • seznam[.]cz

    Malicious Archive Filenames Involving CVE-2023-38831

    • calc.war.zip
    • news_week_6.zip
    • Roadmap.zip
    • SEDE-PV-2023-10-09-1_EN.zip
    • war.zip
    • Zeyilname.zip

    Brute Forcing IP Addresses

    Disclaimer: These IP addresses date from June 2024 through August 2024. The authoring agencies recommend organizations investigate or vet these IP addresses prior to taking action, such as blocking.

    June 2024

    • 192[.]162[.]174[.]94
    • 103[.]97[.]203[.]29
    • 209[.]14[.]71[.]127
    • 109[.]95[.]151[.]207

    July 2024

    • 207[.]244[.]71[.]84
    • 162[.]210[.]194[.]2

    August 2024

    • 31[.]135[.]199[.]145
    • 31[.]42[.]4[.]138
    • 46[.]112[.]70[.]252
    • 46[.]248[.]185[.]236
    • 64[.]176[.]67[.]117
    • 64[.]176[.]69[.]196
    • 64[.]176[.]70[.]18
    • 64[.]176[.]70[.]238
    • 64[.]176[.]71[.]201
    • 70[.]34[.]242[.]220
    • 70[.]34[.]243[.]226
    • 70[.]34[.]244[.]100
    • 70[.]34[.]245[.]215
    • 70[.]34[.]252[.]168
    • 70[.]34[.]252[.]186
    • 70[.]34[.]252[.]222
    • 70[.]34[.]253[.]13
    • 70[.]34[.]253[.]247
    • 70[.]34[.]254[.]245
    • 79[.]184[.]25[.]198
    • 79[.]185[.]5[.]142
    • 83[.]10[.]46[.]174
    • 83[.]168[.]66[.]145
    • 83[.]168[.]78[.]27
    • 83[.]168[.]78[.]31
    • 83[.]168[.]78[.]55
    • 83[.]23[.]130[.]49
    • 83[.]29[.]138[.]115
    • 89[.]64[.]70[.]69
    • 90[.]156[.]4[.]204
    • 91[.]149[.]202[.]215
    • 91[.]149[.]203[.]73
    • 91[.]149[.]219[.]158
    • 91[.]149[.]219[.]23
    • 91[.]149[.]223[.]130
    • 91[.]149[.]253[.]118
    • 91[.]149[.]253[.]198
    • 91[.]149[.]253[.]20
    • 91[.]149[.]253[.]204
    • 91[.]149[.]254[.]75
    • 91[.]149[.]255[.]122
    • 91[.]149[.]255[.]19
    • 91[.]149[.]255[.]195
    • 91[.]221[.]88[.]76
    • 93[.]105[.]185[.]139
    • 95[.]215[.]76[.]209
    • 138[.]199[.]59[.]43
    • 147[.]135[.]209[.]245
    • 178[.]235[.]191[.]182
    • 178[.]37[.]97[.]243
    • 185[.]234[.]235[.]69
    • 192[.]162[.]174[.]67
    • 194[.]187[.]180[.]20
    • 212[.]127[.]78[.]170
    • 213[.]134[.]184[.]167

    Detections

    Customized NTLM listener

    rule APT28_NTLM_LISTENER {
        meta:
            description = "Detects NTLM listeners including APT28's custom one"
        strings:
            $command_1 = "start-process powershell.exe -WindowStyle hidden"
            $command_2 = "New-Object System.Net.HttpListener"
            $command_3 = "Prefixes.Add('http://localhost:8080/')"
            $command_4 = "-match 'Authorization'"
            $command_5 = "GetValues('Authorization')"
            $command_6 = "Request.RemoteEndPoint.Address.IPAddressToString"
            $command_7 = "@(0x4e,0x54,0x4c,0x4d, 0x53,0x53,0x50,0x00,0x02,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x28,0x00,0x00,0x01,0x82,0x00,0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00)"
            $command_8 = ".AllKeys"

            $variable_1 = "$NTLMAuthentication" nocase
            $variable_2 = "$NTLMType2" nocase
            $variable_3 = "$listener" nocase
            $variable_4 = "$hostip" nocase
            $variable_5 = "$request" nocase
            $variable_6 = "$ntlmt2" nocase
            $variable_7 = "$NTLMType2Response" nocase
            $variable_8 = "$buffer" nocase
        condition:
            5 of ($command_*)
            or
            all of ($variable_*)
    }

    HEADLACE shortcut

    rule APT28_HEADLACE_SHORTCUT {
        meta:
            description = "Detects the HEADLACE backdoor shortcut dropper. Rule is meant for threat hunting."
        strings:
            $type = "[InternetShortcut]" ascii nocase
            $url  = "file://"
            $edge = "msedge.exe"
            $icon = "IconFile"
        condition:
            all of them
    }

    HEADLACE credential dialog box phishing

    rule APT28_HEADLACE_CREDENTIALDIALOG {
        meta:
            description = "Detects scripts used by APT28 to lure user into entering credentials"
        strings:
            $command_1 = "while($true)"
            $command_2 = "Get-Credential $(whoami)"
            $command_3 = "Add-Content"
            $command_4 = ".UserName"
            $command_5 = ".GetNetworkCredential().Password"
            $command_6 = "GetNetworkCredential().Password.Length -ne 0"
        condition:
            5 of them
    }

    HEADLACE core script

    rule APT28_HEADLACE_CORE {
        meta:
            description = "Detects HEADLACE core batch scripts"
        strings:
            $chcp = "chcp 65001" ascii
            $headless = "start \"\" msedge --headless=new --disable-gpu" ascii

            $command_1 = "taskkill /im msedge.exe /f" ascii
            $command_2 = "whoami>\"%programdata%\\" ascii
            $command_3 = "timeout" ascii
            $command_4 = "copy \"%programdata%\\" ascii
            $non_generic_del_1 = "del /q /f \"%programdata%\\" ascii
            $non_generic_del_3 = "del /q /f \"%userprofile%\\Downloads" ascii

            $generic_del = "del /q /f" ascii
        condition:
            (
                $chcp
                and
                $headless
            )
            and
            (
                1 of ($non_generic_del_*)
                or
                ($generic_del)
                or
                3 of ($command_*)
            )
    }

    MASEPIE

    rule APT28_MASEPIE {
        meta:
            description = "Detects MASEPIE python script"
        strings:
            $masepie_unique_1 = "os.popen('whoami').read()"
            $masepie_unique_2 = "elif message == 'check'"
            $masepie_unique_3 = "elif message == 'send_file':"
            $masepie_unique_4 = "elif message == 'get_file'"
            $masepie_unique_5 = "enc_mes('ok'"
            $masepie_unique_6 = "Bad command!'.encode('ascii'"
            $masepie_unique_7 = "{user}{SEPARATOR}{k}"
            $masepie_unique_8 = "raise Exception(\"Reconnect"
        condition:
            3 of ($masepie_unique_*)
    }

    STEELHOOK

    rule APT28_STEELHOOK {
        meta:
            description = "Detects APT28's STEELHOOK powershell script"
        strings:
            $s_1 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State)"
            $s_2 = "$($env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\\Login Data)"
            $s_3 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Local State)"
            $s_4 = "$($env:LOCALAPPDATA\\Microsoft\\Edge\\User Data\\Default\\Login Data)"
            $s_5 = "os_crypt.encrypted_key"
            $s_6 = "System.Security.Cryptography.DataProtectionScope"
            $s_7 = "[system.security.cryptography.protectdata]::Unprotect"
            $s_8 = "Invoke-RestMethod"
        condition:
            all of them
    }

    PSEXEC

    rule GENERIC_PSEXEC {
        meta:
            description = "Detects SysInternals PSEXEC executable"
        strings:
            $sysinternals_1 = "SYSINTERNALS SOFTWARE LICENCE TERMS"
            $sysinternals_2 = "/accepteula"
            $sysinternals_3 = "Software\\Sysinternals"
            $network_1 = "\\\\%s\\IPC$"
            $network_2 = "\\\\%s\\ADMIN$\\%s"
            $network_3 = "\\Device\\LanmanRedirector\\%s\\ipc$"
            $psexec_1 = "PSEXESVC"
            $psexec_2 = "PSEXEC-{}-"
            $psexec_3 = "Copying %s to %s..."
            $psexec_4 = "gPSINFSVC"
        condition:
            (
                ( uint16(0x0) == 0x5a4d )
                and
                ( uint16(uint32(0x3c)) == 0x4550 )
            )
            and
                filesize < 1024KB
            and
            (
                ( any of ($sysinternals_*) and any of ($psexec_*) )
                or
                ( 2 of ($network_*) and 2 of ($psexec_*) )
            )
    }

    The cybersecurity industry provides overlapping cyber threat intelligence, IOCs, and mitigation recommendations related to GRU unit 26165 cyber actors. While not all encompassing, the following are the most notable threat group names related under MITRE ATT&CK G0007 and commonly used within the cybersecurity community: 

    • APT28 [14]
    • Fancy Bear [14]
    • Forest Blizzard [14]
    • Blue Delta [15]

    Note: Cybersecurity companies have different methods of tracking and attributing cyber actors, and this may not be a 1:1 correlation to the U.S. government’s understanding for all activity related to these groupings.

    Further Reference

    To search for the presence of malicious email messages targeting CVE-2023-23397, network defenders may consider using the script published by Microsoft: https://aka.ms/CVE-2023-23397ScriptDoc. 

    For the Impacket TTP, network defenders may consider using the following publicly available Impacket YARA detection rule:
    https://github.com/Neo23x0/signature-base/blob/master/yara/gen_impacket_tools.yar

    Works Cited

    [1] Microsoft. Defending Ukraine: Early Lessons from the Cyber War. 2022. https://blogs.microsoft.com/on-the-issues/2022/06/22/defending-ukraine-early-lessons-from-the-cyber-war/  
    [2] FBI et al. Russian Cyber Actors Use Compromised Routers to Facilitate Cyber Operations. 2024. https://media.defense.gov/2024/Feb/27/2003400753/-1/-1/0/CSA-Russian-Actors-Use-Routers-Facilitate-Cyber_Operations.PDF   
    [3] NSA et al. Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. 2021. https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/0/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF 
    [4] ANSSI. Campagnes d'attaques du mode opératoire APT28 depuis 2021. 2023. https://cert.ssi.gouv.fr/cti/CERTFR-2023-CTI-009/  
    [5] ANSSI. Targeting and compromise of French entities using the APT28 intrusion set. 2025. https://cert.ssi.gouv.fr/cti/CERTFR-2025-CTI-007/
    [6] Polish Cyber Command. Detecting Malicious Activity Against Microsoft Exchange Servers. 2023. https://www.wojsko-polskie.pl/woc/articles/aktualnosci-w/detecting-malicious-activity-against-microsoft-exchange-servers/ 
    [7] IBM. Israel-Hamas Conflict Lures to Deliver Headlace Malware. 2023. https://securityintelligence.com/x-force/itg05-ops-leverage-israel-hamas-conflict-lures-to-deliver-headlace-malware/ 
    [8] CERT-UA. APT28: From Initial Attack to Creating Domain Controller Threats in an Hour. 2023. https://cert.gov.ua/article/6276894 
    [9] NSA. Embracing a Zero Trust Security Model. 2021. https://media.defense.gov/2021/Feb/25/2002588479/-1/-1/0/CSI_EMBRACING_ZT_SECURITY_MODEL_UOO115131-21.PDF  
    [10] NSA et al. Keeping PowerShell: Security Measures to Use and Embrace. 2022. https://media.defense.gov/2022/Jun/22/2003021689/-1/-1/0/CSI_KEEPING_POWERSHELL_SECURITY_MEASURES_TO_USE_AND_EMBRACE_20220622.PDF 
    [11] National Institute of Standards and Technology (NIST). Special Publication 800-63B: Digital Identity Guidelines – Authentication and Lifecycle Management. 2020. https://pages.nist.gov/800-63-3/sp800-63b.html 
    [12] NSA. Selecting Secure Multi-factor Authentication Solutions. October 16, 2020. https://media.defense.gov/2024/Jul/31/2003515137/-1/-1/0/MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF  
    [13] NSA and CISA. NSA and CISA Red and Blue Teams Share Top Ten Cybersecurity Misconfigurations. 2023. https://media.defense.gov/2023/Oct/05/2003314578/-1/-1/0/JOINT_CSA_TOP_TEN_MISCONFIGURATIONS_TLP-CLEAR.PDF
    [14] Department of Justice. Justice Department Conducts Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate of the General Staff (GRU). 2024. https://www.justice.gov/archives/opa/pr/justice-department-conducts-court-authorized-disruption-botnet-controlled-russian
    [15] Recorded Future. GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns. 2024. https://go.recordedfuture.com/hubfs/reports/CTA-RU-2024-0530.pdf

    Disclaimer of endorsement

    The information and opinions contained in this document are provided "as is" and without any warranties or guarantees. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by the United States Government, and this guidance shall not be used for advertising or product endorsement purposes.

    Purpose

    This document was developed in furtherance of the authoring agencies’ cybersecurity missions, including their responsibilities to identify and disseminate threats and to develop and issue cybersecurity specifications and mitigations. This information may be shared broadly to reach all appropriate stakeholders.

    Contact

    United States organizations

    • National Security Agency (NSA)
    • Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI)
      • U.S. organizations are encouraged to report suspicious or criminal activity related to information in this advisory to CISA via the agency’s Incident Reporting System, its 24/7 Operations Center (report@cisa.gov or 888-282-0870), or your local FBI field office. When available, please include the following information regarding the incident: date, time, and location of the incident; type of activity; number of people affected; type of equipment used for the activity; the name of the submitting company or organization; and a designated point of contact.
    • Department of Defense Cyber Crime Center (DC3)

    United Kingdom organizations

    Germany organizations

    Czech Republic organizations

    Poland organizations

    Australian organizations

    • Visit cyber.gov.au or call 1300 292 371 (1300 CYBER 1) to report cybersecurity incidents and access alerts and advisories.

    Canadian organizations

    Estonia organizations

    French organizations

    • French organizations are encouraged to report suspicious activity or incidents related to information found in this advisory by contacting ANSSI/CERT-FR by email at cert-fr@ssi.gouv.fr or by phone at 3218 or +33 9 70 83 32 18.

    See Table 2 through Table 14 for all the threat actor tactics and techniques referenced in this advisory.

    Table 2: Reconnaissance
    Tactic/Technique Title ID Use
    Reconnaissance TA0043 Conducted reconnaissance on at least one entity involved in the production of ICS components for railway management.
    Gather Victim Identity Information: Email Addresses T1589.002 Conducted contact information reconnaissance to identify additional targets in key positions.
    Gather Victim Org Information T1591 Conducted reconnaissance of the cybersecurity department.
    Gather Victim Org Information: Identify Roles T1591.004 Conducted reconnaissance of individuals responsible for coordinating transport.
    Gather Victim Org Information: Business Relationships T1591.002 Conducted reconnaissance of other companies cooperating with the victim entity.
    Gather Victim Host Information T1592 Attempted to enumerate Real Time Streaming Protocol (RTSP) servers hosting IP cameras.
    Table 3: Resource development
    Tactic/Technique Title ID Use
    Compromise Accounts: Email Accounts T1586.002 Sent phishing emails using compromised accounts.
    Compromise Accounts: Cloud Accounts T1586.003 Sent phishing emails using compromised accounts.
    Table 4: Initial Access
    Tactic/Technique Title ID Use
    Trusted Relationship T1199 Conducted follow-on targeting of additional entities in the transportation sector that had business ties to the primary target, exploiting trust relationships to attempt to gain additional access.
    Phishing T1566 Used spearphishing for credentials and delivering malware to gain initial access to targeted entities.
    Phishing: Spearphishing Attachment T1566.001 Sent emails with malicious attachments.
    Phishing: Spearphishing Link T1566.002 Used spearphishing with included links to fake login pages. Sent emails with embedded hyperlinks that downloaded a malicious archive.
    Phishing: Spearphishing Voice T1566.004 Attempted to use voice phishing to gain access to privileged accounts by impersonating IT staff.
    External Remote Services T1133 Exploited Internet-facing infrastructure, including corporate VPNs, to gain initial access to targeted entities.
    Exploit Public-Facing Application T1190 Exploited public vulnerabilities and SQL injection to gain initial access to targeted entities.
    Content Injection T1659 Leveraged a WinRAR vulnerability allowing for the execution of arbitrary code embedded in an archive.
    Table 5: Execution
    Tactic/Technique Title ID Use
    User Execution: Malicious Link T1204.001 Used spearphishing links that pointed to hosted shortcut files.
    User Execution: Malicious File T1204.002 Delivered malware executables via spearphishing.
    Scheduled Task/Job: Scheduled Task T1053.005 Used scheduled tasks to establish persistence.
    Command and Scripting Interpreter T1059 Delivered scripts via spearphishing and executed arbitrary shell commands.
    Command and Scripting Interpreter: PowerShell T1059.001 Often used PowerShell commands to prepare data for exfiltration.
    Command and Scripting Interpreter: Windows Command Shell T1059.003 Used BAT scripts in spearphishing.
    Command and Scripting Interpreter: Visual Basic T1059.005 Used VBScript in spearphishing.
    Command and Scripting Interpreter: Python T1059.006 Installed Python on infected machines to run Certipy.
    Table 6: Persistence
    Tactic/Technique Title ID Use
    Account Manipulation: Additional Email Delegate Permissions T1098.002 Manipulated mailbox permissions to establish sustained email collection.
    Modify Authentication Process: Multi-Factor Authentication T1556.006 Enrolled compromised accounts in MFA mechanisms to raise the trust level of those accounts and enable sustained access.
    Hijack Execution Flow: DLL Search Order Hijacking T1574.001 Used DLL search order hijacking to facilitate malware execution.
    Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder T1547.001 Used Run keys to establish persistence.
    Boot or Logon Autostart Execution: Shortcut Modification T1547.009 Placed malicious shortcuts in the Startup folder to establish persistence.
    Table 7: Defense Evasion
    Tactic/Technique Title ID Use
    Indicator Removal: Clear Windows Event Logs T1070.001 Deleted event logs with the wevtutil utility.
    Table 8: Credential access 
    Tactic/Technique Title ID Use

    Brute Force Sent requests with Base64-encoded credentials to the RTSP server, including publicly documented default credentials; these were likely generic attempts to brute force access to the devices.
    Brute Force: Password Guessing T1110.001 Used credential guessing to gain initial access to targeted entities.
    Brute Force: Password Spraying T1110.003 Used brute force to gain initial access to targeted entities. Conducted a brute force password spray via LDAP.
    Multi-Factor Authentication Interception Used multi-stage redirectors to provide MFA relaying capabilities in some campaigns.
    Input Capture Used multi-stage redirectors to provide CAPTCHA relaying capabilities in some campaigns.
    Forced Authentication Used an Outlook NTLM vulnerability (CVE-2023-23397, see Appendix B) to collect NTLM hashes and credentials via specially crafted Outlook calendar appointment invitations.
    OS Credential Dumping: NTDS T1003.003 Attempted to dump Active Directory NTDS.dit domain databases.
    Unsecured Credentials: Group Policy Preferences T1552.006 Retrieved plaintext passwords from Group Policy Preferences using Get-GPPPassword.py.

    Table 9: Discovery
    Tactic/Technique Title ID Use

    Account Discovery: Domain Account T1087.002 Used a modified ldap-dump.py to enumerate the Windows environment.

    Table 10: Command and Control
    Tactic/Technique Title ID Use

    Hide Infrastructure T1665 Abused SOHO devices to facilitate covert cyber operations and to proxy malicious activity through devices geolocated near the target.
    Proxy: External Proxy T1090.002 Actor-controlled servers sent RTSP DESCRIBE requests destined for RTSP servers.
    Proxy: Multi-hop Proxy T1090.003 Used Tor and commercial VPNs as part of their anonymization infrastructure.
    Encrypted Channel T1573 Connected to victim infrastructure over TLS.
    Multi-Stage Channels T1104 Used multi-stage redirectors for campaigns.
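    The Brute Force row in Table 8 and the External Proxy row in Table 10 describe the same camera activity from two sides: actor-controlled servers sending RTSP DESCRIBE requests, and those requests carrying Base64-encoded Basic credentials that included documented defaults. The following is an added example, not code from the advisory, showing how a defender can turn a capture of such requests into a per-source classification: it parses each DESCRIBE request, decodes the Basic-auth credential, and labels the source as probing, trying default credentials, guessing passwords for one user, or spraying across users. The capture, the camera addresses and the default-credential list are constructed for the example, and the thresholds are assumptions to tune.

```python
"""Classify RTSP DESCRIBE attempts against IP cameras by the credentials they carry.

Added example, not code from the advisory. Assumes captured RTSP requests are
available as (src, dst, raw_request) tuples; the capture below is constructed.
"""
import base64
import binascii
from collections import defaultdict

# Illustrative subset of publicly documented camera factory defaults (assumption:
# a real deployment loads the list for the camera models it actually owns).
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "12345"), ("admin", "123456"), ("admin", ""),
    ("root", "root"), ("root", "12345"), ("user", "user"), ("guest", "guest"),
}


def parse_rtsp_request(raw):
    """Split one RTSP request into (method, url, headers); header names lower-cased."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("RTSP/"):
        raise ValueError("not an RTSP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def decode_basic_auth(value):
    """Decode an 'Authorization: Basic <b64>' value into (user, password), or None."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def classify_sources(requests, guess_threshold=5, spray_threshold=5):
    """Label each (src, dst) pair: unauthenticated_probe, default_credentials,
    password_guessing (one user, >= guess_threshold passwords) and/or
    password_spraying (>= spray_threshold distinct users)."""
    per_pair = defaultdict(lambda: {"attempts": 0, "probes": 0, "defaults": set(),
                                    "passwords_by_user": defaultdict(set)})
    for src, dst, raw in requests:
        method, _url, headers = parse_rtsp_request(raw)
        if method != "DESCRIBE":
            continue
        stats = per_pair[(src, dst)]
        stats["attempts"] += 1
        cred = decode_basic_auth(headers.get("authorization", ""))
        if cred is None:
            stats["probes"] += 1
            continue
        stats["passwords_by_user"][cred[0]].add(cred[1])
        if cred in DEFAULT_CREDENTIALS:
            stats["defaults"].add(cred)

    findings = {}
    for pair, stats in per_pair.items():
        by_user = stats["passwords_by_user"]
        labels = set()
        if stats["probes"]:
            labels.add("unauthenticated_probe")
        if stats["defaults"]:
            labels.add("default_credentials")
        if any(len(pws) >= guess_threshold for pws in by_user.values()):
            labels.add("password_guessing")
        if len(by_user) >= spray_threshold:
            labels.add("password_spraying")
        findings[pair] = {"attempts": stats["attempts"], "users": sorted(by_user),
                          "labels": sorted(labels)}
    return findings


def _describe(dst, user=None, password=None, cseq=1):
    """Build one constructed DESCRIBE request, optionally with Basic credentials."""
    auth = ""
    if user is not None:
        token = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
        auth = "Authorization: Basic %s\r\n" % token
    return ("DESCRIBE rtsp://%s:554/live RTSP/1.0\r\nCSeq: %d\r\n%s"
            "User-Agent: LibVLC/3.0.18\r\n\r\n" % (dst, cseq, auth))


# Constructed capture: one source probes then guesses admin passwords on camera .5;
# another tries documented defaults across several users on camera .6.
SAMPLE_REQUESTS = (
    [("198.51.100.7", "10.0.0.5", _describe("10.0.0.5"))]
    + [("198.51.100.7", "10.0.0.5", _describe("10.0.0.5", "admin", pw, i + 2))
       for i, pw in enumerate(["admin", "12345", "123456", "password", "camera1", "Passw0rd"])]
    + [("203.0.113.9", "10.0.0.6", _describe("10.0.0.6", u, u, i + 1))
       for i, u in enumerate(["root", "user", "guest", "operator", "viewer"])]
)

if __name__ == "__main__":
    for pair, finding in classify_sources(SAMPLE_REQUESTS).items():
        print(pair, finding)
```

    The decoded credential is what makes the RTSP evidence actionable: a hit on a factory default tells you which cameras are still on shipped credentials (the Credential Rotation and Agent Authentication rows in Appendix C), while the guessing and spraying labels separate a targeted attempt from background scanning. Basic auth is the only scheme decoded here; RTSP Digest challenges carry no recoverable password and are counted as attempts without a credential.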

    Table 11: Defense evasion (mobile framework)
    Tactic/Technique Title ID Use

    Execution Guardrails Used multi-stage redirectors to verify browser fingerprints in some campaigns.
    Execution Guardrails: Geofencing T1627.001 Used multi-stage redirectors to verify IP geolocation in some campaigns.

    Table 12: Lateral movement
    Tactic/Technique Title ID Use

    Lateral Movement Used native commands and open source tools, such as Impacket and PsExec, to move laterally within the environment.
    Remote Services: Remote Desktop Protocol T1021.001 Moved laterally within the network using RDP.

    Table 13: Collection
    Tactic/Technique Title ID Use

    Email Collection Retrieved sensitive data from email servers.
    Email Collection: Remote Email Collection T1114.002 Used server data exchange protocols and APIs such as Exchange Web Services (EWS) and IMAP to exfiltrate data from email servers.
    Automated Collection Used periodic EWS queries to collect new emails.
    Video Capture Attempted to gain access to the cameras’ feeds.
    Archive Collected Data Archived accessed files in .zip files prior to exfiltration.
    Archive Collected Data: Archive via Utility T1560.001 Prepared zip archives for upload to the actors’ infrastructure.

    Table 14: Exfiltration
    Tactic/Technique Title ID Use

    Exfiltration Over Alternative Protocol Attempted to exfiltrate archived data via a previously dropped OpenSSH binary.
    Scheduled Transfer Used periodic EWS queries to collect new emails sent and received since the last data exfiltration.
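    The Automated Collection row in Table 13 and the Scheduled Transfer row in Table 14 both describe the same mailbox-polling loop: a script asking EWS, at a fixed interval, for whatever arrived since the last pull. Regularity is the hunting signal, since a human-driven client does not request at a constant cadence. The following is an added example, not code from the advisory, that reduces EWS access records to (timestamp, user, source IP, user agent) groups and flags those whose inter-request gaps are all within a tolerance of the median gap. The records, addresses, user agents and thresholds are constructed or assumed; the expected-client list is an assumption that only suppresses noise, since a user agent can be spoofed.

```python
"""Hunt for scripted, fixed-interval EWS polling of a mailbox.

Added example (not code from the advisory). Assumes Exchange or IIS access logs
for /EWS/Exchange.asmx have been reduced to (timestamp, user, src_ip, user_agent)
tuples; the records, addresses and user agents below are constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Clients the organization expects on EWS (assumption: tune per environment; an
# attacker can spoof a user agent, so this only reduces noise, it proves nothing).
EXPECTED_USER_AGENTS = ("Microsoft Office/", "MacOutlook/")


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def find_periodic_ews_clients(records, min_requests=6, tolerance=0.10):
    """Return groups (user, src_ip, user_agent) whose EWS requests arrive at a
    nearly constant interval: every gap within +/- tolerance of the median gap.

    Groups using an expected client user agent, or with fewer than min_requests
    requests, are skipped."""
    groups = defaultdict(list)
    for ts, user, src_ip, ua in records:
        groups[(user, src_ip, ua)].append(_parse_ts(ts))
    findings = []
    for (user, src_ip, ua), times in groups.items():
        if ua.startswith(EXPECTED_USER_AGENTS) or len(times) < min_requests:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        period = median(gaps)
        if period > 0 and all(abs(gap - period) <= tolerance * period for gap in gaps):
            findings.append({"user": user, "src_ip": src_ip, "user_agent": ua,
                             "requests": len(times), "period_seconds": period})
    return findings


def _series(day, user, src_ip, ua, clock_times):
    """Expand a list of HH:MM:SS strings into constructed log records."""
    return [("%sT%s" % (day, t), user, src_ip, ua) for t in clock_times]


# Constructed log: a script polling alice's mailbox every ~10 minutes from outside
# the network, alice's real Outlook client, and two other scripted clients.
SAMPLE_RECORDS = (
    _series("2025-05-20", "alice", "203.0.113.44", "python-requests/2.31.0",
            ["08:00:00", "08:10:05", "08:19:58", "08:30:02",
             "08:40:00", "08:49:55", "09:00:03", "09:10:00"])
    + _series("2025-05-20", "alice", "10.1.5.20",
              "Microsoft Office/16.0 (Windows NT 10.0; Microsoft Outlook 16.0.17628)",
              ["08:00:00", "08:00:07", "08:01:30", "08:01:31",
               "08:05:00", "08:05:02", "08:14:00", "08:22:00"])
    + _series("2025-05-20", "bob", "10.1.5.21", "python-requests/2.31.0",
              ["08:00:00", "08:10:00", "08:20:00", "08:30:00"])
    + _series("2025-05-20", "carol", "198.51.100.3", "curl/8.4.0",
              ["08:00:00", "08:00:30", "08:15:30", "08:17:30",
               "08:50:50", "08:51:00", "09:30:00"])
)

if __name__ == "__main__":
    for finding in find_periodic_ews_clients(SAMPLE_RECORDS):
        print(finding)
```

    Only alice's external python-requests client is reported with the sample data: its gaps cluster tightly around 598 seconds, carol's curl client is irregular, and bob's exactly periodic client falls below the request threshold until min_requests is lowered. In practice the hit should be joined with the EWS operation (FindItem with a date restriction, GetItem with MIME content) and with the mailbox-permission changes in Table 6 before it is treated as collection rather than an integration someone forgot to document.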

    Appendix B: CVEs exploited

    Table 15: Exploited CVE information
    CVE  Vendor/Product  Details

    CVE-2023-38831 RARLAB WinRAR Allows execution of arbitrary code when a user attempts to view a benign file within a ZIP archive.
    CVE-2023-23397 Microsoft Outlook External actors could send specially crafted emails that cause the victim to connect to an untrusted location under the actor’s control, leaking the victim’s Net-NTLMv2 hash, which the actor could then relay to another service to authenticate as the victim.
    CVE-2021-44026 Roundcube Webmail Roundcube before 1.3.17 and 1.4.x before 1.4.12 is prone to a potential SQL injection via search or search_params.
    CVE-2020-35730 Roundcube Webmail An XSS issue was discovered in Roundcube Webmail before 1.2.13, 1.3.x before 1.3.16, and 1.4.x before 1.4.10, where a plaintext email message with JavaScript in a link reference element is mishandled by linkref_addindex in rcube_string_replacer.php.
    CVE-2020-12641 Roundcube Webmail Roundcube Webmail before 1.4.4 allows arbitrary code execution via shell metacharacters in a configuration setting for im_convert_path or im_identify_path in rcube_image.php.
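    The CVE-2023-23397 entry above describes a leak that starts with a property on a calendar item (the reminder sound file path) and ends with an outbound SMB or WebDAV connection that carries a Net-NTLMv2 response. That gives a defender two places to look, which is also what the "Block NTLM/SMB requests to external infrastructure" row in Appendix C relies on. The following is an added example, not code from the advisory or from Microsoft, with two checks: one decides whether a reminder-file path points at a host outside the organization, the other picks out of a connection log the flows that would carry NTLM off-network. Assumptions: the internal address ranges are RFC 1918 plus loopback and link-local, corp.example stands in for the organization's own DNS suffix, the log records carry the fields shown, and the WebDAV user agent prefix is that of the Windows WebClient service; all sample values are constructed.

```python
"""Two checks for the CVE-2023-23397 path: the reminder-sound property on a
calendar item and the outbound NTLM-carrying connection it triggers.

Added example (not advisory or Microsoft code). Assumes RFC 1918, loopback and
link-local ranges are the only internal addresses, that corp.example is the
organization's own DNS suffix, and that connection records carry the fields
shown in SAMPLE_CONNECTIONS; all sample values are constructed.
"""
import ipaddress
import re

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]
INTERNAL_DNS_SUFFIXES = (".corp.example", ".local")  # assumption: site-specific

# UNC form \\host\share\... or the WebDAV form \\host@80\... / \\host@SSL@443\...
_UNC_RE = re.compile(r"^\\\\([^\\@]+)(?:@(?:SSL|\d+))*\\", re.IGNORECASE)


def is_internal_ip(ip):
    """True when ip falls inside one of INTERNAL_NETS; ValueError if not an IP."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def _host_is_external(host):
    try:
        return not is_internal_ip(host)
    except ValueError:  # a DNS name rather than an address
        return "." in host and not host.lower().endswith(INTERNAL_DNS_SUFFIXES)


def reminder_path_is_suspicious(path):
    """Flag a PidLidReminderFileParameter value that points at an external host.

    A local file (C:\\Windows\\Media\\...) or a UNC path to an internal host is not
    flagged; a UNC or WebDAV path to an external address or name is."""
    if not path:
        return False
    match = _UNC_RE.match(path.strip())
    return bool(match) and _host_is_external(match.group(1))


def find_ntlm_egress(records):
    """Return connection records that would carry NTLM authentication off-network:
    SMB (445/139) to a non-internal destination, or WebDAV traffic (identified by
    the Windows WebClient user agent) to a non-internal destination."""
    hits = []
    for rec in records:
        if is_internal_ip(rec["dst"]):
            continue
        ua = rec.get("user_agent", "")
        if rec["dport"] in (445, 139):
            hits.append(dict(rec, reason="smb-to-external"))
        elif rec["dport"] in (80, 443) and ua.startswith("Microsoft-WebDAV-MiniRedir"):
            hits.append(dict(rec, reason="webdav-to-external"))
    return hits


# Constructed connection log from one Outlook workstation (10.1.2.3).
SAMPLE_CONNECTIONS = [
    {"ts": "2025-05-20T09:00:01", "src": "10.1.2.3", "dst": "10.1.2.50", "dport": 445},
    {"ts": "2025-05-20T09:00:02", "src": "10.1.2.3", "dst": "203.0.113.5", "dport": 445},
    {"ts": "2025-05-20T09:00:04", "src": "10.1.2.3", "dst": "203.0.113.5", "dport": 80,
     "user_agent": "Microsoft-WebDAV-MiniRedir/10.0.19045"},
    {"ts": "2025-05-20T09:00:05", "src": "10.1.2.3", "dst": "203.0.113.20", "dport": 443,
     "user_agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for p in (r"\\203.0.113.5\pwn\alert.wav", r"\\203.0.113.5@80\pwn\alert.wav",
              r"\\fileserver.corp.example\sounds\ding.wav",
              r"C:\Windows\Media\Windows Notify Calendar.wav"):
        print(reminder_path_is_suspicious(p), p)
    for hit in find_ntlm_egress(SAMPLE_CONNECTIONS):
        print(hit["reason"], hit["dst"], hit["dport"])
```

    The WebDAV branch matters because blocking TCP 445 at the perimeter alone is not enough: if the WebClient service is running, a path of the form \\host@80\share still produces an NTLM exchange over HTTP. The property check is what patched Outlook now enforces; running it over existing calendar items catches messages that arrived before the patch.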

    Appendix C: MITRE D3FEND Countermeasures

    Table 16: MITRE D3FEND countermeasures
    Countermeasure Title  ID  Details 

    Network Isolation Employ appropriate network segmentation. Disable Universal Plug and Play (UPnP), Peer-to-Peer (P2P), and Anonymous Visit features on IP cameras and routers.
    Access Mediation Limit access and use additional attributes (such as device information, environment, and access path) when making access decisions. Configure access controls carefully so that only well-maintained and well-authenticated accounts have access.
    Inbound Traffic Filtering Implement host firewall rules that block connections from other devices on the network, other than authorized management devices and servers, to prevent lateral movement.
    Resource Access Pattern Analysis Use automated tools to audit access logs for security concerns and identify anomalous access requests.
    Outbound Traffic Filtering Block NTLM/SMB requests to external infrastructure.
    Platform Monitoring Install EDR, logging, and other security tooling on high-value systems that hold large amounts of sensitive data, such as mail servers and domain controllers.
    System File Analysis Collect and monitor Windows logs for specific events, especially events indicating that a log was cleared unexpectedly.
    Application Hardening Enable optional security features in Windows to harden endpoints and mitigate initial access techniques.
    Application-based Process Isolation Enable attack surface reduction rules to block executable content from email.
    Executable Allowlisting Enable attack surface reduction rules to block execution of files from globally writable directories, such as Downloads or %APPDATA%.
    Execution Isolation Unless users are involved in developing scripts, limit script execution (batch, JavaScript, PowerShell, and the like) to known scripts.
    Application Configuration Hardening Disable Windows Script Host and configure PowerShell to run in Constrained Language mode. Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols) or do not support multi-factor authentication. Turn off other ports and services not in use (e.g., FTP, web interface).
    Process Spawn Analysis Use open source Sigma rules as a baseline for detecting and alerting on suspicious file execution or command parameters.
    URL Reputation Analysis Use services that provide enhanced browsing protection and safe-link checking.
    Network Access Mediation Do not allow incoming traffic, especially logins to systems, from public VPN services. Where possible, block logins from public VPNs, including exit nodes in the same country as the target systems, or, if allowed, alert on them for further investigation. Ensure cameras and other Internet of Things devices are protected by a security appliance where possible.
    DNS Denylisting D3-DNSDL Do not allow outgoing traffic to hosting and API mocking services frequently used by malicious actors.
    Domain Name Reputation Analysis Heuristic detections for web requests to new subdomains may uncover malicious phishing activity. Logging the subdomains requested by users on a network, such as in DNS or firewall logs, may enable administrators to identify new targeting and victims.
    Multi-factor Authentication Use MFA with strong factors and require regular re-authentication, especially for management accounts.
    Job Function Access Pattern Analysis D3-JFAPA Implement other mitigations for privileged accounts, including limiting the number of admin accounts, considering hardware MFA tokens, and regularly reviewing all privileged user accounts.
    User Account Permissions Separate privileged accounts by role and alert on misuse of privileged accounts. Audit user accounts on all devices to ensure they accurately reflect your organization and are used as expected.
    Token-based Authentication Reduce reliance on passwords; instead, consider using services such as single sign-on.
    Credential Hardening Do not store passwords in Group Policy Preferences (GPP). Remove all passwords previously included in GPP and change the passwords on the corresponding accounts.
    Authentication Event Thresholding Use account throttling or account lockout. Throttling progressively increases the delay between successive login attempts. If using account lockout, allow between 5 and 10 attempts before lockout.
    Strong Password Policy Use a service to check for compromised passwords before using them.
    Credential Rotation Change all default credentials.
    Encrypted Tunnels Disable protocols that use weak authentication (e.g., clear-text passwords, or outdated and vulnerable authentication or encryption protocols). Use a VPN for remote connections to devices.
    Software Update Apply security patches and firmware updates to all devices. Ensure devices are currently supported and replace devices that are end-of-life.
    Agent Authentication Ensure authentication is enabled for remote access to devices. If supported on IP cameras, allow authenticated RTSP access only.
    User Behavior Analysis Review all authentication activity for remote access to make sure it is valid and expected. Investigate any unexpected or unusual activity.
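    The System File Analysis and Process Spawn Analysis rows in Appendix C ask for two kinds of rule over Windows telemetry: "log was cleared" events, and process-creation records whose image or command line matches a known tool. The following is an added example, not code from the advisory and not the public Sigma rules themselves, that expresses a handful of such rules for the Appendix A techniques (wevtutil log clearing, NTDS.dit dumping, schtasks persistence, Get-GPPPassword.py, Certipy run through Python) and evaluates them over event records. The records are constructed; their fields follow Security 4688 / Sysmon 1 process-creation data and the Security 1102 and System 104 log-cleared events, and the command lines are illustrative, with REDACTED in place of any secret.

```python
"""Match Windows event records against Sigma-style rules for the Appendix A TTPs.

Added example (not code from the advisory, and not the public Sigma rules
themselves). Event records are constructed; their fields follow the
Security 4688 / Sysmon 1 process-creation data and the Security 1102 and
System 104 "log cleared" events.
"""

# Each rule is either a log-cleared rule (channel + event_ids) or a process rule
# (optional image suffixes plus command-line substrings, compared case-insensitively).
RULES = [
    {"title": "Security audit log cleared", "attack": "T1070.001",
     "channel": "Security", "event_ids": {1102}},
    {"title": "System or Application log cleared", "attack": "T1070.001",
     "channel": "System", "event_ids": {104}},
    {"title": "wevtutil clearing an event log", "attack": "T1070.001",
     "image_endswith": ("\\wevtutil.exe",), "cmd_any": (" cl ", " clear-log ")},
    {"title": "NTDS.dit dump via ntdsutil or shadow copy", "attack": "T1003.003",
     "image_endswith": ("\\ntdsutil.exe", "\\vssadmin.exe"), "cmd_any": ("ntds", "create shadow")},
    {"title": "Scheduled task created with schtasks", "attack": "T1053.005",
     "image_endswith": ("\\schtasks.exe",), "cmd_any": ("/create",)},
    {"title": "GPP password retrieval", "attack": "T1552.006",
     "image_endswith": (), "cmd_any": ("get-gpppassword", "groups.xml")},
    {"title": "Certipy run through a Python interpreter", "attack": "T1059.006",
     "image_endswith": ("\\python.exe", "\\python3.exe"), "cmd_any": ("certipy",)},
]


def rule_matches(rule, event):
    """Evaluate one rule against one event record."""
    if "event_ids" in rule:
        return event.get("channel") == rule["channel"] and event.get("event_id") in rule["event_ids"]
    if "command_line" not in event:
        return False  # process rules only apply to process-creation records
    image = event.get("image", "").lower()
    if rule["image_endswith"] and not image.endswith(rule["image_endswith"]):
        return False
    # Pad with spaces so " cl " cannot match inside a longer word such as "clear".
    cmd = " %s " % event["command_line"].lower()
    return any(needle in cmd for needle in rule["cmd_any"])


def hunt(events):
    """Return one hit per (event, rule) pair, in event order then rule order."""
    hits = []
    for index, event in enumerate(events):
        for rule in RULES:
            if rule_matches(rule, event):
                hits.append({"event_index": index, "host": event["host"],
                             "title": rule["title"], "attack": rule["attack"]})
    return hits


def _proc(host, image, command_line, user="CORP\\svc-backup"):
    """Build a constructed process-creation record."""
    return {"host": host, "event_id": 4688, "channel": "Security", "user": user,
            "image": image, "command_line": command_line}


# Constructed records in the order they occurred; the last two are benign noise.
SAMPLE_EVENTS = [
    _proc("DC01", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe cl Security"),
    {"host": "DC01", "event_id": 1102, "channel": "Security", "user": "CORP\\svc-backup"},
    {"host": "DC01", "event_id": 104, "channel": "System", "user": "CORP\\svc-backup"},
    _proc("WS042", r"C:\Users\Public\python\python.exe",
          "python.exe certipy find -u j.doe@corp.example -p REDACTED -dc-ip 10.1.0.10"),
    _proc("WS042", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "OneDrive Update" /tr C:\Users\Public\svc.bat /sc minute /mo 30'),
    _proc("WS042", r"C:\Users\Public\python\python.exe",
          "python.exe Get-GPPPassword.py corp.example/j.doe:REDACTED@10.1.0.10"),
    _proc("DC01", r"C:\Windows\System32\ntdsutil.exe",
          r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\x" q q'),
    _proc("DC01", r"C:\Windows\System32\wevtutil.exe", "wevtutil.exe qe Security /c:5 /rd:true"),
    _proc("WS042", r"C:\Windows\System32\schtasks.exe", "schtasks.exe /query /fo LIST"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

    Two details carry most of the value. The 1102 and 104 events are written by the event log service itself, so they survive even when the wevtutil process-creation record is missing, which is why both rule types are kept. And the command-line padding keeps the short wevtutil verb "cl" from matching unrelated strings; substring rules that skip it produce the kind of noise that gets a Sigma baseline switched off.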

    MIL OSI USA News

  • MIL-OSI USA: Russian GRU Cyber Actors Targeting Western Logistics Entities and Tech Companies

    News In Brief – Source: US Computer Emergency Readiness Team

    Today, CISA, the National Security Agency, the Federal Bureau of Investigation, and other U.S. and international partners released a joint Cybersecurity Advisory, Russian GRU Targeting Western Logistics Entities and Technology Companies.  

    This advisory details a Russian state-sponsored cyber espionage-oriented campaign targeting technology companies and logistics entities, including those involved in the coordination, transport, and delivery of foreign assistance to Ukraine.

    Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center, military unit 26165 cyber actors are using a mix of previously disclosed tactics, techniques, and procedures (TTPs) and are likely connected to these actors’ widescale targeting of IP cameras in Ukraine and bordering NATO nations.

    Executives and network defenders at logistics entities and technology companies should recognize the elevated threat of unit 26165 targeting, increase monitoring and threat hunting for known TTPs and indicators of compromise, and posture network defenses with a presumption of targeting. For more information on Russian state-sponsored threat actor activity, see CISA’s Russia Cyber Threat Overview and Advisories page. 

    MIL OSI USA News

  • MIL-OSI Europe: Agenda – Thursday, 22 May 2025 – Brussels

    Source: European Parliament

    16 Deliberations of the Committee on Petitions in 2023
    Gheorghe Falcă (A10-0063/2025)
        – Amendments: Wednesday, 14 May 2025, 13:00
    11 Amending Regulation (EU) 2023/956 as regards simplifying and strengthening the carbon border adjustment mechanism
    Antonio Decaro (A10-0085/2025)
        – Amendments; rejection: Monday, 19 May 2025, 13:00
    8 Modification of customs duties applicable to imports of certain goods originating in or exported from the Russian Federation and the Republic of Belarus
    Inese Vaidere (A10-0087/2025)
        – Amendments; rejection: Monday, 19 May 2025, 13:00
    27 Granting equivalence to Moldova and Ukraine for field inspections and seed production
    Veronika Vrecionová (A10-0043/2025)
        – Amendments; rejection: Wednesday, 14 May 2025, 13:00
    28 Amendments to the Capital Requirements Regulation as regards securities financing transactions under the net stable funding ratio
        – Amendments; rejection: Wednesday, 14 May 2025, 13:00
    Texts put to the vote on Thursday
        – Tuesday, 20 May 2025, 16:00

    MIL OSI Europe News

  • MIL-OSI Europe: Missions – AFET ad-hoc delegation to Uruguay and Argentina – 26-05-2025 – Committee on Foreign Affairs

    Source: European Parliament


    A delegation of eight Members of the Committee on Foreign Affairs (AFET), led by Chair David McAllister, will travel to Uruguay and Argentina from 26 to 29 May. Members will engage in high-level discussions regarding the EU-Mercosur Partnership Agreement which was concluded last December in Montevideo, Uruguay. The findings from this visit will contribute to the preparatory work for the consent procedure on the political and cooperation aspects of the Agreement, for which AFET is responsible.

    More broadly, this mission will allow Members to exchange views on bilateral, regional and multilateral cooperation, as well as geopolitical issues such as Russia’s war of aggression against Ukraine, the situation in the Middle East, and China’s expanding influence in Latin America.

    MIL OSI Europe News

  • MIL-OSI Europe: Written question – State of play with regard to the global gateway strategy and investments in the TITR corridor – E-001908/2025

    Source: European Parliament

    Question for written answer  E-001908/2025
    to the Commission
    Rule 144
    Anna Maria Cisint (PfE), Aldo Patriciello (PfE), Silvia Sardone (PfE), Isabella Tovaglieri (PfE), Roberto Vannacci (PfE)

    In 2021, in response to China’s belt and road initiative, the Commission launched the global gateway strategy, with the aim of making up to EUR 300 billion available by 2027 to promote sustainable infrastructure in partner countries. To date, it remains unclear how much has actually been disbursed, what projects have started and whether changes have been made to the initial strategy.

    In January 2024, within the framework of the EU-Central Asia Forum, a joint pledge of EUR 10 billion was made with a view to developing the Trans-Caspian International Transport Route (TITR), a strategic corridor connecting Europe with Central Asia and avoiding Russian territory.

    In the light of the above:

    1. How much of the EUR 300 billion goal has actually been disbursed to date?
    2. Has the plan moved on from what was set out in the original strategy (in geographical, sectoral or partnership terms)?
    3. Are further investments along the TITR corridor planned? If so, what funds will be used, what will the time frame be and who will be involved?

    Submitted: 13.5.2025

    Last updated: 21 May 2025

    MIL OSI Europe News

  • MIL-OSI NGOs: Creative industry figures urge Starmer to act against Gaza genocide- ‘you know what is happening’

    Source: Amnesty International –

    116 leading UK and Irish creatives have urged Keir Starmer to act over Israel’s escalating atrocities in Gaza, criticising UK arms exports, settlement trade, and lack of ICC support – open letter 

    Riz Ahmed, Dame Harriet Walter, Maxine Peake, Nish Kumar, Paloma Faith and others condemn UK government inaction on Gaza 

    The Prime Minister must ‘stand up for justice and human rights’ and ‘words are no longer enough; we need to see action’ – Creatives 

    Artists gather outside Downing Street to hold placards urging the PM to act to stop the genocide and human rights abuses in Gaza 

    Over 100 leading voices from across the UK and Ireland’s film, television, and creative industries, including Riz Ahmed, Dame Harriet Walter, Maxine Peake, Nish Kumar, Paloma Faith, Juliet Stevenson and many more, have united to call on Prime Minister Keir Starmer to take urgent action in response to Israel’s escalating atrocities in Gaza and the wider Occupied Palestinian Territory (OPT).   

    In a public letter, the group condemn “all attacks on civilians” but emphasise that, as well as Israel’s decades-long military occupation, expansion of illegal settlements, and system of apartheid, Israel is committing genocide against Palestinians in Gaza, as described by Amnesty International in its report “You Feel Like You Are Subhuman”.  

    “We are deeply troubled by your lack of meaningful action to help deter Israel’s horrifying and calculated violations of Palestinian rights,” the letter states to the Prime Minister. 

    Since October 2023, more than 20,000 children have reportedly been killed in Gaza. The group point to the use of 2,000lb bombs dropped from F-35 fighter jets – supplied with UK-made components – as part of a devastating campaign that includes siege tactics blocking access to food, water, electricity, and medicine for over two million civilians. 

    “You know what is happening,” they write to the Prime Minister, and state “your Government is failing to fulfil its obligation to prevent the ongoing genocide in Gaza.” 

    The letter also highlights a stark double standard in UK policy: banning imports from Russian-occupied Crimea, while allowing trade with Israeli settlements in the illegally Occupied Palestinian Territory. The International Court of Justice has made clear that countries must not support illegal occupations – including through trade.

    In addition to arms and trade, the group call on the UK government to fully support the International Criminal Court’s investigation into alleged war crimes and crimes against humanity in the region. 

    Their demands include: 

    • An immediate suspension of all UK arms exports to Israel 
    • A ban on trade with illegal Israeli settlements in the Occupied Palestinian Territory 
    • Compliance with international legal rulings, including those of the ICJ and ICC 

    The group implores the Prime Minister “to stand up for justice and human rights” and that “words are no longer enough; we need to see action”. 

    Artists gather outside Downing Street to deliver the letter and hold placards urging the PM to act to stop Israel’s genocide and human rights abuses in Gaza. 

    The artists held placards bearing messages from residents of Gaza that capture the urgency and human toll of the crisis: 

    • “I don’t want my child to die hungry” – Gaza Resident, Occupied Gaza 
    • “You may send your child to bring water only for him to return in a body bag” – Gaza Resident, Occupied Gaza 

    These statements are a stark reminder of the daily reality for civilians under Israel’s illegal blockade.  

    About the Signatories 

    This statement by Amnesty International has been endorsed by a coalition of UK-based professionals across the creative industries – filmmakers, actors, writers, artists and cultural leaders – who believe in the power of art, law, and collective voice in the face of injustice. 

    Ahmed Masoud; Aisling Bea; Aiysha Hart; Alan Moore; Alexander McKinnon; Alexei Sayle; Alice Roberts; Alisdair Beckett-King; Amrita Acharia; Andrea Arnold; Anjli Mohindra; Anneika Rose; Annie Mac; Sir Anish Kapoor CBE; Anoushka Shankar; Dr Ariel Caine; Bernadette O’Brien; Bertie Carvel; Bianca Jagger, President of the Bianca Jagger Human Rights Foundation; Brian Eno; Briony Hannah; Brona C Titley; Charlotte Church; Chipo Chung; David Morrissey; Deborah Frances-White; Declan McKenna; Denise Gough; Emma D’Arcy; Esther Freud; Esther Manito; Fionn O’Loinsigh; Francesca Martinez; Frankie Boyle; Frederico Gaggio; Grace Petrie; Dame Harriet Walter; Himesh Patel; Ian Rickson; Imran Yusuf; Indeyarna Donaldson-Holness; Inua Ellams MBE; Ivor Graeme; Jackie Clune; James Acaster; Jan Pearson; Janie Dee; Jason Fleming; Jay Griffiths; Jen Brister; Jessica Fostekew; Jim Loach; John Higgs; Josie Long; Jolyon Rubinstein; Juliet Stevenson CBE; Kathy Lette; Kerry Godliman; Khalid Abdalla; Ken Loach; Lise Meyer; Lolly Adefope; Louisa Young; Love Ssegga; Mae Martin; Mahtab Hussain; Manjinder Virk; Mariam Haque; Marnie Dickens; Max Porter; Maxine Peake; Dr Michael Hrebeniak; Misan Harriman; Mystery Jets; Nadia Sawalha; Nicola Thorp; Nikesh Patel; Nikesh Shukla; Nikita Gill; Nimmi Harasgama; Nish Kumar; Paapa Essiedu; Paloma Faith; Paul Laverty; Penny Woolcock; Peter Wyer; Rebecca O’Brien; Rida Hamidou; Riz Ahmed; Robin Ince; Robin Morrissey; Roger Hartley; Roisin O’Loughlin; Ruth Lass; Salena Godden; Sam Spruell; Sara Masry; Sarah Agha; Sasha Behar; Selma Dabbagh; Shazia Mirza; Simon Rix; Sonali Bhattacharyya; Stewart Lee; Steve Coogan; Susan Lynch; Suzi Ruffell; Thomas Browne; Thomas Combes; Thusitha Jayasundera; Tobias Menzies; Dame Tracey Emin; Tracey Seaward; Vijay Mistry; Vivian Munn; Young Fathers (all members); Zainab Hassan 

    MIL OSI NGO

  • MIL-OSI Russia: The event “Yaqi Cultural Salon: Tea and the World” opened at the Chinese Cultural Center in Ulaanbaatar

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    ULAN BATOR, May 21 (Xinhua) — A three-day event dedicated to Chinese tea culture, titled “Yaqi Culture Salon: Tea and the World,” kicked off at the China Cultural Center in Ulan Bator on Wednesday.

    The event program includes stories about tea drinking culture in China, exhibitions, and lectures on making ceramics from Yixing clay “zisha”.

    Speaking at the opening of the event, Li Zhi, Counselor of the Chinese Embassy in Mongolia and Director of the Chinese Cultural Center in Ulaanbaatar, noted that tea has long embodied the wisdom and philosophy of Eastern civilization. “From the ancient Great Silk Road to the Great Tea Road, tea crossed mountains and seas and became a link in the dialogue between different civilizations,” he said.

    According to Li Zhi, the event participants will be able to get acquainted with the process of making ceramics from Yixing clay “zisha” and the exquisite culture of tea drinking. The diplomat expressed hope that the event’s rich program will demonstrate to the Mongolian public the deep meaning of Chinese tea culture and allow them to understand the Eastern concept of “harmonious coexistence.”

    The event “Yaqi Cultural Salon: Tea and the World”, organized by the Ministry of Culture and Tourism of the People’s Republic of China and the Chinese Embassy in Mongolia, is timed to coincide with International Tea Day, which is celebrated annually on May 21. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: In Belarus, 14.8 billion Belarusian rubles of investments in fixed capital were used in the first four months of this year

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    MINSK, May 21 (Xinhua) — Belarus spent 14.8 billion Belarusian rubles (1 U.S. dollar is equal to 3.01 Belarusian rubles) in fixed capital investments from January to April 2025, the Belarusian National Statistical Committee reported on Tuesday.

    The share of Minsk region in the total volume of used investments in fixed capital amounted to 24.9%. In Minsk, 21.1% of investments were used, in Brest region – 12.9%, Gomel – 13.8%, Grodno – 9.6%, Vitebsk – 8.9%, Mogilev – 8.7%.

    The structure of investments in fixed capital was as follows: construction and installation works – 47.6 percent, machinery, equipment, vehicles – 37.9 percent, other works and costs – 12.1 percent, intellectual property – 2.4 percent. In terms of ownership, 37.6 percent were state investments, 55.8 percent were private, and 6.6 percent were foreign. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: Armenian Prime Minister and Russian Foreign Minister Discuss Bilateral Relations

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    Yerevan, May 21 (Xinhua) — Armenian Prime Minister Nikol Pashinyan on Wednesday received a Russian delegation led by Russian Foreign Minister Sergey Lavrov, the press service of the head of the Armenian government reported.

    During the meeting, N. Pashinyan touched upon the current state of relations between Armenia and Russia. S. Lavrov, for his part, emphasized Russia’s readiness to develop relations with Armenia.

    The interlocutors discussed issues of the Armenian-Russian bilateral agenda, cooperation within the framework of the Eurasian Economic Union, regional and international security.

    Earlier that day, S. Lavrov met with Armenian Foreign Minister Ararat Mirzoyan, following which the parties signed a program of consultations between the Foreign Ministries of the two countries for 2025-2026.

    S. Lavrov was also received by the President of Armenia Vahagn Khachaturyan. –0–

    MIL OSI Russia News

  • MIL-OSI USA: Graham-Blumenthal Hard-Hitting Russia Sanctions Bill Has Over 80 Cosponsors

    US Senate News:

    Source: United States Senator for South Carolina Lindsey Graham
    WASHINGTON – U.S. Senators Lindsey Graham (R-South Carolina) and Richard Blumenthal (D-Connecticut) today made this joint statement after their legislation to impose primary and secondary sanctions against Russia and actors supporting Russia’s aggression in Ukraine reached 81 cosponsors in the U.S. Senate.
    These sanctions would be imposed if Russia refuses to engage in good faith negotiations for a lasting peace with Ukraine or initiates another effort, including military invasion, that undermines the sovereignty of Ukraine after peace is negotiated. The legislation also imposes a 500 percent tariff on imported goods from countries that buy Russian oil, gas, uranium and other products.
    “As Secretary Rubio indicated yesterday to the Senate Appropriations Subcommittee on State and Foreign Operations, Russia has agreed to provide its term sheet for a ceasefire in the next few days. Its contents will speak volumes as to whether or not Russia is serious about peace. We suspect it will be more of the same.
    “If it is more of the same, Russia can expect decisive action from the United States Senate. To that end, we are beyond pleased that we now have 81 cosponsors for legislation to sanction Russia for its barbaric invasion of Ukraine. Our legislation will isolate Russia – putting it on a trade island by imposing stiff tariffs on other countries that support these atrocities. One of the main priorities of our legislation is to hold China accountable for propping up Putin’s war machine by buying cheap Russian oil from the shadow fleet. Without China’s economic support, Putin’s war machine would come to a grinding halt.
    “While we yearn for peace, it is increasingly clear to us – and a supermajority of the Senate – that Putin is playing games. The United States Senate stands ready to act if these games continue.”
    Background on the Sanctioning Russia Act of 2025 is available HERE.
    Bill text is available HERE.

    MIL OSI USA News

  • MIL-OSI Europe: Press release – Opening: 21-22 May 2025 plenary session

    Source: European Parliament

    MEPs added a debate on “the Hungarian government’s drift towards Russia-style repression” to today’s agenda.

    Changes to the agenda

    Wednesday

    Council and Commission statements on the Hungarian government’s drift towards Russia-style repression and legislative threats to freedom of expression and democratic participation are added to the agenda later on Wednesday, following the debate on the EU’s response to the Israeli government’s plan to seize the Gaza Strip. As a result of this addition, the sitting is extended to 23:00.

    Thursday

    The President announced a request from the Committee on Agriculture and Rural Development to fast-track a file under Rule 170(6) of the EP’s Rules of Procedure for the Commission proposal on additional assistance and further flexibility to outermost regions affected by severe natural disasters and in the context of cyclone Chido devastating Mayotte.

    The vote on this request will take place on Thursday. If approved, the file will be added to the June plenary agenda.

    Interinstitutional negotiations

    The Committee on Economic and Monetary Affairs has decided to enter into interinstitutional negotiations, in accordance with Rule 72(1) of Parliament’s Rules of Procedure, on the basis of the report available on the plenary website.

    MIL OSI Europe News

  • MIL-OSI Europe: Answer to a written question – Russian shadow fleet and the environmental risk for our European waters and coastal communities – need for more action against the shadow fleet in the 16th sanctions package – E-000628/2025(ASW)

    Source: European Parliament

    Targeting the so-called Russian shadow fleet has been an integral part of several sanctions packages against Russia adopted by the Council. The most recent 16th package of sanctions against Russia, adopted by the Council on 24 February 2025 and designed to further ramp up pressure on the aggressor, touches upon vital sectors of the Russian economy such as energy, trade, transport, infrastructure and financial services and introduces further measures aimed at tackling circumvention. In this latter respect, the 16th package adds further vessels to the list of those subject to a port access ban and a ban on the provision of a broad range of services related to maritime transport. This concerns non-EU tankers that are part of Russia’s shadow fleet circumventing the oil price cap mechanism while conducting irregular and high-risk shipping practices (thus possibly posing safety and/or environmental risks), that support the energy sector of Russia, or that are responsible for transporting military equipment for Russia or stolen Ukrainian grain. In total, 153 vessels from third countries are currently listed.

    The Council explicitly acknowledges the environmental risks posed by Russia’s shadow fleet. Those risks have in particular been flagged by the International Maritime Organisation in its General Assembly resolution A.1192(33), adopted on 6 December 2023. Recital 6 of Council Decision (CFSP) 2025/388 of 24 February 2025 indicates that ‘for the purposes of those oil exports, Russia is increasingly reliant on a fleet of vessels involved in substandard and high-risk shipping practices such as operating with inadequate or inexistent insurance (“shadow fleet”). Those vessels pose significant maritime safety and environmental risks for the Union, its coastal Member States and third-country coastal states. […] Discouraging persons and entities from undertaking and facilitating high-risk shipping practices when transporting Russian-origin oil and disrupting shadow fleet operations therefore contribute to undermining revenue generation for the Russian war efforts while at the same time supporting international measures to preserve and improve the quality of the environment’. This is why the Council introduced a new listing criterion as part of the 16th package targeting those who support the operations of tankers transporting Russian oil while conducting irregular and high-risk shipping practices as set out in the International Maritime Organisation General Assembly resolution A.1192(33). The objective is to disrupt the network behind the too-often unsafe oil tankers that now widely support Russian oil exports, which will help in turn to address circumvention of the oil price cap and environmental risks linked to the shadow fleet.

    Last updated: 21 May 2025

    MIL OSI Europe News

  • MIL-OSI Russia: Xinjiang launches first direct cargo air route to Baltic region

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    URUMQI, May 21 (Xinhua) — A cargo plane carrying 51 tonnes of e-commerce goods took off from northwest China’s Xinjiang Uygur Autonomous Region on Wednesday and arrived in Estonia’s capital Tallinn, marking the launch of the first direct cargo air route from Xinjiang to the Baltic region.

    The new route will be operated once a week by a Boeing 767 cargo aircraft, with a one-way flight time of approximately 11 hours. Compared with conventional aircraft, this aircraft offers 30 percent more cargo capacity, primarily transporting light industry products such as clothing and daily necessities, effectively reducing logistics costs.

    According to Feng Liang, general manager of Xinjiang Wanshengtong Supply Chain Management Co, Ltd., the air route will provide Chinese merchants with the opportunity to directly interact with e-commerce platforms in Northern Europe and help improve the shopping experience of consumers in the region.

    To date, 20 international cargo air routes have been launched from Xinjiang’s capital Urumqi to 20 cities, including 12 routes covering key hubs in Northern, Eastern and Western Europe.

    From January to April 2025, the customs office of Urumqi Diwopu International Airport handled 1,584 cargo flights, a whopping 1,157.1 percent increase year-on-year, and the cargo turnover of this airport reached 26,000 tons, an increase of 522.2 percent compared with the same period last year.

    The regular operation of multiple international air cargo routes will help Xinjiang-based cross-border e-commerce companies expand their presence in overseas markets, boosting exports of textiles, electronics and other competitive products and promoting the quality and efficiency of trade among Belt and Road Initiative participants, said Zhao Beijing, an official with Diwopu Customs. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: China’s E-Bike Trade-In Program Generates Over 6 Million New Sales

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — China’s trade-in program for electric bicycles has driven steady sales growth since early 2025, with about 6.08 million new electric bicycles sold as replacements under the program as of Tuesday, the Ministry of Commerce said Wednesday.

    According to the department, new electric bicycles worth a total of 17.82 billion yuan (about 2.48 billion US dollars) were sold during the reporting period.

    The trade-in program for e-bikes received a new boost after five government departments, including the Ministry of Commerce, issued a joint notice in January to expand the program.

    To date, approximately 79,000 retail outlets, primarily individual and small businesses, have taken part in the initiative, indicating growing market interest.

    The Ministry of Commerce said the program is gaining momentum across the country, with sales of new electric bicycles in Jiangsu and Hebei provinces each exceeding 1 million units. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: Renowned Chinese Russianist Becomes Honorary Doctor of IKS RAS

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    Moscow, May 21 /Xinhua/ — Leading Chinese researcher of Russia, professor at the University of the Chinese Academy of Social Sciences Li Yongquan has become an honorary doctor of the Institute of China and Modern Asia of the Russian Academy of Sciences (ICSA RAS). The corresponding sign was presented to him by the director of ICSA RAS Kirill Babaev.

    Director of the Institute of European and Asian Social Development of the Development Research Center of the State Council of the People’s Republic of China, Vice Chairman of the China-Russia Friendship Society, Professor Li Yongquan has been researching modern Russia, Chinese-Russian relations, Eurasian integration, development of the Commonwealth of Independent States and the Shanghai Cooperation Organization for over 50 years. He is the author of over 200 scientific and journalistic works, and a translator of Russian book publications. He also worked as a journalist in Moscow and led numerous important applied studies at the level of ministries and departments.

    In an interview with Xinhua, Professor Li Yongquan said he was flattered to be awarded the title of Honorary Doctor of the Institute of Oriental Studies of the Russian Academy of Sciences. “The importance of the healthy development of Chinese-Russian relations for the multipolarity of the world, the stability of the Eurasian region and the development of both sides cannot be overestimated. Chinese and Russian scientists should make their contribution to this,” he emphasized.

    Director of ICSA RAS K. Babaev noted the contribution of Professor Li Yongquan to the development of mutual understanding and friendship between Russia and China. “We hope that this event will become an incentive for further expansion of our cooperation in research, exchange of experience and training of new generations of specialists capable of building strong and mutually beneficial relations between Russia and China. We are confident that Professor Li’s contribution and dedication will serve as an inspiration for future joint projects and initiatives that will contribute to the deepening of our strategic partnership,” said K. Babaev. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: China issues directive to strengthen financial support for small and micro enterprises

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — China will further boost financial support for small and micro enterprises by expanding supply and reducing financing costs, and improving the effectiveness and targeting of support measures, according to a directive issued by eight departments on Wednesday.

    The document, jointly released by the State Financial Supervision Administration, the People’s Bank of China, the National Development and Reform Commission and other departments, includes 23 specific measures to strengthen financing for small and micro enterprises.

    To expand the supply of financing for such companies, the country’s authorities are stepping up the issuance of first-time loans, unsecured loans, medium- and long-term loans, loans for legal entities and for private enterprises.

    According to the document, financial support for small and micro enterprises in the agricultural sector will be strengthened through the use of structural monetary instruments, including refinancing.

    It is indicated that China will also support small and micro enterprises in obtaining financing through the issuance of shares.

    To reduce the cost of financing small and micro enterprises, the authorities will guide banks to reasonably determine loan rates for such companies, while reducing additional fees.

    The directive also notes that the authorities will encourage banks to improve the efficiency of financing, simplify loan applications and streamline loan approval procedures. Additional support will be provided to small and micro enterprises of scientific, technical and innovative types, as well as those implementing new business models in the field of foreign trade. –0–

    MIL OSI Russia News

  • MIL-OSI Economics: Microsoft leads global action that’s disrupting a favored cybercrime tool

    Source: Microsoft

    Headline: Microsoft leads global action that’s disrupting a favored cybercrime tool

    Microsoft’s Digital Crimes Unit (DCU) and international partners are disrupting the leading tool used to indiscriminately steal sensitive personal and organizational information to facilitate cybercrime. On Tuesday, May 13, Microsoft’s DCU filed a legal action against Lumma Stealer (“Lumma”), which is the favored info-stealing malware used by hundreds of cyber threat actors. Lumma steals passwords, credit cards, bank accounts, and cryptocurrency wallets and has enabled criminals to hold schools for ransom, empty bank accounts, and disrupt critical services.

    Via a court order granted in the United States District Court of the Northern District of Georgia, Microsoft’s DCU seized and facilitated the takedown, suspension, and blocking of approximately 2,300 malicious domains that formed the backbone of Lumma’s infrastructure. The Department of Justice (DOJ) simultaneously seized the central command structure for Lumma and disrupted the marketplaces where the tool was sold to other cybercriminals. Europol’s European Cybercrime Center (EC3) and Japan’s Cybercrime Control Center (JC3) facilitated the suspension of locally based Lumma infrastructure.

    Between March 16, 2025, and May 16, 2025, Microsoft identified over 394,000 Windows computers globally infected by the Lumma malware. Working with law enforcement and industry partners, we have severed communications between the malicious tool and victims. Moreover, more than 1,300 domains seized by or transferred to Microsoft, including 300 domains actioned by law enforcement with the support of Europol, will be redirected to Microsoft sinkholes. This will allow Microsoft’s DCU to provide actionable intelligence to continue to harden the security of the company’s services and help protect online users. These insights will also assist public- and private-sector partners as they continue to track, investigate, and remediate this threat. This joint action is designed to slow the speed at which these actors can launch their attacks, minimize the effectiveness of their campaigns, and hinder their illicit profits by cutting a major revenue stream.

    Heat map detailing global spread of Lumma Stealer malware infections and encounters across Windows devices.
    Splash page displayed on 900+ domains seized by Microsoft. 

    What is Lumma?

    Lumma is a Malware-as-a-Service (MaaS), marketed and sold through underground forums since at least 2022. Over the years, the developers released multiple versions to continually improve its capabilities. Microsoft Threat Intelligence shares more details around the delivery techniques and capabilities of Lumma in a recent blog.

    Typically, the goal of Lumma operators is to monetize stolen information or conduct further exploitation for various purposes. Lumma is easy to distribute, difficult to detect, and can be programmed to bypass certain security defenses, making it a go-to tool for cybercriminals and online threat actors, including prolific ransomware actors such as Octo Tempest (Scattered Spider). The malware impersonates trusted brands, including Microsoft, and is deployed via spear-phishing emails and malvertising, among other vectors.

    For example, in March 2025, Microsoft Threat Intelligence identified a phishing campaign impersonating online travel agency Booking.com. The campaign used multiple credential-stealing malware, including Lumma, to conduct financial fraud and theft. Lumma has also been used to target gaming communities and education systems and poses an ongoing risk to global security, with reports from multiple cybersecurity companies outlining its use in attacks against critical infrastructure, such as the manufacturing, telecommunications, logistics, finance, and healthcare sectors.

    Example of phishing email impersonating Booking.com and fake CAPTCHA verification prompt. (Source: Microsoft – Phishing campaign impersonates Booking.com, delivers a suite of credential-stealing malware)

    The primary developer of Lumma is based in Russia and goes by the internet alias “Shamel.” Shamel markets different tiers of service for Lumma via Telegram and other Russian-language chat forums. Depending on what service a cybercriminal purchases, they can create their own versions of the malware, add tools to conceal and distribute it, and track stolen information through an online portal.

    Different tiers of service for Lumma, as well as Lumma’s logo used on marketing material. (Source: Darktrace – The Rise of MaaS & Lumma Info Stealer)

    In an interview with cybersecurity researcher “g0njxa” in November 2023, Shamel shared that he had “about 400 active clients.” Demonstrating the evolution of cybercrime to incorporate established business practices, he effectively created a Lumma brand, using a distinctive logo of a bird to market his product, calling it a symbol of “peace, lightness, and tranquility,” and adding the slogan “making money with us is just as easy.”

    Shamel’s ability to operate openly underscores the importance for countries worldwide to address the issue of safe havens and to advocate for the rigorous enforcement of due diligence obligations under international law.

    Continuing to work together to disrupt prolific cybercrime tools

    Disrupting the tools cybercriminals frequently use can create a significant and lasting impact on cybercrime, as rebuilding malicious infrastructure and sourcing new exploit tools takes time and costs money. By severing access to mechanisms cybercriminals use, such as Lumma, we can significantly disrupt the operations of countless malicious actors through a single action.

    Continued collaboration across industry and government remains imperative. We are grateful for the partnership with others across government and industry, including cybersecurity companies ESET, Bitsight, Lumen, Cloudflare, CleanDNS, and GMO Registry. Each company provided valuable assistance by quickly taking down online infrastructure.

    Finally, we know cybercriminals are persistent and creative. We, too, must evolve to identify new ways to disrupt malicious activities. Microsoft’s DCU will continue to adapt and innovate to counteract cybercrime and help ensure the safety of critical infrastructure, customers, and online users.

    Organizations and individuals can protect themselves from malware like Lumma by using multi-factor authentication, running the latest anti-malware software, and being cautious with attachments and email links. More information for security professionals can be found here.

    Tags: cyberattacks, cybersecurity

    MIL OSI Economics

  • MIL-OSI Russia: Wang Yi to chair 3rd China-Pacific Island Countries Foreign Ministers’ Meeting /more details/

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — Chinese Foreign Minister Wang Yi, a member of the Political Bureau of the Communist Party of China (CPC) Central Committee, will chair the third China-Pacific Island Countries Foreign Ministers’ Meeting to be held in Xiamen, east China’s Fujian Province, from May 28 to 29, Foreign Ministry spokesperson Mao Ning said on Wednesday.

    As noted by the official representative, the heads of the Ministries of Foreign Affairs and representatives of 11 Pacific island states that have diplomatic relations with China have been invited to take part in the event, namely: the President and Minister of Foreign Affairs of Kiribati Taneti Maamau, the Prime Minister and Minister of Foreign Affairs of Niue Dalton Tagelagi, the Crown Prince and Minister of Foreign Affairs of Tonga Tupouto'a 'Ulukalala, the Minister of Foreign Affairs and Trade of Nauru Lionel Aingimea, the Minister of Foreign Affairs of the Federated States of Micronesia Lorin Robert, the Minister of Foreign Affairs and Foreign Trade of the Solomon Islands Peter Chanel Agovaka, the Minister of Foreign Affairs, International Cooperation and Foreign Trade of Vanuatu Mark Ati, the Minister of Foreign Affairs and Immigration of Papua New Guinea Justin Tkachenko, the Minister of Foreign Affairs and Immigration of the Cook Islands Tingika Elikana, the Assistant Minister of Foreign Affairs and Deputy Speaker of the Parliament of Fiji Lenora Qereqeretabua, the representative of the Government of Samoa, Ambassador of Samoa to China Luamanuvae Mariner, as well as the Deputy Secretary General of the Pacific Islands Forum Esala Nayasi.

    At a regular press briefing, Mao Ning said China and the Pacific island countries are comprehensive strategic partners committed to mutual respect and common development, adding that the two sides have continuously deepened and developed friendly ties and cooperation in recent years.

    Mao Ning noted that the upcoming meeting will be held in China for the first time in an offline format. According to her, the parties will discuss in detail the comprehensive exchanges and cooperation between China and the Pacific island countries, as well as international and regional issues of mutual interest.

    China attaches great importance to relations with the Pacific island countries and hopes that this event will contribute to the active implementation of the important consensus reached by the leaders of the two sides, strengthening cohesion and cooperation, joining efforts for development and prosperity, and jointly building an even closer community with a shared future for China and the Pacific island countries, the official representative of the Chinese Foreign Ministry added. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: Foreign Ministers of China, Afghanistan and Pakistan held an informal meeting in Beijing /more details/

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — Chinese Foreign Minister Wang Yi, Pakistani Deputy Prime Minister and Foreign Minister Muhammad Ishaq Dar and Afghan Acting Foreign Minister Amir Khan Muttaqi held an informal meeting in Beijing on Wednesday.

    The meeting was chaired by Wang Yi, who is also a member of the Politburo of the CPC Central Committee.

    The foreign ministers of the three countries positively assessed the achieved results of the China-Afghanistan-Pakistan trilateral dialogue and held an in-depth discussion on issues of further using the potential of the trilateral mechanism and promoting mutually beneficial cooperation.

    As Wang Yi noted, summing up the meeting, the foreign ministers agreed that the three countries should strengthen political mutual trust and firmly adhere to the principles of good-neighborliness and friendship.

    China supports Afghanistan and Pakistan in pursuing development paths that suit their national conditions and safeguarding their sovereignty, security and national dignity, he said.

    Wang Yi said that the ministers agreed to hold the 6th trilateral dialogue of the foreign ministers of China, Afghanistan and Pakistan in Kabul in the near future.

    As the Chinese diplomat emphasized, Afghanistan and Pakistan expressed their desire to raise the level of their bilateral diplomatic relations and agreed in principle to mutually appoint ambassadors as soon as possible.

    Wang Yi said China welcomes this progress and is willing to make further contributions to improving Afghan-Pakistani relations.

    Discussing the deepening of the joint construction of the Belt and Road, the ministers agreed to promote the expansion of the China-Pakistan Economic Corridor to Afghanistan and strengthen the development of regional infrastructure connectivity.

    Wang Yi also said that China and Pakistan have voiced their support for Afghanistan’s reconstruction and development, as well as their intention to expand trade with Afghanistan to help strengthen the country’s capacity for independent development.

    According to the head of the Chinese Foreign Ministry, the three countries agreed to counter terrorism in all its forms, cooperate in law enforcement and security, jointly combat terrorist forces that are of concern to each side, remain vigilant against external interference in the internal affairs of states in the region and prevent such interference.

    The ministers also called for efforts to safeguard peace and stability in the region to create a positive external environment conducive to the development and rise of the three countries. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: China opposes unjustified European sanctions against Chinese companies – Chinese Foreign Ministry

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — China is strongly dissatisfied with and firmly opposes the European Union’s groundless sanctions against Chinese enterprises, Foreign Ministry spokesperson Mao Ning said Wednesday.

    Mao Ning made the statement at a regular briefing for journalists, commenting on a new package of restrictions against Russia announced by the European Union and Great Britain. This time, the sanctions list also includes companies from China and the United Arab Emirates.

    Speaking about the Ukrainian crisis, the official representative of the Chinese Foreign Ministry noted that China is firmly committed to advancing peace talks. China has never provided lethal weapons to the parties to the conflict and strictly controls the export of dual-use goods, she recalled.

    Normal exchanges and cooperation between Chinese and Russian enterprises should not be disrupted or affected, Mao Ning stressed, noting that most countries, including European countries and the United States, continue to trade with Russia.

    The European side must stop applying double standards to trade and economic cooperation with Russia and harming the legitimate interests of Chinese companies. China will take all necessary measures to resolutely protect its legitimate rights and interests, the Chinese diplomat added. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: China publishes plan to protect rivers and lakes

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — Chinese authorities have released an action plan to protect and develop beautiful rivers and lakes for the 2025-2027 period, focusing on improving the quality of aquatic ecosystems.

    A document jointly released Wednesday by China’s Ministry of Ecology and Environment and other government agencies sets targets to make significant progress in developing beautiful rivers and lakes by 2030 and to generally complete the process by 2035.

    The plan aims to promote targeted, science-based and legal pollution control, coordinate water resources management, aquatic environment and aquatic ecology, and establish an integrated environmental management system in the upper and lower reaches of key river basins to improve the health of river and lake ecosystems.

    The national list of beautiful rivers and lakes to be protected and developed includes 2,573 rivers and water bodies, including main channels of large rivers, important tributaries, key lakes and reservoirs that perform important ecological functions, have sensitive and fragile ecological environments or attract wide public attention.

    The plan contains 19 specific measures aimed at strengthening and deepening the management of the aquatic environment, ensuring basic environmentally safe water use, and comprehensively promoting efforts for protection and development. –0–

    MIL OSI Russia News

  • MIL-OSI Russia: Former Vietnamese President Tran Duc Luong Dies at 88

    Translation. Region: Russian Federal

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    HANOI, May 21 (Xinhua) — Former Vietnamese President Tran Duc Luong died on Tuesday at the age of 88 after a long illness, the Vietnam News Agency reported on Wednesday.

    Tran Duc Luong was born in the central Vietnamese province of Quang Ngai in 1937. He served as President of Vietnam from September 1997 to June 2006. –0–

    MIL OSI Russia News

  • MIL-OSI Security: Threat Actors Deploy LummaC2 Malware to Exfiltrate Sensitive Data from Organizations

    Source: US Department of Homeland Security

    Summary

    The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) are releasing this joint advisory to disseminate known tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) associated with threat actors deploying the LummaC2 information stealer (infostealer) malware. LummaC2 malware is able to infiltrate victim computer networks and exfiltrate sensitive information, threatening vulnerable individuals’ and organizations’ computer networks across multiple U.S. critical infrastructure sectors. According to FBI information and trusted third-party reporting, this activity has been observed as recently as May 2025. The IOCs included in this advisory were associated with LummaC2 malware infections from November 2023 through May 2025.

    The FBI and CISA encourage organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of LummaC2 malware.

    Download the PDF version of this report:

    For a downloadable copy of IOCs, see:

    Technical Details

    Note: This advisory uses the MITRE ATT&CK® Matrix for Enterprise framework, version 17. See the MITRE ATT&CK Tactics and Techniques section of this advisory for threat actor activity mapped to MITRE ATT&CK tactics and techniques.

    Overview

    LummaC2 malware first appeared for sale on multiple Russian-language cybercriminal forums in 2022. Threat actors frequently use spearphishing hyperlinks and attachments to deploy LummaC2 malware payloads [T1566.001, T1566.002]. Additionally, threat actors rely on unsuspecting users to execute the payload by clicking a fake Completely Automated Public Turing Test to tell Computers and Humans Apart (CAPTCHA). The fake CAPTCHA instructs users to open the Windows Run window (Windows Button + R) and paste the clipboard contents (CTRL + V). After the user presses Enter, a Base64-encoded PowerShell command is executed.
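    The delivery chain above (fake CAPTCHA, Run dialog, encoded PowerShell) leaves a distinctive process-creation footprint. The following triage helper is an added example, not code from the FBI/CISA advisory: it flags PowerShell started by explorer.exe with an encoded command and decodes the script for the analyst. The event fields (modelled on Sysmon Event ID 1), the sample command lines and the placeholder script are constructed for this example.

```python
"""Triage helper for the fake-CAPTCHA delivery chain described above.

Added example, not code from the FBI/CISA advisory. It consumes constructed
process-creation records (field names modelled on Sysmon Event ID 1) and flags
PowerShell started by explorer.exe (the parent of a Run-dialog launch) with an
encoded command, then decodes the Base64 / UTF-16LE script so an analyst can
see what the user was tricked into pasting. Record fields and sample command
lines are assumptions made for this example.
"""
import base64
import re
from dataclasses import dataclass
from typing import Optional

# PowerShell accepts -EncodedCommand, any unambiguous prefix of it (-e, -en,
# -enc, ...) and the documented alias -ec. Capture the switch and the blob.
_SWITCH = re.compile(r"(?i)(?<!\S)-(e\w*)\s+([A-Za-z0-9+/=]+)")
_SHELLS = {"powershell.exe", "pwsh.exe"}


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def b64_utf16(script: str) -> str:
    """Encode a script the way PowerShell expects for -EncodedCommand."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def encoded_payload(command_line: str) -> Optional[str]:
    """Return the decoded script if the command line carries an encoded command."""
    for m in _SWITCH.finditer(command_line):
        flag, blob = m.group(1).lower(), m.group(2)
        if flag != "ec" and not "encodedcommand".startswith(flag):
            continue  # some other -e... switch, e.g. -ExecutionPolicy or -ep
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            return None  # switch present but the blob is not a valid encoded command
    return None


def triage(events):
    """Return (event, decoded_script) for every event matching the chain."""
    hits = []
    for ev in events:
        if _basename(ev.image) not in _SHELLS:
            continue
        # explorer.exe is the parent of a Run-dialog (Win+R) launch; encoded
        # PowerShell from an interactive shell is rare in enterprise baselines.
        if _basename(ev.parent_image) != "explorer.exe":
            continue
        script = encoded_payload(ev.command_line)
        if script is not None:
            hits.append((ev, script))
    return hits


# Constructed sample telemetry; the decoded script is a harmless placeholder,
# not a real loader.
PLACEHOLDER_SCRIPT = "Write-Output 'constructed placeholder'"
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -w hidden -enc " + b64_utf16(PLACEHOLDER_SCRIPT)),
    ProcessEvent(r"C:\Windows\System32\services.exe",  # service context, not this chain
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell -ec " + b64_utf16("Get-Date")),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell -ExecutionPolicy Bypass -File C:\Users\alice\backup.ps1"),
    ProcessEvent(r"C:\Windows\explorer.exe",
                 r"C:\Program Files\PowerShell\7\pwsh.exe",
                 "pwsh -e not-valid-base64!!"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad"),
]


if __name__ == "__main__":
    for ev, script in triage(SAMPLE_EVENTS):
        print(f"ALERT parent={_basename(ev.parent_image)} decoded={script!r}")
```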

    To obfuscate their operations, threat actors have embedded and distributed LummaC2 malware within spoofed or fake popular software (i.e., multimedia player or utility software) [T1036]. The malware’s obfuscation methods allow LummaC2 actors to bypass standard cybersecurity measures, such as Endpoint Detection and Response (EDR) solutions or antivirus programs, designed to flag common phishing attempts or drive-by downloads [T1027].

    Once a victim’s computer system is infected, the malware can exfiltrate sensitive user information, including personally identifiable information, financial credentials, cryptocurrency wallets, browser extensions, and multifactor authentication (MFA) details without immediate detection [TA0010, T1119]. Private sector statistics indicate there were more than 21,000 market listings selling LummaC2 logs on multiple cybercriminal forums from April through June of 2024, a 71.7 percent increase from April through June of 2023.

    File Execution

    Upon execution, the LummaC2.exe file will enter its main routine, which includes four sub-routines (see Figure 1).

    Figure 1. LummaC2 Main Routine

    The first routine decrypts strings for a message box that is displayed to the user (see Figure 2).

    Figure 2. Message Box

    If the user selects No, the malware will exit. If the user selects Yes, the malware will move on to its next routine, which decrypts its callback Command and Control (C2) domains [T1140]. A list of observed domains is included in the Indicators of Compromise section.

    After each domain is decoded, the implant will attempt a POST request [T1071.001] (see Figure 3).

    Figure 3. Post Request

    If the POST request is successful, a pointer to the decoded domain string is saved in a global variable for later use in the main C2 routine used to retrieve JSON formatted commands (see Figure 4).

    Figure 4. Code Saving Successful Callback Request

    Once a valid C2 domain is contacted and saved, the malware moves on to the next routine, which queries the user’s name and computer name utilizing the Application Programming Interfaces (APIs) GetUserNameW and GetComputerNameW respectively [T1012]. The returned data is then hashed and compared against a hard-coded hash value (see Figure 5).

    Figure 5. User and Computer Name Check

    The hashing routine was not identified as a standard algorithm; however, it is a simple routine that converts a Unicode string to a 32-bit hexadecimal value.

    If the username hash is equal to the value 0x56CF7626, then the computer name is queried. If the computer name queried is seven characters long, then the name is hashed and checked against the hard-coded value of 0xB09406C7. If both values match, a final subroutine will be called with a static value of the computer name hash as an argument. If this routine is reached, the process will terminate. This is most likely a failsafe to prevent the malware from running on the attacker’s system, as its algorithms are one-way only and will not reveal information on the details of the attacker’s own hostname and username.

    If the username and hostname check function returns zero (does not match the hard-coded values), the malware will enter its main callback routine. The LummaC2 malware will contact the saved hostname from the previous check and send the following POST request (see Figure 6).

    Figure 6. Second POST Request

    The data returned from the C2 server is encrypted. Once decoded, the C2 data is in JSON format and is parsed by the LummaC2 malware. The malware uses the JSON configuration to parse its browser extension and target lists from the ex key, which contains an array of objects (see Figure 7).

    Figure 7. Parsing of ex JSON Value

    The c key also contains an array of objects; parsing it gives the implant its C2 instructions (see Figure 8).

    Figure 8. Parsing of c JSON Value

    C2 Instructions

    Each array object that contains the JSON key t has that value evaluated as a command opcode, resulting in the C2 instructions described in the subsections below.

    1. Opcode 0 – Steal Data Generic

    This command allows five fields to be defined when stealing data, offering the most flexibility. The Opcode 0 command option allows LummaC2 affiliates to add their custom information gathering details (see Table 1).

    Table 1. Opcode 0 Options
    Key | Value
    p   | Path to steal from
    m   | File extensions to read
    z   | Output directory to store stolen data
    d   | Depth of recursiveness
    fs  | Maximum file size

    2. Opcode 1 – Steal Browser Data

    This command only allows for two options: a path and the name of the output directory. This command, based on sample configuration downloads, is used for browser data theft for everything except Mozilla [T1217] (see Table 2).

    Table 2. Opcode 1 Options
    Key | Value
    p   | Path to steal from
    z   | Name of Browser (output directory)

    3. Opcode 2 – Steal Browser Data (Mozilla)

    This command is identical to Opcode 1; however, this option seems to be utilized solely for Mozilla browser data (see Table 3).

    Table 3. Opcode 2 Options
    Key | Value
    p   | Path to steal from
    z   | Name of Browser (output directory)

    4. Opcode 3 – Download a File

    This command contains three options: a URL, file extension, and execution type. The configuration can specify a remote file with u to download and create the extension specified in the ft key [T1105] (see Table 4).

    Table 4. Opcode 3 Options
    Key | Value
    u   | URL for Download
    ft  | File Extension
    e   | Execution Type

    The e value can take two values: 0 or 1. This specifies how to execute the downloaded file either with the LoadLibrary API or via the command line with rundll32.exe [T1106] (see Table 5).

    Table 5. Execution Types
    Key | Value
    e=0 | Execute with LoadLibraryW()
    e=1 | Execute with rundll32.exe

    5. Take Screenshot

    If the configuration JSON file has a key of “se” and its value is “true,” the malware will take a screenshot in BMP format and upload it to the C2 server.

    6. Delete Self

    If the configuration JSON file has a key of “ad” and its value is “true,” the malware will enter a routine to delete itself.

    The command shown in Figure 9 will be decoded and executed for self-deletion.

    Figure 9. Self-Deletion Command Line

    Figure 10 depicts the above command line during execution.

    Figure 10. Decoded Command Line in Memory
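    Once a C2 configuration has been decrypted, the tasking described above (the c array of objects keyed by the t opcode, the option keys from Tables 1 to 5, and the se and ad flags) can be reduced to a triage summary for an analyst. The following Python is an added example, not code from the advisory or from the malware; the sample configuration, URL and paths in it are constructed, and the inner layout of ex objects, which the advisory does not describe, is assumed unknown and left empty.

```python
import json

# Opcode names and execution types as the advisory describes them (Tables 1-5).
OPCODE_NAMES = {0: "steal-data-generic", 1: "steal-browser-data",
                2: "steal-browser-data-mozilla", 3: "download-file"}
EXEC_TYPES = {0: "LoadLibraryW", 1: "rundll32.exe"}

# Constructed sample of a decrypted config, not a real capture. The inner
# layout of "ex" objects is not described in the advisory, so it is left empty.
SAMPLE_CONFIG = json.dumps({
    "ex": [],
    "c": [
        {"t": 0, "p": "%USERPROFILE%\\Documents", "m": "*.txt,*.docx",
         "z": "Files", "d": 2, "fs": 1048576},
        {"t": 1, "p": "%LOCALAPPDATA%\\Google\\Chrome\\User Data", "z": "Chrome"},
        {"t": 2, "p": "%APPDATA%\\Mozilla\\Firefox\\Profiles", "z": "Firefox"},
        {"t": 3, "u": "https://stage2.example.invalid/payload", "ft": "dll", "e": 1},
        {"note": "an object without a t key is not a command and is skipped"},
    ],
    "se": "true",   # the advisory quotes the value as "true"; accept str or bool
    "ad": False,
})


def flag_set(value) -> bool:
    """Treat JSON true or the string "true" (any case) as an enabled flag."""
    return value is True or (isinstance(value, str) and value.lower() == "true")


def describe_task(task: dict) -> dict:
    """Normalise one c-array object into a triage record keyed on its opcode."""
    op = task.get("t")
    rec = {"opcode": op, "name": OPCODE_NAMES.get(op, "unknown")}
    if op == 0:         # Table 1: p, m, z, d, fs
        rec.update(path=task.get("p"), extensions=task.get("m"),
                   output=task.get("z"), depth=task.get("d"),
                   max_size=task.get("fs"))
    elif op in (1, 2):  # Tables 2 and 3: p, z
        rec.update(path=task.get("p"), output=task.get("z"))
    elif op == 3:       # Tables 4 and 5: u, ft, e
        rec.update(url=task.get("u"), extension=task.get("ft"),
                   execution=EXEC_TYPES.get(task.get("e"), "unknown"))
    return rec


def triage(config_text: str) -> dict:
    """Summarise a decrypted config: tasking, download URLs, targeted paths, flags."""
    cfg = json.loads(config_text)
    tasks = [describe_task(t) for t in cfg.get("c", []) if "t" in t]
    return {
        "tasks": tasks,
        "download_urls": [t["url"] for t in tasks if t["opcode"] == 3],
        "targeted_paths": [t["path"] for t in tasks if t["opcode"] in (0, 1, 2)],
        "extension_targets": len(cfg.get("ex", [])),
        "screenshot": flag_set(cfg.get("se")),
        "self_delete": flag_set(cfg.get("ad")),
    }
```

    Running triage(SAMPLE_CONFIG) yields the Opcode 3 URL and the three targeted paths as blockable or huntable artifacts, and flags the screenshot tasking.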

    Host Modifications

    Without any C2 interactions, the LummaC2 malware does not create any files on the infected drive. It simply runs in memory, gathers system information, and exfiltrates it to the C2 server [T1082]. The commands returned from the C2 server could indicate that it drops additional files and/or saves data to files on the local hard drive. This is variable, as these commands come from the C2 server and are mutable.

    Decrypted Strings

    Below is a list of hard-coded decrypted strings located in the binary (see Figure 11).

    Figure 11. Decoded Strings

    Indicators of Compromise

    See Table 6 and Table 7 for LummaC2 IOCs obtained by the FBI and trusted third parties.

    Disclaimer: The authoring agencies recommend organizations investigate and vet these indicators of compromise prior to taking action, such as blocking.

    Table 6. LummaC2 Executable Hashes
    Table 7. LummaC2 DLL Binaries
    DLL Binaries | Type
    iphlpapi.dll | IP Helper API
    winhttp.dll  | Windows HTTP Services

    The following are domains observed deploying LummaC2 malware.

    Disclaimer: The domains below are historical in nature and may not currently be malicious.


    MITRE ATT&CK Tactics and Techniques

    See Table 8 through Table 13 for all referenced threat actor tactics and techniques in this advisory. For assistance with mapping malicious cyber activity to the MITRE ATT&CK framework, see CISA and MITRE ATT&CK’s Best Practices for MITRE ATT&CK Mapping and CISA’s Decider Tool.

    Table 8. Initial Access
    Technique Title | ID | Use
    Phishing | T1566 | Threat actors delivered LummaC2 malware through phishing emails.
    Phishing: Spearphishing Attachment | T1566.001 | Threat actors used spearphishing attachments to deploy LummaC2 malware payloads.
    Phishing: Spearphishing Link | T1566.002 | Threat actors used spearphishing hyperlinks to deploy LummaC2 malware payloads.

    Table 9. Defense Evasion
    Technique Title | ID | Use
    Obfuscated Files or Information | T1027 | Threat actors obfuscated the malware to bypass standard cybersecurity measures designed to flag common phishing attempts or drive-by downloads.
    Masquerading | T1036 | Threat actors delivered LummaC2 malware via spoofed software.
    Deobfuscate/Decode Files or Information | T1140 | Threat actors used LummaC2 malware to decrypt its callback C2 domains.

    Table 10. Discovery
    Technique Title | ID | Use
    Query Registry | T1012 | Threat actors used LummaC2 malware to query the user’s name and computer name utilizing the APIs GetUserNameW and GetComputerNameW.
    Browser Information Discovery | T1217 | Threat actors used LummaC2 malware to steal browser data.

    Table 11. Collection
    Technique Title | ID | Use
    Automated Collection | T1119 | LummaC2 malware has automated collection of various information including cryptocurrency wallet details.

    Table 12. Command and Control
    Technique Title | ID | Use
    Application Layer Protocol: Web Protocols | T1071.001 | Threat actors used LummaC2 malware to attempt POST requests.
    Ingress Tool Transfer | T1105 | Threat actors used LummaC2 malware to transfer a remote file to compromised systems.

    Table 13. Exfiltration
    Technique Title | ID | Use
    Exfiltration | TA0010 | Threat actors used LummaC2 malware to exfiltrate sensitive user information, including traditional credentials, cryptocurrency wallets, browser extensions, and MFA details without immediate detection.
    Native API | T1106 | Threat actors used LummaC2 malware to download files with native OS APIs.

    Mitigations

    The FBI and CISA recommend organizations implement the mitigations below to reduce the risk of compromise by LummaC2 malware. These mitigations align with the Cross-Sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. Visit CISA’s CPGs webpage for more information on the CPGs, including additional recommended baseline protections. These mitigations apply to all critical infrastructure organizations.

    • Separate User and Privileged Accounts: Allow only necessary users and applications access to the registry [CPG 2.E].
    • Monitor and detect suspicious behavior during exploitation [CPG 3.A].
      • Monitor and detect suspicious behavior, creation and termination events, and unusual and unexpected processes running.
      • Monitor API calls that may attempt to retrieve system information.
      • Analyze behavior patterns from process activities to identify anomalies.
      • For more information, visit CISA’s guidance on: Enhanced Visibility and Hardening Guidance for Communications Infrastructure.
    • Implement application controls to manage and control execution of software, including allowlisting remote access programs. Application controls should prevent installation and execution of portable versions of unauthorized remote access and other software. A properly configured application allowlisting solution will block any unlisted application execution. Allowlisting is important because antivirus solutions may fail to detect the execution of malicious portable executables when the files use any combination of compression, encryption, or obfuscation.
    • Protect against threat actor phishing campaigns by implementing CISA’s Phishing Guidance and Phishing-resistant multifactor authentication. [CPG 2.H]
    • Log Collection: Regularly monitoring and reviewing registry changes and access logs can support detection of LummaC2 malware [CPG 2.T].
    • Implement authentication, authorization, and accounting (AAA) systems [M1018] to limit actions users can perform and review logs of user actions to detect unauthorized use and abuse. Apply principles of least privilege to user accounts and groups, allowing only the performance of authorized actions.
    • Audit user accounts and revoke credentials for departing employees, removing those that are inactive or unnecessary on a routine basis [CPG 2.D]. Limit the ability for user accounts to create additional accounts.
    • Keep systems up to date with regular updates, patches, hot fixes, and service packs that may minimize vulnerabilities. Learn more by visiting CISA’s webpage: Secure our World Update Software.
    • Secure network devices to restrict command line access.
    • Use segmentation to prevent access to sensitive systems and information, possibly with the use of Demilitarized Zone (DMZ) or virtual private cloud (VPC) instances to isolate systems [CPG 2.F].
    • Monitor and detect API usage, looking for unusual or malicious behavior.

    Validate Security Controls

    In addition to applying mitigations, the FBI and CISA recommend exercising, testing, and validating your organization’s security program against threat behaviors mapped to the MITRE ATT&CK Matrix for Enterprise framework in this advisory. The FBI and CISA recommend testing your existing security controls inventory to assess performance against the ATT&CK techniques described in this advisory.

    To get started:

    1. Select an ATT&CK technique described in this advisory (see Table 8 through Table 13).
    2. Align your security technologies against the technique.
    3. Test your technologies against the technique.
    4. Analyze your detection and prevention technologies’ performance.
    5. Repeat the process for all security technologies to obtain a set of comprehensive performance data.
    6. Tune your security program, including people, processes, and technologies, based on the data generated by this process.

    The FBI and CISA recommend continually testing your security program, at scale, in a production environment to ensure optimal performance against the MITRE ATT&CK techniques identified in this advisory.

    Reporting

    Your organization has no obligation to respond or provide information to the FBI in response to this joint advisory. If, after reviewing the information provided, your organization decides to provide information to the FBI, reporting must be consistent with applicable state and federal laws.

    The FBI is interested in any information that can be shared, to include the status and scope of infection, estimated loss, date of infection, date detected, initial attack vector, and host- and network-based indicators.

    To report information, please contact the FBI’s Internet Crime Complaint Center (IC3), your local FBI field office, or CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870.

    Disclaimer

    The information in this report is being provided “as is” for informational purposes only. The FBI and CISA do not endorse any commercial entity, product, company, or service, including any entities, products, or services linked within this document. Any reference to specific commercial entities, products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply endorsement, recommendation, or favor by the FBI and CISA.

    Acknowledgements

    ReliaQuest contributed to this advisory.

    Version History

    May 21, 2025: Initial version.

    MIL Security OSI

  • MIL-OSI Russia: China’s Foreign Trade Maintains Steady Growth Despite Tariff Barriers – Chinese Foreign Ministry

    Translation. Region: Russian Federation

    Source: People’s Republic of China in Russian

    Source: People’s Republic of China – State Council News

    BEIJING, May 21 (Xinhua) — China’s foreign trade has maintained steady growth despite high tariff barriers, demonstrating China’s full readiness, ability and confidence to face various risks and challenges, Foreign Ministry spokesperson Mao Ning said Wednesday.

    The diplomat made the statement at a regular briefing, commenting on the impact of external factors such as tariffs on the Chinese economy following a recent UN report that global economic growth could slow to 2.4 percent in 2025 due to escalating trade tensions and political uncertainty.

    As Mao Ning noted, international media called China’s economic performance in the first four months of this year “exceeding expectations” and “resilient.”

    According to her, in the first four months, the total volume of imports and exports of goods increased by 2.4 percent year-on-year, while exports grew by 7.5 percent, which indicates China’s high international competitiveness.

    China continues to expand its opening up, giving foreign businesses more development opportunities and more stable expectations, Mao Ning added.

    “All this demonstrates China’s full readiness, ability and confidence in confronting various risks and challenges,” the official representative of the Chinese Foreign Ministry emphasized. –0–

    MIL OSI Russia News