CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 23, 2026

Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access

Cybersecurity News Archived May 23, 2026 ✓ Full text saved

Russian state-sponsored threat groups significantly stepped up their cyber operations in 2025, using a range of methods to break into targeted systems. From exploiting remote desktop tools and virtual private networks to manipulating trusted supply chains and deceiving employees through social engineering, these actors have built a dangerous and versatile toolkit for gaining initial access. […] The post Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security News Russian Threat Groups Use RDP, VPN, Supply Chain Attacks, and Social Engineering for Initial Access By Tushar Subhra Dutta May 22, 2026 Russian state-sponsored threat groups significantly stepped up their cyber operations in 2025, using a range of methods to break into targeted systems. From exploiting remote desktop tools and virtual private networks to manipulating trusted supply chains and deceiving employees through social engineering, these actors have built a dangerous and versatile toolkit for gaining initial access. The attacks are not random. They are well-planned, persistent campaigns aimed at government bodies, defense organizations, energy infrastructure, and other critical sectors, particularly in Ukraine and across Europe. Threat actors under designations such as UAC-0002 (Sandworm), UAC-0001 (APT28), UAC-0010 (Gamaredon), and UAC-0190 (Void Blizzard) have each played an active role throughout the year. Analysts from the National Security and Defense Council of Ukraine said in a report shared with Cyber Security News (CSN) that they identified that in 2025, the volume and complexity of these attacks grew considerably, with CERT-UA recording approximately 5,927 cyber incidents, a 37.4% rise compared to 2024. The report confirms that RDP exploitation, VPN vulnerabilities, and phishing through platforms like Signal, WhatsApp, and Telegram are among the most common methods used to gain a foothold inside targeted networks. The consequences of these breaches extend beyond data theft. Several intrusions led to the deployment of destructive wiper malware, ransomware, and long-running espionage tools designed to silently collect and exfiltrate sensitive information. The scale of this activity signals that these groups operate not just as cybercriminals but as instruments of a broader geopolitical strategy. In at least one case, attackers used stolen credentials purchased from access brokers on darknet forums to move directly into targeted environments. This approach cuts the time between initial access and active exploitation, bypassing traditional phishing entirely. RDP, VPN, and Supply Chain as Entry Points Remote Desktop Protocol remains one of the most abused entry vectors in 2025. Groups including UAC-0238 exploited exposed RDP services to push ransomware variants such as X2anylock, Warlock, and LockBit 3.0 into compromised environments. VPN appliances were targeted through vulnerabilities including CVE-2025-20333 and CVE-2025-20362, giving attackers a direct tunnel into internal networks. Supply chain intrusions added another serious layer of risk. Actors targeted software update mechanisms, third-party tools, and IT service providers to plant backdoors where scrutiny is typically lower. Once inside, groups deployed malware families like Remcos RAT, DarkCrystal RAT, XWorm, and Lumma Stealer to maintain persistent access. Vulnerabilities in widely used platforms were also exploited, including flaws in Roundcube (CVE-2024-42009, CVE-2025-49113), Fortinet appliances (CVE-2024-55591, CVE-2024-21762), and archiving tools like WinRAR and 7-Zip. Older Microsoft Office flaws (CVE-2017-11882, CVE-2017-0199) that remain unpatched in many organizations were also leveraged, proving legacy vulnerabilities still carry very real consequences. Payloads arrived through file types including SVG, PNG, LNK, JS, and HTA files, often hosted on legitimate services like Dropbox, Google Drive, and Cloudflare Tunnels to bypass network defenses. Living off the Land techniques using built-in tools such as PowerShell, certutil, mshta.exe, and rundll32 helped attackers blend into normal system activity and evade detection. Social Engineering and Phishing Campaigns Social engineering remained one of the most reliable methods Russian threat groups used to break in during 2025. Phishing lures were sent through email platforms including Microsoft O365, Roundcube, and Zimbra, as well as messaging apps like Signal, WhatsApp, and Telegram. Techniques such as ClickFix, fake CAPTCHA prompts, and PowerShell-based execution tricks helped attackers deliver malware without triggering immediate alerts. OAuth phishing, Device Code phishing targeting Microsoft Teams, and App-Specific Password phishing against Google accounts were observed targeting over a thousand individuals. QR-code session hijacking through a method called GhostPairing was also deployed, and fake Android APK files spread outside Google Play to infect devices with tools including CamelSpy. To counter these threats, organizations are advised to enforce multi-factor authentication, adopt Zero Trust architecture, and use Protective DNS to block malicious domains. Patch management across both new and legacy vulnerabilities is essential, and staff should receive regular training to spot social engineering attempts. Security teams should restrict RDP access and monitor for unusual use of built-in system tools that attackers frequently repurpose. Indicators of Compromise (IoCs):- Type Indicator Description CVE CVE-2025-20333 Cisco ASA/AnyConnect VPN vulnerability used for initial access CVE CVE-2025-20362 Cisco ASA/AnyConnect VPN vulnerability used for initial access CVE CVE-2024-42009 Roundcube webmail vulnerability exploited by Russian APT groups CVE CVE-2024-37383 Roundcube webmail vulnerability exploited in campaigns CVE CVE-2025-49113 Roundcube webmail vulnerability used in 2025 campaigns CVE CVE-2025-48700 Roundcube webmail vulnerability exploited in 2025 CVE CVE-2024-55591 Fortinet appliance vulnerability exploited for initial access CVE CVE-2024-21762 Fortinet appliance vulnerability exploited for initial access CVE CVE-2025-24472 Fortinet appliance vulnerability exploited for initial access CVE CVE-2017-11882 Legacy Microsoft Office flaw still actively exploited CVE CVE-2017-0199 Legacy Microsoft Office flaw still actively exploited CVE CVE-2025-6218 WinRAR vulnerability used by Gamaredon/Sandworm/RomCom CVE CVE-2025-8088 WinRAR vulnerability used by UAC-0180 (RomCom) CVE CVE-2025-0411 7-Zip vulnerability exploited by UAC-0006 CVE CVE-2024-38213 Exploited by Sandworm (UAC-0212) CVE CVE-2025-43300 Apple iOS/macOS vulnerability CVE CVE-2025-49844 Redis vulnerability (1010 instances targeted) CVE CVE-2025-49090 Matrix platform vulnerability CVE CVE-2025-54315 Matrix platform vulnerability Malware Remcos RAT Remote access trojan used for persistent access Malware DarkCrystal RAT Remote access trojan deployed post-compromise Malware XWorm Malware used in multiple Russian-linked campaigns Malware Lumma Stealer Credential and data stealer deployed by multiple groups Malware LameHug Malware used by UAC-0001 (APT28) Malware HomeSteel Data exfiltration tool targeting Ukrainian organizations Malware WreckSteel Destructive/exfiltration malware in 2025 campaigns Malware FileMess Malware used in Ukrainian-targeted campaigns Malware GiftedCrook Stealer targeting VPN credentials and Telegram data Malware CamelSpy Android spyware distributed via fake APKs Malware ZEROLOT Wiper malware linked to Sandworm Malware PathWiper Wiper malware targeting Ukrainian organizations Malware Sting Malware deployed by Sandworm in 2025 Malware Snake Keylogger Keylogger deployed in phishing-based campaigns Malware PicassoLoader Loader used by UAC-0057 (Ghostwriter) Malware SmokeLoader Loader malware used in multiple campaigns Malware NetSupport RAT Legitimate RMM tool abused as malware Malware Pterodo Backdoor associated with UAC-0010 (Gamaredon) Malware AgentTesla Credential-stealing malware used in phishing campaigns Malware FormBook Infostealer deployed via phishing Malware Rhadamanthys Stealer malware distributed in 2025 campaigns Malware RedLine Credential stealer observed in 2025 campaigns Malware LokiBot Infostealer deployed via legacy Office exploit chains Malware X2anylock Ransomware variant pushed via RDP exploitation Malware Warlock Ransomware variant used by UAC-0238 Technique GhostPairing QR-code based account hijacking technique Technique ClickFix Social engineering trick used to execute malicious scripts Technique Device Code Phishing OAuth/device code abuse targeting Microsoft 365 Tool Cloudflare Tunnels Abused for C2 communication and payload hosting Tool Telegram Used as C2 channel by UAC-0010 and others Tool Telegraph Used for IP-based C2 routing by UAC-0010 Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Tushar Subhra Dutta Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics. Trending News Linus Torvalds Says AI Bug Reports Have Made Linux Security Mailing List Unmanageable Android Malware Silently Subscribes Victims to Premium Services Without Consent Hackers Use Fake Income Tax Assessment Pages to Infect Windows Systems Grafana GitHub Breach Linked to TanStack npm Supply Chain Ransomware Android 16 VPN Bypass Lets Malicious Apps Reveal Users Real IP Address Latest News Cyber Security News Hackers Use Six-Layer Persistence to Maintain Access on Compromised FreePBX Systems Cyber Security News Hackers Use NF-e Invoice Lures to Deliver Banana RAT Through Malicious Batch Files Cyber Security News Ubiquiti Patches Critical UniFi OS Vulnerabilities Allowing Remote Privilege Escalation Cyber Security LiteSpeed cPanel Plugin 0-Day Exploited in the wild to Gain Server Root Access Cyber Security News CISA adds Langflow Origin Validation Flaw to Known Exploited Vulnerabilities Catalog
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 23, 2026
    Archived
    May 23, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗