Russian Phishing Uses Fake CIA Sites to Target Anti-war, Ukraine Supporters

Silent Push uncovers an alleged Russian intelligence phishing campaign impersonating the CIA, targeting Ukraine supporters, anti-war activists and informants.

Cybersecurity researchers at Silent Push have found a sophisticated and extensive phishing operation, allegedly launched by Russian intelligence services or a similarly motivated entity, targeting people who support Ukraine and oppose the Russian government.

The campaign, which surfaced in early 2025, employed fake website lures to collect personal information from Russian citizens and informants. This was a particularly sensitive endeavour given the illegality of anti-war activities inside the Russian Federation.

The phishing sites collected user input using a mixture of static HTML and JavaScript. Data exfiltration was usually performed via simple POST requests to threat-actor-controlled servers or via the abuse of Google Forms.

Researchers identified four distinct phishing clusters, each impersonating a prominent organisation: the US Central Intelligence Agency (CIA), the Russian Volunteer Corps (RVC), Legion Liberty, and Hochuzhit, an appeals hotline for Russian service members operated by Ukrainian intelligence.

Despite their various impersonations, these clusters share a common goal: the illicit collection of personal data. As noted by the legitimate Liberty of Russia Legion in a March 14, 2024, X post, “We remind you that the only official Telegram channel of the Legion is listed on our website: hxxps://legionlibertyarmy. Don’t be fooled by fakes. Don’t fall into the traps of the security forces of the Putin regime!”

The threat actors used a bulletproof hosting provider, Nybula LLC (ASN 401116), to host phishing pages designed to mimic the official websites of these organisations. This tactic, together with the use of Google Forms and website forms to collect data, reveals a sophisticated attempt to deceive and extract sensitive information from unsuspecting victims.

Infrastructure analysis of the campaign revealed interconnectedness across the four clusters, with shared technical details such as the WHOIS organisation name “Semen Gerda,” similar metadata, and common registration through the NiceNIC registrar.

The phishing pages employed various tactics to lure victims. For instance, the rusvolcorpsnet domain lured users with a “Join Here” button, leading to a Google Form requesting detailed personal information. Similarly, the legionlibertytop domain used a blue “Join” button to direct users to a legitimate Google Form, while a green button led to a form controlled by the threat actors.

CIA impersonation involved the creation of domains like ciagovicu and jagotovoffcom, which featured suspicious web forms and embedded illegitimate .onion links. The threat actors even manipulated YouTube content, replacing official CIA links with their phishing domains.

Conversely, the Hochuzhit cluster, targeting Russian service members seeking to surrender, used domains like hochuzhitlifecom and hochuzhitlife. Silent Push Threat Analysts, in collaboration with security researcher Artem Tamoian, uncovered additional domains and infrastructure, including legionllbertyarmy, which was hosted on Cloudflare.
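The two defensive pivots described above, spotting lookalike labels such as legionllbertyarmy against the real legionlibertyarmy and grouping hits by the shared WHOIS registrant, can be scripted. The following is an added example written for this article, not Silent Push code; the brand cores come from the report, while the `.example` domains, the allow-list entry and the WHOIS records are constructed sample data.

```python
from collections import defaultdict

# Name cores of the legitimate organisations impersonated in the campaign (from the report).
BRAND_CORES = ("legionliberty", "rusvolcorps", "hochuzhit")

# Domains the real organisations own. The article gives the legitimate site only as
# "hxxps://legionlibertyarmy" without its TLD, so this entry is a constructed placeholder.
ALLOWLIST = {"legionlibertyarmy.example"}

# Characters attackers substitute for visually similar ones; both sides are folded to one
# canonical form so "legionllberty" and "legionliberty" compare as equal.
HOMOGLYPHS = str.maketrans({"l": "i", "1": "i", "0": "o", "5": "s"})

def normalize(label: str) -> str:
    return label.lower().translate(HOMOGLYPHS).replace("rn", "m")

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute), single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, max_distance: int = 2) -> bool:
    """True when the leftmost label, after homoglyph folding, contains a brand core or sits
    within max_distance edits of one, and the domain is not a known legitimate site."""
    domain = domain.lower().rstrip(".")
    if domain in ALLOWLIST:
        return False
    label = normalize(domain.split(".")[0])
    for core in BRAND_CORES:
        folded = normalize(core)
        if folded in label or levenshtein(label, folded) <= max_distance:
            return True
    return False

def cluster_by_registrant(records: list[dict]) -> dict:
    """Group lookalike domains by (registrant org, registrar), the pivot used in the report."""
    clusters = defaultdict(list)
    for rec in records:
        if is_lookalike(rec["domain"]):
            clusters[(rec["org"], rec["registrar"])].append(rec["domain"])
    return dict(clusters)

# Constructed sample WHOIS records; the .example TLD marks them as synthetic.
SAMPLE_WHOIS = [
    {"domain": "legionllbertyarmy.example", "org": "Semen Gerda", "registrar": "NiceNIC"},
    {"domain": "rusvolcorps.example", "org": "Semen Gerda", "registrar": "NiceNIC"},
    {"domain": "hochuzhitlife.example", "org": "Semen Gerda", "registrar": "NiceNIC"},
    {"domain": "legionlibertyarmy.example", "org": "Legion", "registrar": "Other"},
    {"domain": "unrelatedshop.example", "org": "Shop Ltd", "registrar": "Other"},
]
```

Running `cluster_by_registrant(SAMPLE_WHOIS)` groups the three lookalikes under the shared registrant while the allow-listed and unrelated domains are left out; in practice the records would come from a WHOIS or passive-DNS feed.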

Silent Push’s attribution to Russian intelligence agencies is based on several factors, including the campaign’s focus on targets of strategic interest to the Russian government, the observed TTPs that align with known Russian state-sponsored actor behaviour, and the persistent impersonation of the CIA for intelligence-gathering purposes.

Researchers concluded that all domains associated with this Russian intelligence agency campaign pose significant privacy and security risks, highlighting the importance of caution and stronger cybersecurity measures.