Staying Ahead: Kaspersky Identifies Surge in Anti-Russian Hacker Groups
A new Kaspersky Cyber Threat Intelligence report uncovers 14 hacker groups that have intensified attacks on Russian organizations since 2022, marking a shift toward systemic, politically motivated cyber aggression.

The Kaspersky Cyber Threat Intelligence team has released an extensive technical analysis of 14 hacker groups that most actively target Russian organizations. Since 2022, hackers openly declaring their anti-Russian stance have stepped up activity in the country’s cyberspace. For the first time, this study provides a comprehensive review of these groups’ tactics, techniques, and procedures (TTPs), confirming the existence of links between them.
Systemic Nature of Threats
Kaspersky’s analysis categorizes the attackers into three clusters:
- Hacktivists (ideologically driven, infrastructure sabotage): TWELVE, BlackJack, Head Mare, C.A.S, Crypt Ghouls.
- APT groups (cyber espionage): Awaken Likho, Angry Likho, GOFFEE, Cloud Atlas, Librarian Likho, Mythic Likho, XDSpy.
- Hybrid actors (unique TTPs): BO TEAM, Cyberpartisans.
The groups share infrastructure, tools, and even roles — some provide initial access, others persistence and damage delivery. Since 2022, Russia has become the most targeted country, with hacktivist groups multiplying. Their operations are increasingly systemic: at least seven new groups appeared in 2025. Top targets include the public sector, industry, and telecommunications. Attackers are weaponizing Red Team tools, repurposing them for live operations.

Boosting Defensive Maturity
The release of Kaspersky’s detailed threat intelligence report contributes directly to national cybersecurity readiness. Such comprehensive TTP analysis holds export potential, as international specialists and agencies are eager for insights into hacker and hybrid threats.
The report is expected to accelerate the maturity of reactive cybersecurity solutions. Expanding offensive toolkits force the industry to develop proactive and adaptive defenses — XDR, SOC, threat intelligence sharing, and AI-driven detection. At the same time, adversaries also study open sources and professional research, adapting them for malicious use. This dynamic compels defenders to double their efforts.
Unprecedented Hacker Activity
In May 2024, Russian government agencies faced a sophisticated cyberattack dubbed CloudSorcerer. This espionage tool leveraged cloud services like Microsoft Graph, Yandex Cloud, and Dropbox as command servers for covert data exfiltration. GitHub was also used as an initial command-and-control hub.
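The pattern described above, legitimate cloud APIs used as command-and-control and exfiltration relays, is hard to block outright because the same domains carry normal business traffic. The following is an added example (not code from the Kaspersky report or from any CloudSorcerer analysis) of a defender-side heuristic that scores internal hosts from proxy logs on three signals: contact with several cloud API domains, beacon-like regularity of connection timing, and upload volume. The watch-list domains, the thresholds, the log format and the log lines themselves are constructed assumptions for illustration.

```python
"""Proxy-log heuristic for C2 / exfiltration over legitimate cloud APIs.

Added example, not from the Kaspersky report.  Scores each internal host by
how many public cloud API domains it uploads to, how regular its connection
timing is, and how much it sends.  Domains, thresholds and the sample log
are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed watch-list of cloud API endpoints of the kind the report names
# (Microsoft Graph, Yandex Cloud, Dropbox, GitHub).  Hostnames are assumptions.
CLOUD_API_DOMAINS = {
    "graph.microsoft.com",
    "cloud-api.yandex.net",
    "api.dropboxapi.com",
    "content.dropboxapi.com",
    "api.github.com",
}

# Constructed proxy log, one record per line:
# "<ISO timestamp> <src_host> <dest_host> <bytes_out>"
SAMPLE_LOG = """\
2024-05-02T09:00:00 ws-finance-07 graph.microsoft.com 51200
2024-05-02T09:05:01 ws-finance-07 api.dropboxapi.com 49800
2024-05-02T09:10:00 ws-finance-07 api.github.com 500
2024-05-02T09:15:02 ws-finance-07 content.dropboxapi.com 52000
2024-05-02T09:20:00 ws-finance-07 graph.microsoft.com 50100
2024-05-02T09:03:11 ws-hr-02 graph.microsoft.com 1200
2024-05-02T11:47:03 ws-hr-02 graph.microsoft.com 900
2024-05-02T10:00:00 ws-dev-11 api.github.com 300
2024-05-02T10:00:45 ws-dev-11 api.github.com 4100
2024-05-02T10:31:20 ws-dev-11 api.github.com 250
"""


def parse_log(text):
    """Yield (timestamp, src_host, dest_host, bytes_out), skipping blank lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)


def interval_regularity(timestamps):
    """Coefficient of variation of the gaps between connections.

    A value near 0 means evenly spaced (beacon-like) traffic.  Returns None
    when fewer than three connections exist, since two points give one gap.
    """
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    avg = mean(gaps)
    return pstdev(gaps) / avg if avg else 0.0


def score_hosts(text, min_domains=2, max_cv=0.1, min_upload=100_000):
    """Return per-host findings; a host is flagged when two or more signals fire."""
    per_host = defaultdict(lambda: {"domains": set(), "times": [], "bytes": 0})
    for ts, src, dst, nbytes in parse_log(text):
        if dst not in CLOUD_API_DOMAINS:
            continue  # only traffic to the watch-listed cloud APIs is scored
        rec = per_host[src]
        rec["domains"].add(dst)
        rec["times"].append(ts)
        rec["bytes"] += nbytes

    results = {}
    for host, rec in per_host.items():
        cv = interval_regularity(rec["times"])
        reasons = []
        if len(rec["domains"]) >= min_domains:
            reasons.append("multiple cloud APIs")
        if cv is not None and cv <= max_cv:
            reasons.append("regular beacon interval")
        if rec["bytes"] >= min_upload:
            reasons.append("large upload volume")
        results[host] = {
            "domains": sorted(rec["domains"]),
            "cv": cv,
            "bytes": rec["bytes"],
            "reasons": reasons,
            "suspicious": len(reasons) >= 2,
        }
    return results


if __name__ == "__main__":
    for host, finding in score_hosts(SAMPLE_LOG).items():
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{host:14} {flag:10} {finding['bytes']:>7} B  {', '.join(finding['reasons'])}")
```

In the constructed log, ws-finance-07 contacts four cloud APIs at five-minute intervals and pushes roughly 200 KB, so all three signals fire; ws-hr-02 and ws-dev-11 show ordinary, irregular use of a single service and are left alone. Requiring two independent signals keeps a single developer's GitHub session or a busy Outlook client from tripping the rule; in production the thresholds would be tuned against a baseline of each host's normal cloud usage.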

By October 2024, Kaspersky tracked APT campaigns against government structures and industry. Unlike the first attack wave in 2021, the latest campaigns deployed a MeshCentral agent instead of UltraVNC, enabling more resilient remote access to systems.
In early 2025, the Russian-speaking ransomware group OldGremlin resurfaced, using drivers and Node.js in attacks on manufacturing, healthcare, and technology firms. First identified five years ago, OldGremlin employs advanced TTPs and can remain undetected in victim networks for an average of 49 days before encrypting files.
Deep Analysis Trend
Cyber threats are becoming more fragmented yet networked. Groups show increasing collaboration and syndication. Hacker activity is expected to intensify further amid geopolitical tensions, placing constant pressure on Russian cybersecurity infrastructure.

Adversaries are expanding their arsenals. Red Team-grade tools are entering mainstream use, raising the technical bar to global APT standards. Going forward, specialized research and detailed reports will be essential. Kaspersky’s work sets a strong precedent, underscoring the need for deeper analysis and integrated solutions — SOC, XDR, and threat intelligence. As attackers adapt quickly, defenders must stay ahead of the curve.