Unidentified Hacker Group Targets Russian Maritime Universities, Diplomatic Missions for Nearly Two Years
A previously unknown hacking group has been quietly targeting Russian maritime universities, energy facilities, diplomatic missions, and government agencies for nearly two years, researchers at Kaspersky revealed.

A previously unknown hacking group has spent nearly two years quietly targeting Russian maritime universities, energy facilities, diplomatic missions, and government agencies, Kaspersky researchers disclosed. The campaign, which dates back to at least 2024, remained undetected for long periods due to the operators' careful operational security — including extended dormant phases that helped conceal their activities.
Kaspersky reported that the hackers would sometimes go silent for three to four months before launching bursts of activity that included up to 10 attacks in a single month. The company did not describe what post-compromise actions were observed after these intrusions, leaving the ultimate motive — espionage, sabotage, or both — unclear.
The group's latest wave of compromises, which began in January 2026, relied on a recently released penetration-testing framework called Ravage. Published on GitHub in September 2025, Ravage allows operators to upload, download, copy, and delete files, execute commands, launch processes, and capture screenshots from compromised systems. Its use suggests the threat actors are leveraging open-source tooling to reduce development overhead and complicate attribution.
More than half of the attacks observed over the past year targeted educational institutions, particularly maritime universities and schools that train personnel for Russia's shipping, inland waterway, and fishing industries, according to Kaspersky. The concentration on institutions that train the maritime workforce suggests a specific interest in that sector, though Kaspersky did not say whether the aim was espionage or disruption.
The hackers also targeted organizations in the energy sector, diplomatic missions, government agencies, and financial institutions. Kaspersky did not disclose how many organizations were affected in total.
The attacks began with phishing emails containing ZIP archives. Each archive included a malicious file disguised as a legitimate Microsoft Excel configuration file. When opened, the file launched Excel and triggered the execution of malicious code, the researchers said.
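The delivery chain described above (a ZIP attachment, a file dressed up as an Excel file, Excel launched on open) is the point at which a mail gateway can intervene. The Python below is an added example, not Kaspersky's detection logic or anything from the report; Kaspersky does not name the exact Excel file type used, so this check flags both Excel-associated types that execute code or fetch remote content as soon as they are opened and members whose extension claims Excel but whose leading bytes disagree. The sample archive, its file names and the extension-to-signature table are constructed for the example.

```python
"""Gateway-side check for ZIP mail attachments carrying Excel-looking files.

Added example; not Kaspersky's code. Assumption: the lure is an Excel-associated
file inside a ZIP. The report does not name the file type, so this flags
(a) Excel types that run code or pull remote content on open and
(b) files whose extension says "Excel" but whose first bytes do not.
"""
import io
import os
import zipfile

# Container signatures of genuine Excel formats (assumed mapping for this example).
OLE_CFB = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary workbook/add-in/template
OOXML = b"PK\x03\x04"                           # Office Open XML (itself a ZIP)
PE_MZ = b"MZ"                                   # .xll add-ins are native DLLs

EXPECTED_MAGIC = {
    ".xls": OLE_CFB, ".xla": OLE_CFB, ".xlt": OLE_CFB,
    ".xlsx": OOXML, ".xlsm": OOXML, ".xlam": OOXML, ".xltx": OOXML, ".xltm": OOXML,
    ".xll": PE_MZ,
}

# Excel types that execute code or fetch remote content as soon as they are opened.
ACTIVE_CONTENT = {".xll", ".xla", ".xlam", ".xlsm", ".xltm", ".iqy", ".slk"}


def classify_entry(name: str, head: bytes) -> list[str]:
    """Return the reasons to flag one archive member, given its name and first bytes."""
    reasons = []
    lowered = name.lower()
    stem, ext = os.path.splitext(lowered)
    if ext in ACTIVE_CONTENT:
        reasons.append(f"excel-active-content:{ext}")
    expected = EXPECTED_MAGIC.get(ext)
    if expected is not None and not head.startswith(expected):
        reasons.append(f"magic-mismatch:{ext}")
    # A decoy Excel extension hidden in front of the real one, e.g. "config.xlsx.xlam".
    if os.path.splitext(stem)[1] in EXPECTED_MAGIC:
        reasons.append("double-extension")
    return reasons


def scan_zip_attachment(data: bytes) -> dict[str, list[str]]:
    """Open a ZIP attachment in memory and map each suspicious member to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(8)   # only the signature bytes are needed
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip() -> bytes:
    """Constructed test archive: one benign workbook and three lures (not real samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("invoice.xlsx", OOXML + b"\x00" * 64)        # looks like a real OOXML file
        zf.writestr("settings.xll", PE_MZ + b"\x90" * 64)        # native add-in: runs on open
        zf.writestr("report.xls", b"#!/bin/sh\necho lure\n")     # claims .xls, is not OLE
        zf.writestr("schedule.xlsx.xlam", OOXML + b"\x00" * 64)  # decoy extension before real one
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip_attachment(build_sample_zip()).items():
        print(member, "->", ", ".join(reasons))
```

Reading only the first eight bytes keeps the check cheap enough to run on every attachment; the active-content list should be maintained alongside whatever Excel features are actually permitted in the environment, since blocking `.xll` and `.xlam` outright is the simpler control where add-ins are not needed.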
"By tracking the threat actors' recent activities, we uncovered previously undetected attacks that began nearly two years ago, suggesting the existence of an established group whose operations were carefully concealed," Kaspersky stated. The cybersecurity company did not attribute the campaign to any known group or suggest its motive or nation of origin.
The discovery underscores the persistent risk to critical national infrastructure sectors from stealthy, long-duration cyber campaigns. Russia, which has been a target of sustained cyber operations by Ukrainian and NATO-aligned groups since the 2022 invasion, is also a victim of increasingly sophisticated espionage efforts — this time from an actor that remains unidentified even by one of the country's premier cybersecurity firms.