Russian State-Backed Campaign Exploits Network Edge Weaknesses to Target Critical Infrastructure
Amazon’s threat intelligence team has revealed a long-running Russian state-sponsored cyber campaign that targeted Western critical infrastructure from 2021 through 2025, with a strong focus on the energy sector. The activity is attributed with high confidence to the GRU-linked group known as APT44, also tracked under several other names, and reflects a notable shift in how these operations gained access to victim environments. Instead of relying heavily on zero-day exploits, the attackers increasingly focused on poorly secured network edge devices with exposed management interfaces. This approach allowed them to quietly position themselves at the perimeter of victim networks, where they could observe traffic and collect credentials over extended periods. Targets included energy providers, telecoms, cloud service organizations, and third-party suppliers that support critical infrastructure across North America, Europe, and parts of the Middle East. Amazon’s telemetry also confirmed that many of these compromised devices were hosted in cloud environments, enabling attackers to maintain persistent access without directly breaching cloud platforms themselves.
Once access was established, the attackers used native packet-capture capabilities on compromised edge devices to capture credentials in transit and later attempted to reuse them against victim organizations’ online services. While many credential replay attempts were unsuccessful, the consistent pattern strongly suggests a deliberate strategy focused on long-term access and lateral movement rather than immediate disruption. The campaign evolved over time, combining older vulnerability exploitation with sustained targeting of misconfigured systems, and may involve multiple coordinated subgroups operating within a broader GRU effort.
Amazon disrupted active operations, notified affected customers, and shared intelligence with partners, but the activity highlights systemic risk tied to overlooked network infrastructure. Organizations should urgently review and secure all network edge devices, restrict and monitor management access, and watch closely for unusual authentication activity across cloud and online services. Strengthening configuration hygiene, enforcing strong authentication, and improving visibility into credential misuse are critical steps to reduce exposure to this type of persistent, low-noise threat.
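The guidance above to watch for unusual authentication activity maps directly to the credential-replay pattern the report describes: one source trying harvested credentials against many accounts in a short span. The following is an added illustrative example, not code from Amazon's report, that scans constructed authentication log lines (format and thresholds are assumptions to tune per environment) and flags source IPs that touch several distinct accounts inside a sliding time window, listing any accounts where the replay succeeded so responders know which credentials to rotate first.

```python
"""Flag credential-replay style activity in authentication logs.

Added illustrative example (not from Amazon's report). Constructed log lines
use a simple "timestamp,source_ip,username,result" format and are scanned for
a single source IP that attempts logins against many distinct accounts inside
a short window. Window and account thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one external address replays harvested credentials
# against several accounts within a minute; one normal user logs in elsewhere;
# one late attempt from the same address falls outside the window.
SAMPLE_LOG = """\
2025-03-04T09:00:01Z,203.0.113.7,alice,FAIL
2025-03-04T09:00:09Z,203.0.113.7,bob,FAIL
2025-03-04T09:00:15Z,203.0.113.7,carol,FAIL
2025-03-04T09:00:31Z,203.0.113.7,dave,SUCCESS
2025-03-04T09:01:02Z,203.0.113.7,erin,FAIL
2025-03-04T09:05:00Z,198.51.100.4,alice,SUCCESS
2025-03-04T11:30:00Z,203.0.113.7,frank,FAIL
"""


def parse_events(text):
    """Parse log text into (timestamp, source_ip, username, result) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result))
    events.sort(key=lambda e: e[0])
    return events


def find_replay_sources(text, window=timedelta(minutes=10), min_accounts=4):
    """Return {source_ip: {"accounts": [...], "successes": [...]}} for every source
    that attempted logins against at least `min_accounts` distinct usernames
    within any span of length `window`."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in parse_events(text):
        by_ip[ip].append((ts, user, result))

    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_accounts:
                alerts[ip] = {
                    "accounts": sorted(users),
                    # Successful replays identify credentials that must be rotated.
                    "successes": sorted(u for _, u, r in span if r == "SUCCESS"),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in find_replay_sources(SAMPLE_LOG).items():
        print(f"{ip}: {len(info['accounts'])} accounts tried, "
              f"succeeded for {info['successes'] or 'none'}")
```

The sliding window matters: a source that touches many accounts over a whole day is ordinary shared infrastructure, whereas the same count inside a few minutes is the replay signature. Successful logins inside such a burst should be treated as compromised credentials even when the rest of the attempts failed.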
AI Accelerates Ransomware Operations Without Changing the Core Playbook
SentinelLABS’ assessment finds that large language models are not fundamentally changing how ransomware works, but they are making threat actors faster, more efficient, and more scalable. The most visible impact is operational acceleration, where tasks that once required time, language expertise, or specialized skills can now be handled quickly through AI-assisted workflows. This shift is lowering the barrier to entry, allowing less-skilled actors to assemble ransomware and extortion operations by breaking malicious objectives into seemingly harmless prompts. At the same time, the ransomware ecosystem is fragmenting, with smaller, short-lived groups replacing large, well-known cartels, making attribution more difficult. Another notable trend is the growing overlap between state-aligned operations and criminal extortion, with ransomware increasingly used as cover rather than a purely financial activity. Overall, AI is amplifying existing tactics rather than introducing entirely new ones, increasing the speed, volume, and global reach of attacks.
Operationally, attackers are repurposing the same AI workflows used by legitimate businesses to improve reconnaissance, data analysis, social engineering, and negotiation. LLMs enable threat actors to quickly identify sensitive data across multiple languages, generate convincing, localized phishing or extortion communications, and automate portions of the victim engagement process. More advanced groups are moving toward self-hosted, open-source AI models to avoid monitoring, restrictions, and visibility associated with commercial providers. Researchers have already observed AI-assisted extortion campaigns, early malware that embeds AI-generated code, and stealers that abuse AI tools installed on victim systems to enhance data discovery. Looking ahead, SentinelLABS expects more automated negotiation, increased use of local AI models, and services designed to bypass provider safeguards through prompt routing and aggregation.
Organizations should plan for a faster and noisier ransomware environment by strengthening detection of early-stage activity, improving visibility into data theft and extortion workflows, and preparing response teams for attacks that move more quickly and operate across multiple languages and regions.
SantaStealer Emerges as a Stealer-as-a-Service Threat Ahead of 2025 Release
Rapid7 Labs uncovered SantaStealer, a new malware-as-a-service infostealer being marketed through Telegram and underground forums, and expected to launch before the end of 2025 after rebranding from BluelineStealer. The malware is built to steal a wide range of data, including documents, saved credentials, browser data, and cryptocurrency wallet information, while aiming to keep most activity in memory to reduce file-based detection. Rapid7 first spotted it in early December 2025 after a Windows sample triggered generic infostealer detections commonly associated with the Raccoon family. Deeper analysis revealed a 64-bit payload with hundreds of exported function names and many readable strings that plainly describe its capabilities. SantaStealer uses a modular, multi-threaded design with 14 distinct modules that collect data from multiple applications, capture screenshots, and exfiltrate system details. Stolen data is bundled into a ZIP archive, split into 10 MB chunks, and sent to command-and-control infrastructure over plain HTTP, which is risky for operators but still effective for rapid theft. Although the sellers claim the malware is fully undetected and protected by a custom polymorphic engine, the leaked development builds reveal weak operational security and minimal obfuscation, making current samples easier to analyze and track.
From a defender's perspective, the most concerning capability is its focus on browser credential theft, including methods intended to bypass Chrome’s App-Bound Encryption by embedding an auxiliary component that hijacks browser processes to access protected secrets. Rapid7 observed that anti-analysis features vary across samples, indicating active development, with checks for analysis environments, suspicious host traits, blocked processes, and debugger timing tactics.
The malware also includes optional logic to avoid CIS targets by detecting Russian keyboard layouts and terminating, a common sign of operators catering to Russian-speaking markets and trying to reduce local risk. Its business model is structured around an affiliate panel with configurable builds, monthly pricing tiers, and campaign-tracking features, which lowers the friction for criminals to deploy it at scale. Even though the exposed strings and embedded configuration currently make detection easier, those weaknesses often disappear as products mature and operators start encrypting configs, stripping symbols, and tightening delivery tradecraft. Organizations should prioritize blocking common initial infection paths, strengthening endpoint visibility for infostealer behaviors, monitoring outbound HTTP exfiltration patterns, and training users to avoid executing untrusted installers, fake verification prompts, and “support” instructions that pressure them into running unknown code.
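The recommendation to monitor outbound HTTP exfiltration patterns can be made concrete: a stealer that splits a ZIP into fixed-size 10 MB pieces and posts them over plain HTTP leaves a run of same-sized POST bodies to one host in quick succession. The following is an added illustrative example, not Rapid7's own detection content, that scans constructed web-proxy log lines (the line format, the 10 MB chunk size as modelled here, and all thresholds are assumptions) for exactly that shape; it restricts itself to unencrypted HTTP by default, since a legitimate HTTPS backup client produces the same size signature.

```python
"""Spot fixed-size chunked uploads over plain HTTP in web-proxy logs.

Added illustrative example, not from Rapid7's report. Constructed proxy lines
use the format "timestamp client_ip method scheme host bytes_sent". The
detection groups POSTs by (client, scheme, host), takes the most common body
size as the candidate chunk size, and alerts when enough near-identical chunks
arrive inside a short window. Thresholds are assumptions to tune locally.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

MB = 1024 * 1024

# Constructed sample: an endpoint pushes three 10 MB chunks plus a smaller
# remainder to a bare IP over HTTP; a second host runs an HTTPS backup job
# that has the same size pattern but is excluded by the plain-HTTP filter.
SAMPLE_PROXY = """\
2025-12-03T14:02:10Z 10.0.0.23 POST http 203.0.113.50 10485760
2025-12-03T14:02:14Z 10.0.0.23 POST http 203.0.113.50 10485760
2025-12-03T14:02:19Z 10.0.0.23 POST http 203.0.113.50 10485760
2025-12-03T14:02:23Z 10.0.0.23 POST http 203.0.113.50 3145728
2025-12-03T14:02:30Z 10.0.0.23 GET https www.example.com 0
2025-12-03T14:05:00Z 10.0.0.41 POST https backup.example.net 10485760
2025-12-03T14:05:03Z 10.0.0.41 POST https backup.example.net 10485760
2025-12-03T14:05:07Z 10.0.0.41 POST https backup.example.net 10485760
2025-12-03T14:05:10Z 10.0.0.41 POST https backup.example.net 10485760
"""


def parse_proxy(text):
    """Parse proxy text into (timestamp, client, method, scheme, host, bytes) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, scheme, host, size = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       client, method, scheme, host, int(size)))
    return events


def find_chunked_uploads(text, window=timedelta(minutes=5), min_chunks=3,
                         min_chunk_bytes=MB, tolerance=0.05, plain_http_only=True):
    """Return a list of alert dicts, one per (client, host) that sent at least
    `min_chunks` POST bodies of near-identical size (within `tolerance`)
    inside `window`. Bodies smaller than `min_chunk_bytes` are ignored."""
    posts = defaultdict(list)
    for ts, client, method, scheme, host, size in parse_proxy(text):
        if method != "POST" or size < min_chunk_bytes:
            continue
        if plain_http_only and scheme != "http":
            continue
        posts[(client, scheme, host)].append((ts, size))

    alerts = []
    for (client, scheme, host), evs in posts.items():
        evs.sort()
        # The most common body size is the candidate chunk size; the final
        # remainder chunk is smaller and simply does not count toward it.
        chunk = Counter(s for _, s in evs).most_common(1)[0][0]
        chunks = [(t, s) for t, s in evs if abs(s - chunk) <= tolerance * chunk]
        if len(chunks) < min_chunks or chunks[-1][0] - chunks[0][0] > window:
            continue
        alerts.append({
            "client": client, "scheme": scheme, "host": host,
            "chunk_bytes": chunk, "chunks": len(chunks),
            # Total includes the remainder, which approximates the stolen archive size.
            "total_bytes": sum(s for _, s in evs),
        })
    return alerts


if __name__ == "__main__":
    for a in find_chunked_uploads(SAMPLE_PROXY):
        print(f"{a['client']} -> {a['scheme']}://{a['host']}: "
              f"{a['chunks']} x {a['chunk_bytes'] // MB} MB, {a['total_bytes']} bytes total")
```

Run with `plain_http_only=False` to see the caveat: the HTTPS backup host trips the same rule, so in practice the size signature is combined with destination reputation (a bare IP, a newly seen host) rather than used alone. The total-bytes figure is useful in triage because it bounds how much data left the endpoint before the alert fired.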