Hackers are using Russian domains to launch complex document-based phishing attacks

Russian flag on a laptop
(Image credit: Shutterstock)

  • Data exfiltration tactics are shifting toward Russian domains
  • Remote Access Trojans see a 59% rise in phishing emails
  • Malicious emails now bypass secure gateways every 45 seconds

New research has found there is a significant increase in malicious email activity as well as a shift in attack strategies.

On average, at least one malicious email bypasses Secure Email Gateways (SEGs), such as Microsoft and Proofpoint, every 45 seconds, marking a notable rise from the previous year’s rate of one every 57 seconds, the Cofense Intelligence's third-quarter Trends Report showed.

There is a sharp increase in the use of Remote Access Trojans (RATs) which allows attackers to gain unauthorized access to a victim’s system, often leading to data theft or further exploitation.

Rise in Remote Access Trojan (RAT) usage

Remcos RAT, a widely used tool among cybercriminals is a major culprit in the rise of RAT attacks. It allows remote control of infected systems which enables the attacker to exfiltrate data, deploy additional malware, and gain persistent access to compromised networks.

Open redirects as a technique in phishing campaigns are also gaining prominence as the report reveals a 627% increase in its use. These attacks exploit the functionality of legitimate websites to redirect users to malicious URLs, often masking the threat behind well-known and trusted domains.

TikTok and Google AMP are often used to carry out these attacks, taking advantage of their global reach and frequent use by unsuspecting individuals.

The use of malicious Office documents, especially those in .docx format, rose dramatically by nearly 600%. These documents often contain phishing links or QR codes that direct victims to harmful websites.

Microsoft Office documents remain a popular attack vector because of their widespread use in business environments, making them ideal for targeting organizations through spear-phishing campaigns.

Furthermore, there is a significant shift in data exfiltration tactics, with increased usage of .ru and .su top-level domains (TLDs). Domains using the .ru (Russia) and .su (Soviet Union) extensions saw usage spikes of more than fourfold and twelvefold, respectively, indicating cybercriminals are turning to less common and geographically associated domains to evade detection and make it harder for victims and security teams to track data theft activities.

You may also like

Efosa Udinmwen
Freelance Journalist

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking. Efosa developed a keen interest in technology policy, specifically exploring the intersection of privacy, security, and politics. His research delves into how technological advancements influence regulatory frameworks and societal norms, particularly concerning data protection and cybersecurity. Upon joining TechRadar Pro, in addition to privacy and technology policy, he is also focused on B2B security products. Efosa can be contacted at this email: udinmwenefosa@gmail.com