Unknown hacker group targeted Russian maritime universities, diplomats for nearly two years
A previously unknown hacking group has spent nearly two years quietly targeting Russian maritime universities, energy facilities, diplomatic missions and government agencies, according to new research.
The campaign, which researchers at Russian cybersecurity firm Kaspersky said dates back to at least 2024, remained undetected for years and featured long periods of inactivity that helped conceal the group's operations.
Kaspersky said the hackers would sometimes go dormant for three to four months before launching bursts of activity that included up to 10 attacks in a single month. The company did not describe what post-compromise activity was observed after these attacks.
The group's latest wave of compromises began in January and relied on a newly released penetration-testing framework called Ravage. The tool, published on GitHub in September 2025, allows operators to upload, download, copy and delete files, execute commands, launch processes, and capture screenshots from compromised systems.
More than half of the attacks observed over the past year targeted educational institutions, particularly maritime universities and schools that train personnel for Russia's shipping, inland waterway and fishing industries, according to Kaspersky.
The hackers also targeted organisations in the energy sector, diplomatic missions, government agencies and financial institutions. Kaspersky did not say how many organisations were affected in total.
The attacks began with phishing emails containing ZIP archives. The archives included a malicious file disguised as a legitimate Microsoft Excel configuration file. When opened, the file launched Excel and triggered the execution of malicious code, researchers said.
"By tracking the threat actors' recent activities, we uncovered previously undetected attacks that began nearly two years ago, suggesting the existence of an established group whose operations were carefully concealed," Kaspersky said.
The cybersecurity company did not attribute the campaign to any known group nor suggest its motive or nation of origin.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


