Cyber Security News

BadPilot Attacking Network Devices to Expand Russian Seashell Blizzard’s Attacks

A newly uncovered cyber campaign, dubbed “BadPilot,” has been linked to a subgroup of the Russian state-sponsored hacking collective Seashell Blizzard, also known as Sandworm.

This operation, active since at least 2021, represents a significant expansion in Russia’s cyber activities, targeting critical infrastructure globally.

According to Microsoft Threat Intelligence, the campaign focuses on compromising internet-facing systems to establish long-term persistence and enable tailored network operations.

The BadPilot subgroup employs both opportunistic and targeted techniques to infiltrate high-value sectors such as energy, oil and gas, telecommunications, shipping, arms manufacturing, and government entities.

The campaign has leveraged vulnerabilities in widely used software systems, including Microsoft Exchange (CVE-2021-34473), Zimbra Collaboration (CVE-2022-41352), ConnectWise ScreenConnect (CVE-2024-1709), and Fortinet FortiClient EMS (CVE-2023-48788).

Exploitation of these flaws has allowed the group to scale its operations horizontally across various regions, including North America, Europe, Central Asia, and the Middle East.

Persistence and Lateral Movement

The BadPilot campaign utilizes a range of sophisticated tactics to maintain persistence within compromised networks.

These include deploying Remote Management and Monitoring (RMM) tools like Atera Agent and Splashtop Remote Services for command-and-control (C2) functions.

Seashell Blizzard’s AttacksSeashell Blizzard’s Attacks
Use of ScreenConnect to install Atera Agent

Such tools mimic legitimate software, enabling the attackers to remain undetected while executing credential theft, data exfiltration, and lateral movement.

In some cases, the subgroup has implemented ShadowLink, a bespoke utility that leverages Tor hidden services for covert access to compromised systems.

How ShadowLink avoids discovery

Additionally, the group employs web shells such as LocalOlive for command execution and secondary payload deployment.

These tools facilitate further network compromise by enabling tunneling utilities like Chisel and rsockstun.

Another notable tactic involves modifying Outlook Web Access portals with malicious JavaScript to harvest credentials in real-time.

This approach underscores the subgroup’s focus on exploiting internet-facing infrastructure for scalable yet stealthy intrusions.

Evolving Geopolitical Objectives

Initially concentrated on Ukraine and Eastern Europe, BadPilot’s scope has expanded significantly since 2022.

The campaign now targets entities in the United States, United Kingdom, Canada, and Australia.

Analysts suggest this shift reflects Russia’s evolving geopolitical priorities amid ongoing military conflicts.

The subgroup’s opportunistic “spray-and-pray” approach ensures widespread compromises that can later be tailored to meet strategic objectives.

Seashell Blizzard’s operations have historically supported Russian military intelligence objectives through espionage, information operations, and destructive cyberattacks.

The BadPilot campaign continues this trend by enabling persistent access to critical sectors that could be leveraged for future disruptions or intelligence gathering.

Organizations are urged to prioritize patch management for known vulnerabilities exploited by BadPilot.

Implementing multi-factor authentication (MFA), monitoring RMM tool usage, and employing advanced threat detection systems can help mitigate risks associated with this campaign.

Strengthening network defenses against lateral movement through endpoint detection and response solutions is also critical.

As Seashell Blizzard continues to refine its tactics for global cyber operations, vigilance remains essential for safeguarding critical infrastructure against these state-sponsored threats.

Investigate Real-World Malicious Links & Phishing Attacks With Threat Intelligence Lookup - Try for Free

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

20 hours ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

20 hours ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

20 hours ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

20 hours ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

24 hours ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

1 day ago