Cyber Security News

Russian Hackers Hijacked Pakistani Actor Servers For C2 Communication

Secret Blizzard, a Russian threat actor, has infiltrated 33 command-and-control (C2) servers belonging to the Pakistani group Storm-0156, which allows Secret Blizzard to access networks of Afghan government entities and Pakistani operators. 

They have deployed their own malware, TwoDash and Statuezy, and leveraged Storm-0156’s malware, Waiscot and CrimsonRAT, to gather intelligence on targeted networks, which demonstrates Secret Blizzard’s sophisticated techniques and their ability to exploit vulnerabilities in other threat actor’s infrastructure.

It is a sophisticated nation-state actor that leverages the infrastructure of other threat actors to conduct stealthy and persistent cyberattacks.

By compromising C2 servers and workstations, they gain unauthorized access to sensitive data and expand their operational reach. 

It allows them to bypass detection and attribution mechanisms, enabling them to target critical infrastructure and government networks, as their ability to exploit trust relationships and leverage stolen tools highlights the evolving threat landscape and the need for robust cybersecurity measures.

Logical Connections between Storm-0156’s Hak5 Cloud C2 and known C2s.

Storm-0156, a Pakistani nation-state actor, has been observed using Hak5 hardware-based tools to compromise targets in India and Afghanistan, which are deployed via physical access, bypass traditional security measures, and enable data exfiltration and script execution. 

Free Webinar on Best Practices for API vulnerability & Penetration Testing:  Free Registration

The campaign, initiated in late 2022 and continuing into early 2023, targeted government organizations, including the Ministry of Foreign Affairs and defense entities, highlighting Storm-0156’s adaptability and persistent focus on compromising critical infrastructure. 

The group leveraged compromised Storm-0156 C2 infrastructure to access Afghan government networks.

By exploiting vulnerabilities and deploying their custom malware, “Two-Dash,” they gained persistent access to critical systems. 

While the group’s operations, spanning from late 2022 to mid-2023, involved extensive data exfiltration and potential espionage activities targeting sensitive government information.

Secret Blizzard infiltrating both Storm-0156 and Afghan government networks

According to Lumen, it breached Storm-0156’s infrastructure, gaining access to sensitive information and potentially compromising additional networks by leveraging this access to target Indian government and military networks, interacting with CrimsonRAT and Waiscot C2s. 

While Secret Blizzard didn’t deploy their own agents, they likely exploited existing infrastructure to gather intelligence and execute attacks, which highlights the evolving threat landscape and the need for robust cybersecurity measures to protect critical infrastructure.

A Russian FSB-linked threat actor has adopted a unique tactic of compromising other threat actors’ C2 servers to conceal its operations and shift blame, which, combined with sophisticated techniques and a focus on data exfiltration, poses a significant threat. 

To mitigate this risk, organizations should implement robust security measures, including a well-tuned EDR solution, monitoring for large data transfers, and considering SASE solutions.

The security community can better protect against these advanced threats by staying vigilant and sharing threat intelligence.

Analyse Real-World Malware & Phishing Attacks With ANY.RUN - Get up to 3 Free Licenses

Aman Mishra

Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Recent Posts

Zero-Trust Policy Bypass Enables Exploitation of Vulnerabilities and Manipulation of NHI Secrets

A new project has exposed a critical attack vector that exploits protocol vulnerabilities to disrupt…

2 days ago

Threat Actor Sells Burger King Backup System RCE Vulnerability for $4,000

A threat actor known as #LongNight has reportedly put up for sale remote code execution…

2 days ago

Chinese Nexus Hackers Exploit Ivanti Endpoint Manager Mobile Vulnerability

Ivanti disclosed two critical vulnerabilities, identified as CVE-2025-4427 and CVE-2025-4428, affecting Ivanti Endpoint Manager Mobile…

2 days ago

Hackers Target macOS Users with Fake Ledger Apps to Deploy Malware

Hackers are increasingly targeting macOS users with malicious clones of Ledger Live, the popular application…

2 days ago

EU Targets Stark Industries in Cyberattack Sanctions Crackdown

The European Union has escalated its response to Russia’s ongoing campaign of hybrid threats, announcing…

2 days ago

Venice.ai’s Unrestricted Access Sparks Concerns Over AI-Driven Cyber Threats

Venice.ai has rapidly emerged as a disruptive force in the AI landscape, positioning itself as…

2 days ago