In a complex cyber operation discovered by Silent Push Threat Analysts, Russian hackers have launched a multi-pronged phishing campaign impersonating various organizations, including the CIA, to gather intelligence on individuals sympathetic to Ukraine’s defense efforts.
The campaign, believed to be orchestrated by Russian Intelligence Services or aligned actors, utilizes a network of fraudulent websites to collect personal information from unsuspecting victims.
Exploiting Anti-War Sentiment
The threat actors have created convincing replicas of websites belonging to the Russian Volunteer Corps (RVC), Legion Liberty, and “I Want to Live” (Hochuzhit), an appeals hotline for Russian service members in Ukraine.
These fake sites prompt visitors to submit personal data, ostensibly for recruitment or information-sharing purposes.
The campaign specifically targets Russian citizens involved in anti-war activities, which are illegal in the Russian Federation and can result in arrests.
Technical Infrastructure and Tactics
The phishing infrastructure spans multiple domains hosted on bulletproof providers, with a notable presence on Nybula LLC (ASN 401116).
The attackers employ sophisticated tactics, including the use of legitimate-looking Google Forms to capture victim information and the embedding of authentic Telegram channels to enhance credibility.

One key domain in the CIA impersonation effort, ciagov[.]icu, was found to generate suspicious “Submission Reference IDs” when users attempted to report information.
According to the report, this domain, along with others such as jagotovoff[.]com, shared infrastructure with the fake RVC and Legion Liberty sites, indicating a coordinated effort.
The threat actors have also manipulated search engine results and created deceptive YouTube content to lure victims to their phishing pages.

For instance, a YouTube channel (@contactciaofficial) was discovered referencing both ciagov[.]icu and a fake .onion domain, demonstrating the campaign’s multi-platform approach.
As of March 2025, the campaign remains active with new domains continually being registered.
Security researchers have identified several indicators of compromise, including specific IP addresses and domain naming patterns.
Organizations and individuals are advised to exercise caution when interacting with websites purporting to represent these entities and to verify the authenticity of any forms requesting personal information.
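As an added defender-side example (not code from the Silent Push report or this article), the following Python script refangs the two domains quoted above, scans a DNS query log for them and their subdomains, and flags "ciagov"-style labels outside .gov as brand lookalikes. The log lines, the key=value log format and the lookalike heuristic are assumptions made for the example.

```python
import re

# Indicators quoted in the article, kept defanged exactly as published.
DEFANGED_IOCS = ["ciagov[.]icu", "jagotovoff[.]com"]

# The CIA's real site is cia.gov, so a "ciagov" label, or "cia" under any
# TLD other than .gov, is treated as a brand lookalike even if not yet listed.
LOOKALIKE_LABELS = {"ciagov", "cia"}
OFFICIAL_TLD = "gov"

# Constructed DNS query log (not from the article); .example is a reserved TLD.
SAMPLE_LOG = """\
2025-03-04T10:12:01Z client=10.0.0.5 query=ciagov.icu type=A
2025-03-04T10:12:07Z client=10.0.0.5 query=www.cia.gov type=A
2025-03-04T10:15:02Z client=10.0.0.9 query=mail.jagotovoff.com type=A
2025-03-04T10:16:30Z client=10.0.0.12 query=ciagov.example type=A
2025-03-04T10:17:11Z client=10.0.0.12 query=financial.example type=A
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<client>\S+) query=(?P<query>\S+)")

def refang(indicator):
    """Turn a defanged indicator such as 'ciagov[.]icu' back into a real domain."""
    return indicator.replace("[.]", ".").lower().rstrip(".")

def classify(domain, iocs):
    """Return 'known_ioc' for an IoC or its subdomain, 'lookalike' for a brand
    impersonation under the wrong TLD, or None for anything else."""
    d = domain.lower().rstrip(".")
    if any(d == ioc or d.endswith("." + ioc) for ioc in iocs):
        return "known_ioc"
    parts = d.split(".")
    if len(parts) >= 2:
        # Assumes a one-label public suffix; use a PSL library for co.uk-style suffixes.
        label, tld = parts[-2], parts[-1]
        if label in LOOKALIKE_LABELS and tld != OFFICIAL_TLD:
            return "lookalike"
    return None

def scan_dns_log(text, defanged=DEFANGED_IOCS):
    """Return (client, query, verdict) for each log line that trips a rule."""
    iocs = [refang(i) for i in defanged]
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crashing the scan
        verdict = classify(m["query"], iocs)
        if verdict:
            hits.append((m["client"], m["query"], verdict))
    return hits
```

Feeding real resolver logs through `scan_dns_log` gives a first-pass list of hosts that touched the campaign's domains, which is the signal to pivot on for further investigation.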
This sophisticated operation underscores the evolving nature of cyber threats in the context of geopolitical conflicts, highlighting the need for enhanced digital vigilance and robust cybersecurity measures.