Pulse: The BadPilot campaign: Multiyear global access operation
TLP: WHITE | Adversary: Sandworm | Author: AlienVault | Created: 2025-02-12 | Modified: 2025-03-14
22 IOCs (medium volume)
A subgroup of the Russian state actor Seashell Blizzard (Microsoft's name for Sandworm) has run a global initial-access operation, tracked as the BadPilot campaign, since 2021. The subgroup exploits known vulnerabilities in Internet-facing infrastructure (mail servers, collaboration platforms, CI/CD and remote-support products; see the CVEs below) to gain and keep access to high-value targets across many sectors worldwide. Post-compromise, it deploys web shells, modifies network resources, and installs legitimate remote management and monitoring (RMM) tools for persistence and command and control, so that its traffic blends in with ordinary IT administration. The campaign has extended Seashell Blizzard's reach beyond Eastern Europe to organizations in the US, UK, Canada, and Australia. The access it gathers lets Russia respond to shifting strategic objectives and keeps options open for follow-on operations.
Indicators of Compromise (22)
Type | Indicator | Description | Created
CVE | CVE-2021-34473 | Microsoft Exchange Server remote code execution (ProxyShell chain) | 2025-02-12
CVE | CVE-2022-41352 | Zimbra Collaboration Suite arbitrary file write via cpio handling of TAR attachments | 2025-02-12
CVE | CVE-2023-23397 | Microsoft Outlook elevation of privilege (NTLM credential leak via reminder sound path) | 2025-02-12
CVE | CVE-2023-32315 | Openfire administration console authentication bypass (path traversal) | 2025-02-12
CVE | CVE-2023-42793 | JetBrains TeamCity authentication bypass | 2025-02-12
CVE | CVE-2023-48788 | Fortinet FortiClient EMS SQL injection | 2025-02-12
CVE | CVE-2024-1709 | ConnectWise ScreenConnect authentication bypass | 2025-02-12
FileHash-MD5 | be7b13aee7b510b052d023dd936dc32f | - | 2025-02-12
FileHash-SHA1 | 6715b888a280d54de9a8482e40444087fd4d5fe8 | - | 2025-02-12
FileHash-SHA1 | 7cd07eee4feefa671a4f99e8567cd438c8e9fd39 | - | 2025-02-12
FileHash-SHA256 | 17738a27bb307b3cb7bd571934a398223e170842005f1725c46c7075f14e90fe | - | 2025-02-12
FileHash-SHA256 | 636e04f0618dd578d107f440b1cf6c910502d160130adae5e415b2dd2b36abcb | - | 2025-02-12
FileHash-SHA256 | 68c7aab670ee9d7461a4a8f06333994f251dc79813934166421091e2f1fa145c | - | 2025-02-12
FileHash-SHA256 | 9f3d8252e8f3169751a705151bdf675ac194bfd8457cbe08e1f3c17d7e9e9be2 | - | 2025-02-12
FileHash-SHA256 | b38f1906680c80e1606181b3ccb8539dab5af2a7222165c53cdd68d09ec8abb0 | - | 2025-02-12
FileHash-SHA256 | b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b | - | 2025-02-12
FileHash-SHA256 | c7379b2472b71ea0a2ba63cb7178769d27b27e1d00785bfadac0ae311cc88d8b | - | 2025-02-12
FileHash-SHA256 | cab97e837a3fc095bf59703574cbfa7e60fb10991101ba9bfc9bbf294c18fd97 | - | 2025-02-12
domain | cloud-sync.org | - | 2025-02-12
domain | hwupdates.com | - | 2025-02-12
hostname | lt.tech-keys.com | - | 2025-02-12
hostname | support.csolve.net | - | 2025-02-12
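The network and file-hash indicators above are only useful once they are swept against telemetry, and the two indicator kinds need different matching rules: a hostname IOC should match exactly, a domain IOC should also match any subdomain but only on label boundaries, and hashes arrive in logs in mixed case and need to be classified by length before lookup. The following is an added example written for this page, not AlienVault's or the pulse's own tooling. It assumes a space-separated key=value log format (query=, sni=, md5=, sha1=, sha256= fields), which is an assumption, and the sample log lines are constructed for the demonstration. The CVEs are left out because they are checked against asset and vulnerability-scan data rather than these log types.

```python
"""Sweep DNS and file-inventory logs for the BadPilot pulse IOCs (added example)."""
import re

# Network and hash indicators copied from the pulse table above. CVEs are
# omitted: they belong in an asset/vulnerability check, not a log sweep.
PULSE_IOCS = {
    "domain": ["cloud-sync.org", "hwupdates.com"],
    "hostname": ["lt.tech-keys.com", "support.csolve.net"],
    "FileHash-MD5": ["be7b13aee7b510b052d023dd936dc32f"],
    "FileHash-SHA1": [
        "6715b888a280d54de9a8482e40444087fd4d5fe8",
        "7cd07eee4feefa671a4f99e8567cd438c8e9fd39",
    ],
    "FileHash-SHA256": [
        "17738a27bb307b3cb7bd571934a398223e170842005f1725c46c7075f14e90fe",
        "636e04f0618dd578d107f440b1cf6c910502d160130adae5e415b2dd2b36abcb",
        "68c7aab670ee9d7461a4a8f06333994f251dc79813934166421091e2f1fa145c",
        "9f3d8252e8f3169751a705151bdf675ac194bfd8457cbe08e1f3c17d7e9e9be2",
        "b38f1906680c80e1606181b3ccb8539dab5af2a7222165c53cdd68d09ec8abb0",
        "b9ef2e948a9b49a6930fc190b22cbdb3571579d37a4de56564e41a2ef736767b",
        "c7379b2472b71ea0a2ba63cb7178769d27b27e1d00785bfadac0ae311cc88d8b",
        "cab97e837a3fc095bf59703574cbfa7e60fb10991101ba9bfc9bbf294c18fd97",
    ],
}

# Hex length tells us which hash type a log field carries.
HASH_TYPES = {32: "FileHash-MD5", 40: "FileHash-SHA1", 64: "FileHash-SHA256"}


def normalize_name(name):
    """Lower-case and strip the trailing dot that DNS logs often carry."""
    return name.strip().rstrip(".").lower()


class IocIndex:
    def __init__(self, iocs):
        self.hostnames = {normalize_name(h) for h in iocs.get("hostname", [])}
        self.domains = {normalize_name(d) for d in iocs.get("domain", [])}
        # hash -> IOC type, so a lookup also tells us which pulse row matched
        self.hashes = {h.lower(): t for t in HASH_TYPES.values()
                       for h in iocs.get(t, [])}

    def match_name(self, name):
        """hostname IOCs match exactly; domain IOCs also match subdomains.
        Suffixes are compared on label boundaries, so neither
        'cloud-sync.org.attacker.net' nor 'notcloud-sync.org' triggers."""
        n = normalize_name(name)
        if n in self.hostnames:
            return ("hostname", n)
        labels = n.split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return ("domain", candidate)
        return None

    def match_hash(self, digest):
        """Classify by hex length, then look up; returns (type, hash) or None."""
        d = digest.strip().lower()
        if len(d) not in HASH_TYPES or not re.fullmatch(r"[0-9a-f]+", d):
            return None
        ioc_type = self.hashes.get(d)
        return (ioc_type, d) if ioc_type else None


# Assumed log shape (not from the pulse): space-separated key=value fields.
FIELD_RE = re.compile(r"(\w+)=(\S+)")
NAME_FIELDS = {"query", "sni"}
HASH_FIELDS = {"md5", "sha1", "sha256"}


def scan_lines(lines, index):
    """Return one hit per matching field: line number, field, IOC type, IOC."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        for key, value in FIELD_RE.findall(line):
            key = key.lower()
            if key in NAME_FIELDS:
                m = index.match_name(value)
            elif key in HASH_FIELDS:
                m = index.match_hash(value)
            else:
                continue
            if m:
                hits.append({"line": lineno, "field": key,
                             "ioc_type": m[0], "ioc": m[1]})
    return hits


# Constructed sample log lines, not real telemetry.
SAMPLE_LOGS = [
    "2025-02-13T10:01:02Z dns client=10.0.0.5 query=LT.TECH-KEYS.COM. type=A",
    "2025-02-13T10:01:09Z dns client=10.0.0.5 query=updates.cloud-sync.org type=A",
    "2025-02-13T10:02:11Z dns client=10.0.0.7 query=cloud-sync.org.attacker.net type=A",
    "2025-02-13T10:02:30Z dns client=10.0.0.7 query=notcloud-sync.org type=A",
    "2025-02-13T10:05:00Z file asset=ws01 path=C:\\Users\\Public\\agent.exe "
    "sha256=17738A27BB307B3CB7BD571934A398223E170842005F1725C46C7075F14E90FE",
    "2025-02-13T10:05:03Z file asset=ws02 path=C:\\tmp\\x.dll md5=d41d8cd98f00b204e9800998ecf8427e",
    "2025-02-13T10:06:00Z file asset=ws03 path=C:\\tmp\\y.exe sha1=7cd07eee4feefa671a4f99e8567cd438c8e9fd39",
]


def sweep_sample_logs():
    """Run the sweep over the constructed sample; four of the seven lines hit."""
    return scan_lines(SAMPLE_LOGS, IocIndex(PULSE_IOCS))
```

Running sweep_sample_logs() flags lines 1, 2, 5 and 7 (the exact hostname, a subdomain of a domain IOC, an upper-cased SHA256 and a SHA1) and ignores the look-alike names on lines 3 and 4 and the unrelated MD5 on line 6. The label-boundary rule is what keeps the domain indicators from turning into a substring search, which is the usual source of noisy IOC alerts.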