Forbidden Hyena hacktivists use AI‑generated scripts against Russian companies

The threat actor employs AI to develop tools. This is a rare occurrence: in 2025, the share of AI‑assisted attacks on Russian companies was below 1%
March 12, 2026

The hacktivist cluster Forbidden Hyena first came on the radar in early 2025. Its primary targets are Russian government agencies, as well as healthcare, energy, engineering, retail, and utilities organizations.

BI.ZONE Threat Intelligence specialists discovered the cluster’s C2 server hosting scripts obviously generated by AI. The findings included two PowerShell scripts: one designed to establish persistence in the target system, and the other designed to install AnyDesk for remote access. Another bash script served to download and launch an obfuscated Sliver implant, a tool originally intended for penetration testing.

The fact that artificial intelligence was used to generate these scripts is evident from the code. Among other things, we found debug strings, numerous detailed comments, and readable variable names. And there were no signs of obfuscation—that is, special code‑obscuring techniques that threat actors typically use when developing tools independently.

This evidence shows that AI solutions currently available to attackers are quite standard and primitive. However, the emerging trend toward the weaponization of AI will only intensify. Over time, such attacks will become more frequent, more complex, and more sophisticated.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence
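The traits listed above (debug strings, dense comments, readable variable names, no obfuscation) can be turned into a rough triage heuristic for scripts recovered from a C2 server. The following is an added example for analysts, not BI.ZONE's own tooling; the obfuscation patterns and thresholds are assumptions, and both PowerShell samples are constructed and benign.

```python
import re
from dataclasses import dataclass

@dataclass
class ScriptFeatures:
    comment_ratio: float     # share of non-empty lines that are '#' comments
    avg_var_len: float       # mean length of $variable identifiers
    debug_strings: int       # Write-Host / Write-Debug / Write-Verbose calls
    obfuscation_hits: int    # encoded commands, base64 decoding, [char] tricks

# Crude obfuscation indicators (assumed list, not an exhaustive or vendor rule set)
OBFUSCATION_PATTERNS = [
    r"-e(?:nc(?:odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}",  # -EncodedCommand payloads
    r"FromBase64String",
    r"\[char\]\d+",
    r"-join\s*\(",
]
IGNORED_VARS = {"_", "true", "false", "null", "env", "psitem"}

def extract_features(script: str) -> ScriptFeatures:
    lines = [ln.strip() for ln in script.splitlines() if ln.strip()]
    comments = [ln for ln in lines if ln.startswith("#")]
    names = [v for v in re.findall(r"\$([A-Za-z_][A-Za-z0-9_]*)", script)
             if v.lower() not in IGNORED_VARS]
    debug = len(re.findall(r"Write-(?:Host|Debug|Verbose)", script, re.I))
    obf = sum(len(re.findall(p, script, re.I)) for p in OBFUSCATION_PATTERNS)
    return ScriptFeatures(
        comment_ratio=len(comments) / len(lines) if lines else 0.0,
        avg_var_len=sum(map(len, names)) / len(names) if names else 0.0,
        debug_strings=debug,
        obfuscation_hits=obf,
    )

def looks_ai_generated(script: str) -> bool:
    """Thresholds are triage assumptions, not a classifier with measured accuracy."""
    f = extract_features(script)
    return (f.obfuscation_hits == 0 and f.comment_ratio >= 0.2
            and f.avg_var_len >= 8 and f.debug_strings >= 1)

# Constructed samples: a comment-heavy script in the style the write-up describes,
# and a terse obfuscated one of the kind hand-built tooling usually shows.
READABLE_SAMPLE = """
# Collect services that are stopped but set to start automatically
$stoppedServices = Get-Service | Where-Object { $_.Status -eq 'Stopped' }
# Write each one so the operator can review the list
foreach ($serviceEntry in $stoppedServices) {
    Write-Host "[*] Stopped service: $($serviceEntry.Name)"
}
"""
OBFUSCATED_SAMPLE = """
$a=[char]112+[char]115;$b='QQBiAGMAZABlAGYAZwBoAGkAagBrAGwAbQBuAG8A'
powershell -enc QQBiAGMAZABlAGYAZwBoAGkAagBrAGwAbQBuAG8AcABxAHIA
$c=-join($a,$b)
"""
```

A hit on this heuristic is a prompt for closer review of the sample, not evidence of attribution on its own.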

The attackers aimed to download BlackReaperRAT, a previously unknown malware family, onto the target device to enable covert control. The ultimate goal was to encrypt the victim's infrastructure and demand a ransom. For this purpose, Forbidden Hyena used a modified variant of the Blackout Locker ransomware, renamed Milkyway. This illustrates a trend that emerged in the second half of 2025: the share of ideology‑driven attacks is declining (from 20% in the first half of the year to 12% in the second), while hacktivist clusters are increasingly combining such attacks with classic extortion.

Among other trends identified by BI.ZONE are the growing share of campaigns initiated through phishing messages and a wider adoption of Telegram for C2 communications.