Hacktivist attacks surge as motives grow murkier

Hacktivist clusters are behind one in five cyberattacks on Russian companies. Financial motives are becoming more prominent, and adversaries are actively adopting new tools and techniques.
July 15, 2025

Hacktivists accounted for 20% of all cyberattacks targeting Russian organizations in the first half of 2025, marking a notable surge from 14% during the same period in 2024.

At the same time, threat actors’ motivations are growing more and more obscure—a trend first observed in 2023. An increasing number of clusters classified as hacktivists are demanding ransom in exchange for decrypting data or restoring access to compromised systems. However, they continue to report their “successes” on Telegram channels and underground forums, claiming they were ideologically driven. Other clusters focus on espionage.

Hacktivist attacks remain a major threat, accounting for 24% of all high-severity cyber incidents registered in the first half of 2025. In 2024, this figure was even higher, reaching 30%. This may be partly due to the growing collaboration within the hacktivist community, which enables clusters to coordinate and launch joint attacks. Some of them are also experimenting with various, often custom, tools and techniques.

A recent campaign by Rainbow Hyena is a perfect example of such an approach. The threat actor distributed phishing emails from legitimate addresses of previously compromised companies. These messages contained polyglot decoys—multi-format files that adapt to the application used to open them. This allowed the adversaries to evade email security filters more efficiently.
Once a user opened an attachment, the PhantomRemote backdoor was installed on their device. This new, custom-built tool enables the attackers to collect information about the compromised system, download other executables from their C2 server, and run commands on a victim device.
Oleg Skulkin
Head of BI.ZONE Threat Intelligence
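
For mail-gateway or attachment triage, a polyglot can be flagged by checking whether one file validates as more than one format. The sketch below is an added example, not BI.ZONE's code or tooling from the campaign; the page does not name the formats Rainbow Hyena combined, so the PE, ZIP and PDF checks, the function names and the sample bytes are assumptions chosen for illustration.

```python
import io
import struct
import zipfile

def _is_pe(data):
    # DOS header "MZ"; the dword at 0x3C (e_lfanew) must point at "PE\0\0".
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def _is_zip(data):
    # ZIP readers locate the end-of-central-directory record from the END of
    # the file (22-byte record + up to 65535 bytes of comment), so arbitrary
    # bytes of another format may precede the archive.
    return data.rfind(b"PK\x05\x06", max(0, len(data) - 65557)) != -1

def _is_pdf(data):
    # Many PDF readers accept the header anywhere in the first 1024 bytes.
    return b"%PDF-" in data[:1024]

CHECKS = {"pe": _is_pe, "zip": _is_zip, "pdf": _is_pdf}

def detect_formats(data):
    """Return the set of formats this byte string validates as."""
    return {name for name, check in CHECKS.items() if check(data)}

def is_polyglot(data):
    """True when more than one format parser would accept the file."""
    return len(detect_formats(data)) > 1

def constructed_samples():
    """Build two constructed inputs: a plain ZIP and a PE-stub + ZIP file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("note.txt", "constructed sample")
    plain_zip = buf.getvalue()
    # Constructed stub: DOS header whose e_lfanew (0x40) points at "PE\0\0".
    pe_stub = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
    return plain_zip, pe_stub + plain_zip

if __name__ == "__main__":
    for label, blob in zip(("plain zip", "pe+zip"), constructed_samples()):
        print(label, sorted(detect_formats(blob)), "polyglot:", is_polyglot(blob))
```

An archive that stores an uncompressed PDF as its first member can also match two checks, so treat a hit as a triage signal for sandboxing or quarantine rather than a verdict.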

This time, Rainbow Hyena primarily focused on healthcare and IT organizations. In the first half of 2025, IT suffered the most hacktivist attacks, accounting for 25% of all cases. Telecom companies and the public sector were also among the top targets, with 18% and 11%, respectively.

Phishing is one of the most popular attack vectors against organizations. You can leverage dedicated services such as BI.ZONE Mail Security to filter out unwanted messages and protect your email communications. The service employs machine learning to detect advanced threats, supports flexible traffic management, and ensures high performance. It also features enhanced integration capabilities and draws on real‑time threat data from the BI.ZONE Threat Intelligence portal.

To protect your organization against advanced threats, we would also recommend that you leverage endpoint threat detection and response solutions such as BI.ZONE EDR. This service enables early detection of attacks and immediate incident response, either automated or manual.