Overview
- Check Point says the campaign expanded into European government environments in the second half of 2025 and remains ongoing.
- Several dozen victims have been impacted across government and telecommunications sectors in Europe, Asia, and Africa, according to Check Point’s Eli Smadja.
- Initial access typically comes from misconfigured Microsoft IIS or SharePoint servers, followed by credential harvesting, domain-level takeover, and lateral movement over Remote Desktop.
- Customized IIS modules convert compromised public-facing servers into quiet relay nodes that forward commands and data between victims, creating a mesh that conceals attack origins.
- Investigators also observed RudePanda in some of the same European networks without signs of coordination, while AWS separately warned of similar relay tactics attributed to Russia’s GRU since 2021.
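One defender-side check that follows from the IIS-module relay technique described above: inventory the native modules IIS loads from applicationHost.config and flag any whose DLL lives outside the stock inetsrv tree. This is an added example, not Check Point's tooling or anything from the article; the config snippet is constructed and the trusted-directory list is an assumption standing in for a real per-host allowlist.

```python
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

# Where stock IIS native modules are installed. Assumption: a production
# baseline would be a per-host allowlist of module names plus signed DLL hashes.
TRUSTED_DIRS = (
    PureWindowsPath(r"C:\Windows\System32\inetsrv"),
    PureWindowsPath(r"C:\Windows\Microsoft.NET"),
)

# Constructed sample of applicationHost.config. The third entry reuses a
# stock-looking module name but loads its DLL from a web-content directory.
SAMPLE_CONFIG = """<configuration>
  <system.webServer>
    <globalModules>
      <add name="HttpLoggingModule" image="%windir%\\System32\\inetsrv\\loghttp.dll" />
      <add name="DefaultDocumentModule" image="%windir%\\System32\\inetsrv\\defdoc.dll" />
      <add name="HttpCacheModule" image="C:\\inetpub\\temp\\cache.dll" />
    </globalModules>
  </system.webServer>
</configuration>"""


def expand_windir(image: str) -> PureWindowsPath:
    """Resolve the %windir%/%SystemRoot% variables IIS uses in image paths."""
    for var in ("%windir%", "%SystemRoot%"):
        image = image.replace(var, r"C:\Windows")
    return PureWindowsPath(image)


def find_suspicious_modules(config_xml: str) -> list[dict]:
    """Return native modules whose DLL sits outside the trusted IIS directories."""
    root = ET.fromstring(config_xml)
    findings = []
    for global_modules in root.iter("globalModules"):
        for entry in global_modules.findall("add"):
            name = entry.get("name", "")
            image = expand_windir(entry.get("image", ""))
            # PureWindowsPath compares case-insensitively, matching NTFS semantics.
            if not any(trusted in image.parents for trusted in TRUSTED_DIRS):
                findings.append({"name": name, "image": str(image),
                                 "reason": "DLL loaded from outside the inetsrv tree"})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_modules(SAMPLE_CONFIG):
        print(f"[!] {finding['name']}: {finding['image']} ({finding['reason']})")
```

Run it against a copy of %windir%\System32\inetsrv\config\applicationHost.config collected from each public-facing IIS host; a hit is a starting point for hashing and signature-checking the DLL, not proof of compromise on its own.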