Restless Spirit: New Attacks on Russian Companies
released on 2026-01-23 @ 10:12:00 AM
PhantomCore, a hacking group targeting Russian and Belarusian companies since 2022, launched a new wave of malicious email campaigns on January 19 and 21, 2026. The attacks targeted various sectors, including utilities, finance, urban infrastructure, aerospace, consumer digital services, the chemical industry, construction, consumer goods manufacturing, and e-commerce. The campaign used phishing emails with malicious attachments, leveraging compromised legitimate email addresses. The malware operates in multiple stages, including downloading decoy documents, executing PowerShell scripts, and establishing persistence through scheduled tasks. The second-stage malware, similar to the previously known PhantomCore.PollDL, communicates with command-and-control servers to receive and execute commands.