ALERTS MAY 2024




| DATE | NAME | CATEGORY | SUBCATEGORY | INFO |
|---|---|---|---|---|
| 31.5.24 | Malicious activity by LilacSquid threat group | ALERTS | GROUP | A recently disclosed infostealing campaign attributed to the threat group known as LilacSquid has been active since at least 2021. |
| 31.5.24 | Unveiling cryptocurrency mining tactic of the 8220 Gang | ALERTS | CRYPTOCURRENCY | The 8220 Gang, a widely recognized threat actor based in China and driven by financial motives, has been active since 2017. |
| 31.5.24 | SmallTiger malware campaign reported targeting Korean companies | ALERTS | CAMPAIGN | A malware campaign distributing SmallTiger malware has been reported targeting Korean companies in the defence, automobile parts, and semiconductor manufacturing sectors. |
| 30.5.24 | BitRAT and Lumma Stealer spread as fake browser updates | ALERTS | VIRUS | A new campaign delivering BitRAT and Lumma Stealer malware has been observed in the wild. The malware is spread via fake browser updates. |
| 30.5.24 | Metamorfo Banking Trojan | ALERTS | VIRUS | Metamorfo is a banking Trojan malware (aka Casbaneiro) that is spread through malspam campaigns luring users to click on HTML attachments. |
| 30.5.24 | Datebug updating toolkits with Golang to be cross-platform | ALERTS | APT | APT group Datebug, in operation since 2013, has been observed updating their toolkit with a new data exfiltration tool written in Golang, created with the goal of targeting APAC governments and defense sectors. |
| 30.5.24 | NSIS-based packer usage observed in many common malware families | ALERTS | VIRUS | The Nullsoft Scriptable Install System (NSIS) is open source software commonly used by cybercriminals for generating malware. |
| 30.5.24 | CatDDoS: A rising threat across multiple sectors | ALERTS | BOTNET | A rise in activity involving a Mirai distributed denial-of-service (DDoS) botnet variant called CatDDoS has been observed. |
| 30.5.24 | Mexican Telecom Continuously Impersonated by SpyNote Actor | ALERTS | VIRUS | Since at least October 2023, a SpyNote actor has been abusing the brand of a well-known and prominent telecommunications company in Mexico that operates extensively across Latin America and the Caribbean, serving millions of customers. |
| 30.5.24 | AllaSenha - new AllaKore malware variant | ALERTS | VIRUS | AllaSenha is a new banking malware variant from the AllaKore RAT family that has recently been used in distribution campaigns targeted at banking users in Brazil. |
| 30.5.24 | Zonix Ransomware | ALERTS | RANSOM | Zonix is a recently discovered ransomware variant from the Xorist malware family. The malware encrypts user files and appends the ".ZoN" extension to them. |
| 30.5.24 | CVE-2024-32640 - SQL Injection vulnerability in Mura/Masa CMS | ALERTS | VULNERABILITY | CVE-2024-32640 is a recently disclosed SQL injection vulnerability affecting Mura/Masa CMS, which is an open source enterprise content management system. |
| 30.5.24 | Emergence of a new North Korean threat actor dubbed Moonstone Sleet | ALERTS | APT | A new North Korean actor dubbed Moonstone Sleet has recently emerged in the threat landscape. |
| 30.5.24 | Fraudulent PDF Viewer Login Pages Phishing for User Credentials | ALERTS | PHISHING | A phishing campaign was recently observed where a malicious HTML attachment masquerading as a PDF Viewer login page prompts users to verify their password to access a document. |
| 30.5.24 | Agent Tesla: The Uninvited Guest at Indonesia's GEMASTIK 2024 Event | ALERTS | VIRUS | Symantec has recently observed a peculiar malspam campaign in Indonesia where the actor is running a sophisticated email scheme impersonating the School of Electrical Engineering and Informatics (STEI) at the Institut Teknologi Bandung (ITB) in Indonesia. |
| 30.5.24 | Red Akodon threat group recent activities | ALERTS | VIRUS | According to a recent report published by SCITUM, Red Akodon is a new threat group conducting its malicious activities predominantly in Colombia since at least April 2024. |
| 30.5.24 | TXZ file extension: Evolution of malware distribution in email campaigns | ALERTS | VIRUS | Threat actors usually send malicious emails with attachments carrying a malicious payload, or they send out containers which include files like archives. |
| 30.5.24 | Gipy malware distributed under the disguise of AI voice generator tools | ALERTS | VIRUS | A new malicious campaign spreading infostealing malware dubbed Gipy has been observed in the wild. |
| 28.5.24 | Embargo Ransomware | ALERTS | RANSOM | Embargo is a new Rust-based ransomware variant identified in the wild. The malware encrypts user files and appends the ".564ba1" extension to them. |
| 28.5.24 | Rising popularity of Arc browser overshadowed by malvertising campaign | ALERTS | CAMPAIGN | The Arc browser, developed by The Browser Company, has been gaining a lot of popularity in the market, promising to personalize the way users browse the internet. |
| 28.5.24 | Phishing campaign targeting financial institutions impersonates medical center | ALERTS | PHISHING | A phishing campaign targeting European and US financial institutions has been reported. The attacks involve sending emails impersonating a medical center, with SCR files disguised as financial documents to trick victims into downloading and executing them. |
| 28.5.24 | Iluria Stealer | ALERTS | VIRUS | There have been reports of in-the-wild activity for a run-of-the-mill stealer known as Iluria. Like many other forks and variants of Discord Stealers, it is capable of stealing tokens, browser credentials, and payment information. |
| 28.5.24 | Rise of Fake AV websites hosting advanced malware | ALERTS | VIRUS | Recently, there has been an increase in the number of fake antivirus (AV) websites pretending to be legitimate solutions. |
| 28.5.24 | CVE-2024-30268: XSS Vulnerability in Cacti | ALERTS | VULNERABILITY | CVE-2024-30268 is a reflected cross-site scripting vulnerability in Cacti, a network monitoring and fault management framework. |
| 28.5.24 | CVE-2024-21793 and CVE-2024-26026 - two recent vulnerabilities affecting F5 BIG-IP Next Central Manager | ALERTS | VULNERABILITY | CVE-2024-21793 and CVE-2024-26026 are two recently identified high severity vulnerabilities affecting the F5 BIG-IP Next Central Manager. |
| 28.5.24 | CVE-2020-17519: Directory Traversal Vulnerability in Apache Flink | ALERTS | VULNERABILITY | The U.S. Cybersecurity and Infrastructure Security Agency (CISA) recently added a three-year-old directory traversal vulnerability (CVE-2020-17519) in Apache Flink to the Known Exploited Vulnerabilities Catalog. |
| 28.5.24 | Android Bankbot impersonates Uzbekistan banks | ALERTS | VIRUS | In recent days, mobile users in Uzbekistan have been targeted by an Android BankBot campaign where actors are disguising their malware as fictitious banking apps (Xalq Banki Credit.apk & Bank Ipak.apk). |
| 25.5.24 | Path Traversal Vulnerability in Nexus Repository CVE-2024-4956 | ALERTS | VULNERABILITY | CVE-2024-4956 is a path traversal vulnerability in Sonatype Nexus Repository 3. Nexus Repository is a widely used artifact repository manager. |
| 25.5.24 | Operation Diplomatic Specter: A Chinese APT campaign targeting political entities in multiple regions | ALERTS | APT | An ongoing campaign dubbed Operation Diplomatic Specter, targeting political entities in the Middle East, Africa, and Asia, has been reported. The Chinese APT group behind the campaign has been leveraging rare email exfiltration techniques against compromised servers. |
| 25.5.24 | RustDoor malware exploits JAVS Viewer vulnerability in courtroom software | ALERTS | VIRUS | A Windows-based malware named RustDoor has been observed being distributed via a compromised audio-visual recording software package used in courtroom environments. |
| 23.5.24 | Expanded operations of the Sharp Dragon APT | ALERTS | APT | As reported by Checkpoint, the Sharp Dragon APT group (formerly known as Sharp Panda) has been expanding its operations towards targets in Africa and the Caribbean. |
| 23.5.24 | CVE-2024-29895 - Command Injection Vulnerability in Cacti | ALERTS | VULNERABILITY | CVE-2024-29895 is a critical (CVSS score 10) command injection vulnerability affecting Cacti, which is a network monitoring and fault management framework. |
| 23.5.24 | Waltuhium Grabber | ALERTS | HACKING | Waltuhium is an open-source infostealer that has been observed being shared in dark web forums. It is claimed to have features such as |
| 23.5.24 | GuLoader Impersonates an Italian Seafood Distributor | ALERTS | VIRUS | GuLoader, an advanced downloader, is showing no signs of stopping, and its prevalence continues to increase with more and more campaigns observed around the world. |
| 23.5.24 | CLOUD#REVERSER campaign leverages cloud storage for malware delivery | ALERTS | CAMPAIGN | A new campaign dubbed CLOUD#REVERSER has been reported to abuse various cloud storage repositories such as Dropbox or Google Drive for malware delivery and C&C purposes. |
| 23.5.24 | Acrid infostealer leverages "Heaven's Gate" technique | ALERTS | VIRUS | Acrid is a recently identified C++-based infostealing malware. In its functionality, it is very similar to other infostealer variants currently present in the threat landscape. |
| 23.5.24 | CVE-2023-43208 - NextGen Healthcare Mirth Connect RCE vulnerability exploited in the wild | ALERTS | VULNERABILITY | CVE-2023-43208 is a Remote Code Execution (RCE) vulnerability disclosed in October last year. The vulnerability affects NextGen Healthcare Mirth Connect prior to version 4.4.1, |
| 23.5.24 | GhostEngine malware terminates EDR agents and deploys coin miner | ALERTS | VIRUS | A multimodule malware dubbed GhostEngine has been observed in the wild. This malware leverages vulnerable drivers to terminate and delete known Endpoint Detection and Response (EDR) agents that would likely interfere with the deployed coin miner. |
| 22.5.24 | Smishing: Fake IRS Scare Tactic to Snatch Cryptowallets' 12-Word Recovery Phrases | ALERTS | PHISHING | Symantec has recently observed a malicious SMS campaign in the US targeting mobile users' cryptowallet 12-word recovery phrases. The actors are impersonating the IRS and using a scare tactic related to cryptocurrency holdings declaration. |
| 22.5.24 | XWorm v5.6 malware | ALERTS | VIRUS | A new v5.6 variant of the XWorm malware has been observed in the wild. The malware is distributed under the disguise of various applications, games or adult content, with the binaries spread through either online sharing repositories or via torrent downloads. |
| 22.5.24 | Malware campaign uses LNK files and MSBuild to likely deliver TinyTurla backdoor | ALERTS | VIRUS | A malware campaign utilizing malicious LNK files has been observed. The threat actors behind the campaign are using human rights seminar invitations and public advisories to lure users. Once lured, MSBuild is used to execute and deliver a fileless final payload. |
| 22.5.24 | Keyplug backdoor distributed against organizations in Italy | ALERTS | VIRUS | A new campaign attributed to the Grayfly threat group (aka APT41) has been distributing the Keyplug modular malware to various organizations in Italy. As reported by Yoroi, this C++-based malware comes in variants supporting both Windows and Linux platforms. |
| 21.5.24 | Deuterbear RAT targets Asia-Pacific in advanced cyber espionage campaign | ALERTS | VIRUS | A cyber espionage campaign has been reported targeting the Asia-Pacific region, involving the deployment of a remote access trojan (RAT) called Deuterbear. |
| 21.5.24 | SamsStealer malware | ALERTS | VIRUS | Reports have emerged of a new infostealer, dubbed SamsStealer, circulating in the threat landscape. |
| 21.5.24 | Bank Mellat Users in Various Countries Targeted by FakeBank Campaign | ALERTS | CAMPAIGN | Symantec has observed an Android FakeBank campaign targeting mobile users of a private Iranian bank known as Mellat, by posing as a fictitious banking app (Mellat.apk). |
| 21.5.24 | Vultur Malware Poses as Antivirus | ALERTS | VIRUS | Recently, a Vultur campaign has been observed in which the actor is disguising it as a known antivirus mobile application (<company name>_Security.apk). |
| 21.5.24 | HiJackLoader gets new modules to lay low | ALERTS | VIRUS | HijackLoader is a multi-stage loader that has recently seen some updates. |
| 21.5.24 | Antidot mobile malware | ALERTS | VIRUS | Antidot is a recently discovered banking trojan for Android. The malware is distributed under the disguise of a Google Play update app. |
| 21.5.24 | Chaos Ransomware Lures Gamers with Fake Free Discord Nitro | ALERTS | RANSOM | As the Chaos Ransomware builder is widely available to the public, instances are observed on a daily basis around the world with both consumers and enterprises being targeted. |
| 21.5.24 | Synapse Ransomware | ALERTS | RANSOM | Synapse is a ransomware written in C that can encrypt local files, files on removable drives, and files stored on network shares, with the capability of propagating to other systems on a network. Encrypted files will have the extension |
| 21.5.24 | Storm-1811 threat actor conducts Vishing attack via Quick Assist tool | ALERTS | GROUP | Threat actor Storm-1811 has been reported carrying out a vishing (voice phishing) attack using the client management tool Quick Assist. |
| 21.5.24 | Springtail threat group uses new Linux backdoor in attacks | ALERTS | APT | In a newly released report, Symantec's Threat Hunter Team sheds light on a recently discovered Linux backdoor developed by the North Korean Springtail espionage group (aka Kimsuky). |
| 16.5.24 | New malware Cuttlefish | ALERTS | VIRUS | A new malware dubbed Cuttlefish was reported to infect small office/home office and enterprise grade routers with the intent to monitor passing data traffic and discreetly exfiltrate only authentication related information such as usernames, |
| 16.5.24 | Remcos RAT expands functionality with PrivateLoader module | ALERTS | VIRUS | Remcos RAT, a remote access Trojan, enables unauthorized remote control and surveillance of compromised systems. Recently, Remcos RAT was observed leveraging a PrivateLoader module to augment its functionality and persistence on the victim's machine. |
| 16.5.24 | Malicious Minecraft mod harvests data from Windows system | ALERTS | VIRUS | Many gamers prefer to enhance their gaming experience with custom mods, such as those offering the Windows Borderless feature. This feature enables multitasking and seamless switching between applications, facilitating tasks like game recording. |
| 16.5.24 | Atomic Stealer (AMOS) among the malware variants spread in the GitCaught operation | ALERTS | VIRUS | A recent malicious campaign dubbed GitCaught has been reported to spread multiple infostealing payloads targeted at various platforms including macOS. |
| 16.5.24 | PureCrypter malware used in Mallox ransomware distribution campaign | ALERTS | VIRUS | The PureCrypter loader has been used in a recent malicious campaign leading up to the delivery of Mallox ransomware payloads. |
| 16.5.24 | Malicious Word Document Dropping DanaBot Malware | ALERTS | VIRUS | A recent DanaBot malspam campaign was observed being delivered via a Word document containing a malicious external link which, if clicked, will launch a series of events where additional executable files will get downloaded including a command prompt |
| 15.5.24 | Phorpiex botnet distributes LockBit Black Ransomware via email campaign | ALERTS | BOTNET | A high-volume email campaign facilitated by the Phorpiex botnet, delivering LockBit Black ransomware, has been reported. |
| 15.5.24 | Dracula (Samurai) Stealer | ALERTS | VIRUS | Dracula (also known as Samurai Stealer) is an infostealing malware variant attributed to the threat group known as the Amnesia Team (aka Cerberus). |
| 15.5.24 | WaveStealer: New malware distributed on messaging platforms | ALERTS | VIRUS | WaveStealer, a newly emerged sophisticated malware tool, is being distributed on platforms like Telegram and Discord for purchase at a low cost. |
| 15.5.24 | FIN7 malware campaign exploiting Google Ads | ALERTS | VIRUS | A malware campaign exploiting Google Ads, attributed to the threat actor FIN7, has been reported in the wild. |
| 15.5.24 | Beast Ransomware and Vidar Infostealer delivered via disguised documents | ALERTS | RANSOM | Documents like copyright violation warnings and resumes were leveraged in a recent campaign to deliver ransomware and an infostealer. |
| 15.5.24 | GCash Users Targeted in Latest Smishing Scam | ALERTS | SPAM | Mobile wallets have transformed the financial landscape by providing convenience and accessibility, but they also present lucrative targets for cybercriminals, as Symantec continues to observe a flurry of smishing around the world. |
| 15.5.24 | Trinity Ransomware | ALERTS | RANSOM | According to recent research published by Cyble, Trinity is a newly identified ransomware variant believed to be an updated version of the "2023Lock" ransomware. |
| 15.5.24 | Malspam campaign delivers ASyncRAT by way of multiple scripts | ALERTS | VIRUS | In a recently observed campaign, multiple scripts were used to deliver the ASyncRAT payload. Initiated by an HTML email attachment, victims would be compromised by various non-PE files to deliver and establish persistence of ASyncRAT. |
| 15.5.24 | Black Basta ransomware attacks target the healthcare sector | ALERTS | RANSOM | Symantec Security Response is aware of the recent joint alert from CISA, the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC) regarding a number of targeted activities observed for the Black Basta ransomware. |
| 15.5.24 | A Mining Trojan called Hidden Shovel | ALERTS | VIRUS | Researchers uncovered a new mining trojan dubbed "Hidden Shovel", discovered through network security monitoring. |
| 12.5.24 | CVE-2024-24506 - LimeSurvey Community Edition XSS vulnerability | ALERTS | VULNERABILITY | CVE-2024-24506 is a recently disclosed Cross Site Scripting (XSS) vulnerability affecting LimeSurvey Community Edition version 5.3.32. |
| 12.5.24 | CVE-2024-1313 - BOLA vulnerability in Grafana | ALERTS | VULNERABILITY | CVE-2024-1313 is a recently disclosed Broken Object-Level Authorization (BOLA) vulnerability affecting Grafana, which is an open-source data visualization web application. |
| 10.5.24 | Exploitation of Ivanti Pulse Secure vulnerabilities for Mirai botnet delivery | ALERTS | EXPLOIT | In January of this year, Ivanti reported two vulnerabilities, CVE-2023-46805 (Authentication Bypass) & CVE-2024-21887 (Command Injection), affecting Ivanti Connect Secure and Ivanti Policy Secure Gateways. |
| 10.5.24 | Malware campaign targeting Windows and MS Office users via software cracks | ALERTS | VIRUS | A malware campaign distributing RATs and coinminers via cracks for popular software, specifically targeting users of Windows and MS Office software, has been observed. |
| 10.5.24 | Coper Actors Abuse LiveChat CDN in Ongoing Fake Chrome Tactic | ALERTS | VIRUS | Symantec continues to observe daily instances of Coper malware disguised as a fake Chrome Android application. This tactic is not new, having been in use for some time now. |
| 10.5.24 | Malspam campaign: Password protected archive hosted on GitHub leads to AsyncRAT | ALERTS | CAMPAIGN | Over the past two weeks, Symantec has observed an actor leveraging a peculiar attack chain to distribute a highly obfuscated payload onto compromised systems. The attacks start with malicious emails containing a malicious PDF, DOCX, or SVG file (REMITIRA A TRAVES DEL SERVICIO POSTAL AUTORIZADO.docx, Radicado juridico 23156484.svg, and 99-DEMANDA .docx). |
| 10.5.24 | Russian bulletproof hosting services exploited for malicious activities, SocGholish malware campaigns | ALERTS | EXPLOIT | The use of Russian bulletproof hosting services for hosting malicious activities, including command-and-control (C2) servers and phishing pages distributing SocGholish malware, has been reported. |
| 10.5.24 | Malicious Minecraft Mods: zEus stealer targets gamers | ALERTS | VIRUS | A malware campaign targeting Minecraft players has been reported, where custom packages promising to enhance the game's appearance are actually distributing the zEus stealer. |
| 9.5.24 | Continuous Distribution of RokRAT Malware | ALERTS | VIRUS | APT37 (ScarCruft) continues to distribute RokRAT malware via LNK files, particularly targeting South Korean users. The malware, disguised within a genuine document, will execute PowerShell commands after activation. |
| 9.5.24 | Gadfly buzzes inboxes with new phishing campaign | ALERTS | CAMPAIGN | Symantec has recently observed an uptick in phishing campaigns being delivered out of Gadfly (aka TA577). |
| 9.5.24 | Hunt Ransomware - another Dharma/Crysis variant | ALERTS | RANSOM | Hunt is another Dharma/Crysis ransomware variant discovered recently in the wild. The malware encrypts user files and appends the .hunt extension to them alongside a unique victim ID and the threat actor email address. |
| 9.5.24 | CVE-2024-27956 - WP-Automatic Plugin SQL Injection vulnerability exploited in the wild | ALERTS | VULNERABILITY | CVE-2024-27956 is a recently disclosed critical (CVSS score 9.8) SQL injection (SQLi) vulnerability in the WP-Automatic plugin prior to version 3.92.1. |
| 9.5.24 | Shinra Ransomware | ALERTS | RANSOM | Shinra, a recently discovered ransomware variant from the Proton malware family, encrypts files and appends the ".SHINRA3" extension while renaming file names to random strings. |
| 9.5.24 | CVE-2024-2389 - Command Injection vulnerability affecting Progress Flowmon | ALERTS | VULNERABILITY | CVE-2024-2389, a recently disclosed critical vulnerability with a CVSS score of 10, affects Progress Flowmon, a widely used network performance monitoring tool. |
| 9.5.24 | Increase of Lockbit ransomware attacks | ALERTS | RANSOM | Earlier in February this year, the Lockbit ransomware family was targeted in a coordinated disruption operation called "Operation Cronos" that saw multiple members of this ransomware gang arrested, assets taken and a decryption tool released publicly. |
| 7.5.24 | CVE-2024-4040 - CrushFTP vulnerability exploited in the wild | ALERTS | VULNERABILITY | CVE-2024-1852 is a recently disclosed injection vulnerability affecting CrushFTP versions before 10.7.1 and 11.1.0. |
| 7.5.24 | Counterfeit Revenue Agency page distributing VBlogger malware | ALERTS | VIRUS | A malware campaign involving a counterfeit Revenue Agency webpage hosted on an Italian domain has been reported. |
| 7.5.24 | Cuckoo: A new macOS malware targeting music ripping applications | ALERTS | VIRUS | A new macOS malware dubbed Cuckoo has been reported. This malware is distributed through websites that offer applications for ripping music from streaming services. |
| 7.5.24 | Android malware used in targeted attack against Indian defense forces | ALERTS | VIRUS | A socially engineered delivery through WhatsApp was leveraged to reportedly target Indian defense forces with a new Android malware by presenting itself as a defense-related application. |
| 3.5.24 | NiceCurl and TameCat custom backdoors leveraged by Damselfly APT | ALERTS | APT | NiceCurl and TameCat are two custom backdoor variants recently leveraged in malicious campaigns attributed to the Damselfly APT (also known as APT42). |
| 3.5.24 | TesseractStealer malware leverages OCR engine for information extraction | ALERTS | VIRUS | TesseractStealer is an infostealer recently distributed by variants of the ViperSoftX malware. This malware leverages Tesseract (an open source OCR engine) in an effort to extract text from user image files. |
| 3.5.24 | A recent Darkgate malspam campaign | ALERTS | CAMPAIGN | The infection chain for this campaign initiates from an email file with an HTML attachment. |
| 3.5.24 | Latest macOS Adload variant focuses on detection evasion | ALERTS | VIRUS | A recent report by SentinelOne outlines changes observed in the macOS malware Adload. The most recent variants of this malware family come with capabilities allowing them to evade the latest Apple XProtect signatures. |
| 3.5.24 | Old dogs teaching new tricks to ZLoader | ALERTS | VIRUS | ZLoader, a modular trojan, has implemented anti-analysis capabilities that appear to be lifted from the ZeuS source code. |
| 3.5.24 | Goldoon botnet | ALERTS | BOTNET | According to a recent report from FortiGuard Labs, a new botnet variant dubbed Goldoon has been observed in the wild. |
| 3.5.24 | BirdyClient malware leverages Microsoft Graph API for C&C communication | ALERTS | VIRUS | An increasing number of threats have begun to leverage the Microsoft Graph API, usually to facilitate communications with command-and-control (C&C) infrastructure hosted on Microsoft cloud services. |
| 3.5.24 | DarkGate loader continues to be actively distributed | ALERTS | | DarkGate loader malware has been very actively distributed within the last year. Numerous email campaigns have leveraged various attack chains to deliver the DarkGate payload. |
| 3.5.24 | Dwphon mobile malware | ALERTS | VIRUS | Dwphon is a recently identified malware variant targeting the Android platform. |
| 3.5.24 | SpyNote using Central Bank of Kazakhstan as a lure | ALERTS | VIRUS | No countries or financial institutions are exempt from having their brands abused to lure mobile users into installing Android malware, a trend that continues to grow. |
| 3.5.24 | GuLoader campaign targeting industries in Russian-speaking countries | ALERTS | CAMPAIGN | An actor has been observed running two email campaigns with different social engineering tactics that lead to GuLoader. Both campaigns target industries in Russian-speaking countries such as Russia, Belarus, Kyrgyzstan, and Kazakhstan. |