Перейти к содержанию

Hackers attack CIS under the guise of "contracts" and payments: Uzbekistan becomes one of the main targets of a phishing campaign

The xplogs22 group sent over 2900 malicious emails in a year and started using a new remote access Trojan.

F6, a company specializing in combating cybercrime, has uncovered a large-scale phishing campaign by the xplogs22 group targeting organizations in CIS countries and other regions. Uzbekistan, Russia, Kazakhstan, Armenia, Azerbaijan, and Belarus were among the key targets of the attackers.

Over the past 12 months, hackers have sent more than 2900 malicious emails, disguised as ordinary business correspondence. Most often, the messages imitated letters about contracts, payments, and financial documents with subjects such as "DOGOVOR", "Contract", "PROEKT DOGOVORA", "Payment receipt", and "KOPIYA PLATEZHA".

Attachments in such emails contained archives with malicious files. After they were launched, the device became infected, and the attackers gained the ability to remotely control the system.

According to F6, the group has been active since at least November 2023. Previously, xplogs22 used the SnakeKeylogger and FormBook Formgrabber malware, but since July 2025, it has switched to the XWorm remote access Trojan versions 6.0 and 7.1.

In addition, the hackers have improved their attack methods: now attachments include not only executable files but also loaders with .vbs, .hta, and .bat extensions. To bypass security systems, the attackers also use steganography, hiding malicious code inside images.

Of particular danger is the use of fake sender addresses in national domain zones, including .uz. This allows attackers to impersonate messages from local companies and increase the likelihood of successful infection.