
ciacontactru[.]com | Image: Silent Push
Silent Push Threat Analysts uncover a multi-cluster phishing operation leveraging fake CIA and anti-Putin group websites to harvest personal data under the guise of trust.
Silent Push Threat Analysts have uncovered a sprawling cyber-espionage campaign believed to be operated by or on behalf of Russian Intelligence Services, aiming to identify and surveil Russian citizens sympathetic to Ukraine, as well as potential military defectors and pro-Ukraine dissidents.
The campaign deploys highly convincing phishing pages designed to impersonate trusted organizations such as the CIA, Russian Volunteer Corps (RVC), Legion Liberty, and the Ukrainian military’s hotline project Hochuzhit (“I Want to Live”). These clusters are united by a single objective: “Collecting personal information from site-visiting victims for the benefit of the threat actor.”
The operation exploits bulletproof hosting infrastructure, primarily linked to Nybula LLC (ASN 401116), allowing attackers to publish malicious websites with little fear of takedown. Domains like ciagov[.]icu, rusvolcorps[.]net, and hochuzhitlife[.]com were found actively masquerading as legitimate outreach platforms.
These pages often mimicked recruitment forms or hotlines, asking victims to submit deeply personal information such as:
- Political beliefs
- Military experience
- Telegram handles
- Psychological fitness
- Current citizenship and legality of residence
“Visitors to the Google Form were instructed to provide their personal information… including motivation for joining our division,” researchers noted in reference to the spoofed RVC domain rusvolcorps[.]net.
One of the more alarming components was the impersonation of the U.S. Central Intelligence Agency. Domains like ciagov[.]icu and ciagov[.]info hosted cloned forms that displayed a “Submission Reference ID” after a user entered data—a tactic meant to reinforce legitimacy and trust.
“The phishing pages were designed to lure potential victims into submitting their personal information… under the false belief they were contacting the CIA.”
Even YouTube was used in the deception, with a malicious video titled “How do I contact the CIA?” that embedded the fake .onion domain: ciagovlgmxiyo7qapr6km536svznpsygmqdeen5hpg5xce7b4zav54ad[.]onion.
The campaign’s infrastructure exhibits tight coordination, including:
- WHOIS records tied to the fake organization “Semen Gerda”
- Domains registered via NiceNIC
- Hosting shared across dedicated IPs like 80.78.22[.]146
Silent Push analysts identified shared artifacts across the clusters, such as reused favicons, cloned HTML, and even legitimate Telegram handles embedded in the fake sites, likely to boost perceived trustworthiness.
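The pivots listed above (a shared dedicated IP, a reused WHOIS registrant, a reused favicon) are exactly the attributes an analyst joins on to group domains into clusters. The script below is an added example, not Silent Push's tooling: it links domains that share any strong indicator and merges the links transitively, so a domain that only shares an IP with one site and only a favicon with another still lands in the same cluster. The domain names, IP, registrant and registrar values are taken from the write-up, but which domain carries which attribute is assumed here for illustration and the favicon hashes are made up.

```python
"""Cluster suspected phishing domains by shared infrastructure indicators.

Added example, not code from Silent Push. RECORDS is constructed sample
data: the per-domain assignment of IP, registrant and favicon is an
assumption made for illustration, and the favicon hashes are invented.
"""
from collections import defaultdict

# Constructed sample records (assumed attribute assignments).
RECORDS = [
    {"domain": "ciagov.icu",            "ip": "80.78.22.146", "registrant": "Semen Gerda", "registrar": "NiceNIC", "favicon": "mmh3:-1234"},
    {"domain": "ciagov.info",           "ip": "80.78.22.146", "registrant": "Semen Gerda", "registrar": "NiceNIC", "favicon": "mmh3:-1234"},
    {"domain": "rusvolcorps.net",       "ip": "80.78.22.147", "registrant": "Semen Gerda", "registrar": "NiceNIC", "favicon": "mmh3:5566"},
    {"domain": "hochuzhitlife.com",     "ip": "80.78.22.147", "registrant": "REDACTED",    "registrar": "NiceNIC", "favicon": "mmh3:7788"},
    {"domain": "legionllberty.army",    "ip": "203.0.113.9",  "registrant": "REDACTED",    "registrar": "NiceNIC", "favicon": "mmh3:7788"},
    {"domain": "example-unrelated.org", "ip": "198.51.100.5", "registrant": "REDACTED",    "registrar": "NiceNIC", "favicon": "mmh3:9999"},
]

# Attributes strong enough to link two domains. The registrar is deliberately
# excluded: NiceNIC has many unrelated customers, so it is context, not a pivot.
# Placeholder values (redacted WHOIS, empty fields) must never join anything.
PIVOT_KEYS = ("ip", "registrant", "favicon")
NOISE_VALUES = {"REDACTED", "", None}


def cluster(records, pivot_keys=PIVOT_KEYS):
    """Return clusters (largest first) of domains joined by shared pivot values."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Invert the records: (attribute, value) -> domains carrying it.
    index = defaultdict(list)
    for r in records:
        for key in pivot_keys:
            value = r.get(key)
            if value in NOISE_VALUES:
                continue
            index[(key, value)].append(r["domain"])

    # Any two domains sharing a pivot value are linked; union-find makes it transitive.
    for domains in index.values():
        for other in domains[1:]:
            union(domains[0], other)

    groups = defaultdict(list)
    for domain in parent:
        groups[find(domain)].append(domain)
    return sorted((sorted(g) for g in groups.values()), key=len, reverse=True)


def link_evidence(records, pivot_keys=PIVOT_KEYS):
    """List every (attribute, value) shared by two or more domains: the 'why' of each link."""
    index = defaultdict(list)
    for r in records:
        for key in pivot_keys:
            value = r.get(key)
            if value not in NOISE_VALUES:
                index[(key, value)].append(r["domain"])
    return sorted((k, v, sorted(d)) for (k, v), d in index.items() if len(d) > 1)


if __name__ == "__main__":
    for group in cluster(RECORDS):
        print(len(group), group)
    for key, value, domains in link_evidence(RECORDS):
        print(f"{key}={value}: {domains}")
```

Note how the chain works: the two ciagov domains share everything, rusvolcorps.net joins them through the registrant, hochuzhitlife.com joins through the second IP, and the legionllberty lookalike joins only through the favicon, while the unrelated domain stays alone. Running `cluster(RECORDS, ("registrar",))` collapses all six into one group, which is why a shared registrar is kept as context rather than as a linking key.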
“Our team strongly believes these phishing honeypots are likely the work of either Russian Intelligence Services or a threat actor aligned to Russian interests.”
As anti-war dissent continues to grow among Russian civilians and soldiers, these phishing campaigns represent a high-tech form of political suppression. Sites like legionliberty[.]top and hochuzhitlife[.]com turn a visitor's genuine attempt to reach these organizations into a submission to a honeypot run by Russian-aligned actors.
One cluster even spoofed legionllberty[.]army, swapping the “i” in “liberty” for a lowercase “l”, a one-character substitution that is easy to miss even for a careful observer.
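The legionllberty lookalike is a classic confusable-character domain: the same length as the real name, with one glyph swapped for one that renders almost identically. The check below is an added example, not from the report: it reduces each second-level label to a "skeleton" in which confusable characters are folded together, then falls back to single-edit typos and to brand names embedded in a longer label (the hochuzhitlife pattern). The protected labels are the organization names from the article; a real deployment would load a verified allow-list of legitimate domains instead. The candidate domains other than legionllberty[.]army and hochuzhitlife[.]com are constructed, and the label extraction assumes a single-label TLD (no public-suffix list).

```python
"""Flag lookalike domains that impersonate a protected brand label.

Added example; not Silent Push's code. PROTECTED holds brand names from the
article (an assumption standing in for a verified allow-list). Candidate
inputs other than the two spoofed domains named in the text are constructed.
"""

PROTECTED = ("legionliberty", "rusvolcorps", "hochuzhit")

# Characters that render alike in common fonts, folded to one canonical form.
# Multi-character entries are applied first so "rn" becomes "m" before "n" is seen.
CONFUSABLES = {"rn": "m", "vv": "w", "l": "i", "1": "i", "0": "o"}


def registrable_label(domain):
    """Second-level label of a (possibly defanged) domain; assumes a one-label TLD."""
    host = domain.lower().replace("[.]", ".").strip(".")
    parts = host.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def skeleton(label):
    """Fold confusable glyphs so visually identical labels compare equal."""
    s = label.lower()
    for bad in sorted(CONFUSABLES, key=len, reverse=True):
        s = s.replace(bad, CONFUSABLES[bad])
    return s


def edit_distance(a, b):
    """Levenshtein distance via a rolling single-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, protected=PROTECTED):
    """Return (verdict, matched_label). Verdicts, strongest first:
    label-match    same second-level label (still verify the TLD by hand)
    confusable     identical once look-alike glyphs are folded
    near-typo      within one edit of a protected label
    contains-brand protected label embedded in a longer label
    no-match       nothing suspicious found
    """
    label = registrable_label(domain)
    sk = skeleton(label)
    for p in protected:
        if label == p:
            return ("label-match", p)
    for p in protected:
        if sk == skeleton(p):
            return ("confusable", p)
    for p in protected:
        if edit_distance(label, p) <= 1:
            return ("near-typo", p)
    for p in protected:
        if p in label:
            return ("contains-brand", p)
    return ("no-match", None)


if __name__ == "__main__":
    # First two are from the article; the rest are constructed variants.
    for candidate in ("legionllberty[.]army", "hochuzhitlife[.]com",
                      "rusvo1corps.com", "rusvolcorp.net", "example.org"):
        print(candidate, classify(candidate))
```

The skeleton comparison is what catches the legionllberty case: both "legionliberty" and "legionllberty" fold to the same string, so the verdict does not depend on guessing which character was swapped. The check is ordered from strongest to weakest signal so that a domain matching several rules reports the most specific one.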