Russian Cyberattackers Launch Multiphase PsyOps Campaign

Published: 23/11/2024   Category: security

Operation Texonto spanned several months, using various Russian propaganda lures and spear-phishing to misinform and trick users into giving up Microsoft 365 credentials.



Russia-linked threat actors employed both PsyOps and spear-phishing to target users over several months at the end of 2023 in a multiwave campaign aimed at spreading misinformation in Ukraine and stealing Microsoft 365 credentials across Europe.
The operation — dubbed Operation Texonto — came in two distinct waves, the first in October-November 2023 and the second in November-December 2023, researchers from ESET discovered. The campaign used a diverse range of psyop tactics and spam emails as its main distribution method, they revealed in a blog post published Feb. 22.
Chronologically, the first campaign was a spear-phishing attack that targeted a Ukrainian defense company in October 2023 and an EU agency in November 2023. The second was a disinformation campaign focused mainly on Ukrainian targets using topics related to heating interruptions, drug shortages, and food shortages — typical themes of Russian propaganda campaigns, the researchers said.
Though they had different aims, both used similar network infrastructure, which is how ESET linked the two. Then, in a bit of a plot twist, a URL associated with Operation Texonto was used to send typical Canadian pharmacy spam in a separate campaign that occurred in January.
Threat campaigns have been employed by Russian-aligned threat actors such as Sandworm and Gamaredon in a cyberwar with Ukraine that has run concurrently with the two-year ground operation, according to ESET. Sandworm notably used wipers to disrupt Ukrainian IT infrastructure early in the war, while Gamaredon recently has ramped up cyber espionage operations.
"Operation Texonto shows yet another use of technologies to try to influence the war," the researchers wrote in the post, though they did not attribute the operation to a specific actor. "We found a few typical fake Microsoft login pages but most importantly, there were two waves of psyops via emails, probably to try to influence Ukrainian citizens and make them believe Russia will win."
Operation Texonto also demonstrates other notable deviations from typical malicious activity, notes Matthieu Faou, the ESET researcher who led the investigation, in an email to Dark Reading.
"What is interesting in the Operation Texonto case is that the same threat actor is both engaged in disinformation and in spear-phishing campaigns, while most of the threat actors do one or the other," he observes. "As such, it's clear that it is a planned psyop and not just someone posting misinformation on the Internet."
The campaign also shows a move away from using common channels such as Telegram or fake websites to convey the malicious messages, the researchers noted.
The first sign of the operation came in October when employees working at a major Ukrainian defense company received a phishing email purportedly from the IT department. The message warned that their mailbox may be removed and that to sign in, they must click on a link to a Web version of the mailbox and log in using their credentials.
The link instead led to a phishing page. ESET researchers weren't able to retrieve the page itself, but from another domain belonging to the operation that had been submitted to VirusTotal, they surmised it was a fake Microsoft login page built to steal Microsoft 365 credentials.
The next wave of the campaign was the first psyops operation, which sent disinformation emails with a PDF attachment to at least a few hundred people working for the Ukrainian government and energy companies, as well as individual citizens.
Contrary to the previously described phishing campaign, however, the goal of these emails appeared to be purely disinformation to sow doubt in the minds of Ukrainians, rather than to spread malicious links.
Emails in the campaign informed recipients of potential food, heating, and drug shortages, with one going so far as to suggest they eat pigeon risotto, even providing photos of a living pigeon and a cooked pigeon. That shows those documents were purposely created in order to rile the readers, the researchers noted.
"Overall, the messages align with common Russian propaganda themes," they wrote. "They are trying to make Ukrainian people believe they won't have drugs, food, and heating because of the Russia-Ukraine war."
The second phase of the psyops wave occurred in December and expanded to other European countries, with a random array of a few hundred targets ranging from the Ukrainian government to an Italian shoe manufacturer, but still written in Ukrainian. The researchers discovered two different email templates in the campaign that sent sarcastic holiday greetings to Ukrainians in another effort to disparage and discourage them.
The researchers mainly tracked domains to keep up with the cybercriminals involved in Operation Texonto, which led them down some interesting paths. One was to a seemingly unrelated but typical Canadian pharmacy spam campaign that used an email server operated by the attackers, a category of illegal business [that] has been very popular within the Russian cybercrime community, they said.
Other domain names associated with the campaign reflected more recent current events such as the death of Alexei Navalny, the well-known Russian opposition leader who died Feb. 16 in prison. The existence of those domains — including navalny-votes[.]net, navalny-votesmart[.]net, and navalny-voting[.]net — means that Operation Texonto probably includes spear-phishing or information operations targeting Russian dissidents, the researchers wrote.
ESET included a range of indicators of compromise (IOCs), including domains, email addresses, and MITRE ATT&CK techniques, in their report. The researchers also recommend that organizations enable strong two-factor authentication — such as a phone authenticator app or a physical key — to defend against spear-phishing attacks that target Office 365, Faou says.
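Domain IOCs like the ones above are published defanged (`navalny-votes[.]net`), so a defender's first step is to refang them and sweep mail-gateway logs for sender domains and embedded links that match them or any subdomain. The following is an added example, not ESET's code or part of the report; the three navalny-* domains are the ones quoted in the article, while the log lines, their `from=`/`url=` format, and the function names are constructed for this illustration.

```python
"""Sweep mail-gateway log lines for domains published as defanged IOCs.
Added example, not ESET's tooling. The three navalny-* domains are quoted
in the article; the log format and sample lines below are constructed."""
from __future__ import annotations

import re
from urllib.parse import urlparse

# Domain IOCs in the defanged form feeds use, as quoted in the article.
IOC_DOMAINS_DEFANGED = [
    "navalny-votes[.]net",
    "navalny-votesmart[.]net",
    "navalny-voting[.]net",
]

# Constructed sample log lines (hypothetical gateway format, not a real product's).
SAMPLE_LOG = [
    'from=<it-support@mail.navalny-votes.net> to=<user@example.org> subject="Mailbox removal notice"',
    'from=<newsletter@example.com> to=<user@example.org> url=https://login.navalny-voting.net/owa/?id=1',
    'from=<colleague@example.org> to=<user@example.org> url=https://example.org/docs/report.pdf',
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)
ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+\.\w+)")


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('example[.]net', 'hxxp://') back into its real form."""
    return indicator.strip().lower().replace("[.]", ".").replace("hxxp", "http")


def defang(domain: str) -> str:
    """Inverse of refang, so hits can be reported without producing live links."""
    return domain.replace(".", "[.]")


def domain_matches(host: str, ioc_domains: set[str]) -> str | None:
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    host = host.lower().rstrip(".")
    for ioc in ioc_domains:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def scan_log_line(line: str, ioc_domains: set[str]) -> list[str]:
    """Collect IOC hits from sender/recipient addresses and URLs in one log line."""
    hits: set[str] = set()
    for m in ADDR_RE.finditer(line):          # domain part of every e-mail address
        ioc = domain_matches(m.group(1), ioc_domains)
        if ioc:
            hits.add(ioc)
    for url in URL_RE.findall(line):          # host of every embedded URL
        host = urlparse(url).hostname or ""
        ioc = domain_matches(host, ioc_domains)
        if ioc:
            hits.add(ioc)
    return sorted(hits)


def scan_mail_log(lines: list[str], defanged_iocs: list[str]) -> dict[int, list[str]]:
    """Map each matching line index to the defanged IOC domains found on it."""
    ioc_domains = {refang(d) for d in defanged_iocs}
    report: dict[int, list[str]] = {}
    for idx, line in enumerate(lines):
        hits = scan_log_line(line, ioc_domains)
        if hits:
            report[idx] = [defang(h) for h in hits]
    return report


if __name__ == "__main__":
    for idx, iocs in scan_mail_log(SAMPLE_LOG, IOC_DOMAINS_DEFANGED).items():
        print(f"line {idx}: matched {', '.join(iocs)}")
```

The subdomain check matters because the phishing hosts seen in this kind of campaign typically sit under the registered domain (a `login.` or `mail.` label in front of it), so an exact-string comparison against the IOC list would miss them. Hits are re-defanged before reporting so that ticket text and chat pastes never carry a clickable link.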
Regarding defending against malicious actors' attempts to spread disinformation online, "the best protection is to use our critical mindset and not to trust any information on the Internet," he adds.