Punishing Owl

Punishing Owl is a newly identified, suspected politically motivated hacktivist threat actor active since at least December 2025, targeting Russian state institutions, a Russian government security agency, scientific enterprises, and IT organizations (including Russian critical infrastructure targets). The group publicly claimed a breach on December 12, 2025 and leaked stolen internal documents via a data leak site and a Mega.nz repository. In at least one intrusion, the actor gained access to the victim’s DNS configuration, created a subdomain, and modified DNS records to redirect traffic to a Brazil-hosted server that served the stolen data and a political manifesto; the announcement was timed for Friday evening (6:37 PM) to slow response and maximize impact. Post-compromise, Punishing Owl conducted business email compromise (BEC) against the victim’s partners/contractors using email addresses created within the victim’s domain and sending from Brazilian infrastructure; the actor also set up supporting infrastructure including fake TLS certificates and IMAP/SMTP services. Initial access and execution are described as phishing-based: emails deliver password-protected ZIP archives containing Windows shortcut (LNK) files masquerading as PDF documents. Opening the LNK triggers PowerShell to download and execute a PowerShell stealer dubbed ZipWhisper (download observed from bloggoversikten[.]com). ZipWhisper harvests sensitive data including browser credential files, cookies, and saved passwords; stages collected data as ZIP archives in AppData\Local\Temp (with archive naming patterns including username and chunk numbers); and uploads the archives back to the same command-and-control server via a customized endpoint structure. Analysis noted code comments suggesting possible use of AI tooling to generate parts of the script. One social media account associated with Punishing Owl was administered from Kazakhstan.