4BID Expands Ransomware Operations Across MENA and Central Asia

Summary:

A June 8, 2026, intelligence report from Kaspersky GReAT confirms that 4BID and affiliated groups Hakerskii Kit, C.A.S., and Goffee have expanded their targeting beyond Russia and Belarus to include organisations in Kazakhstan, the UAE, Syria, and Egypt. Originally operating as politically motivated hacktivists, the groups are increasingly adopting ransomware tactics and shifting toward financially motivated operations. Their campaigns combine Microsoft Exchange ProxyShell exploitation, .aspx web shells, commercial remote management tools, EDR-disabling kernel drivers, and the ClearWater and Blackout Locker ransomware strains. This combination of hacktivist activity, ransomware deployment, and advanced endpoint evasion capabilities significantly elevates the threat. UAE organisations running Microsoft Exchange Server, ASP.NET applications, or remote management tools such as AnyDesk should review their exposure and implement immediate protective measures.

Technical Description:

Initial access in all confirmed 4BID campaigns is achieved through exploitation of Microsoft Exchange Server ProxyShell vulnerabilities, the critical chain of CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207 that allows unauthenticated attackers to perform remote code execution on Exchange via a combination of authentication bypass, privilege escalation, and arbitrary file write. Despite these vulnerabilities being disclosed in 2021, unpatched Exchange deployments remain widespread globally and particularly across MENA enterprise environments. Post-exploitation begins immediately with deployment of fd.aspx, a custom web shell written in ASP.NET, designed to blend into legitimate Exchange or ASP.NET application directories. The fd.aspx shell provides the attacker with persistent HTTP-accessible command execution, file management, and lateral movement capabilities that survive reboots and Exchange service restarts.

After establishing the web shell, the attackers deploy a carefully sequenced post-exploitation toolkit. Remote monitoring and management tools, including AnyDesk and similar commercial RMM platforms, are installed to provide GUI-based remote access that blends with legitimate IT management traffic. Custom PowerShell and batch scripts perform reconnaissance, credential harvesting, and Active Directory enumeration. A Bring-Your-Own-Vulnerable-Driver (BYOVD) EDR killer is deployed to disable endpoint detection and response tools by exploiting a signed but vulnerable kernel driver, rendering CrowdStrike, Defender, and other EDR products ineffective. With defences neutralised, ransomware is deployed: ClearWater ransomware for general file encryption and financial extortion, and an updated version of Blackout Locker, distributed via a Rust-based dropper, for targeted destructive encryption. The Rust dropper writes the payload to AppData\Local\Microsoft\[REDACTED].dat and renames it to .exe before execution. The full attack chain is detailed below.

Delivery and Infection Chain:

The 4BID campaign follows a consistent and documented attack sequence confirmed by Kaspersky GReAT across all investigated victim environments. The full chain is as follows:

  • Attacker scans for and exploits unpatched Microsoft Exchange Servers using the ProxyShell vulnerability chain (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Unauthenticated remote code execution is achieved on the Exchange server; no user interaction is required.
  • The fd.aspx ASP.NET web shell is written to the Exchange server filesystem via the ProxyShell file write capability. The shell is accessible via HTTP/HTTPS and provides persistent command execution, file management, and proxy capabilities that survive service restarts.
  • Commercial remote management tools, including AnyDesk, are silently installed via the web shell to provide GUI-based persistent remote access. RMM traffic blends with legitimate business tooling, defeating network-layer detection that focuses on novel C2 protocols.
  • Custom PowerShell scripts enumerate Active Directory users, groups, shares, and connected systems. Credentials are harvested from LSASS memory, browser stores, and the credential manager. Domain admin credentials are targeted to enable network-wide ransomware deployment.
  • A Bring-Your-Own-Vulnerable-Driver attack deploys a signed but vulnerable kernel driver to disable EDR and AV products, including CrowdStrike Falcon, Microsoft Defender, and others. With endpoint protection neutralised, the attackers operate freely on all compromised hosts.

Technical Capabilities:

The BYOVD EDR-killing technique is the most operationally significant capability in the 4BID toolkit; it is what separates this campaign from lower-sophistication hacktivist operations. By exploiting a signed, legitimate kernel driver with a known vulnerability, the attacker gains kernel-level code execution to terminate EDR agent processes and kernel callbacks that would otherwise detect and block ransomware deployment. This technique has historically been associated with sophisticated ransomware-as-a-service groups such as BlackCat/ALPHV and Cl0p. Its adoption by hacktivist-origin groups confirms the capability convergence that Kaspersky GReAT flagged as the defining characteristic of the 4BID campaign. Blackout Locker's Rust-based dropper adds another layer of detection resistance: Rust-compiled executables are structurally different from the C/C++ malware that most AV signatures are trained on, and the AppData staging path impersonating a Microsoft directory is specifically chosen to evade automated suspicious-path detection rules.

ClearWater ransomware has been deployed in attacks linked to Hakerskii Kit, with public acknowledgements indicating coordination with C.A.S. Blackout Locker remains 4BID’s primary ransomware and was enhanced in January 2026 with a Rust-based dropper. The groups’ expansion into the UAE appears tied to a shift from primarily ideological objectives toward financially motivated targeting, meaning UAE organisations should consider themselves potential targets regardless of any connection to the groups’ original Russia-focused agenda.

Attribution and Evolution:

Kaspersky GReAT assesses with medium confidence that the four distinct personas, 4BID, Hakerskii Kit, C.A.S., and Goffee, are linked. The groups share tooling, infrastructure, and operational coordination patterns. The broader cluster is assessed as Russian-speaking, politically motivated hacktivists who have integrated financially motivated ransomware operations as a revenue stream. Public statements from an alleged 4BID member indicating that Russian targeting is no longer profitable, combined with confirmed victims in the UAE, Kazakhstan, Syria, and Egypt, suggest a deliberate geographic expansion strategy. The groups operate primarily via Telegram for public claims and coordination, which provides attribution visibility and intelligence for defenders monitoring Telegram hacktivist channels.

Active Campaign and Geographic Spread:

UAE organisations are confirmed victims in the Kaspersky GReAT investigation. This is not a projected or theoretical risk; it is confirmed active targeting. The campaign specifically targets internet-facing Microsoft Exchange Servers (the ProxyShell entry point) and Windows environments with AnyDesk or similar RMM tooling. UAE enterprises with on-premises or hybrid Exchange deployments that have not applied the 2021 ProxyShell patches remain at direct and immediate risk. The expansion coincides with a broader pattern of Russia-affiliated and Eastern European threat actors pivoting to MENA targets as geopolitical and financial motivations shift, consistent with the 44% increase in underground recruitment by ransomware affiliates targeting GCC countries documented in Group-IB's 2025 report.

Conclusion:

The 4BID campaign represents the maturation of hacktivist groups into full-capability ransomware operators, combining the ideological framing of hacktivism with the financial motivation and technical sophistication of professional ransomware affiliates. For UAE organisations, the immediate priorities are clear: patch Exchange ProxyShell vulnerabilities immediately if not already done, audit for fd.aspx or similar web shells in Exchange and ASP.NET directories, monitor for AnyDesk installations outside approved IT management workflows, deploy BYOVD-resistant EDR configurations, and ensure ransomware-resilient offline backup coverage for all critical systems.

Impact:

Successful 4BID exploitation results in full domain compromise via the ProxyShell-to-web-shell-to-domain-admin chain, followed by EDR neutralisation and simultaneous ransomware deployment across all reachable Windows endpoints. ClearWater and Blackout Locker both encrypt files and demand ransom. The hacktivist framing means payment does not guarantee decryption, as reputational damage and disruption are coequal goals alongside financial extraction. For UAE organisations, a confirmed ransomware incident triggers UAE PDPL breach notification obligations if personal data is encrypted or exfiltrated, NCA ECC mandatory incident reporting, and significant operational disruption to any business process dependent on encrypted systems.

IOC and Context Details:

Tactic Name: Initial Access, Execution, Persistence, Defence Evasion, Credential Access, Impact

Technique Name: Microsoft Exchange ProxyShell Exploitation (CVE-2021-34473 / CVE-2021-34523 / CVE-2021-31207), fd.aspx ASP.NET Web Shell Deployment, AnyDesk and Commercial RMM Tool Installation for Persistent Access, BYOVD Kernel Driver EDR Killer, ClearWater Ransomware Deployment, Blackout Locker (Rust Dropper) Deployment

Sub-Technique Name: ProxyShell exploits unpatched Exchange servers → fd.aspx web shell written to filesystem → AnyDesk installed for persistent remote access → PowerShell credential harvesting and Active Directory enumeration → BYOVD driver disables EDR protections → ClearWater or Blackout Locker deployed across the environment → Files encrypted → Ransom demand issued to victim organisation.

Attack Type: Malware

Targeted Applications: Microsoft Exchange Server (ProxyShell entry point), Microsoft ASP.NET applications (fd.aspx web shell), Windows systems (ransomware and EDR killer), AnyDesk and commercial RMM tools (persistence), Active Directory environments (credential harvesting target).

Region Impacted: UAE (confirmed), Kazakhstan, Syria, Egypt, Russia (primary targeting), and Belarus.

Industry Impacted: Manufacturing, Government, Technology, Financial Services, and any organisation operating an internet-facing Microsoft Exchange Server.

IOCs:

IP Addresses:
  • 212[.]46[.]12[.]182
  • 45[.]112[.]194[.]82
  • 185[.]221[.]153[.]121
  • 85[.]137[.]253[.]186
  • 138[.]226[.]236[.]52

MD5 Hashes:
  • 8db0adf8fd6dc6195d7ae55e37e49f97
  • 663a479d6d24c767f1d3229a0a91554b
  • ecb57d8793514aa02314417265b1853f
  • 18618f4b468ba4e64c2e1072a6da2134
  • 62123c39477389d500e74e82782adea5
  • d13997b1716e4c82ab454285202eafdc
  • 0b1870d57221eec6f3bbef648e71a724
  • a36082c998391a3ebaf05ba4f834172c
  • 09d0517a1f69feff8186655ae3b567e0
  • ede8ce887dd9ab7add0f0fc872d51369
  • 3ee38b944e5c83922f99641846f7db0c

SHA1 Hashes:
  • d8549ac45ca437de8fc7a2019b61a3140b8a76fd
  • 4b9a94ebb1a9227dfccec0b780681aa7001f5d49
  • d5290e94abd1cb338519aa9f28c473ef49a21436
  • 440d850ca84790200ad4743f82f23e4393cb95be
  • 4afad64dfe8f583459a0d8c2ce083441ca8a9851
  • 4a2bc7c04c972689c24a475046d4ef045b893af1
  • 8a8eff407d9df3e07f8819a70a0c59f642cc0e3c
  • c807241af2039e4bce4c5924dd463ea7aef1a5eb
  • cc7fd25d253713e3fa632ea6dc967e31f338a6ce
  • dbe83447ae3db51b4a26d93633e80c9b371c6fd1
  • aa5266035866db1babaded0a440b1b74b5b67928

SHA256 Hashes:
  • 8c72f0e17007e9c2e7104e4be92ab2101d855d0d2a816f5c10bb1d4a0d865f1d
  • c9a3fe102063c6f6fcd7363f809308e8b0b3b01b1af296e4fd6e131c396feff1
  • e8bc7c8caf3ce4c2e6ccf6f0b4bfe813c329603dfeccbf8adb7b04668c4eef70
  • 22f2e5559af12b11b84d2afddbb795a369f06a565b7ac4616826f8bec432ffaf
  • a070fd0a15e41dae4319742d36cef7f87e600ae4666253404f63b4573d57b920
  • ef45af669baf15325ba48cafdfdc34847d73cbe5f00a3e89657d6b7e0dad985d
  • 42dccb7afdc883755eeec27a00fef532e1533d308ba376697b6270ffdbbc2d67
  • cf23037244f63d92ead83a1287c12b22b2c3404e71701b7c297d5a2f109d3887
  • b4cc5ac328afd0e7eaf16216879046367e083279bfdb831da3a53c8a31df3d1b
  • 3ec692b6dd8dd8f5d6304dd530020e4db93edce24d7f8b725d2dfe69329ce672
  • e777edeba841a6d56891863171b7a804b114bab73e5781fea3a9a82d3ec29f7c

CVE: N/A
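The de-fanged IOC list above only becomes actionable once it is normalised into values a log search can match. The following Python is an added example, not tooling from Kaspersky GReAT or from any of the referenced reports: it refangs the advisory's own indicators (the "[.]" notation), validates each one by type, and matches them against constructed key=value log records. The record format, the field names (src, dst, md5, sha1, sha256) and every sample line are assumptions; the indicator values themselves are copied from the table above.

```python
"""Refang the advisory's de-fanged IOCs and match them against log records.
Added example; the log format and sample records are constructed."""
import ipaddress
import re

# IP indicators copied verbatim from the advisory's IOC table (de-fanged).
DEFANGED_IPS = [
    "212[.]46[.]12[.]182",
    "45[.]112[.]194[.]82",
    "185[.]221[.]153[.]121",
    "85[.]137[.]253[.]186",
    "138[.]226[.]236[.]52",
]
# One digest of each type, also copied from the advisory's table.
ADVISORY_HASHES = [
    "8db0adf8fd6dc6195d7ae55e37e49f97",                                   # MD5
    "d8549ac45ca437de8fc7a2019b61a3140b8a76fd",                           # SHA1
    "8c72f0e17007e9c2e7104e4be92ab2101d855d0d2a816f5c10bb1d4a0d865f1d",   # SHA256
]

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
_HEX = re.compile(r"^[0-9a-f]+$")
_KV = re.compile(r"(\w+)=(\S+)")   # assumed record format: space-separated key=value, no spaces in values


def refang(value):
    """Undo the usual de-fanging ("[.]", "(.)", "hxxp") so the value matches real log fields."""
    plain = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", plain, flags=re.IGNORECASE)


def classify_hash(value):
    """Return 'md5', 'sha1' or 'sha256' for a hex digest of the right length, else None."""
    v = value.strip().lower()
    return HASH_TYPES.get(len(v)) if _HEX.match(v) else None


def build_indicators(defanged_ips, hashes):
    """Normalise the advisory list into typed sets; a malformed entry raises ValueError
    rather than silently becoming an indicator that can never match."""
    ind = {"ip": set(), "md5": set(), "sha1": set(), "sha256": set()}
    for raw in defanged_ips:
        ip = refang(raw)
        ipaddress.ip_address(ip)           # raises ValueError on a malformed address
        ind["ip"].add(ip)
    for h in hashes:
        kind = classify_hash(h)
        if kind is None:
            raise ValueError(f"not a hex digest: {h!r}")
        ind[kind].add(h.lower())
    return ind


def scan_records(records, indicators):
    """Match src/dst fields against IP indicators and md5/sha1/sha256 fields against
    hash indicators. Returns (record id, indicator type, matched value) tuples."""
    hits = []
    for line in records:
        fields = dict(_KV.findall(line))
        for key in ("src", "dst"):
            if fields.get(key) in indicators["ip"]:
                hits.append((fields.get("id"), "ip", fields[key]))
        for kind in ("md5", "sha1", "sha256"):
            val = fields.get(kind, "").lower()   # hashes are case-insensitive
            if val and val in indicators[kind]:
                hits.append((fields.get("id"), kind, val))
    return hits


# Constructed sample records (not real telemetry): one connection to an advisory IP,
# one file whose MD5 matches an advisory hash, and two benign lines.
SAMPLE_RECORDS = [
    "id=1 type=fw src=10.20.30.40 dst=212.46.12.182 dport=443 action=allow",
    "id=2 type=fw src=10.20.30.41 dst=13.107.42.16 dport=443 action=allow",
    "id=3 type=file host=EXCH01 path=C:\\inetpub\\wwwroot\\aspnet_client\\fd.aspx md5=8DB0ADF8FD6DC6195D7AE55E37E49F97",
    "id=4 type=file host=WS07 path=C:\\Windows\\notepad.exe sha256=0000000000000000000000000000000000000000000000000000000000000000",
]

if __name__ == "__main__":
    for hit in scan_records(SAMPLE_RECORDS, build_indicators(DEFANGED_IPS, ADVISORY_HASHES)):
        print(hit)
```

Hash matching is lower-cased on both sides because EDR and SIEM products disagree on digest case; the IP check deliberately validates each indicator with ipaddress before it enters the set, so a typo in the list fails loudly at build time instead of producing a blocklist entry that never fires.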

Recommended Actions:

  • Audit all Microsoft Exchange Server deployments immediately for ProxyShell patches (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207). Any unpatched Exchange server is a confirmed 4BID entry point. If already patched, verify the patch was applied correctly, not just that a cumulative update was installed.
  • Search all Exchange and ASP.NET web directories for fd.aspx and any other recently created .aspx files not associated with a known application deployment. Any unknown .aspx file in these directories should be treated as a confirmed web shell and escalated for immediate incident response.
  • Audit all AnyDesk and commercial RMM tool installations across the Windows estate. Any AnyDesk installation not deployed through approved IT management workflows, particularly on Exchange servers, domain controllers, or file servers, should be treated as a confirmed persistence mechanism and investigated immediately.
  • Deploy CrowdStrike Falcon with BYOVD protection enabled. Ensure kernel driver load monitoring is active and alerts on any unsigned or vulnerable signed driver loading outside of approved software deployment. The BYOVD EDR killer is the technique that enables ransomware deployment; blocking it is the highest-value defensive action after patching Exchange.
  • Ensure ransomware-resilient offline backups exist for all critical systems and are verified as recent and restorable. ClearWater and Blackout Locker encrypt all reachable files, including network shares, and offline backups isolated from domain-accessible storage are the only reliable recovery path.
  • Integrate Windows Event Log and Exchange audit logs into your SIEM (CrowdStrike or Sentinel). Create alerts for: new .aspx file creation in Exchange web directories, AnyDesk or RMM process execution on servers, unexpected kernel driver load events, and mass file rename or encryption patterns.
  • Implement network segmentation to restrict lateral movement from the Exchange server into the broader Windows domain. The 4BID chain progresses from Exchange to domain admin to network-wide ransomware; network segmentation between the Exchange DMZ and the internal domain significantly limits the blast radius.
  • Brief IT and end-user teams on the specific 4BID threat to UAE organisations. The geographic pivot is confirmed, and because the targeting is now financially motivated, UAE organisations should not assume that a lack of political relevance protects them. Any report of unusual AnyDesk activity, unexpected system behaviour, or ransom notes on Windows systems should be escalated immediately.
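The four SIEM alerts recommended above (new .aspx files in Exchange web directories, RMM execution on servers, unexpected kernel driver loads, and mass file creation) map one-to-one onto the stages of the delivery chain described earlier. The following Python is an added example, not code from Kaspersky GReAT or from any referenced report: it encodes those four alerts as rules over Sysmon-style events (Event ID 11 FileCreate, 1 ProcessCreate, 6 DriverLoad) and replays constructed events through them. The Exchange directory prefixes, the approved-signer allowlist, the host role field, the thresholds and every sample path, host name and signer name are assumptions.

```python
"""Detection rules for the advisory's four SIEM alerts, run over Sysmon-style events.
Added example; directory list, signer allowlist, thresholds, field names and all
sample events are constructed, not taken from any product or report."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Assumed Exchange / ASP.NET web directories, as lower-case path prefixes.
EXCHANGE_WEB_DIRS = (
    "c:\\program files\\microsoft\\exchange server\\v15\\frontend\\httpproxy",
    "c:\\program files\\microsoft\\exchange server\\v15\\clientaccess",
    "c:\\inetpub\\wwwroot",
)
RMM_IMAGES = {"anydesk.exe"}                      # extend with other RMM binaries in use
APPROVED_DRIVER_SIGNERS = {"Microsoft Windows"}   # assumed allowlist of driver publishers
MASS_WRITE_THRESHOLD = 50                         # FileCreate events per (host, process) ...
MASS_WRITE_WINDOW_S = 60                          # ... within this many seconds


def rule_aspx_create(ev):
    """Sysmon EID 11: any .aspx created under an Exchange/ASP.NET web directory."""
    if ev["eid"] != 11:
        return None
    target = ev["target"].lower()
    if target.endswith(".aspx") and target.startswith(EXCHANGE_WEB_DIRS):
        return f"new .aspx in Exchange web dir: {ev['target']} written by {ev['image']}"
    return None


def rule_rmm_on_server(ev):
    """Sysmon EID 1: an RMM binary starting on a host enriched with role=server."""
    if (ev["eid"] == 1 and ev.get("role") == "server"
            and PureWindowsPath(ev["image"]).name.lower() in RMM_IMAGES):
        return f"RMM tool started on server: {ev['image']}"
    return None


def rule_driver_load(ev):
    """Sysmon EID 6: a driver that is unsigned or signed by a publisher outside the allowlist.
    A valid signature alone is not enough, which is the point of BYOVD."""
    if ev["eid"] == 6 and (not ev.get("signed") or ev.get("signer") not in APPROVED_DRIVER_SIGNERS):
        return f"driver load outside allowlist: {ev['image']} signer={ev.get('signer')}"
    return None


class MassWriteRule:
    """Stateful sliding window: fires once when one process on one host creates
    MASS_WRITE_THRESHOLD files within MASS_WRITE_WINDOW_S seconds (encryption burst)."""
    def __init__(self):
        self.windows = defaultdict(deque)

    def __call__(self, ev):
        if ev["eid"] != 11:
            return None
        q = self.windows[(ev["host"], ev["image"])]
        ts = datetime.fromisoformat(ev["ts"])
        q.append(ts)
        while (ts - q[0]).total_seconds() > MASS_WRITE_WINDOW_S:   # drop events outside the window
            q.popleft()
        if len(q) == MASS_WRITE_THRESHOLD:                          # exactly once per crossing
            return (f"mass file creation: {len(q)} files in {MASS_WRITE_WINDOW_S}s "
                    f"by {ev['image']} on {ev['host']}")
        return None


def run_detections(events):
    """Replay events in time order through every rule; return (host, ts, message) alerts."""
    rules = [rule_aspx_create, rule_rmm_on_server, rule_driver_load, MassWriteRule()]
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        for rule in rules:
            msg = rule(ev)
            if msg:
                alerts.append((ev["host"], ev["ts"], msg))
    return alerts


def constructed_events():
    """Constructed Sysmon-style events (not real telemetry): one event per chain stage
    plus two benign events that must not alert."""
    t0 = datetime(2026, 6, 9, 8, 0, 0)
    exch = "C:\\Program Files\\Microsoft\\Exchange Server\\V15\\FrontEnd\\HttpProxy\\owa\\auth\\"
    events = [
        {"ts": t0.isoformat(), "host": "EXCH01", "role": "server", "eid": 11,
         "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "target": exch + "fd.aspx"},
        {"ts": (t0 + timedelta(minutes=2)).isoformat(), "host": "EXCH01", "role": "server",
         "eid": 1, "image": "C:\\Users\\Public\\AnyDesk.exe"},
        {"ts": (t0 + timedelta(minutes=3)).isoformat(), "host": "WS07", "role": "workstation",
         "eid": 1, "image": "C:\\Program Files\\AnyDesk\\AnyDesk.exe"},   # benign: workstation
        {"ts": (t0 + timedelta(minutes=5)).isoformat(), "host": "EXCH01", "role": "server",
         "eid": 6, "image": "C:\\Windows\\Temp\\drv.sys", "signed": True, "signer": "Example Vendor Ltd"},
        {"ts": (t0 + timedelta(minutes=6)).isoformat(), "host": "EXCH01", "role": "server",
         "eid": 6, "image": "C:\\Windows\\System32\\drivers\\ndis.sys", "signed": True,
         "signer": "Microsoft Windows"},                                   # benign: approved signer
    ]
    # 60 file creates by one process on a file server inside 30 s: an encryption burst.
    for i in range(60):
        events.append({"ts": (t0 + timedelta(minutes=10, seconds=i // 2)).isoformat(),
                       "host": "FS01", "role": "server", "eid": 11,
                       "image": "C:\\Users\\admin\\AppData\\Local\\Temp\\enc.exe",
                       "target": f"\\\\FS01\\share\\doc{i}.docx.locked"})
    return events


if __name__ == "__main__":
    for host, ts, msg in run_detections(constructed_events()):
        print(host, ts, msg)
```

The .aspx rule fires on any new file regardless of writer; in production it is worth recording the writing process as well, since a file written by w3wp.exe rather than by a deployment tool is the ProxyShell artefact the advisory describes. The role field is enrichment the SIEM has to supply from the asset inventory, and the mass-write threshold should be tuned against a baseline of legitimate bulk operations (backup agents, document management migrations) before it is turned into a blocking response.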

Reference:

https://securelist.com/hacktivists-broaden-attack-geography/120115/

https://www.technadu.com/hacktivist-groups-4bid-hakerskii-kit-and-c-a-s-broaden-attack-geography-report-says/629152

https://windowsnews.ai/article/4bid-hacktivism-expands-exchange-web-shells-rmm-tools-ransomware-edr-killers.423688