Intel Name: Rainbow Hyena strikes again: new backdoor and shift in tactics
Date of Scan: July 21, 2025
Impact: High
Summary: In late June, a phishing campaign targeted Russian healthcare and IT organizations, with the emails sent from compromised accounts belonging to legitimate organizations. The activity is attributed to the Rainbow Hyena cluster, which deployed a new custom-built backdoor named PhantomRemote. The operators impersonated well-known brands to add credibility and used polyglot files (a single attachment that is valid as more than one file format) to evade email filtering. The campaign also reflects a broader shift away from malicious documents as the initial delivery vehicle toward alternative formats such as LNK shortcut files.
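The following is an added triage check for the two delivery techniques named in the summary; it is example code written for this page, not tooling from the report or from the Rainbow Hyena campaign. The summary does not say which formats were combined in the polyglot files, so the check is generic: it flags any attachment whose leading header disagrees with structures found elsewhere in its body, and any LNK delivered directly or stored inside an archive. The magic bytes are the public signatures of the formats listed; the sample inputs, filenames and the analyze_attachment helper are constructed for illustration.

```python
"""Attachment triage for polyglot files and LNK payloads (added example)."""
import io
import re
import zipfile

# Windows shell link header: HeaderSize 0x4C followed by the CLSID
# 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

# Format decided by the bytes at offset 0.
HEAD_SIGNATURES = {
    "pdf": b"%PDF-",
    "zip": b"PK\x03\x04",                          # also docx/xlsx/pptx/jar
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "ole": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",    # legacy doc/xls/ppt
    "rtf": b"{\\rtf",
    "pe": b"MZ",
    "lnk": LNK_MAGIC,
}

# Structures that should not appear inside a file of a *different* declared
# format. Only low-noise markers: "MZ" or "PK" alone would be far too common.
BODY_SIGNATURES = {
    "zip": re.compile(rb"PK\x05\x06"),             # end-of-central-directory
    "pdf": re.compile(rb"%PDF-\d\.\d"),
    "html": re.compile(rb"<(?:html|script)\b", re.IGNORECASE),
    "lnk": re.compile(re.escape(LNK_MAGIC)),
}

# Extensions that legitimately carry each header format (assumed mapping).
EXPECTED_EXTENSIONS = {
    "pdf": {"pdf"}, "zip": {"zip", "docx", "xlsx", "pptx", "jar"},
    "jpeg": {"jpg", "jpeg"}, "png": {"png"}, "gif": {"gif"},
    "ole": {"doc", "xls", "ppt", "msi"}, "rtf": {"rtf"},
    "pe": {"exe", "dll", "scr"}, "lnk": {"lnk"},
}


def identify_head(data: bytes):
    for name, sig in HEAD_SIGNATURES.items():
        if data.startswith(sig):
            return name
    return None


def embedded_formats(data: bytes, head):
    return {name for name, pat in BODY_SIGNATURES.items()
            if name != head and pat.search(data)}


def archive_members(data: bytes):
    """Member names if the bytes parse as a ZIP, else [].

    zipfile locates the end-of-central-directory record from the end of the
    file and tolerates prepended data, which is exactly why an image or PDF
    with a ZIP appended still opens as an archive on the victim's machine.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except (zipfile.BadZipFile, ValueError):
        return []


def analyze_attachment(filename: str, data: bytes):
    head = identify_head(data)
    # A genuine archive stores arbitrary member bytes, so body signatures are
    # meaningless there; its members are judged by name instead.
    extra = set() if head == "zip" else embedded_formats(data, head)
    members = archive_members(data) if head == "zip" or "zip" in extra else []
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    findings = []
    if extra:
        findings.append("polyglot: %s header with embedded %s"
                        % (head or "unknown", ", ".join(sorted(extra))))
    if head and ext not in EXPECTED_EXTENSIONS[head]:
        findings.append("extension .%s does not match %s header" % (ext, head))
    lnk_members = [m for m in members if m.lower().endswith(".lnk")]
    if head == "lnk" or "lnk" in extra or lnk_members:
        findings.append("LNK payload: " + (", ".join(lnk_members) or "raw shell link"))
    return {"head": head, "embedded": sorted(extra),
            "members": members, "findings": findings}


def build_samples():
    """Constructed inputs for the demo; not artifacts from the campaign."""
    fake_lnk = LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:        # ZIP_STORED: member bytes kept verbatim
        zf.writestr("Invoice.lnk", fake_lnk)
    plain_zip = buf.getvalue()
    # JPEG SOI + APP0 marker in front of a complete ZIP: an image/archive polyglot.
    polyglot = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 64 + plain_zip
    clean_pdf = b"%PDF-1.7\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
    return {"photo.jpg": polyglot, "docs.zip": plain_zip, "report.pdf": clean_pdf}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(name, analyze_attachment(name, blob))
```

The check is deliberately conservative: a file is only called a polyglot when a second format's structural marker (for ZIP, the end-of-central-directory record rather than a bare "PK") appears under a different leading header, and LNK delivery is reported both for raw shortcuts and for .lnk members of any archive the bytes parse as, including one hidden behind an image header.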