Russian cyberattacks against Western companies that support Ukraine are growing in scope as threat actors deploy fake browser updates to distribute sophisticated malware. A new analysis reveals how state-linked operations are merging with traditional cybercrime, creating an increasingly complex threat landscape that also affects Nordic organizations.
A Russian hacking group has been using counterfeit browser upgrade prompts to deliver malware to targets in countries backing Ukraine. The tactic demonstrates how cybercrime has become transnational and how the same techniques are used both in state-sponsored operations and in ransomware campaigns.
Russian cyberattacks have become one of the most visible cybersecurity threats to businesses and organizations across Europe and the Nordics.
Groups linked to Russia are abusing legitimate, often trusted websites to host advanced malware aimed at Western companies that cooperate with or provide assistance to Ukraine. A recent report from cybersecurity firm Arctic Wolf indicates that elements tied to Russia’s military intelligence service, the GRU, are likely behind the attacks.
The analysis identifies a novel variant of the well-known SocGholish technique. The attacks rely on planting malicious code on websites where visitors are deceived into believing their browser needs an update. When users click the fake update, attackers gain the foothold needed to proceed with the intrusion chain. This means even security-aware users can unknowingly initiate severe breaches.
Using fake updates is an established tactic among cybercriminals. What is new in these incidents is the connection to Russian threat actors and the deliberate targeting of specific Western organizations with ties to Ukraine, says Petter Glenstrup, Nordic head at Arctic Wolf.
The report details an incident where an employee clicked a counterfeit browser update on an infected site. The popup appeared legitimate but executed malware that immediately gave the attackers system access. Shortly afterward, they attempted to deploy advanced malware attributed to the Russia-linked group RomCom. This combination of RomCom and SocGholish has not been observed previously.
RomCom’s malware remains dormant until it verifies that it has reached a specific target, allowing narrowly focused operations to hide within broader global campaigns. What may appear at first glance as a mass campaign can in practice be an attack against carefully chosen organizations with defined connections to Ukraine.
The incident analyzed involved a U.S. technology company that had previously collaborated with a city closely connected to Ukraine. The case underscores a clear trend: Russian threat actors are focusing on organizations that directly or indirectly support Ukraine. That makes the threat relevant for the Nordics as well, where many companies, authorities and non-governmental organizations have provided active aid since 2022.
How Russian cyberattacks are changing the threat landscape in the Nordics
According to Petter Glenstrup, this is a clear example of how modern cyber threats ignore geographic borders. The same tools and techniques are used by both financially motivated cybercriminals and state-sponsored actors. Threat actors operate on a shared market despite differing objectives, which complicates the threat picture and makes it harder to anticipate attacks.
SocGholish is also strongly associated with ransomware. The group behind the method, identified as TA569, acts as a digital broker that resells access to compromised systems to other cybercriminals or state-affiliated actors. Many attacks start opportunistically without immediate consequences, but they should always be treated as a warning sign of a potential escalation.
Organizations that detect a SocGholish intrusion should respond as if they are in the early stages of a ransomware attack. Quick containment and remediation can limit lateral movement and prevent the incident from escalating into a full-scale breach, Petter Glenstrup advises.
For many organizations, this development means traditional security assumptions are no longer sufficient. When legitimate websites are used as distribution channels for malware, the line between trusted and risky environments blurs, increasing the demand for both technical defenses and continuous user education.
How to protect against fake update attacks
Arctic Wolf recommends several preventive measures to reduce the risk from SocGholish and similar attacks. Software updates should always be performed through centralized, approved channels and never via browser popups. Organizations should monitor endpoints for anomalous network behavior and automated script execution. Deploying modern endpoint protection that can detect and block attempts to install hidden malware is essential. Clear procedures for handling update notifications and ongoing user training are critical to lowering the chance of successful attacks.
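As an added illustration of the endpoint monitoring recommended above (example code written for this article, not from Arctic Wolf or its report), the detector below runs over constructed process-creation telemetry and flags the pattern a clicked fake browser update produces: a browser spawning a script interpreter, or a script host executing a file from a user-writable download location. The JSON-lines event format, field names, host names and paths are all constructed; the browser and script-host lists are assumptions.

```python
"""Flag the process pattern a clicked fake browser update produces.
Added example; event format and sample log are constructed."""
import json

# Browsers in which a fake-update lure would be displayed (assumed list).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "brave.exe"}
# Script hosts a downloaded "update" file is typically handed to (assumed list).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}
# User-writable locations a browser download lands in (lowercase, constructed).
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\temp\\")

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: dict) -> list[str]:
    """Return the indicators triggered by one process-creation event."""
    parent = basename(event.get("parent_image", ""))
    image = basename(event.get("image", ""))
    cmdline = event.get("command_line", "").lower()
    hits = []
    # A legitimate browser update never runs wscript/powershell as a child of
    # the browser process; a clicked fake update does exactly that.
    if parent in BROWSERS and image in SCRIPT_HOSTS:
        hits.append("browser_spawned_script_host")
    # A browser-delivered payload has to live somewhere the user can write.
    if image in SCRIPT_HOSTS and any(d in cmdline for d in USER_WRITABLE):
        hits.append("script_from_user_writable_dir")
    return hits

def scan(lines) -> list[tuple[str, list[str]]]:
    """Run classify() over JSON-lines telemetry; return (host, indicators)."""
    alerts = []
    for line in lines:
        if line.strip():
            event = json.loads(line)
            hits = classify(event)
            if hits:
                alerts.append((event["host"], hits))
    return alerts

# Constructed sample telemetry: two suspicious events, two benign ones.
SAMPLE_LOG = r"""
{"host":"ws-alice","parent_image":"C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe","image":"C:\\Windows\\System32\\wscript.exe","command_line":"wscript.exe \"C:\\Users\\alice\\Downloads\\Update.js\""}
{"host":"ws-bob","parent_image":"C:\\Windows\\explorer.exe","image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","command_line":"powershell.exe -File C:\\Users\\bob\\AppData\\Local\\Temp\\update_check.ps1"}
{"host":"ws-carol","parent_image":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","image":"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe","command_line":"msedge.exe --type=renderer"}
{"host":"ws-dave","parent_image":"C:\\Windows\\System32\\services.exe","image":"C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe","command_line":"GoogleUpdate.exe /svc"}
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG.splitlines()))  # flags ws-alice and ws-bob
```

The benign Edge renderer child and the service-launched vendor updater produce no alert, which is the point of anchoring the rules on the parent-child relationship and the payload location rather than on the interpreter alone.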
The full analysis is available from Arctic Wolf.