In the first quarter of 2026, analysts examined the activity of multiple hacker groups targeting Russian organizations and identified 808 unique malware samples linked to 11 groups. The report shows that the threat landscape remained highly dynamic: attackers relied on phishing as the primary initial access vector, expanded their use of infrastructure such as GitHub, and increasingly focused on stealth, persistence, and evasion of traditional detection tools. The most active group by the number of malware samples was Rare Werewolf, which accounted for 22% of the total — 179 samples. It was followed closely by PhaseShifters and PhantomCore...