Sandworm: The Institutional Context
Sandworm is Russia's most dangerous state-sponsored cyber unit. Operated under Unit 74455 of the GRU's Main Center for Special Technologies (GTsST), it has been active since at least 2009 and is responsible for the largest destructive cyberattacks in recorded history: the 2015 and 2016 Ukrainian power grid attacks (the first and only confirmed cyberattacks to cause physical power outages), NotPetya in 2017 (which caused an estimated $10 billion in global damages and paralyzed the world's largest shipping company, a major pharmaceutical manufacturer, and government systems across dozens of countries), and a decade of continuous destructive operations against Ukrainian critical infrastructure during the full-scale invasion that began in February 2022.
In the threat intelligence community, Sandworm is tracked under multiple aliases reflecting different vendor naming conventions: Seashell Blizzard (Microsoft), APT44 (Mandiant/Google Cloud, where it was formally designated an APT in April 2024), Voodoo Bear (CrowdStrike), IRON VIKING (Secureworks), FROZENBARENTS, TeleBots, BlackEnergy Group, and ELECTRUM, among others. The name "Sandworm" derives from references to Frank Herbert's Dune novels embedded in early BlackEnergy malware samples discovered by iSIGHT Partners in 2014 — a detail that reflects the group's confident assumption it would not be attributed.
Where Sandworm has historically been perceived as primarily a Ukrainian-focused threat, the BadPilot campaign represents a structural change: a dedicated initial access subgroup building footholds in Western targets with the scope and persistence that previously characterized only its Ukraine operations.
Sandworm hides behind hacktivist fronts when operational exposure risks accumulate. Groups including CyberArmyofRussia_Reborn (CARR), XakNet Team, Killnet, NoName057(16), and Solntsepek have documented links to GRU/Sandworm operations and are used to claim responsibility for attacks where Sandworm does not want direct attribution. This deniability architecture matters for understanding BadPilot: the access BadPilot builds can be handed to any of these personas for specific operational use while keeping the initial access subgroup's fingerprints at one remove from the visible attack.
What BadPilot Is — and What It Is Not
BadPilot is not an attack group. It is an access generation and maintenance function within the broader Sandworm organization. Microsoft's characterization of the subgroup's role is precise: it is dedicated to achieving initial access, establishing persistence, and maintaining presence so that other Sandworm subgroups with post-compromise expertise can take over and execute their specific objectives. Those objectives vary — espionage and intelligence collection, destructive wiper attacks coordinated with Russian military operations, sabotage of industrial control systems, data theft — but they all require prior access that BadPilot is designed to provide.
The division of labor is operationally significant. It means that BadPilot's activity, when detected at a network perimeter, may not immediately produce the high-confidence indicators of malicious intent that a direct attack would generate. A persistent web shell on an Exchange server, an RMM agent installed on a ScreenConnect server, an OpenSSH configuration change on a perimeter device — these may appear, to automated alerting, as configuration anomalies or low-priority findings. That is by design. BadPilot is optimizing for stealth and longevity, not for immediate impact.
Microsoft assessed that the subgroup has likely enabled at least three destructive cyberattacks in Ukraine since 2023 by providing the access through which destructive payloads were later deployed. The February 2025 public disclosure of BadPilot confirmed in explicit terms that this same access-generation function is now being applied to organizations in the United States, United Kingdom, Canada, and Australia.
Geographic Evolution: From Ukraine to the West
The geographic progression of BadPilot's targeting reflects Russia's evolving strategic requirements as the Ukraine conflict has matured and as Russia has assessed the geopolitical landscape of its adversaries.
2021 (inception): Initial operations focused on Ukraine and broader Europe. Targeting of critical infrastructure organizations directly relevant to Russian intelligence priorities surrounding the impending invasion — government, military support, transportation, logistics. The subgroup came into operation just months before Russia's full-scale invasion, suggesting it was stood up specifically to build the access inventory that would be needed once kinetic operations began.
2022: With the invasion underway, targeting intensified and broadened in Ukraine, focusing on energy, retail, education, consulting, and agriculture. The subgroup was actively feeding access to Sandworm destructive operations — wiper deployments, ICS attacks, coordinated with Russian missile strikes against power infrastructure. Simultaneously, European organizations providing material support to Ukraine began appearing in BadPilot's targeting.
2023: Global scope expansion. The subgroup began systematically compromising organizations across the United States, Europe, Central Asia, and the Middle East. Supply-chain attacks against regionally managed IT service providers — particularly in Ukraine and Eastern Europe — allowed single compromises to yield access to multiple client organizations simultaneously. The targeting prioritized sectors either providing material support to Ukraine or geopolitically significant to Russian intelligence collection.
2024 — present: The 2024 shift was qualitative, not just quantitative. While earlier years had included some US and UK targets among a broader global opportunistic sweep, 2024 saw the subgroup specifically hone its focus on the United States, United Kingdom, Canada, and Australia — the Five Eyes core. The vulnerability toolset used for this Western targeting shift concentrated on CVE-2024-1709 (ConnectWise ScreenConnect) and CVE-2023-48788 (Fortinet FortiClient EMS). The geographic footprint now includes organizations in more than 15 countries across North America, Europe, Central Asia, South Asia, the Middle East, and Africa — with notable named countries including Angola, Argentina, China, Egypt, India, Kazakhstan, Myanmar, Nigeria, Pakistan, Turkey, and Uzbekistan.
The Exploitation Playbook: Eight CVEs and a Pattern
BadPilot's exploitation relies on opportunistically weaponizing published vulnerabilities in internet-facing enterprise infrastructure. The subgroup monitors newly disclosed CVEs and moves quickly to exploit them before organizations apply patches — a pattern Microsoft's threat intelligence director described as "focus on being agile and keeping track of new CVEs as a potential way to gain access to targets quickly." All but one of the eight documented CVEs carry critical CVSS scores.
| CVE | Product | Class | Period Exploited |
|---|---|---|---|
| CVE-2021-34473 | Microsoft Exchange (ProxyShell) | Pre-auth RCE | Late 2021 — present |
| CVE-2022-41352 | Zimbra Collaboration | Arbitrary file write via email attachment | Oct 2022 — present |
| CVE-2023-23397 | Microsoft Outlook | NTLM hash theft / credential relay | 2023 — present |
| CVE-2023-32315 | OpenFire | Authentication bypass / path traversal | 2023 — present |
| CVE-2023-42793 | JetBrains TeamCity | Authentication bypass / RCE | 2023 — present |
| CVE-2023-48788 | Fortinet FortiClient EMS | SQL injection / RCE | Early 2024 — present |
| CVE-2024-1709 | ConnectWise ScreenConnect | Authentication bypass | Feb 2024 — present |
| Unknown JBoss CVE | JBoss Application Server | Remote code execution | Observed period |
The Zimbra exploitation method is technically notable. CVE-2022-41352 allows a threat actor to deploy web shells and other arbitrary files by sending an email with a specially crafted attachment that exploits an arbitrary file-write vulnerability. In the October 24, 2022 exploitation that Microsoft documents, the subgroup used the resulting file-write capability to deploy LocalOlive and establish persistence within days. The Microsoft Outlook CVE-2023-23397 is a credential relay vulnerability — it can be exploited to steal NTLM authentication hashes without requiring any user interaction beyond receiving a specially crafted calendar invitation, which can then be used for authentication relay attacks against internal services.
Three Distinct Exploitation Patterns
Microsoft's February 2025 report specifically identifies three distinct exploitation patterns within the BadPilot campaign, each representing a different phase of the subgroup's operational evolution.
Pattern 1: Web Shell Deployment (Late 2021 — Present)
The foundational and longest-running exploitation pattern involves exploiting email and collaboration platform vulnerabilities — primarily Microsoft Exchange ProxyShell and Zimbra — to deploy LocalOlive, a custom ASPX web shell written in C# that Microsoft assesses as exclusive to the BadPilot initial access subgroup. LocalOlive is identified on compromised perimeter infrastructure and serves as the primary means of achieving command and control while deploying additional tooling. Its capabilities include command execution, file upload and retrieval, and network port manipulation — sufficient yet deliberately minimal functionality designed for reliability and detection avoidance rather than feature richness.
After establishing LocalOlive, the subgroup deploys tunneling tools through the web shell to establish deeper network access. Documented tunneling utilities include Chisel (an HTTP tunnel tool), rsockstun (a reverse SOCKS5 proxy), and Plink (the command-line SSH client from PuTTY). These tools allow BadPilot to create covert channels from the compromised perimeter system into the internal network, enabling lateral movement and communication with deeper hosts through the web shell's outbound connectivity.
Pattern 2: Credential Collection via Infrastructure Modification (Late 2021 — 2024)
Running concurrently with web shell deployment, a second exploitation pattern focuses on modifying infrastructure to harvest credentials at scale. Two specific techniques were documented. First, JavaScript injection into Outlook Web Access (OWA) sign-in pages: after gaining access to Exchange infrastructure, the subgroup modified the OWA login portal to inject malicious JavaScript code that captured user credentials in real-time and transmitted them to attacker-controlled infrastructure. The modification targeted the authentication flow, meaning every user who authenticated through the modified OWA login — whether on-premises users, IT administrators, or executives — had their credentials silently exfiltrated.
Second, DNS A-record modification: the subgroup altered DNS records likely to intercept credentials from authentication services, potentially redirecting authentication requests to attacker-controlled endpoints where credentials could be harvested. The combination of OWA JavaScript injection and DNS manipulation created a persistent, passive credential collection mechanism that continued generating intelligence long after the initial exploitation event, without requiring ongoing active operator engagement.
Pattern 3: RMM Tool Deployment and ShadowLink (February 2024 — Present)
The most recently documented and operationally significant exploitation pattern emerged in early 2024 in conjunction with the geographic pivot to US and UK targets. Following exploitation of ConnectWise ScreenConnect (CVE-2024-1709) and Fortinet FortiClient EMS (CVE-2023-48788), the subgroup began deploying legitimate Remote Monitoring and Management (RMM) software as command and control infrastructure — a technique that had not previously been observed in Seashell Blizzard operations.
Specifically documented RMM tools include Atera Agent and Splashtop Remote Services. The operational logic is clear: RMM tools are legitimate commercial software used by IT administrators worldwide. Their network traffic — periodic check-ins to cloud management infrastructure, remote command execution, file transfer — is indistinguishable from authorized administrative activity. Deploying Atera on a compromised ScreenConnect server allows BadPilot to maintain command and control while generating traffic that blends into the noise of normal IT operations. Traditional signature-based malware detection produces no alert. Network traffic analysis sees legitimate software communicating with its legitimate vendor infrastructure.
The use of RMM tools as C2 is not unique to BadPilot — Iranian group Mango Sandstorm and criminal ransomware operators have both used this technique since at least 2022. What distinguishes BadPilot's implementation is the combination with ShadowLink, its bespoke Tor-based persistence mechanism, providing two parallel C2 channels: a high-bandwidth legitimate-appearing channel via RMM tools, and a covert, attribution-resistant channel via Tor hidden services. Losing access to one does not disrupt the other.
ShadowLink: Tor-Based Persistence
ShadowLink is the most technically distinctive element of the BadPilot campaign and the one that most clearly reflects a mature operational security doctrine. Microsoft identified it as a bespoke utility — custom-built, not an off-the-shelf tool — designed to configure a compromised system as a Tor hidden service, making it persistently accessible via the Tor anonymity network regardless of external network changes, IP address rotation, or partial incident response activity.
The mechanism works as follows. ShadowLink uses Tor service binaries and a unique actor-defined torrc configuration file to register the compromised system as a Tor hidden service. The system receives a unique .onion address. From that point forward, BadPilot operators can access the compromised system through the Tor network using that address, with all inbound connections routing through the Tor anonymization layer. The effect is bidirectional cloaking: the operators' infrastructure is not visible to the victim, and the victim's connection to Tor is not immediately attributable to a specific threat actor because Tor traffic is shared infrastructure.
Microsoft's framing of ShadowLink's operational impact is precise: it "effectively cloaks all inbound connections to the affected asset and limits exposures from both the actor and victim environment." An incident responder reviewing network logs would see Tor-related traffic — outbound connections to Tor relays — without a direct indication of what is communicating over those connections. Blocking Tor egress removes ShadowLink access, but does not reveal the prior persistence that was established or what data may have been accessed during the dwell period.
Alongside ShadowLink, BadPilot establishes OpenSSH access using unique operator-controlled public keys, creating a cryptographic credential that provides direct SSH-based access to compromised systems independently of any web shell or RMM channel. The combination of three parallel persistence mechanisms — LocalOlive (ASPX web shell), RMM tools (commercial software), and ShadowLink (Tor hidden service) with OpenSSH — reflects an operation designed for resilience against partial remediation. Removing one does not restore the organization to a clean state.
Post-Exploitation Activity: What Happens After Access Is Handed Off
BadPilot's role ends — formally — when it hands access to other Sandworm subgroups. What those subgroups do with the access varies by target, timing, and strategic objective. Microsoft documented post-compromise activities observed following BadPilot initial access across victim environments. These include credential harvesting using Procdump (for LSASS memory dumps) and Windows registry extraction; data exfiltration via Rclone, Chisel, and Plink to covert tunnels; lateral movement to reach additional hosts in the compromised network; DNS configuration manipulation; creation of new services and scheduled tasks for persistence; and in high-value cases, the deployment of destructive payloads.
The three destructive attacks in Ukraine that Microsoft assessed BadPilot enabled since 2023 connect the initial access subgroup's activity directly to Sandworm's core destructive mission. ZEROLOT — the wiper ESET documented being deployed against Ukrainian energy companies from December 2024 through March 2025 via Active Directory Group Policy abuse — is the most recent example of this pipeline in operation. DynoWiper, documented by ESET in December 2025, was deployed against a Polish energy company following network access consistent with the BadPilot methodology. These deployments illustrate how the access BadPilot generates becomes the precondition for wiper attacks: the Group Policy abuse that distributes wipers across an entire organizational network requires Domain Admin privileges obtained through sustained access and lateral movement that BadPilot's long-dwell persistence enables.
The coordination between BadPilot's access operations and Sandworm's destructive operations is not merely sequential — Microsoft has specifically observed BadPilot pursuing access to an organization prior to a Seashell Blizzard-linked destructive attack. This suggests that in at least some cases, BadPilot is specifically tasked to build access to organizations that other Sandworm components have identified as destruction targets, rather than simply providing a passive inventory from which targets are later selected.
Strategic Significance: Pre-Positioning for Future Operations
The 2024 geographic pivot — from opportunistic global targeting to focused Western targeting — is the dimension of BadPilot that demands the most attention from defenders and policymakers. Microsoft assessed that Seashell Blizzard uses the initial access subgroup to horizontally scale operations as new exploits are acquired, and to sustain persistent access to current and future sectors of interest to Russia. The phrase "future sectors of interest" is analytically significant: BadPilot is not building access for immediate use in all cases. It is building an access inventory.
That inventory represents pre-positioning. Russia now holds, or has held, persistent access to organizations in the energy, telecommunications, shipping, and arms manufacturing sectors of the United States, United Kingdom, Canada, and Australia. In peacetime, this access enables intelligence collection — reading communications, mapping network architecture, identifying key personnel and systems. In a crisis — an escalation of the Ukraine conflict, a direct confrontation with NATO, or a decision by Moscow to impose costs on Western supporters of Ukraine — that access can be activated for destructive operations, intelligence disruption, or sabotage of critical infrastructure, without requiring a new exploitation campaign.
"This global exploitation activity has helped Russian intelligence gain access to sensitive industries in numerous locations around the world." — Sherrod DeGrippo, Director of Threat Intelligence Strategy, Microsoft
The sectors targeted by BadPilot are not random. Energy organizations control power generation and distribution. Telecommunications companies provide communications infrastructure. Shipping companies move physical goods through global supply chains. Arms manufacturers produce the equipment flowing to Ukraine. Each of these sectors represents a category of leverage — the ability to disrupt, surveil, or coerce Western governments and militaries by compromising the civilian infrastructure they depend on. The targeting logic of BadPilot maps precisely to what would be needed to impose maximum strategic costs on Western supporters of Ukraine in a scenario where Russia decided to widen the conflict beyond its current geographic scope.
Defensive Guidance
BadPilot's methodology — opportunistic exploitation of n-day vulnerabilities, minimal-footprint persistence, living-off-the-land lateral movement, and legitimate-tool C2 — exploits the gaps between rapid patch deployment, RMM inventory control, and behavioral anomaly detection. Organizations in targeted sectors need controls that specifically address each of these gaps.
- Treat internet-facing infrastructure as the highest-priority patch surface with emergency patch response timelines. Every vulnerability in BadPilot's documented CVE set was publicly known before exploitation began. The subgroup's agility — moving quickly to exploit freshly disclosed vulnerabilities — means that standard monthly or quarterly patch cycles create exploitable windows. Organizations running Microsoft Exchange, Zimbra, TeamCity, OpenFire, ScreenConnect, or Fortinet FortiClient EMS should monitor vendor security advisories and treat critical pre-auth vulnerabilities in these products as emergency patches requiring same-day or next-day deployment where feasible.
- Implement and enforce an RMM allowlist. BadPilot's use of Atera and Splashtop to masquerade as legitimate IT administration is detection-resistant unless organizations maintain strict control over which RMM tools are sanctioned for use. An RMM inventory — documenting which agents are authorized, on which systems, with which management servers — enables alerting on any RMM installation that does not match the authorized inventory. Blocking the installation of unsanctioned RMM software at the endpoint level is the most direct mitigation.
- Hunt specifically for LocalOlive and web shell indicators on perimeter infrastructure. LocalOlive is an ASPX web shell; its filename (def.aspx, based on Microsoft's documentation) and characteristic patterns are detectable through file integrity monitoring on Exchange servers and other ASPX-capable perimeter applications. Microsoft's February 2025 report includes YARA rules and IoCs specifically for LocalOlive detection. Any ASPX file appearing in unexpected web application directories on internet-facing infrastructure warrants immediate investigation.
- Monitor for Tor egress traffic as an anomaly indicator. ShadowLink configures compromised systems as Tor hidden services, requiring outbound connections to Tor relays. Most enterprise perimeter environments should not generate Tor network traffic. Monitoring outbound connections to known Tor relay IP ranges or the Tor directory authority servers, and alerting on such connections from servers and network infrastructure (as opposed to end-user workstations), provides a reliable indicator of ShadowLink-style persistence even when the specific payload is not yet identified.
- Audit OWA and authentication infrastructure for unauthorized JavaScript modifications. The credential harvesting technique of injecting JavaScript into OWA login pages is persistent until actively detected and remediated. Periodic integrity checking of Exchange OWA files against known-good versions, combined with monitoring of DNS A-record changes for authentication-related hostnames, detects both documented BadPilot credential collection techniques. Any modification to OWA login page files that is not associated with an authorized Exchange update should be treated as a potential compromise indicator.
- Assume long dwell times and investigate accordingly. BadPilot's operational model is to establish access and maintain it, sometimes for months or years before the access is exercised for a specific operation. An organization that discovers a BadPilot IoC should not assume the indicator represents the full scope of activity. Credential theft, lateral movement, and infrastructure modification may all have occurred during the dwell period. Full incident response — not just removal of the identified indicator — is appropriate.
- Energy, telecom, shipping, and defense manufacturing organizations should treat the BadPilot threat as sector-specific and actively prioritized. BadPilot's targeting is not random. These sectors are consistently identified as primary targets in Microsoft's analysis. Organizations in these sectors operating in the US, UK, Canada, or Australia should assume elevated risk and prioritize the controls above accordingly.
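One way to turn the RMM inventory, web shell hunting, Tor egress and OWA integrity controls above into detection logic that runs over sample telemetry. This is an added example for this article, not Microsoft's or the article's own tooling; every host, path, hash, management server and IP range in it is a constructed assumption.

```python
"""Triage of constructed perimeter telemetry against the BadPilot controls above.

Added example for this article, not Microsoft's or ESET's tooling. Every host,
path, hash, management server and IP range here is constructed sample data.
"""
import hashlib
import ipaddress
from dataclasses import dataclass

# Sanctioned RMM inventory: host -> {agent product: management server} (constructed).
RMM_INVENTORY = {"helpdesk01": {"Atera": "agent-api.atera.example"}}

# Known-good baseline of OWA sign-in assets on the Exchange front end: path -> SHA-256.
OWA_BASELINE = {
    "/owa/auth/logon.aspx": hashlib.sha256(b"<!-- logon v1 -->").hexdigest(),
    "/owa/auth/flogon.js": hashlib.sha256(b"// flogon v1").hexdigest(),
}

# Tor relay address space as it would be loaded from a relay/directory feed (constructed).
TOR_RELAY_NETS = [ipaddress.ip_network("198.51.100.0/24")]

# Roles whose hosts should never talk to Tor; workstations are scoped out here
# because the article treats server-side Tor egress as the strong signal.
SERVER_ROLES = {"exchange", "screenconnect", "forticlient-ems"}


@dataclass
class Alert:
    host: str
    rule: str
    detail: str


def check_rmm(ev):
    """Alert on any RMM agent not recorded for that host with that management server."""
    sanctioned = RMM_INVENTORY.get(ev["host"], {})
    if sanctioned.get(ev["product"]) != ev["server"]:
        return Alert(ev["host"], "unsanctioned_rmm", f"{ev['product']} -> {ev['server']}")
    return None


def check_file(ev):
    """Baseline files must match their hash; any other .aspx write is suspect."""
    digest = hashlib.sha256(ev["content"]).hexdigest()
    if ev["path"] in OWA_BASELINE:
        if OWA_BASELINE[ev["path"]] != digest:
            return Alert(ev["host"], "owa_integrity", ev["path"])
        return None
    if ev["path"].lower().endswith(".aspx"):
        return Alert(ev["host"], "unexpected_aspx", ev["path"])
    return None


def check_netflow(ev):
    """Alert when a server-role host connects into Tor relay address space."""
    if ev["role"] not in SERVER_ROLES:
        return None
    dst = ipaddress.ip_address(ev["dst"])
    if any(dst in net for net in TOR_RELAY_NETS):
        return Alert(ev["host"], "tor_egress", ev["dst"])
    return None


CHECKS = {"rmm_install": check_rmm, "file_write": check_file, "netflow": check_netflow}


def triage(events):
    """Run every event through the detector for its type; return alerts in input order."""
    return [a for ev in events if (a := CHECKS[ev["type"]](ev)) is not None]


# Constructed telemetry: benign events, one hit per detector, and a workstation
# Tor connection that the server-only rule deliberately does not flag.
SAMPLE_EVENTS = [
    {"type": "rmm_install", "host": "helpdesk01", "product": "Atera", "server": "agent-api.atera.example"},
    {"type": "rmm_install", "host": "screenconnect01", "product": "Atera", "server": "agent-api.atera.example"},
    {"type": "file_write", "host": "exch01", "path": "/owa/auth/logon.aspx", "content": b"<!-- logon v1 -->"},
    {"type": "file_write", "host": "exch01", "path": "/owa/auth/logon.aspx", "content": b"<!-- logon v1 --><!-- unauthorized change -->"},
    {"type": "file_write", "host": "exch01", "path": "/aspnet_client/def.aspx", "content": b"<%@ Page %>"},
    {"type": "netflow", "host": "exch01", "role": "exchange", "dst": "198.51.100.17"},
    {"type": "netflow", "host": "wks-42", "role": "workstation", "dst": "198.51.100.17"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"{alert.host:16} {alert.rule:16} {alert.detail}")
```

In production the baseline hashes, RMM inventory and Tor relay ranges would be loaded from the organization's CMDB and a relay feed rather than hard-coded, and the file check would also cover ECP and other ASPX-capable directories.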
Key Takeaways
- BadPilot is Sandworm's initial access generation subgroup, not a standalone threat. Its output — persistent access to compromised perimeter infrastructure — is the precondition for the full range of Sandworm operations: espionage, credential collection, destructive wiper deployment, ICS sabotage. Detecting and remediating BadPilot activity prevents the downstream operations that follow from BadPilot's access, not just the initial access itself.
- The 2024 geographic shift to US/UK/Canada/Australia targeting is a deliberate strategic pivot. BadPilot is not opportunistically compromising Western targets incidentally. Since early 2024, the subgroup has specifically focused on Five Eyes organizations in energy, telecommunications, shipping, and arms manufacturing — sectors that represent leverage over Western support for Ukraine and vulnerability in any scenario involving escalation between Russia and NATO.
- Eight critical CVEs have been documented in BadPilot's exploitation set, all affecting common enterprise perimeter software. ProxyShell, Zimbra, Microsoft Outlook, OpenFire, TeamCity, Fortinet FortiClient EMS, ConnectWise ScreenConnect, and JBoss all appear in the documented record. All but one carry critical CVSS scores. The presence of multiple email and collaboration platforms reflects a targeting preference for systems handling organizational communications — the same systems where credential harvest and intelligence collection yield the highest value.
- Three parallel persistence mechanisms make partial remediation insufficient. LocalOlive (custom ASPX web shell), commercial RMM tools (Atera, Splashtop), and ShadowLink (Tor hidden service) with OpenSSH provide three independent access channels. Incident response that removes one or two of these without identifying all three leaves active persistence in place.
- The access BadPilot builds is pre-positioning for future use, not necessarily immediate action. Russia's access to Western critical infrastructure organizations may sit dormant for extended periods before being activated. The strategic value of that access — as leverage, as intelligence, as an option for escalation — exists regardless of whether active post-compromise operations are occurring at any given moment. Organizations that were compromised in 2024 and have not conducted thorough forensic investigation may remain compromised today.
The February 2025 public disclosure of BadPilot by Microsoft Threat Intelligence represents an unusually direct naming of an active Russian state capability. The disclosure was accompanied by hunting queries, YARA rules, and IoCs designed to enable defenders to detect and respond to the campaign. That transparency is an acknowledgment that the threat is active, that it has reached organizations in Western critical infrastructure, and that the window for remediation is not theoretical — it is present.