In January 2024, an operation dismantled a network of hundreds of SOHO routers controlled by GRU Military Unit 26165. This network facilitated various crimes, including extensive spear phishing and credential harvesting against entities of interest to the Russian government, such as U.S. and foreign governments, military, and key security and corporate sectors.
Non-GRU cybercriminals installed the Moobot malware on Ubiquiti Edge OS routers that still used publicly known default administrator passwords. GRU hackers then used the Moobot malware to install their own bespoke scripts and files that repurposed the botnet, turning it into a global cyber espionage platform.
Read more: https://www.helpnetsecurity.com/2024/02/16/us-authorities-disrupt-russian-intelligence-botnet/