Uzbekistan Targeted in xplogs22 Phishing Campaign
Uzbekistan Targeted in xplogs22 Phishing Campaign
Tashkent, Uzbekistan (UzDaily.uz) — Uzbekistan has become one of the main targets of a large-scale phishing campaign conducted by the hacker group xplogs22, according to F6, a company specializing in cybersecurity technologies.
According to specialists from F6's Threat Intelligence department, the attackers have sent more than 2,900 malicious emails over the past 12 months. Alongside Uzbekistan, the campaign has primarily targeted Russia, Kazakhstan, Armenia, Azerbaijan and Belarus.
The study said the group has been active since at least November 2023, carrying out large-scale phishing attacks against organizations in multiple countries. Since July 2025, the attackers have been using the XWorm remote access trojan, having previously relied on the SnakeKeylogger malware and the FormBook/Formgrabber information stealer.
The attacks are delivered through emails disguised as business correspondence. Common subject lines include "Contract", "Project Contract", "Payment Receipt", "Copy of Payment" and other messages related to contracts and payment documents. The emails contain archive attachments with malicious files that infect devices when opened.
To increase the effectiveness of the campaign, the attackers use email addresses registered under various national domains, including the .uz domain, disguising the messages as correspondence from local organizations.
F6 also noted that since July 2025, xplogs22 has changed its malware delivery methods. In addition to executable files, the group has begun using loaders with .vbs, .hta and .bat extensions.
Another feature of the campaign is the use of steganography, in which malicious code is concealed inside image files. According to F6, this technique helps bypass some security tools and enables attackers to gain remote access to victims' systems after a successful compromise.