
Restless Spirit: New Attacks on Russian Companies

Medium
Published: Fri Jan 23 2026 (01/23/2026, 10:12:00 UTC)
Source: AlienVault OTX General

Description

PhantomCore, a hacking group targeting Russian and Belarusian companies since 2022, launched a new wave of malicious email campaigns on January 19 and 21, 2026. The attacks targeted various sectors including utilities, finance, urban infrastructure, aerospace, consumer digital services, chemical industry, construction, consumer goods manufacturing, and e-commerce. The campaign used phishing emails with malicious attachments, leveraging compromised legitimate email addresses. The malware operates in multiple stages, including downloading decoy documents, executing PowerShell scripts, and establishing persistence through scheduled tasks. The second stage malware, similar to previously known PhantomCore.PollDL, communicates with command and control servers to receive and execute commands.

AI-Powered Analysis

Last updated: 01/23/2026, 11:05:20 UTC

Technical Analysis

The Restless Spirit campaign represents a renewed wave of cyberattacks by the PhantomCore threat actor, which has been targeting Russian and Belarusian companies since 2022. In January 2026, PhantomCore deployed phishing emails containing malicious attachments sent from compromised legitimate email addresses, increasing the likelihood of successful delivery and user trust. The attack is multi-staged: initially, the malware downloads decoy documents to distract or mislead victims, then executes PowerShell scripts to perform malicious actions. Persistence is achieved through scheduled tasks (MITRE ATT&CK technique T1053.005), allowing the malware to maintain a foothold even after reboots. The second stage malware resembles PhantomCore.PollDL, a known downloader that communicates with command and control (C2) servers to receive instructions and additional payloads, enabling flexible post-compromise operations. The campaign targets a broad range of sectors including utilities, finance, urban infrastructure, aerospace, consumer digital services, chemical industry, construction, consumer goods manufacturing, and e-commerce, indicating a strategic intent to disrupt critical and commercial infrastructure. Indicators of compromise include multiple file hashes, IP addresses, domains, and URLs associated with the malware infrastructure. The attack leverages common techniques such as phishing (T1566), PowerShell execution (T1059.001), scheduled tasks for persistence (T1053.005), and C2 communications (T1071). Despite the sophistication, no CVE or known exploits beyond phishing are reported, and the campaign is assessed as medium severity due to its targeted scope and reliance on user interaction.

Potential Impact

For European organizations, the direct impact of this campaign is currently limited as the primary targets are Russian and Belarusian companies. However, European entities with business relationships, supply chains, or digital interconnections to these regions could face collateral risks such as phishing emails leveraging compromised legitimate addresses or secondary infections via shared infrastructure. The sectors targeted—utilities, finance, aerospace, urban infrastructure, and manufacturing—are critical to economic stability and national security, and any successful compromise could lead to data theft, operational disruption, or espionage. The use of multi-stage malware with persistence mechanisms increases the difficulty of detection and eradication, potentially allowing attackers prolonged access to sensitive systems. Additionally, the campaign’s use of legitimate email accounts for phishing increases the risk of successful social engineering attacks in Europe if the threat actor expands targeting. The medium severity suggests moderate risk, but the evolving tactics and potential for lateral movement warrant vigilance among European organizations connected to the affected sectors or regions.

Mitigation Recommendations

European organizations should implement targeted defenses against phishing and multi-stage malware campaigns. Specifically, enhance email security by deploying advanced anti-phishing solutions capable of detecting spoofed or compromised legitimate addresses and malicious attachments. Employ strict attachment sandboxing and content disarm and reconstruction (CDR) technologies to neutralize embedded threats. Monitor and restrict PowerShell usage through application whitelisting and logging to detect anomalous script execution. Audit scheduled tasks regularly to identify unauthorized persistence mechanisms, and implement endpoint detection and response (EDR) tools to correlate suspicious behaviors such as decoy document downloads and C2 communications. Network segmentation and strict egress filtering can limit malware communication with external C2 servers. Conduct targeted user awareness training focusing on spear-phishing risks, especially regarding emails appearing from trusted internal or partner addresses. Finally, maintain up-to-date threat intelligence feeds to recognize indicators of compromise such as known hashes, IPs, and domains associated with PhantomCore campaigns.
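One concrete way to act on the "audit scheduled tasks" recommendation above, as an added example that is not taken from the F6 write-up or the OTX pulse: a PowerShell hunt over the local Task Scheduler for tasks whose actions launch PowerShell with downloader-style arguments, i.e. the T1053.005 plus T1059.001 combination the analysis describes. The argument heuristics in `$suspiciousArgs` are generic patterns of my own, not indicators from this campaign.

```powershell
# Added example (not from the F6 report or the OTX pulse): hunt for scheduled tasks
# whose actions launch PowerShell with arguments typical of downloader stagers.
# Requires the ScheduledTasks module (Windows 8 / Server 2012 and later); run
# elevated so that tasks registered by other users and by SYSTEM are visible.

# Generic heuristics (constructed for this example), matched case-insensitively
# against the full command line of each task action.
$suspiciousArgs = @(
    '-e(nc(odedcommand)?)?\s',                  # -e / -enc / -EncodedCommand
    '-w(indowstyle)?\s+hidden',                  # hidden console window
    '-nop\b|-noprofile',                         # skip the user profile
    '-ep\s+bypass|-executionpolicy\s+bypass',    # disable execution policy
    'downloadstring|downloadfile|invoke-webrequest|iwr\b|start-bitstransfer',
    'frombase64string',                          # inline decoding of a payload
    'https?://'                                  # remote stage fetched at run time
)
$pattern = $suspiciousArgs -join '|'

$findings = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        # COM-handler actions have no Execute property; only exec actions are checked.
        if (-not $action.Execute) { continue }
        $cmdline   = "$($action.Execute) $($action.Arguments)"
        $launchesPs = $action.Execute -match '(powershell|pwsh)(\.exe)?$'
        $hits = [regex]::Matches($cmdline, $pattern, 'IgnoreCase') |
                ForEach-Object { $_.Value } | Select-Object -Unique
        if ($launchesPs -and $hits) {
            $info = Get-ScheduledTaskInfo -TaskName $task.TaskName -TaskPath $task.TaskPath
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                Author      = $task.Author
                RunAs       = $task.Principal.UserId
                LastRun     = $info.LastRunTime
                NextRun     = $info.NextRunTime
                CommandLine = $cmdline
                Indicators  = $hits -join ', '
            }
        }
    }
}

# Review each hit against change records; legitimate admin automation can also match.
$findings | Sort-Object TaskPath, TaskName | Format-Table -AutoSize -Wrap
```

The script only sees what is in the task's command line, so a stager that pulls its code from a file or registry value will need the scheduled-task creation events (Microsoft-Windows-TaskScheduler/Operational) or EDR telemetry correlated with PowerShell script block logging to be caught.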

Affected Countries


Technical Details

Author
AlienVault
Tlp
white
References
https://habr.com/ru/companies/F6/articles/987734/
Adversary
PhantomCore
Pulse Id
697349701703321b49a6437b
Threat Score
null

Indicators of Compromise

Ip

217.60.1.46
217.60.5.116
217.60.5.249
217.60.60.18

Url

https://spareline.ru/wp‑includes/widgets/class‑wp‑widget‑index.html

Threat ID: 697352904623b1157c321206

Added to database: 1/23/2026, 10:50:56 AM

Last enriched: 1/23/2026, 11:05:20 AM

Last updated: 1/24/2026, 5:21:32 AM

Views: 22
