Cyber Threat Actor: Prosox
| Actor Type | Location | Known Incidents |
Sensationalist
|
Russia
|
1 incident |
|---|
Profile
Prosox, also known as Prosox Shade or simply Shade, is a threat actor that has been publicly linked to a series of web‑based defacement campaigns. Open‑source reporting indicates that the actor operates from Russia, although no further details about their exact location or organizational structure have been confirmed. The aliases Prosox and Shade appear interchangeably in the defacement notices and in the archival records posted to Zone‑H, suggesting that the actor uses multiple handles to claim responsibility for the same intrusions.
The actor’s known activity includes the compromise of thirty country‑specific subdomains belonging to the energy drink company Red Bull in April 2018. By exploiting a recently disclosed remote code execution vulnerability in Drupal, Prosox uploaded a file named adminer.php to each subdomain and then modified the file to display a defacement message. Shortly after the initial intrusion, another individual using the Shade alias edited the same adminer.php files to add a “Hacked By Shade” note, demonstrating a pattern of sequential claim‑taking on the same infrastructure. Prior to the Red Bull incident, Prosox was reported to have gained unauthorized access to Vevo’s official YouTube account, allowing the actor to alter video titles and to cause the unpublishing of several high‑profile videos, including the song “Despacito.” These actions were limited to defacement and account manipulation, with no public evidence of data exfiltration or financial gain.
The observed tactics, techniques, and procedures center on exploiting publicly disclosed content‑management system vulnerabilities to gain remote code execution, followed by the deployment of a simple web shell (adminer.php) for persistent access and defacement. The actor also makes use of public defacement archives such as Zone‑H to record and broadcast the intrusions. No specific malware families, exploit kits, or advanced tooling have been described in the available sources. Attribution remains limited to the geographic indication of Russia; no public statements have tied Prosox to a state‑sponsored program or a known criminal consortium. The actor’s public profile is therefore defined by a series of web‑defacement operations targeting media and consumer‑goods platforms, relying on known CMS flaws and basic web‑shell techniques to achieve visibility and disruption.
