Cyber Threat Actor: Razy
| Actor Type | Location | Known Incidents |
Criminal
|
India
|
1 incident |
|---|
Profile
The threat actor known as Razy operates with infrastructure linked to India. This entity targeted Kazakhstan's e-government infrastructure in July 2021, compromising subdomains associated with legal documentation and budgetary information. The operation focused on exploiting public trust in government digital services to distribute malware. By infiltrating the legalacts and budget sections of the portal, Razy uploaded malicious files disguised as regional resolutions and financial summaries—common document types expected by users of these platforms. This approach indicates a deliberate effort to leverage the credibility of official channels for payload delivery rather than indiscriminate targeting. The campaign’s narrow focus on specific government subdomains suggests reconnaissance to identify high-traffic resources where malicious documents would blend seamlessly with legitimate content.
Razy employed watering hole techniques to compromise visitors through trojanized documents hosted on trusted government domains. The malware, sharing the actor’s alias, functioned as a downloader capable of retrieving additional payloads. Security researchers observed the malicious files mimicking authentic formats, including regional administrative resolutions and fiscal reports, to evade suspicion. This TTP exploited routine user behavior—downloading expected administrative documents—to initiate infections. The operation’s reliance on subdomain compromises demonstrates an understanding of web infrastructure segmentation, though no technical details about exploitation methods were disclosed. Public reporting did not attribute the activity to state-sponsored groups or criminal alliances, leaving Razy’s organizational context unconfirmed beyond its geographic infrastructure ties.
