
Hacktivists Expand Beyond Politics: Agriculture, Hospitality, and C2 Frameworks

Kaspersky research shows hacktivist groups now targeting agriculture, hospitality, and real estate with Sliver, Havoc, and ValleyRAT
Sami Malik
Copywriter

Something shifted in the threat picture over the past twelve months, and it did not shift quietly. Hacktivist groups — the kind that once defaced government websites and leaked ministerial emails to make a political point — are now knocking on the doors of farms, hotel chains, food manufacturers, and construction firms. Securelist published research earlier this year documenting exactly this expansion: new or significantly enlarged target sectors that most security teams were not watching, paired with tooling that makes attribution genuinely difficult. If your organisation sits outside the traditional financial or government verticals, this is the moment to pay close attention.

What the New Kaspersky Research Shows

The Kaspersky research captured in Securelist is notable for two reasons. First, it names specific sectors that were not historically on the hacktivist radar. Second, it identifies a directional shift in the nature of harm being attempted, away from purely digital embarrassment and towards disruption that can have real-world physical consequences. Understanding both dimensions is essential before you can make any sensible decisions about your own exposure.

Agriculture, Food, Hospitality, Construction

The sectors singled out in the Kaspersky findings are Agriculture and Livestock, Food and Beverages, Hospitality, Construction, Automotive, and Real Estate. That list is telling. None of those industries spend heavily on threat intelligence. Few of them employ large in-house security teams. Most of them operate networks that were designed for operational efficiency first and security second, if at all. Attackers know this.

Agriculture and food production underpin national supply chains. A sustained disruption to a grain-handling cooperative, a dairy processing facility, or a logistics hub for fresh produce is not merely a business inconvenience: it can affect food availability at a population level, particularly in regions already under supply pressure.  has separately documented how the attack surface across critical infrastructure has broadened significantly, with precisely these categories emerging as growth areas for hacktivist targeting. The timing matters. Geopolitical tensions across the EMEA region, from the continued conflict in Ukraine to the fracturing of energy dependencies across Central and Eastern Europe, are feeding the ideological engine that drives hacktivist recruitment and target selection.

Hospitality is a different kind of target but no less interesting to an adversary. Hotel groups and hospitality chains hold enormous volumes of personally identifiable information, payment card data, and corporate travel records. They also operate fragmented IT environments spread across dozens or hundreds of properties, often with inconsistent patch management and third-party integrations that were never properly security-reviewed. Construction firms, meanwhile, are increasingly digitised: BIM platforms, drone survey systems, connected site machinery, and cloud-based project management tools all create entry points that simply did not exist a decade ago.

From Digital Disruption to Cyber-Physical Risk

The more alarming finding in the Securelist research is not which sectors are being targeted, but what kind of harm is now being pursued. Hacktivism is evolving from primarily digital disruption (defacement, DDoS, data leaks) toward scenarios with tangible cyber-physical implications. That phrase deserves unpacking.

Cyber-physical risk means that a successful intrusion does not just corrupt data or degrade a website. It means an attacker can interact with systems that control physical processes. In an agricultural context, that could mean tampered automated irrigation schedules causing crop failure, or compromised climate control in a cold-storage facility spoiling perishable stock. In food manufacturing, it means process control systems that govern ingredient ratios, cooking temperatures, or contamination detection. The IT-OT convergence that has made precision farming and smart food production possible has simultaneously introduced attack paths that did not exist five years ago. Your attack surface in these environments is measurably larger than your IT inventory alone suggests.

This is not theoretical scaremongering. The research documents a clear directional trend, and the tooling now available to hacktivist groups, discussed below, makes cyber-physical scenarios operationally achievable for actors who previously lacked the capability.

The Tools: Sliver, Havoc, and ValleyRAT

The weaponry matters as much as the targeting shift. What makes the current generation of hacktivist campaigns particularly difficult to detect and attribute is that many groups have stopped using bespoke malware and switched to open-source offensive frameworks originally built for legitimate penetration testing. When a red team and a threat actor use the same tool in identical configurations, your detection logic struggles to tell them apart.

Sliver: Open-Source C2 With mTLS

Sliver is an open-source command-and-control framework. It was built for offensive security professionals: penetration testers and red teamers who need a flexible, cross-platform implant that supports multiple communication protocols. The problem is that it is freely available, well-documented, and actively maintained, which makes it equally attractive to threat actors who want capable C2 infrastructure without the development overhead of building their own.

The Kaspersky investigation found that every Sliver instance uncovered during the research was configured to communicate with a C2 server at 185.221.153[.]121 over mutual TLS (mTLS). That configuration detail is operationally significant. Mutual TLS means both the implant and the server authenticate each other using certificates, which makes passive interception harder and allows the operator to verify that they are communicating with their own implant rather than a sinkholed version. For a defender, the challenge is that mTLS-encrypted traffic over common ports does not immediately raise alarms in a standard SIEM rule set. You need behavioural detection (looking for anomalous beacon intervals, unusual process-to-network associations, or unexpected outbound connections to infrastructure with no business justification) rather than relying on signature matching alone.

Because Sliver does not carry group-specific code signatures, its presence on a compromised host tells you very little about which actor is responsible. That is precisely why understanding indicators of compromise beyond file hashes (network IOCs, certificate fingerprints, and infrastructure clustering) becomes the primary attribution mechanism when dealing with commodity C2 tooling like this.

Havoc: Post-Exploitation Framework in SFX Archives

Havoc is another open-source post-exploitation framework, and its delivery mechanism in the cases documented by Kaspersky is worth examining closely. Investigators found Havoc embedded inside a self-extracting archive (an SFX file) configured to call back to a C2 at 77.72.85[.]62. SFX archives are a well-worn delivery technique because many organisations either permit or fail to inspect compressed executables in email gateways and endpoint controls. An SFX file can look benign to automated scanning, particularly if it is not immediately flagged by hash-based detection, and it bundles both the extraction logic and the payload in a single file that executes without the target needing third-party decompression software.
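An SFX file is structurally an ordinary PE executable (the extraction stub) with an archive appended after the last section, in what PE tooling calls the overlay. The following check, written for this article and not taken from the Kaspersky research or any gateway product, parses the PE section table to find where the mapped image ends and then looks for archive signatures in the trailing bytes. The `build_sample_pe` helper fabricates a minimal, non-runnable PE layout purely so the check can be exercised offline; the overlay contents in the usage section are constructed as well.

```python
"""Detect self-extracting archives: a PE executable carrying an archive in its overlay.

Added example for this article (not research or vendor code). Parses the PE
section table to locate the end of the mapped image and inspects the overlay
for archive signatures. The sample PE built below is a constructed header
layout used only to exercise the check.
"""
import struct

# Archive signatures commonly found in the overlay of SFX stubs.
ARCHIVE_MAGIC = {
    b"Rar!\x1a\x07": "RAR",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"PK\x03\x04": "ZIP",
}


def pe_image_end(data: bytes):
    """Return the file offset just past the last section's raw data, or None
    when the bytes are not a parseable PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or e_lfanew + 24 > len(data):
        return None
    (num_sections,) = struct.unpack_from("<H", data, e_lfanew + 6)
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    sec_table = e_lfanew + 24 + opt_size
    end = sec_table + 40 * num_sections  # the headers are part of the image too
    if end > len(data):
        return None
    for i in range(num_sections):
        # Section header: Name(8) VirtualSize(4) VirtualAddress(4)
        # SizeOfRawData(4) PointerToRawData(4) ... -> raw fields at +16
        raw_size, raw_ptr = struct.unpack_from("<II", data, sec_table + 40 * i + 16)
        end = max(end, raw_ptr + raw_size)
    return end


def classify_overlay(data: bytes):
    """Return (has_overlay, archive_type). archive_type is None when the overlay
    carries no recognised archive signature; certificates and installer
    metadata also live in overlays, so an overlay alone is not a verdict."""
    end = pe_image_end(data)
    if end is None or end >= len(data):
        return False, None
    overlay = data[end:]
    for magic, name in ARCHIVE_MAGIC.items():
        # The archive may follow a small stub comment/config blob, so search
        # the overlay rather than require the magic at its first byte.
        if magic in overlay:
            return True, name
    return True, None


def build_sample_pe(overlay: bytes) -> bytes:
    """Construct a minimal PE layout (one .text section at 0x200-0x400) and
    append `overlay`. Constructed for this example; it is not a real executable."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header at 0x40
    # COFF header: Machine, NumberOfSections=1, timestamps/symbols zeroed,
    # SizeOfOptionalHeader=0, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    section = (b".text\0\0\0"
               + struct.pack("<IIII", 0x200, 0x1000, 0x200, 0x200)  # VSize, VA, RawSize, RawPtr
               + b"\0" * 16)
    return (bytes(dos) + coff + section).ljust(0x400, b"\0") + overlay


if __name__ == "__main__":
    sfx = build_sample_pe(b"\0" * 16 + b"Rar!\x1a\x07\x01\x00" + b"constructed payload")
    print(classify_overlay(sfx))                    # (True, 'RAR')
    print(classify_overlay(build_sample_pe(b"")))   # (False, None)
```

Treat the result as a triage signal rather than a block/allow decision: a signed installer legitimately carries an Authenticode blob in its overlay, so the useful policy is "PE with an archive signature in the overlay, arriving by mail from outside the organisation, gets detonated or quarantined", not "any overlay is malicious". The ZIP signature is the noisiest of the three because it also appears in Java and Office containers.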

Havoc's capabilities in the post-exploitation phase include process injection, token manipulation, and lateral movement: a standard but effective toolkit for an operator who has achieved initial access and wants to expand their foothold quietly before triggering any visible impact. The combination of a low-friction delivery method and a capable post-exploitation framework is exactly what you would expect from groups that are becoming more tactically disciplined. The days of hacktivist operations being noisy and technically unsophisticated are not entirely over, but the upper tier of these groups is operating at a level that would not embarrass a mid-range financially motivated criminal crew.

ValleyRAT and the ABCDoor Backdoor

The third toolset documented in the Kaspersky research involves a Chinese-nexus threat actor known as Silver Fox. The group is targeting organisations in Russia and India, and its lure of choice is impersonation of tax authorities. The approach is operationally elegant: tax authority communications carry inherent urgency and authority, which suppresses the scepticism that might otherwise cause a recipient to scrutinise an attachment or link more carefully.

The payload being distributed in these campaigns is ValleyRAT, a remote access trojan that has been associated with Silver Fox in previous reporting. What the new Kaspersky research adds is the identification of ABCDoor, a backdoor that appears to be a new addition to the group's arsenal. ValleyRAT provides persistent remote access and supports a range of data exfiltration and surveillance capabilities. ABCDoor is described as a new backdoor, suggesting that Silver Fox is actively developing or commissioning new tooling alongside its use of the established ValleyRAT implant. The pairing of a known RAT with a freshly developed backdoor is consistent with an actor that wants redundancy: if one implant is detected and evicted, the other maintains access.

The geographic targeting (Russia and India), combined with the tax authority impersonation theme, suggests campaigns timed around filing periods or regulatory deadlines, when targets are both preoccupied with compliance tasks and more likely to interact with official-looking correspondence. For organisations with operations in either country, this is a specific and credible threat vector that warrants attention in your phishing simulation and awareness programmes.

The Blurring Line Between Hacktivism and Financial Crime

One of the more consequential findings across the research is how thoroughly the traditional categories have dissolved. For years, analysts drew reasonably clean lines between hacktivists (ideologically motivated, disruptive), cybercriminals (financially motivated, opportunistic), and nation-state actors (strategically motivated, patient). Those distinctions were always imperfect, but they were useful enough to drive different defensive priorities. They are now actively misleading.

State-Adjacent Groups Adopting Ransom Tactics

has documented this convergence in detail, observing that the motivations behind modern hacktivist operations are increasingly mixed: politically motivated disruption, financial extortion, and intelligence collection can co-exist within a single group or even a single campaign. A group that deploys a ransomware payload against a food distribution company is simultaneously disrupting supply chains for ideological effect and generating revenue that funds further operations. The victim cannot easily distinguish between a purely criminal extortion and a state-adjacent actor using ransom as cover for intelligence collection or sabotage.

This convergence has practical implications for how you respond to an incident. If you assume the actor is purely financial and focus exclusively on restoring operations and paying or declining the ransom, you may miss the intelligence-collection component that was the primary objective. If you assume the actor is nation-state and focus on attribution, you may delay operational recovery unnecessarily. Effective response requires treating both possibilities seriously from the first hour.

Silver Fox and the Tax Authority Impersonation Campaign

Silver Fox illustrates the blurring particularly well. The group's infrastructure, targeting choices, and technical capability are consistent with state-adjacent operations, yet the use of a remote access trojan distributed via social engineering fits the profile of financially motivated espionage-for-hire as much as it fits a purely state-directed intelligence operation. The tax authority impersonation theme maximises the probability of a successful initial access event regardless of the final objective, which suggests a group optimising for access above all else, a characteristic shared by both sophisticated criminal operators and state-directed actors collecting economic intelligence.

Understanding this kind of actor requires moving beyond reactive detection. Cyber threat intelligence that maps the group's infrastructure, tracks its certificate issuance patterns, and monitors for new domain registrations associated with its known TTPs gives you a window of opportunity to identify campaigns before they reach your users' inboxes.

Why Non-Traditional Industries Are Now Exposed

The targeting of agriculture, food production, hospitality, and construction is not random. There is a clear logic to why these sectors have moved from the periphery to the centre of the threat picture, and understanding that logic is the starting point for any proportionate defensive response.

OT and IT Convergence in Agriculture and Food Production

Precision farming now routinely involves GPS-guided machinery, automated irrigation systems driven by soil sensor data, robotic harvesting equipment controlled via networked interfaces, and cloud platforms that aggregate field data for yield optimisation. Each of these systems represents an IT-OT integration point. The operational technology (the machinery and physical processes) is now reachable via the same IP networks that connect to the internet, to supplier portals, and to corporate email systems. A phishing email that compromises a farm manager's credentials can, in the right network architecture, provide a path to systems that control physical agricultural processes.

Food manufacturing compounds this risk. Temperature control systems, contamination detection equipment, production line automation, and batch control software are all increasingly networked. Legacy OT devices in these environments were often designed decades before network connectivity was considered, meaning they run without authentication, without encryption, and without the capacity to run endpoint security agents. When they are connected to a modern IT network, even indirectly, they become reachable from the internet in ways their manufacturers never anticipated.

Low Security Maturity in Hospitality and Construction

Hospitality and construction face a different problem. The issue is less about OT convergence and more about the structural characteristics of these industries. Hospitality companies typically operate with thin margins, high staff turnover, heavy reliance on third-party technology vendors, and distributed IT environments where central security governance is genuinely difficult. A mid-sized hotel group might have fifty properties, each running a mix of property management systems, point-of-sale platforms, and guest Wi-Fi infrastructure from different vendors, integrated via APIs of varying security quality. The security team, if one exists at the group level, rarely has full visibility into what is running at each property.

Construction is digitising rapidly. Project management platforms, drone survey tools, BIM collaboration environments, and connected site equipment all create an expanding digital footprint that outpaces the security awareness and investment of most firms in the sector. Sub-contractors and suppliers with weaker security controls regularly access these platforms, creating supply-chain entry points. An attacker who compromises a small sub-contractor's credentials gains legitimate authenticated access to the main contractor's project environment. From there, the options for espionage, disruption, or data theft are considerable.

What Security Teams Should Do

The research points to a set of concrete priorities rather than a general programme of improvement. Start with visibility. If you operate in any of the sectors identified, or if you supply, insure, finance, or regulate organisations that do, you need a current map of your external attack surface that includes OT-connected systems, supplier access points, and any cloud platforms with integrations into operational technology. Visibility gaps are where intrusions persist undetected.

On the tooling side, the use of Sliver and Havoc by hacktivist actors means that network detection must be behavioural rather than signature-based. Deploy network traffic analysis capable of detecting anomalous beacon patterns and unexpected mTLS connections to external infrastructure with no established business relationship. The C2 addresses identified in the Kaspersky research (185.221.153[.]121 for Sliver and 77.72.85[.]62 for Havoc) should be blocked and used as seed infrastructure for wider clustering of related IP space. Do not treat a single IOC as a complete picture; treat it as the starting point for infrastructure analysis.
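The behavioural detection called for here (in the Sliver section above and again in this recommendation) comes down to one measurable property: an implant calls home on a schedule, and scheduled traffic has far more regular spacing than anything a person generates. The script below is an added example for this article, not tooling from the Kaspersky research or from any product; it groups outbound connection records by (source host, destination, port), scores each series on the coefficient of variation of its inter-connection gaps, and separately matches destinations against the two C2 addresses the article quotes as seed IOCs. The flow records are constructed; the non-IOC destinations use RFC 5737 documentation ranges.

```python
"""Behavioural beacon detection over outbound connection records.

Added example for this article (not code from the cited research). Scores
each (src_host, dst_ip, dst_port) pair on timing regularity and cross-checks
destinations against the seed C2 addresses quoted in the article. All flow
records below are constructed.
"""
import statistics
from collections import defaultdict

# Seed C2 addresses from the article, defanged with [.] as published there.
SEED_C2 = {"185.221.153[.]121": "Sliver", "77.72.85[.]62": "Havoc"}

# Constructed records in the form: unix_timestamp,src_host,dst_ip,dst_port
SAMPLE_FLOWS = """
# host-a: one connection every ~60s with small jitter -> beacon-like
1700000000,host-a,203.0.113.10,443
1700000061,host-a,203.0.113.10,443
1700000119,host-a,203.0.113.10,443
1700000181,host-a,203.0.113.10,443
1700000240,host-a,203.0.113.10,443
1700000302,host-a,203.0.113.10,443
1700000359,host-a,203.0.113.10,443
1700000420,host-a,203.0.113.10,443
# host-b: bursty, human-driven pattern -> not a beacon
1700000000,host-b,198.51.100.7,443
1700000005,host-b,198.51.100.7,443
1700000300,host-b,198.51.100.7,443
1700000310,host-b,198.51.100.7,443
1700000900,host-b,198.51.100.7,443
1700000950,host-b,198.51.100.7,443
1700001000,host-b,198.51.100.7,443
# host-c: too few samples to score timing, but the destination is a seed IOC
1700000000,host-c,185.221.153.121,8888
1700000600,host-c,185.221.153.121,8888
""".strip().splitlines()


def refang(indicator: str) -> str:
    """Turn a defanged address ('1.2.3[.]4') back into a matchable one."""
    return indicator.replace("[.]", ".")


def parse_flows(lines):
    """Parse 'ts,src_host,dst_ip,dst_port' records; blank and '#' lines are skipped."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = line.split(",")
        flows.append((float(ts), src, dst, int(port)))
    return flows


def beacon_score(timestamps, min_connections=6):
    """Return (mean_interval, coefficient_of_variation) for a connection series,
    or None when there are too few samples to judge. A scheduled implant, even
    with modest jitter, yields a CV far below that of interactive traffic."""
    if len(timestamps) < min_connections:
        return None
    ts = sorted(timestamps)
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    if mean <= 0:
        return None
    return mean, statistics.pstdev(gaps) / mean


def analyse(lines, cv_threshold=0.25):
    """Return one finding per (src, dst, port) pair that either matches a seed
    IOC or shows beacon-like timing; each finding lists its reasons."""
    seeds = {refang(ip): tool for ip, tool in SEED_C2.items()}
    by_pair = defaultdict(list)
    for ts, src, dst, port in parse_flows(lines):
        by_pair[(src, dst, port)].append(ts)
    findings = []
    for (src, dst, port), stamps in sorted(by_pair.items()):
        reasons = []
        if dst in seeds:
            reasons.append(f"destination is a published {seeds[dst]} C2 seed IOC")
        score = beacon_score(stamps)
        if score is not None and score[1] <= cv_threshold:
            reasons.append(f"regular beacon: mean {score[0]:.0f}s, cv {score[1]:.2f}")
        if reasons:
            findings.append({"src": src, "dst": dst, "port": port, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['port']}: " + "; ".join(f["reasons"]))
```

The threshold and minimum sample count are tuning knobs, not constants to trust: run the scorer over a sliding window of your own flow or proxy logs, baseline what legitimate update and telemetry agents look like (they beacon too), and feed only the residue to an analyst. The IOC match is deliberately the weaker half of the logic, since the article's own advice is to treat a published address as a seed for infrastructure clustering rather than as the whole picture.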

For organisations in Russia or India, or those with significant operations or partnerships in those countries, the Silver Fox campaign demands specific attention to how tax-related communications are handled. Enforce SPF, DKIM, and DMARC checks on inbound mail, and consider additional scrutiny, human or technical, for any attachment or link arriving in the context of regulatory or tax authority correspondence. Train staff on the specific impersonation theme rather than relying on generic phishing awareness content.
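Inbound DMARC enforcement can only reject a message spoofing a tax authority (or your own domain) if the impersonated domain publishes an enforcing policy, so the first practical check is to read what a domain actually publishes. The parser below is an added example written for this article, not code from the research it cites; it grades SPF and DMARC TXT records and reports each weakness that would let an impersonation through. The records are constructed, using the reserved example.com / example.net names; in practice you would fetch them with a DNS library or `dig TXT _dmarc.<domain>`.

```python
"""Grade the SPF and DMARC records a domain publishes (added example).

Illustrative code for this article, not from the cited research. Given the
raw TXT record strings, it reports the settings that would allow spoofed
mail to be delivered. All records below are constructed.
"""


def parse_dmarc(record: str) -> dict:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': ...}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return weakness descriptions for a DMARC record; empty means enforcing."""
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p")
    if policy is None:
        findings.append("no p= tag: record is invalid and ignored by receivers")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail lands in spam rather than being rejected")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if policy not in (None, "none") and tags.get("sp", policy) == "none":
        findings.append("sp=none: subdomains are exempt from enforcement")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, so abuse goes unnoticed")
    return findings


def _mechanism(term: str) -> str:
    """'include:_spf.example.net' -> 'include'; '+all' -> 'all'; 'redirect=x' -> 'redirect'."""
    return term.lower().lstrip("+-~?").split(":")[0].split("=")[0]


def assess_spf(record: str) -> list:
    """Return weakness descriptions for an SPF record; empty means a strict policy."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if _mechanism(t) == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: evaluation ends neutral, unlisted senders are not blocked")
    elif all_term == "all" or all_term[0] in ("+", "?"):
        findings.append(f"'{all_term}': any sender passes or is neutral, the record blocks nothing")
    elif all_term.startswith("~"):
        findings.append("~all: softfail, many receivers still deliver")
    # RFC 7208 caps DNS-querying mechanisms at 10; exceeding it yields permerror.
    lookups = sum(1 for t in terms[1:]
                  if _mechanism(t) in ("include", "a", "mx", "ptr", "exists", "redirect"))
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms exceed RFC 7208's limit of 10: permerror")
    if any(_mechanism(t) == "ptr" for t in terms[1:]):
        findings.append("ptr mechanism is deprecated and slow for receivers to evaluate")
    return findings


# Constructed records: a weak pair beside a hardened pair for the same domain.
WEAK = {
    "dmarc": "v=DMARC1; p=none",
    "spf": "v=spf1 include:_spf.example.net ptr +all",
}
HARDENED = {
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=s",
    "spf": "v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all",
}


def grade(records: dict) -> dict:
    return {"dmarc": assess_dmarc(records["dmarc"]), "spf": assess_spf(records["spf"])}


if __name__ == "__main__":
    for label, recs in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, grade(recs))
```

Run the grader against your own sending domains first (a `p=none` record is the usual finding), then against the domains your staff are expected to trust, such as the real tax authority's. Where the impersonated domain is not enforcing, the gateway cannot rely on DMARC and you are back to the article's fallback: extra scrutiny of anything that claims regulatory or tax authority origin.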

On the broader question of hacktivist targeting, map your organisation's potential ideological exposure. Are you associated with a government contract, a controversial infrastructure project, a geopolitically sensitive sector, or a parent company with a public position on a contested issue? Hacktivist target selection is driven by narrative, and understanding the narratives that might make you a target is a prerequisite for anticipating campaigns before they land. Dark web monitoring that tracks chatter on hacktivist forums and Telegram channels can surface targeting intent days or weeks before an attack is launched, giving you time to reinforce specific controls rather than reacting from a standing start.

Finally, revisit your incident response assumptions. The convergence of hacktivist, criminal, and state-adjacent motivations documented in the Kaspersky and SOCRadar research means that your IR playbooks need to account for mixed-motivation actors. An initial DDoS or data leak may be cover for a concurrent intrusion campaign. A ransomware deployment may be secondary to intelligence collection that has already occurred. Build parallel workstreams into your IR process so that operational recovery and forensic investigation run simultaneously rather than sequentially.

Frequently Asked Questions

What distinguishes a hacktivist from a nation-state actor or cybercriminal today?

Increasingly, very little, and that is the core problem. As  has documented, a single group or campaign can combine political disruption goals, financial extortion, and intelligence collection. Nation-state actors use hacktivist front groups for deniable operations. Criminal groups adopt ideological framing to recruit and to provide cover for ransomware deployments. The practical distinction for a defender is less important than understanding the capabilities and TTPs in front of you: what tools are they using, what infrastructure are they operating, and what access are they seeking? Those questions have concrete answers regardless of whether you can precisely categorise the actor's motivation.

Why are groups using commercial C2 frameworks like Sliver instead of custom tools?

Efficiency and attribution resistance. Developing and maintaining custom malware is expensive, time-consuming, and exposes the developer to potential discovery through code similarities with previously attributed samples. Sliver and Havoc are mature, well-supported frameworks with active development communities. They support multiple communication protocols, operate across platforms, and, critically, do not carry the code signatures of any specific threat actor group. When every red team in Europe is also using Sliver for legitimate engagements, a defender's detection logic cannot simply flag Sliver as malicious. Attribution requires infrastructure analysis, campaign correlation, and contextual intelligence rather than simple tool identification.

Does Sliver leave forensic traces that incident responders can identify?

Yes, though the traces are different from those left by cruder malware families. Sliver implants establish persistent connections on a beacon schedule, and those beacon intervals are configurable but consistent; anomaly detection tuned to irregular outbound connection timing can surface them. The mTLS configuration identified in the Kaspersky research means that the TLS certificate presented by the C2 server may have characteristics (self-signed, short validity, specific subject attributes) that differ from legitimate commercial certificates and can be flagged by a network inspection rule. Process injection artefacts in memory, unusual parent-child process relationships, and scheduled tasks or services created without a corresponding change management record are all forensic indicators worth hunting for if you suspect a Sliver compromise.
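The certificate characteristics mentioned in this answer can be turned into a concrete inspection rule. The code below is an added example for this article, not from the Kaspersky research; it takes the dictionary shape Python's `ssl.SSLSocket.getpeercert()` returns (subject and issuer as nested tuples, `notBefore`/`notAfter` as OpenSSL-style strings, which the same shape your TLS-inspection or Zeek-style certificate logs can be mapped into) and flags properties that public-CA certificates rarely show: an issuer equal to the subject, a very short or over-long validity period, no `subjectAltName`, or a bare IP address as common name. Both sample certificates are constructed; the thresholds are assumptions you should tune.

```python
"""Heuristic review of a server certificate's metadata (added example).

Written for this article, not from the cited research. Works on the dict
shape returned by ssl.SSLSocket.getpeercert(); both samples are constructed
and the thresholds are assumptions.
"""
import ipaddress
import ssl


def _flatten(rdn_seq) -> dict:
    """Collapse getpeercert()'s ((('commonName', 'x'),), ...) into a flat dict."""
    out = {}
    for rdn in rdn_seq:
        for key, value in rdn:
            out[key] = value
    return out


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def assess_certificate(cert: dict, short_days: int = 30, long_days: int = 398) -> list:
    """Return reason strings for properties unusual in public-CA certificates;
    an empty list means nothing stood out. long_days mirrors the 398-day cap
    browsers apply to publicly trusted certificates."""
    subject = _flatten(cert.get("subject", ()))
    issuer = _flatten(cert.get("issuer", ()))
    reasons = []
    if subject and subject == issuer:
        reasons.append("self-signed (issuer equals subject)")
    if "organizationName" not in issuer:
        reasons.append("issuer carries no organisation name")
    try:
        lifetime = (ssl.cert_time_to_seconds(cert["notAfter"])
                    - ssl.cert_time_to_seconds(cert["notBefore"])) / 86400
    except (KeyError, ValueError):
        reasons.append("validity period missing or unparseable")
    else:
        if lifetime < short_days:
            reasons.append(f"short validity ({lifetime:.0f} days)")
        elif lifetime > long_days:
            reasons.append(f"validity of {lifetime:.0f} days exceeds the public-CA maximum")
    if not cert.get("subjectAltName"):
        reasons.append("no subjectAltName (public CAs require one)")
    cn = subject.get("commonName", "")
    if not cn or _is_ip(cn):
        reasons.append(f"common name is empty or an IP address ({cn!r})")
    return reasons


# Constructed: the shape of a typical publicly issued certificate.
COMMERCIAL_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Example CA Inc"),),
               (("commonName", "Example CA R3"),)),
    "notBefore": "Mar 10 00:00:00 2025 GMT",
    "notAfter": "Jun 08 23:59:59 2025 GMT",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com")),
}

# Constructed: self-signed, ten-day validity, IP common name, no SAN.
SUSPECT_CERT = {
    "subject": ((("commonName", "203.0.113.10"),),),
    "issuer": ((("commonName", "203.0.113.10"),),),
    "notBefore": "Apr 01 12:00:00 2025 GMT",
    "notAfter": "Apr 11 12:00:00 2025 GMT",
}

if __name__ == "__main__":
    print("commercial:", assess_certificate(COMMERCIAL_CERT))
    print("suspect:", assess_certificate(SUSPECT_CERT))
```

Two caveats for live use. `getpeercert()` returns an empty dict unless the socket validated the chain, so for a self-signed C2 certificate you will be populating this structure from your inspection tooling's certificate log or from a DER blob you parse yourself, not from a validating client. And none of these properties is damning on its own: internal services and lab gear use self-signed certificates constantly, so the score belongs in a correlation rule alongside the beacon-timing and destination-reputation signals discussed above.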

What is ABCDoor and how does it differ from ValleyRAT?

Based on the Kaspersky research, ABCDoor is a newly identified backdoor distributed alongside ValleyRAT in Silver Fox campaigns targeting organisations in Russia and India. ValleyRAT is an established remote access trojan associated with Silver Fox in previous reporting, providing persistent access, surveillance, and data exfiltration capabilities. ABCDoor appears to be a more recent addition to the group's toolkit, suggesting active development or commissioning of new tooling. The operational rationale for deploying both is likely redundancy: if ValleyRAT is detected and removed, ABCDoor maintains the access channel. Beyond that, detailed technical differentiation between the two tools requires deeper reverse engineering than is currently published in the available research.

How should a hospitality company assess its risk from hacktivist groups?

Start with the narrative question: is your company or its parent associated with anything that could become a hacktivist target, such as government contracts, geopolitical affiliations, controversial ownership, or a prominent public position on a contested issue? Then map your actual attack surface honestly, including every third-party integration, every property-level system, and every supplier with authenticated access to your platforms.  has noted that the attack surface for hospitality and related sectors has broadened significantly, and the entry points attackers exploit are almost always in the integrations and third-party connections rather than in the core systems that receive the most security attention. Commission a third-party assessment of your external exposure, implement dark web monitoring for early warning of targeting chatter, and ensure your IR plan does not assume that an initial DDoS or defacement is the totality of the attack rather than its opening move.

How Defendis Can Help

Attacks like this one rarely announce themselves through official channels first. New payloads, active infrastructure, and exploitation techniques circulate in closed forums and private channels well before any public research surfaces them. By the time an incident makes it into a threat report, organisations without early visibility are already behind.

Defendis gives your security team that early visibility. We monitor the dark web, underground forums, and threat actor channels so your team receives relevant intelligence before it becomes breaking news, context about emerging threats matched against your organisation's exposure, without requiring your analysts to spend time in places they should not have to go.


About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.
