Hackers are sending Russian doctors mass emails with trojans

The mailings look very convincing, experts emphasize

Medical institutions in Russia are being hit by a targeted phishing campaign disguised as correspondence from insurance companies and other hospitals. The attackers send emails with malware attached, which lets them control infected users' computers.

According to specialists from Kaspersky Lab, at the end of 2025 hackers were actively sending emails with fake messages from well-known insurance companies and medical institutions. In the fourth quarter of 2025, a wave of such emails was recorded, containing 63 attachments with the BrockenDoor malware. The emails were addressed to both state and, likely, private medical institutions.

In the emails, the hackers claim that a certain client is dissatisfied with treatment and is allegedly filing a complaint through the voluntary medical insurance program, referring to documents in the attachment. The message concerns the need for an amicable resolution of the situation. In some cases, other fakes were used, for example, a request for a hospital to urgently admit a patient for specialized treatment. Experts believe that the attackers will continue to invent new tricks to persuade the victim to open the attachment.

Kaspersky Lab analysts noted that the mailings look very plausible and inspire trust among recipients. The attackers register email domains imitating the names of real medical insurance companies and institutions, creating an illusion of legitimacy. In addition, many such domains were registered a very short time before the attacks began. This allows them to bypass spam filters and increases the chances of a successful attack through social engineering.
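The two signals described above, a sender domain that imitates a known partner and a domain registered shortly before delivery, can be checked at the mail gateway. The following is an added example, not code from Kaspersky Lab or the original article; the domains, dates, sample messages and both thresholds are constructed assumptions.

```python
from datetime import date
from difflib import SequenceMatcher

# Constructed allowlist of partner domains (placeholders, not from the article).
TRUSTED = {"northstar-insurance.example", "city-hospital-7.example"}
MAX_AGE_DAYS = 30      # assumed cut-off for "registered shortly before the attack"
MIN_SIMILARITY = 0.85  # assumed cut-off for "imitates a trusted name"

def closest_trusted(domain):
    """Return (trusted_domain, similarity) for the best-matching trusted domain."""
    return max(((t, SequenceMatcher(None, domain, t).ratio()) for t in TRUSTED),
               key=lambda pair: pair[1])

def assess(sender, registered, received, has_attachment):
    """Return the reasons to quarantine a message; an empty list means pass.

    `registered` is the sender domain's registration date, assumed to come
    from a WHOIS/RDAP lookup done elsewhere. Exact trusted domains pass here;
    SPF/DKIM/DMARC validation is assumed to be enforced separately.
    """
    domain = sender.rsplit("@", 1)[-1].lower().rstrip(".")
    if domain in TRUSTED:
        return []
    reasons = []
    match, score = closest_trusted(domain)
    if score >= MIN_SIMILARITY:
        reasons.append(f"lookalike of {match} ({score:.2f})")
    age = (received - registered).days
    if age <= MAX_AGE_DAYS:
        reasons.append(f"domain registered {age} days before delivery")
    if reasons and has_attachment:
        reasons.append("carries an attachment")
    return reasons

# Constructed messages: (sender, domain registration date, received, attachment?)
SAMPLES = [
    ("claims@northstar-insurance.example", date(2012, 3, 1), date(2025, 11, 20), True),
    ("claims@northstar-insurence.example", date(2025, 11, 12), date(2025, 11, 20), True),
    ("sales@lab-supplies.example", date(2019, 5, 5), date(2025, 11, 20), True),
    ("admit@new-clinic-portal.example", date(2025, 11, 15), date(2025, 11, 20), False),
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(msg[0], "->", assess(*msg) or "pass")
```
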

After a computer is infected, the trojans can collect information such as the user name, OS version, and file list, and send it to the attackers. If the data is of interest, the hackers can issue further commands to carry out attacks.

Under the law, medical institutions are required to protect their IT systems from attacks and report them to the FSB of Russia. The Prosecutor's Office monitors compliance with these rules. However, non-compliance can lead to reputational and financial losses, notes Andrei Eli, director of the Bud zdorov clinic network. Vulnerable devices can be used as a foothold for further attacks on other institutions.

To protect against such cyberattacks, Kaspersky Lab recommends that organizations train their employees in the basics of cybersecurity, use solutions to block suspicious emails, and deploy threat detection technologies. Training courses and the continuous professional development of employees will help create a more secure IT infrastructure.


Sources:
Cnews