Full Report
This bulletin includes coordinated influence operation campaigns terminated on our platforms in Q1 2025. It was last updated on May 15, 2025. January: We terminated 12 YouT…
Analysis Summary
# Threat Actor: Portal Kombat
## Attribution & Identity
Linked to coordinated influence operations originating from Russia.
Associated Group: Publicly tracked as **Portal Kombat**.
## Activity Summary
Portal Kombat was involved in a Q1 2025 influence operation terminated across Google platforms. The campaign focused exclusively on disseminating narratives supporting Russia and criticizing Ukraine across multiple languages. The termination involved blocking 57 domains from eligibility to appear on Google News surfaces and Discover.
## Tactics, Techniques & Procedures
The primary TTP observed is **Information Operations/Influence Campaigns**, specifically focused on content dissemination across platforms like YouTube and Google News surfaces.
- Disseminating propaganda supportive of Russia and critical of Ukraine.
- Utilizing multiple languages for content distribution.
- **MITRE ATT&CK IDs**: Not explicitly listed. Conceptually, the external influence infrastructure falls under **T1568.001 (Service-based Phishing)** or **T1568 (Dynamic Resolution)**, or more broadly **T1599 (Establish C2 Infrastructure)** for operational setup, though the description details only the *outcome* (domain blocking) rather than the technical TTPs of the compromise.
## Targeting
- Sectors: Not specified, primarily focused on information/political narratives targeting public opinion.
- Geography: Global reach encompassing regions/languages including English, French, German, Russian, and others.
- Victims: None specified, targeting general audiences through platform surfaces.
## Tools & Infrastructure
- Infrastructure: 57 domains blocked from eligibility across Google News surfaces and Discover.
- Malware families used: Not applicable (Influence Operation/Information Warfare).
## Implications
The continued high-volume activity linked to Russia, including specific actors like Portal Kombat, indicates a persistent, state-sponsored effort to shape public discourse in support of Russian foreign policy objectives by utilizing coordinated influence operations across multiple Western and global languages.
## Mitigations
- Continued monitoring and termination of coordinated inauthentic networks (CINs) engaged in influence operations.
- Blocking domains identified as part of these influence networks from appearing on trusted news surfaces.
- Defense against adversarial narrative propagation across social media and news aggregation platforms.
***
# Threat Actor: Various Russian-linked Actors (State-Sponsored Entities & Consulting Firms)
## Attribution & Identity
Multiple distinct influence operations linked to Russia were noted:
1. Russian **state-sponsored entities** (multiple instances).
2. Entities linked to a **Russian consulting firm** (multiple instances).
3. General **Russia-linked** operations focusing on the conflict narrative.
4. Unspecified actors, supportive of Russia, targeting German politics.
## Activity Summary
Russian-linked influence operations were highly active in Q1 2025:
* **State-sponsored entities** ran campaigns sharing pro-Russia/anti-Ukraine content in Russian (terminated 4 YouTube channels in Jan; terminated 63 YouTube channels in Feb).
* **Russian consulting firms** ran large-scale operations with content in Russian critical of Ukraine and the West (terminated 1,263 YouTube channels in Jan; terminated 1,377 YouTube channels and 1 domain in Feb).
* Other Russian-linked campaigns disseminated content supportive of Russia to German- and English-language viewers (12 YouTube channels terminated in Jan) and content critical of German support for Ukraine (in Feb).
* One significant February campaign linked to the actor **Doppelganger** utilized a vast multilingual approach (Arabic, English, French, German, Hebrew, Italian, Polish, Ukrainian) supporting Russia and criticizing Ukraine/the West (47 domains blocked).
## Tactics, Techniques & Procedures
- **Information Operations:** Large-scale termination of coordinated networks on YouTube.
- **Narrative Dissemination:** Focusing on pro-Russia and anti-Ukraine messaging.
- **Multilingual Content Delivery:** Utilizing Russian, German, English, and several other European/Middle Eastern languages.
- **Infrastructure Use:** Blocking of associated domains used for potential dissemination or C2.
## Targeting
- Sectors: Information consumption, political discourse environments, and general public opinion.
- Geography: Primarily targeting audiences consuming content in Russian, German, and other relevant language groups across Europe and potentially globally.
- Victims: General public audiences on YouTube and Google News.
## Tools & Infrastructure
Not specified beyond content platforms (YouTube, Google News surfaces).
## Implications
Russian influence operations remain one of the most voluminous threats analyzed in the report, operating through various vectors including state entities and seemingly commercial/consulting fronts, indicating a diversified and sustained effort to achieve information dominance regarding the Ukraine conflict.
## Mitigations
- Continuous, high-volume detection and removal of YouTube channels associated with Russian influence operations.
- Focus on identifying and blocking infrastructure related to known pro-Russian influence conduits like Doppelganger.
***
# Threat Actor: Shanghai Haixun Technology Co., Ltd (PRC-linked)
## Attribution & Identity
Linked to the People’s Republic of China (PRC). Specifically linked to **Shanghai Haixun Technology Co., Ltd**. Network activity is consistent with previous reports.
## Activity Summary
The PRC-linked operations involved two main vectors in Q1 2025:
1. A campaign linked to Shanghai Haixun Technology Co., Ltd (25 domains blocked in Jan) disseminating spammy/repetitive content supportive of the Chinese government across five languages.
2. A larger, ongoing coordinated disinformation network (11,697 YouTube channels terminated in Jan; 2,472 channels and 1 Blogger blog terminated in Feb) uploading content in Chinese and English concerning China and US foreign affairs.
## Tactics, Techniques & Procedures
- **Spam and Repetitive Content:** One component focused on low-effort, high-volume content.
- **Information Operations:** Uploading content on sensitive political topics (China/US foreign affairs).
- **Multilingual Dissemination:** Using Chinese, English, French, German, and Italian.
## Targeting
- Sectors: Global audiences interested in China/US foreign policy, and audiences in Western nations (due to French, German, Italian usage).
- Geography: Global, with content targeting English and Chinese speakers specifically.
- Victims: General audience consuming content on YouTube.
## Tools & Infrastructure
- Infrastructure: 25 domains blocked in January.
- Platforms: YouTube channels, Blogger blog.
## Implications
PRC-linked influence operations remain significant in volume, suggesting a sustained, organized effort focused on advocating for the Chinese government's perspective on foreign policy issues to international audiences.
## Mitigations
- Enhanced detection for high-volume, repetitive content patterns associated with structured state information campaigns.
- Focus on cross-platform correlation due to the use of YouTube and Blogger.
***
*(Note: For brevity, other actors mentioned—Romania-based, Nigeria, Iran, Azerbaijan, US-based consulting firm, and Israel-linked—are summarized conceptually if their activity was less detailed or singular compared to the primary state actors.)*