Russian-Backed Disinformation Campaign Targets Moldova’s Upcoming Elections

As Moldova approaches its parliamentary elections on September 28, 2025, cybersecurity experts have identified a sophisticated disinformation campaign orchestrated by Russian entities. This operation aims to erode public trust in Moldova’s pro-European government by disseminating misleading information through newly established online platforms.

Emergence of the Campaign

The campaign’s activities became noticeable in April 2025 when analysts detected a series of newly registered domains publishing biased news articles in both Romanian and Russian. These websites utilized identical templates and shared infrastructure with previous Russian propaganda outlets, indicating a coordinated effort to influence public opinion during a pivotal moment in Moldova’s democratic process.

Technical Analysis and Infrastructure

Researchers from Silent Push employed open-source intelligence and network traffic analysis to uncover the campaign’s infrastructure. They identified numerous URLs featuring inflammatory headlines designed to discredit the ruling coalition and promote a shift back toward Moscow’s influence. Further investigation revealed that these domains were linked to two dedicated IP addresses previously associated with a 2022 disinformation operation known as Absatz.

By examining registration metadata and hosting records, analysts established a direct connection between the current Moldovan campaign and earlier efforts. The reuse of specific code functions, originally developed for the 2022 operation, facilitated rapid deployment and provided a unique fingerprint linking the various sites. Notably, the PHP module responsible for article templating and URL parameter parsing contained identifiable code snippets, allowing researchers to trace the codebase’s evolution across both campaigns.

Evasion Tactics and Infrastructure Resilience

The campaign’s operators demonstrated advanced tactics to evade detection and maintain infrastructure resilience. Each disinformation website employed a rotating pool of content delivery networks (CDNs) and proxy services to obscure origin IP addresses. DNS records were configured with extremely short time-to-live (TTL) values—often under five minutes—complicating efforts to block access.
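The two infrastructure signals described above, domains that converge on a small set of shared IP addresses and DNS records with TTLs under five minutes, can be combined into a single hunting check over passive-DNS data. The Python below is an added example, not Silent Push's tooling or anything recovered from the campaign; the record layout, the .example domains, the documentation-range IPs and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed passive-DNS observations: (domain, resolved IP, TTL in seconds).
RECORDS = [
    ("news-one.example", "192.0.2.10", 120),
    ("news-two.example", "192.0.2.10", 300),    # at the threshold, not under it
    ("news-two.example", "198.51.100.7", 60),   # same domain seen on a second IP
    ("news-three.example", "198.51.100.7", 180),
    ("city-blog.example", "203.0.113.5", 3600),  # ordinary shared hosting
    ("shop.example", "203.0.113.5", 86400),
    ("lone-site.example", "203.0.113.77", 90),   # short TTL but no siblings
]
TTL_THRESHOLD = 300  # assumed cut-off for "under five minutes"
MIN_CLUSTER = 2      # assumed minimum number of linked domains

def components(records):
    """Group domains that are linked through any shared IP (union-find)."""
    parent = {}

    def find(x):
        while parent.setdefault(x, x) != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domain, ip, _ttl in records:
        parent[find(("d", domain))] = find(("ip", ip))
    groups = defaultdict(lambda: {"domains": set(), "ips": set()})
    for kind, name in list(parent):
        groups[find((kind, name))]["domains" if kind == "d" else "ips"].add(name)
    return list(groups.values())

def flag_clusters(records, ttl_threshold=TTL_THRESHOLD, min_cluster=MIN_CLUSTER):
    """Return clusters where every linked domain was seen with a short TTL."""
    short = {d for d, _ip, ttl in records if ttl < ttl_threshold}
    flagged = []
    for g in components(records):
        # Requiring both signals keeps shared hosting and lone CDN users out.
        if len(g["domains"]) >= min_cluster and g["domains"] <= short:
            flagged.append({"domains": sorted(g["domains"]), "ips": sorted(g["ips"])})
    return flagged

if __name__ == "__main__":
    for cluster in flag_clusters(RECORDS):
        print(cluster)
```

Neither signal is reliable alone: legitimate sites behind CDNs also use short TTLs, and unrelated sites share hosting IPs, which is why the check only flags clusters that show both.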

In instances where access to a malicious domain was successfully blocked at the ISP level, the site automatically redirected visitors to an alternate domain using a stealth JavaScript loader. This loader fetched an obfuscated payload from a third-party CDN, rehydrating the disinformation site content in the user’s browser without interacting with the original domain. This dual-stage loading mechanism allowed the campaign to persist despite domain blacklisting.

To maintain operational security, all command-and-control interactions for content updates were conducted over TLS-encrypted channels using non-standard ports. These same ports had been observed in the 2022 Absatz campaign, further solidifying the link between the two efforts. Additionally, social media amplification relied on low-quality bot accounts programmed to mimic genuine user behavior by varying posting times and interleaving political content with neutral topics like sports or local weather.

Implications and Recommendations

As Moldova approaches its elections, this campaign underscores the importance of technical collaboration and real-time monitoring to defend democratic institutions from covert influence operations. Silent Push continues to track and mitigate the evolving infrastructure behind the Storm-1679 network, with detailed telemetry available to enterprise customers for proactive defense measures.