
ProjectRelic – Threat Actor Profile

1. Overview

ProjectRelic is a relatively unknown threat actor that has been observed conducting cyber operations against small to mid-sized organisations, primarily in Europe. The group is characterised by its use of repurposed tooling, low-profile infrastructure, and a minimalist approach to command and control. Its operations suggest a mix of reconnaissance, credential harvesting, and quiet data exfiltration.

Although not widely publicised, ProjectRelic has appeared in multiple threat intelligence datasets under different aliases, often in connection with attacks on research institutions, public sector platforms, and third-party service providers. The group’s lack of overt political messaging, financial demands, or high-profile leaks makes its motives difficult to define, though espionage and staging for later access are plausible explanations.


2. Origin and Evolution

ProjectRelic has been active since at least 2021, with increased activity noted in 2023 and early 2024. It first appeared in open-source intelligence reporting as an unattributed cluster of activity targeting European academic and civil sector entities. The name ProjectRelic was later adopted by researchers to describe the actor’s consistent use of a lightweight toolkit known as RelicLoader.

The group tends to focus on organisations that handle sensitive but non-classified data. It rarely targets large enterprises or high-value geopolitical assets directly, but instead seems to exploit low-complexity vulnerabilities to maintain footholds in peripheral networks.

ProjectRelic is likely a small, specialised team or subcontracted operation, potentially acting as an initial access provider or data broker.


3. Tactics, Techniques, and Procedures (TTPs)

ProjectRelic demonstrates an interest in stealth, persistence, and minimal on-host impact. Common tactics include:

  • Initial access
    Exploitation of outdated CMS platforms, misconfigured VPNs, and exposed web services (T1190). Targets are typically identified beforehand with fingerprinting tools such as WhatWeb and internet-wide scan data from Shodan.
  • Credential harvesting
    Deploys phishing pages impersonating university portals, public procurement sites, or small government services (T1566.002). May also use browser-based keyloggers (T1056.001) or theft of session cookies and tokens (T1539) to bypass password-only controls.
  • Custom loaders
    Uses a lightweight binary named RelicLoader, which acts as a dropper for remote access tools or passive information collectors. These tools are typically unsigned and obfuscated but not heavily encrypted.
  • Data staging and exfiltration
    Compresses collected documents into archives (T1560) and exports them either over the existing HTTP POST command and control channel (T1041) or over plain FTP (T1048.003), targeting research data, internal communications, and configuration files.
  • Infrastructure
    Command and control servers are short-lived, with domain names mimicking legitimate services. The group often reuses bulletproof-hosted VPS infrastructure and operates over low-bandwidth C2 channels, which keeps beaconing traffic small and easy to miss among ordinary web requests.

4. Targeting Profile

ProjectRelic focuses on mid-tier organisations with weaker perimeter defences but access to valuable internal data. Frequent targets include:

  • Public sector websites and document portals
  • Academic institutions and university research networks
  • Regional think tanks and policy advisory bodies
  • Civil infrastructure providers (transport, water, energy)
  • Legal and procurement platforms affiliated with public contracts

The UK has been indirectly affected by ProjectRelic operations, particularly through universities, local government subcontractors, and European research consortiums with UK-based partners.


5. Notable Campaigns and Victims

Due to its quiet operational style, ProjectRelic is rarely identified in the immediate aftermath of an intrusion. However, retrospective analysis has linked the group to:

  • The compromise of a Central European city council intranet site in 2022
  • Exfiltration of data from a UK-EU academic collaboration on environmental risk
  • Repeated access to a public procurement archive in Southern Europe
  • A credential harvesting campaign against .edu and .gov email accounts across Western Europe

In most cases, data was not leaked or monetised openly, further suggesting espionage or credential resale as the objective.


6. Technical Indicators

While ProjectRelic rotates infrastructure quickly, common indicators include:

  • Domains resembling academic resources or public services (e.g., docs-public[.]org, secure-bid[.]net)
  • Use of base64-encoded commands and small C2 payloads via HTTP POST
  • File hashes related to RelicLoader binaries, which have low detection rates on public antivirus services
  • Credential phishing kits with minimal visual styling, designed for speed over quality
  • FTP traffic from servers operating in unlisted data centres in Eastern Europe

Indicator updates are maintained by UK Cyber Defence Ltd for subscribers monitoring low-profile threat actors.


7. Defensive Measures and Recommendations

To reduce exposure to ProjectRelic activity:

  • Monitor for suspicious outbound FTP or HTTP POST traffic from internal hosts
  • Audit authentication logs for abnormal login attempts across public-facing services
  • Patch CMS platforms, webmail portals, and legacy access tools
  • Apply multi-factor authentication across all remote services and academic portals
  • Scan for RelicLoader and similar low-sophistication loaders using YARA and memory analysis
  • Maintain internal segmentation for research, legal, and administrative data repositories
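The first two recommendations above, together with the indicators listed in section 6, translate directly into an egress-log triage job. The script below is an added example written for this page, not tooling from UK Cyber Defence Ltd or from any vendor: it refangs the defanged indicator domains, flags outbound FTP from internal hosts to external destinations, and flags small HTTP POST bodies that are a single clean base64 token, counting repeated POSTs from one host to one destination as a possible beacon. The log format (timestamp, source IP, destination host, port, method, path, bytes out, body preview) and every log line are constructed for the example; adapt the parser to your proxy or firewall's own field layout.

```python
"""Egress-log triage for the ProjectRelic patterns described in this profile.

Added example, not vendor code. The log format and all sample records below
are constructed for illustration; the indicator domains are the defanged
examples given in section 6 of the profile.
"""

import base64
import binascii
import ipaddress
import re
from collections import Counter

# Defanged indicator domains exactly as they appear in section 6.
DEFANGED_INDICATORS = ["docs-public[.]org", "secure-bid[.]net"]

# RFC 1918 ranges; extend with your own internal address space.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("172.16.0.0/12"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample log (not real telemetry). Fields:
# ts src_ip dst_host dst_port method path bytes_out body_preview
_B64_CMD = base64.b64encode(b"whoami && hostname && ipconfig").decode()
SAMPLE_LOG = f"""\
2025-04-02T09:14:03Z 10.20.4.17 docs-public.org 443 POST /api/sync 412 {_B64_CMD}
2025-04-02T09:14:55Z 10.20.4.17 docs-public.org 443 POST /api/sync 388 {_B64_CMD}
2025-04-02T09:15:10Z 10.20.4.22 www.example-university.ac.uk 443 GET /library 0 -
2025-04-02T09:16:41Z 10.20.7.8 203.0.113.44 21 FTP - 0 -
2025-04-02T09:17:02Z 10.20.4.22 cdn.example.com 443 POST /upload 20480 name=slides.pptx
2025-04-02T09:18:30Z 10.20.4.17 secure-bid.net 80 POST /gate.php 256 {_B64_CMD}
"""

_B64_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def refang(domain: str) -> str:
    """Turn a defanged indicator such as docs-public[.]org back into a hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").lower()


def is_internal(ip: str) -> bool:
    """True if the string is an IP address inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostnames are by definition not internal IPs here
        return False
    return any(addr in net for net in INTERNAL_NETS)


def looks_base64(body: str) -> bool:
    """True when the body preview is one clean base64 token of 16+ characters."""
    if not _B64_RE.fullmatch(body) or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
    except binascii.Error:
        return False
    return True


def parse_line(line: str):
    """Parse one constructed log record; return None for malformed lines."""
    parts = line.split(maxsplit=7)
    if len(parts) < 8:
        return None
    ts, src, dst, port, method, path, size, body = parts
    return {"ts": ts, "src": src, "dst": dst.lower(), "port": int(port),
            "method": method, "path": path, "bytes": int(size), "body": body}


def analyze(log_text: str, defanged_indicators=DEFANGED_INDICATORS,
            beacon_threshold: int = 2):
    """Return (finding_type, src_ip, destination) tuples for suspicious records."""
    iocs = {refang(d) for d in defanged_indicators}
    findings = []
    small_posts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_internal(rec["src"]):
            continue
        # Direct match against the profile's indicator domains.
        if rec["dst"] in iocs:
            findings.append(("ioc_match", rec["src"], rec["dst"]))
        # Outbound FTP (T1048.003); internal-to-internal FTP is left alone.
        if (rec["port"] == 21 or rec["method"] == "FTP") and not is_internal(rec["dst"]):
            findings.append(("outbound_ftp", rec["src"], rec["dst"]))
        # Small base64-bodied POSTs are the low-bandwidth C2 pattern (T1041).
        if rec["method"] == "POST" and rec["bytes"] <= 1024 and looks_base64(rec["body"]):
            findings.append(("b64_post", rec["src"], rec["dst"]))
            small_posts[(rec["src"], rec["dst"])] += 1
    # Repeated small POSTs from one host to one destination suggest beaconing.
    for (src, dst), n in small_posts.items():
        if n >= beacon_threshold:
            findings.append(("repeated_b64_post", src, dst))
    return findings


if __name__ == "__main__":
    for kind, src, dst in analyze(SAMPLE_LOG):
        print(f"{kind:18} {src:14} -> {dst}")
```

The size threshold and the beacon count are deliberately loose starting points; tune them against a baseline of your own proxy logs before alerting on them, since legitimate telemetry agents also send small, periodic POSTs.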

Organisations in academic and public sector networks should treat this actor as a credible long-term threat, even in the absence of immediate financial or destructive impact.


8. Attribution and Alliances

There is no confirmed attribution for ProjectRelic. Its operational footprint and infrastructure suggest it could be operating from Eastern Europe or the Middle East. Some researchers speculate that ProjectRelic may be linked to a private contractor or proxy group acting on behalf of a larger state-sponsored threat actor.

No clear alliances have been established with known ransomware groups, hacktivist entities, or nation-state operations, though the group’s methods overlap slightly with those used by older APTs such as APT33 and APT34.


9. Conclusion

ProjectRelic is a quiet and persistent threat actor operating below the radar of most conventional cyber defence frameworks. Its focus on credential harvesting, peripheral networks, and data staging suggests it is either an initial access facilitator or a niche espionage operation. While the group lacks the destructive capabilities of ransomware collectives, its ability to access sensitive data through low-complexity vectors makes it a long-term risk.

UK institutions involved in research, local governance, and public-private partnerships should prioritise monitoring for signs of ProjectRelic activity and harden the services most commonly targeted in its campaigns.


Author:
Threat Intelligence Team, UK Cyber Defence Ltd
All intelligence current as of May 2025
