Russian Cyberspies Target Diplomats With New Malware

Russian cyberespionage group APT29 has been observed using new malware and techniques in phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia, Mandiant reports.

Also known as Cozy Bear, the Dukes, and Yttrium, APT29 is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack that led to hundreds of organizations getting breached.

Reports on APT29’s targeting of diplomatic entities – including the 2016 attacks against the Democratic National Committee (DNC) and a November 2018 attempt to infiltrate the DNC – stretch back more than half a decade, with some reports tracing the group’s activity as far back as 2013.

Mandiant’s security researchers, who have been tracking extensive APT29 phishing campaigns since early 2021, observed new malware families in attacks carried out in 2022, along with changes to the group’s tooling aimed at evading detection.

According to the researchers, who last week officially attributed the SolarWinds attacks to APT29, “the diplomatic-centric targeting of this recent activity is consistent with Russian strategic priorities as well as historic APT29 targeting.”

Mandiant has been tracking APT29’s new phishing campaigns against diplomatic and government entities since mid-January, and says that the observed emails – which masquerade as administrative notices – show close similarities with Nobelium phishing attacks analyzed in 2021.

The emails targeted a large number of recipients, likely “primarily publicly listed points of contact of embassy personnel.” The malicious messages carried the ROOTSAW HTML dropper, which would write an IMG or ISO file to disk.
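The delivery chain described here (an HTML dropper writing an IMG or ISO to disk, which the recipient then mounts and runs from) can be spotted by correlating endpoint telemetry. The following is an added detection example, not code from the article or from Mandiant; it assumes Sysmon-style fields (EventID 11 FileCreate, EventID 1 ProcessCreate) and uses constructed sample events.

```python
"""Flag a browser writing an .iso/.img file, followed within a short window by a
process on the same host whose command line references a different drive letter
(a mounted image gets its own letter). Events below are constructed samples."""
import re
from datetime import datetime, timedelta

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
IMAGE_EXT = (".iso", ".img")
WINDOW = timedelta(minutes=10)
DRIVE_RE = re.compile(r"\b([A-Za-z]):\\")   # drive letters in a command line

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _exe(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_image_drop_chains(events):
    """Return (dropped_file, command_line) pairs worth an analyst's attention."""
    hits = []
    for d in events:
        if d["EventID"] != 11 or _exe(d["Image"]) not in BROWSERS:
            continue
        if not d["TargetFilename"].lower().endswith(IMAGE_EXT):
            continue
        drop_drive = d["TargetFilename"][0].upper()
        t0 = _ts(d["UtcTime"])
        for e in events:
            if e["EventID"] != 1 or e["Host"] != d["Host"]:
                continue
            if not t0 <= _ts(e["UtcTime"]) <= t0 + WINDOW:
                continue
            drives = {m.upper() for m in DRIVE_RE.findall(e["CommandLine"])}
            if drives - {drop_drive}:   # something ran from another volume
                hits.append((d["TargetFilename"], e["CommandLine"]))
    return hits

CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Host": "WS01", "EventID": 11, "UtcTime": "2022-04-20 09:00:00", "Image": CHROME,
     "TargetFilename": r"C:\Users\alice\Downloads\agenda.pdf"},
    {"Host": "WS01", "EventID": 1, "UtcTime": "2022-04-20 09:00:30", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"C:\Windows\System32\notepad.exe C:\Users\alice\notes.txt"},
    {"Host": "WS01", "EventID": 11, "UtcTime": "2022-04-20 09:05:10", "Image": CHROME,
     "TargetFilename": r"C:\Users\alice\Downloads\Embassy-Notice.iso"},
    {"Host": "WS01", "EventID": 1, "UtcTime": "2022-04-20 09:06:02", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe D:\Notice.dll,Start"},
]

if __name__ == "__main__":
    for dropped, cmd in find_image_drop_chains(SAMPLE_EVENTS):
        print(f"ALERT: {dropped} -> {cmd}")
```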

The attacks employed new downloaders, which Mandiant tracks as BEATDROP and BOOMMIC, and misused legitimate services such as Atlassian’s Trello, Firebase, and Dropbox for command and control (C&C) functionality.

Written in C, BEATDROP uses Trello for C&C, and was typically used to deploy a malicious payload onto the compromised systems. In February 2022, the attackers switched from using BEATDROP for the delivery of Cobalt Strike Beacon via a third-party service to employing a novel C++ Beacon dropper.

Typically, within minutes after a successful BEATDROP deployment, BOOMMIC (also known as VaporRage) was used to establish a foothold within the network, achieve persistence, and fetch shellcode payloads and load them into memory.

After establishing access, the attackers were also observed attempting to escalate privileges, often gaining Domain Admin access less than 12 hours after initial compromise. APT29 would employ multiple techniques to escalate privileges, including exploiting misconfigured certificate templates to impersonate administrator users.

Next, the group would perform extensive reconnaissance – including searching hosts for credentials, such as passwords stored in SYSVOL – and move laterally within the environment, using Cobalt Strike Beacon and impersonating privileged users (via malicious certificates).

“Mandiant has observed the group widely using scheduled tasks, run keys, malicious certificates, and in-memory backdoors, in some cases multiple per system. The use of these techniques and tools represents the multiple means by which APT29 attempts to maintain access within an environment,” the researchers note.
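The "multiple per system" observation suggests a simple hunting heuristic: count distinct persistence mechanisms per host rather than alerting on each one alone. This is an added example, not the article's or Mandiant's code; it assumes Sysmon-style events (EventID 13 registry value set, EventID 1 process creation), covers the run-key and scheduled-task mechanisms named above, and uses constructed sample events.

```python
"""Group persistence indicators per host from constructed Sysmon-style events
and return the hosts showing more than one mechanism."""
import re
from collections import defaultdict

# Run and RunOnce keys under HKLM or HKU (Sysmon EventID 13 TargetObject)
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)

def classify(event):
    """Return a persistence label for one event, or None if it is not one."""
    if event["EventID"] == 13 and RUN_KEY_RE.search(event["TargetObject"]):
        return "run_key"
    if event["EventID"] == 1:
        exe = event["Image"].rsplit("\\", 1)[-1].lower()
        if exe == "schtasks.exe" and "/create" in event["CommandLine"].lower():
            return "scheduled_task"
    return None

def persistence_by_host(events):
    """Map host -> sorted list of distinct persistence mechanisms seen."""
    found = defaultdict(set)
    for e in events:
        label = classify(e)
        if label:
            found[e["Host"]].add(label)
    return {h: sorted(s) for h, s in found.items()}

def hosts_with_multiple(events):
    """Hosts where two or more different mechanisms were established."""
    return sorted(h for h, s in persistence_by_host(events).items() if len(s) > 1)

SCHTASKS = r"C:\Windows\System32\schtasks.exe"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"Host": "WS01", "EventID": 13,
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"Host": "WS01", "EventID": 1, "Image": SCHTASKS,
     "CommandLine": r'schtasks.exe /create /tn "Sync" /tr C:\Users\Public\s.exe /sc minute'},
    {"Host": "WS02", "EventID": 1, "Image": SCHTASKS,
     "CommandLine": "schtasks.exe /query /fo list"},        # benign query, not creation
    {"Host": "WS03", "EventID": 13,
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce\Setup"},
]

if __name__ == "__main__":
    for host in hosts_with_multiple(SAMPLE_EVENTS):
        print(f"{host}: {persistence_by_host(SAMPLE_EVENTS)[host]}")
```

Allowlisting of known-good run-key values and task names is left to the operator; the heuristic is meant to prioritise, not to replace per-event alerts.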

The purpose of these attacks, Mandiant believes, is to establish “multiple means of long-term access” to target environments, and to collect diplomatic and foreign policy information from various government entities worldwide.

Related: Defending Your Business Against Russian Cyberwarfare

Related: New ‘Cyclops Blink’ Malware Linked to Russian State Hackers Targets Firewalls

Related: CISA-FBI Alert: 350 Organizations Targeted in Attack Abusing Email Marketing Service

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
