Russian Cyberspies Target Diplomats With New Malware

Russian cyberespionage group APT29 has been observed using new malware and techniques in phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia, Mandiant reports.

Also known as Cozy Bear, the Dukes, and Yttrium, APT29 is believed to be sponsored by the Russian Foreign Intelligence Service (SVR) and to have orchestrated the 2020 SolarWinds attack that led to hundreds of organizations getting breached.

Reports on APT29’s targeting of diplomatic and political entities – including the 2016 attacks against the Democratic National Committee (DNC) and a November 2018 attempt to infiltrate the DNC – stretch back over half a decade, with some reports tracing the group’s activity to 2013.

Mandiant’s security researchers, who have been tracking extensive APT29 phishing campaigns since early 2021, observed new malware families in attacks carried out in 2022, along with changes to the group’s tooling intended to evade detection.

According to the researchers, who last week formally attributed the SolarWinds attacks to APT29, “the diplomatic-centric targeting of this recent activity is consistent with Russian strategic priorities as well as historic APT29 targeting.”

Mandiant has been tracking APT29’s new phishing campaigns against diplomatic and government entities since mid-January, and says that the observed emails – which masquerade as administrative notices – show close similarities with Nobelium phishing attacks analyzed in 2021.

The emails went to a large number of recipients, likely “primarily publicly listed points of contact of embassy personnel.” They carried the ROOTSAW HTML dropper, which writes an IMG or ISO disk image to disk. Because the image is assembled by script inside the browser rather than fetched from a server (the technique commonly called HTML smuggling), the HTML attachment itself is the artifact defenders need to inspect, not a separate download.
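ROOTSAW itself is not reproduced here. As an added example (not code from the Mandiant report or from the malware), the Python below shows the triage an analyst can run on such an attachment: look for the script calls that assemble a file in the browser, pull out any large base64 blob, and check whether the decoded bytes are an ISO 9660 image by the "CD001" signature at offset 0x8001. The HTML and the minimal ISO it carries are constructed for the demo, and the regex only catches a blob stored as one string literal; real droppers often chunk or obfuscate it.

```python
"""Triage an HTML attachment for the browser-assembled-disk-image pattern.

Added example for this article; not ROOTSAW code and not Mandiant tooling.
"""
import base64
import re

# Script calls commonly seen when a page builds a file client-side and saves it.
SMUGGLING_MARKERS = ("atob(", "new Blob(", "msSaveOrOpenBlob", "createObjectURL", ".download")

# ISO 9660: the primary volume descriptor sits at sector 16 (offset 0x8000);
# byte 0 is the descriptor type and bytes 1-5 are the identifier "CD001".
ISO_SIGNATURE_OFFSET = 0x8001
ISO_SIGNATURE = b"CD001"

# A long base64 run inside a single string literal (chunked or obfuscated blobs need more work).
B64_BLOB_RE = re.compile(r"['\"]([A-Za-z0-9+/]{512,}={0,2})['\"]")


def find_markers(html: str) -> list:
    """Return the smuggling-related script calls present in the page."""
    return [m for m in SMUGGLING_MARKERS if m in html]


def extract_blobs(html: str) -> list:
    """Decode every large base64 literal; skip runs that are not valid base64."""
    blobs = []
    for match in B64_BLOB_RE.finditer(html):
        try:
            blobs.append(base64.b64decode(match.group(1), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def is_iso9660(data: bytes) -> bool:
    """True when the bytes carry the ISO 9660 volume descriptor signature."""
    end = ISO_SIGNATURE_OFFSET + len(ISO_SIGNATURE)
    return data[ISO_SIGNATURE_OFFSET:end] == ISO_SIGNATURE


def triage(html: str) -> dict:
    """Summarise findings; 'suspicious' means script assembles a file AND a blob is present."""
    markers = find_markers(html)
    blobs = extract_blobs(html)
    iso_blobs = [b for b in blobs if is_iso9660(b)]
    return {
        "markers": markers,
        "blob_count": len(blobs),
        "iso_count": len(iso_blobs),
        "blob_sizes": [len(b) for b in blobs],
        "suspicious": bool(markers) and bool(blobs),
    }


def build_sample_html(payload: bytes) -> str:
    """Constructed sample mimicking the smuggling pattern (not real ROOTSAW markup)."""
    b64 = base64.b64encode(payload).decode()
    return f"""<html><body><p>Administrative notice attached.</p>
<script>
var data = atob("{b64}");
var bytes = new Uint8Array(data.length);
for (var i = 0; i < data.length; i++) bytes[i] = data.charCodeAt(i);
var blob = new Blob([bytes], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Notice.iso";
a.click();
</script></body></html>"""


# Constructed minimal ISO: 16 empty sectors, then a primary volume descriptor header.
SAMPLE_ISO = b"\x00" * 0x8000 + b"\x01" + ISO_SIGNATURE + b"\x01" + b"\x00" * 0x100
SAMPLE_HTML = build_sample_html(SAMPLE_ISO)

if __name__ == "__main__":
    print(triage(SAMPLE_HTML))
```

The marker list and the ISO check are deliberately independent: a page that only matches the markers may be a legitimate client-side export, and a blob that decodes to an ISO 9660 image with no script around it is still worth a look. For a different container (an IMG is often a raw FAT image rather than ISO 9660), swap in the matching signature check.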

The attacks employed new downloaders, which Mandiant tracks as BEATDROP and BOOMMIC, and misused legitimate services such as Atlassian’s Trello, Firebase, and Dropbox for command and control (C&C) functionality.

Written in C, BEATDROP uses Trello for C&C and was typically used to deploy a malicious payload onto compromised systems. In February 2022, the attackers stopped using BEATDROP to deliver Cobalt Strike Beacon via a third-party service and switched to a new C++ Beacon dropper.

Typically within minutes of a successful BEATDROP deployment, BOOMMIC (the downloader Microsoft tracks as VaporRage) was used to establish a foothold in the network, achieve persistence, and fetch shellcode payloads that it loads directly into memory.

After establishing access, the attackers were also observed escalating privileges, often gaining Domain Admin access less than 12 hours after initial compromise. APT29 employed several techniques to do so, including abusing misconfigured Active Directory Certificate Services (AD CS) certificate templates to obtain certificates that let them authenticate as administrator accounts.

Next, the group performed extensive reconnaissance – including searching hosts for credentials, such as passwords stored in SYSVOL, the domain share every authenticated user can read – and moved laterally within the environment using Cobalt Strike Beacon and by impersonating privileged users with the maliciously obtained certificates.
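The two preceding paragraphs describe certificate-template abuse without saying which misconfiguration was involved. The most common form, where a template lets the enrollee specify the subject name and the resulting certificate is valid for client authentication (the condition labelled ESC1 in Will Schroeder and Lee Christensen's 2021 "Certified Pre-Owned" research), can be audited from the template's own attributes. The Python below is an added example, not Mandiant's or anyone's published tool. It assumes each template's LDAP attributes have already been read from the Configuration partition (CN=Certificate Templates,CN=Public Key Services,CN=Services,CN=Configuration,...) into a dict, and that the caller has resolved the template's ACL into a list of principals holding the Certificate-Enrollment right, passed here as the hypothetical `enroll_principals` key. The sample templates are constructed.

```python
"""Flag AD CS certificate templates that meet every ESC1 condition.

Added example for this article; not Mandiant or APT29 tooling.
"""

CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT = 0x00000001   # bit in msPKI-Certificate-Name-Flag
CT_FLAG_PEND_ALL_REQUESTS = 0x00000002           # bit in msPKI-Enrollment-Flag (manager approval)

# EKU OIDs that make a certificate usable for domain authentication.
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2",        # Client Authentication
    "1.3.6.1.4.1.311.20.2.2",   # Smart Card Logon
    "1.3.6.1.5.2.3.4",          # PKINIT Client Authentication
    "2.5.29.37.0",              # Any Purpose
}

# Principals whose enrollment right means "any domain account can request this".
LOW_PRIV_PRINCIPALS = {"Domain Users", "Domain Computers", "Authenticated Users", "Everyone"}


def allows_auth(ekus) -> bool:
    """An empty pKIExtendedKeyUsage means all purposes, which includes client auth."""
    return not ekus or bool(set(ekus) & AUTH_EKUS)


def esc1_findings(template: dict) -> list:
    """Return the ESC1 conditions this template satisfies, as human-readable reasons."""
    reasons = []
    if template.get("msPKI-Certificate-Name-Flag", 0) & CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT:
        reasons.append("enrollee supplies subject (SAN can name any principal)")
    if allows_auth(template.get("pKIExtendedKeyUsage", [])):
        reasons.append("EKU permits client authentication")
    if not template.get("msPKI-Enrollment-Flag", 0) & CT_FLAG_PEND_ALL_REQUESTS:
        reasons.append("no manager approval required")
    if template.get("msPKI-RA-Signature", 0) == 0:
        reasons.append("no authorized signatures required")
    # enroll_principals: assumed to be pre-resolved from the ACL by the caller (demo simplification).
    enrollers = set(template.get("enroll_principals", [])) & LOW_PRIV_PRINCIPALS
    if enrollers:
        reasons.append("enrollable by " + ", ".join(sorted(enrollers)))
    return reasons


def is_esc1(template: dict) -> bool:
    """Directly abusable only when all five conditions hold at once."""
    return len(esc1_findings(template)) == 5


def audit(templates: list) -> list:
    """Names of the templates that meet every ESC1 condition."""
    return [t["name"] for t in templates if is_esc1(t)]


SAMPLE_TEMPLATES = [
    {   # Constructed: the classic ESC1 shape
        "name": "VPN-User-Custom",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users"],
    },
    {   # Constructed: same template with manager approval switched on
        "name": "VPN-User-Approved",
        "msPKI-Certificate-Name-Flag": CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT,
        "msPKI-Enrollment-Flag": CT_FLAG_PEND_ALL_REQUESTS,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2"],
        "enroll_principals": ["Domain Users"],
    },
    {   # Constructed: subject built from AD, enrollee-supplies-subject bit clear
        "name": "User-Style",
        "msPKI-Certificate-Name-Flag": 0xA6000000,
        "msPKI-Enrollment-Flag": 0,
        "msPKI-RA-Signature": 0,
        "pKIExtendedKeyUsage": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.5.5.7.3.4"],
        "enroll_principals": ["Domain Users"],
    },
]

if __name__ == "__main__":
    for t in SAMPLE_TEMPLATES:
        print(t["name"], esc1_findings(t))
    print("ESC1:", audit(SAMPLE_TEMPLATES))
```

Only the first sample is reported: the second differs by a single enrollment-flag bit, which is exactly the kind of change that makes a template safe, and the third keeps the subject under the CA's control. This is one of several AD CS misconfigurations; the article does not state which one APT29 used, and a full audit also needs the CA's own settings and the ACLs on the templates and CA objects.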

“Mandiant has observed the group widely using scheduled tasks, run keys, malicious certificates, and in-memory backdoors, in some cases multiple per system. The use of these techniques and tools represents the multiple means by which APT29 attempts to maintain access within an environment,” the researchers note.

The purpose of these attacks, Mandiant believes, is to establish “multiple means of long-term access” to target environments, and to collect diplomatic and foreign policy information from various government entities worldwide.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.