Connect with us

Hi, what are you looking for?



Russian Hackers Use New ‘SkinnyBoy’ Malware in Attacks on Military, Government Orgs

The Russia-linked threat group known as APT28 has been observed using a new backdoor in a series of attacks targeting military and government institutions, researchers with threat intelligence company Cluster25 reveal.

The Russia-linked threat group known as APT28 has been observed using a new backdoor in a series of attacks targeting military and government institutions, researchers with threat intelligence company Cluster25 reveal.

Active since at least 2007 and also tracked as Fancy Bear, Pawn Storm, Sednit, Strontium, and Tsar Team, APT28 is well known for its cyber-espionage operations targeting the 2016 Presidential elections in the United States, but is also associated with attacks on NATO countries and with activities against organizations in the energy and transportation sectors.

APT28, which is believed to be a military unit of Russia’s General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS), mainly focuses on the military, government, and diplomatic sectors, and the newly detailed campaign is no different.

For initial access, the threat actor is known to use tactics such as watering hole attacks, social engineering, zero-day vulnerabilities, and stolen credentials, followed by the deployment of tools and malware that allow it to achieve persistence and gain access to information of interest.

While the tactics observed in this campaign were no different from previous attacks, what stood out was the use of a new backdoor that Cluster25’s researchers have dubbed SkinnyBoy. The implant is fully operational and functional, but lacks the sophistication expected from a nation-state tool, likely in an effort to hinder attribution.

“With great probability, considering the group’s capabilities, the tactic of significantly lowering these levels becomes functional with an attempt to make any attribution effort more complex,” Cluster25 researchers note.

In another attempt to hide their tracks, the adversary employed commercial VPN services to purchase and manage the infrastructure used in this campaign.

Advertisement. Scroll to continue reading.

The attacks would start with spear-phishing emails delivering a Word document carrying malicious macros that extract a DLL designed to fetch the SkinnyBoy dropper, which achieves persistence and downloads all the components for the next stage.

To evade detection, the dropper does not execute the downloaded payloads. Instead, it creates the persistence mechanism necessary to execute them later: a LNK file is placed in the Windows Startup folder. When executed, the payload acts as the backdoor’s launcher.

The SkinnyBoy implant was designed to exfiltrate information from the infected system, as well as to fetch and run directly in memory the final payload, “which probably exhibits typical backdoor behaviors,” Cluster25 notes.

“After a period of observation of the described threat and an in-depth analysis of the identified victimology, Cluster25 team attributes the SkinnyBoy implant and the related attack to Russian group known as APT28/FancyBear with a mid-to-high confidence,” the researchers conclude.

Related: The Drovorub Mystery: Malware NSA Warned About Can’t Be Found

Related: Russian Military Hackers Targeted Credentials at Hundreds of Organizations in US, UK

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.


The war in Ukraine is the first major conflagration between two technologically advanced powers in the age of cyber. It prompts us to question...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...