Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks



Aug 17, 2023THNCyber Espionage / Malware

An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors.

The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke, which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes).

“The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic,” Dutch cybersecurity company EclecticIQ said in an analysis last week.

The infection sequence is as follows: The PDF attachment, named “Farewell to Ambassador of Germany,” comes embedded with JavaScript code that initiates a multi-stage process to drop the malware.

APT29’s use of invitation themes has been previously reported by Lab52, which documented an attack that impersonates the Norwegian embassy to deliver a DLL payload that’s capable of contacting a remote server to fetch additional payloads.

The use of the domain “bahamas.gov[.]bs” in both intrusion sets further solidifies this link.

Should a potential target succumb to the phishing trap by opening the PDF file, a malicious HTML dropper called Invitation_Farewell_DE_EMB is launched to execute JavaScript that drops a ZIP archive file, which, in turn, packs in an HTML Application (HTA) file designed to deploy the Duke malware.
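The chain above begins with a PDF whose embedded JavaScript runs as soon as the document is opened, and the payload is carried as an embedded file. As an added example (not code from the article or from EclecticIQ's analysis), the Python below performs the static triage a mail gateway or analyst would run on such an attachment: it inflates FlateDecode streams so dictionaries hidden in compressed objects are visible, resolves hex-escaped PDF names (`/J#61vaScript` is `/JavaScript`), and counts the name objects that together spell "run a script on open and drop an embedded file". The sample PDF it builds is constructed for the demonstration and is not the lure the article describes.

```python
import re
import zlib
from typing import Dict, List

# PDF name objects whose presence warrants closer inspection. None is proof of
# malice on its own (interactive forms use /JS legitimately); the combination
# matters: an action that fires on open, running JavaScript, plus an embedded
# file to drop.
RISKY_NAMES: Dict[str, str] = {
    "/OpenAction": "action executed automatically when the document opens",
    "/AA": "additional actions bound to page or form events",
    "/JavaScript": "JavaScript action dictionary",
    "/JS": "JavaScript source string or stream",
    "/EmbeddedFile": "embedded file stream (e.g. a dropped HTML or ZIP)",
    "/Launch": "launch action that starts an external program",
}

_NAME_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")
# (?<!end) keeps "endstream" from being mistaken for the start of a stream.
_STREAM = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def inflate_streams(data: bytes) -> List[bytes]:
    """Return the plaintext of every stream that inflates as zlib/FlateDecode.
    Compressed object streams are the usual place for dictionaries to hide."""
    out: List[bytes] = []
    for m in _STREAM.finditer(data):
        try:
            out.append(zlib.decompress(m.group(1)))
        except zlib.error:
            continue  # not Flate-compressed, or empty
    return out


def normalize_names(data: bytes) -> bytes:
    """Resolve '#xx' hex escapes so '/J#61vaScript' compares as '/JavaScript'."""
    return _NAME_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), data)


def triage_pdf(data: bytes) -> Dict[str, int]:
    """Count risky name objects across the raw file and its inflated streams."""
    buffers = [normalize_names(data)] + [normalize_names(s) for s in inflate_streams(data)]
    hits: Dict[str, int] = {}
    for name in RISKY_NAMES:
        # A PDF name ends at a delimiter, so /JS must not match /JSomething.
        pattern = re.compile(re.escape(name.encode()) + rb"(?![A-Za-z0-9_])")
        count = sum(len(pattern.findall(buf)) for buf in buffers)
        if count:
            hits[name] = count
    return hits


def is_suspicious(hits: Dict[str, int]) -> bool:
    """An auto-run trigger combined with script or launch capability."""
    trigger = "/OpenAction" in hits or "/AA" in hits
    payload = any(n in hits for n in ("/JavaScript", "/JS", "/Launch"))
    return trigger and payload


def build_sample_pdf() -> bytes:
    """Constructed sample (not a real lure): auto-run JavaScript whose source is
    Flate-compressed and whose action type uses a hex-escaped name, plus an
    empty embedded-file object."""
    script = zlib.compress(b"/* constructed sample script */ app.alert('hello');")
    return b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n",
        b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n",
        b"3 0 obj << /Type /Page /Parent 2 0 R >> endobj\n",
        b"4 0 obj << /S /J#61vaScript /JS 5 0 R >> endobj\n",
        b"5 0 obj << /Length %d /Filter /FlateDecode >>\nstream\n" % len(script),
        script,
        b"\nendstream\nendobj\n",
        b"6 0 obj << /Type /EmbeddedFile /Length 0 >>\nstream\n\nendstream\nendobj\n",
        b"trailer << /Root 1 0 R >>\n%EOF\n",
    ])


if __name__ == "__main__":
    found = triage_pdf(build_sample_pdf())
    for name, n in found.items():
        print(f"{name:<14} x{n}  {RISKY_NAMES[name]}")
    print("suspicious:", is_suspicious(found))
```

Scanning the inflated streams matters: a file whose catalogue and action dictionaries all sit inside a compressed object stream shows no `/OpenAction` or `/JS` at all to a plain `grep`, while the escape normalisation defeats the cheapest way of splitting those names apart.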

Command-and-control is facilitated by making use of Zulip’s API to send victim details to an actor-controlled chat room (toyy.zulipchat[.]com) as well as to remotely commandeer the compromised hosts.

EclecticIQ said it identified a second PDF file, likely used by APT29 for reconnaissance or for testing purposes.

“It did not contain a payload, but notified the actor if a victim opened the email attachment by receiving a notification through a compromised domain edenparkweddings[.]com,” the researchers said.

It’s worth noting that the abuse of Zulip is par for the course with the state-sponsored group, which has a track record of leveraging a wide array of legitimate internet services such as Google Drive, Microsoft OneDrive, Dropbox, Notion, Firebase, and Trello for C2.
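The defensive problem with C2 over legitimate services is that the destination itself looks benign, so detection has to key on which tenant is contacted and how the client behaves. As an added example (not code from the article or from EclecticIQ's report), the Python below runs over a constructed proxy-log excerpt and flags clients using the Zulip REST API (`/api/v1/register`, `/api/v1/events`, `/api/v1/messages`) against a tenant outside an assumed allowlist, then scores the request cadence for the machine-regular timing of a polling implant. The tenant `toyy.zulipchat.com` is the one named in the article; the other hostnames, client IPs, timestamps and the allowlist are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed proxy log excerpt (not from the article or EclecticIQ's report).
# Fields: ISO-8601 time, client IP, method, host, path, HTTP status.
SAMPLE_LOG = """\
2023-08-10T09:00:00Z 10.20.3.41 POST toyy.zulipchat.com /api/v1/register 200
2023-08-10T09:00:30Z 10.20.3.41 GET toyy.zulipchat.com /api/v1/events 200
2023-08-10T09:01:00Z 10.20.3.41 GET toyy.zulipchat.com /api/v1/events 200
2023-08-10T09:01:30Z 10.20.3.41 POST toyy.zulipchat.com /api/v1/messages 200
2023-08-10T09:02:00Z 10.20.3.41 GET toyy.zulipchat.com /api/v1/events 200
2023-08-10T09:02:30Z 10.20.3.41 GET toyy.zulipchat.com /api/v1/events 200
2023-08-10T09:00:05Z 10.20.7.12 GET corp-team.zulipchat.com /api/v1/events 200
2023-08-10T09:00:07Z 10.20.7.12 POST corp-team.zulipchat.com /api/v1/messages 200
2023-08-10T09:04:41Z 10.20.7.12 GET corp-team.zulipchat.com /api/v1/events 200
2023-08-10T09:05:02Z 10.20.7.12 GET corp-team.zulipchat.com /api/v1/events 200
2023-08-10T09:01:12Z 10.20.9.77 GET www.example.com /index.html 200
"""

# Assumption: the organisation's own Zulip tenant. Any other tenant is
# unexpected for a corporate endpoint and gets scored.
SANCTIONED_ZULIP_HOSTS = {"corp-team.zulipchat.com"}

ZULIP_HOST = re.compile(r"(?:^|\.)zulipchat\.com$")
# The REST endpoints a bot client needs: register an event queue, poll it, post messages.
ZULIP_API = re.compile(r"^/api/v1/(?:register|events|messages)(?:[/?]|$)")

Finding = Dict[str, object]


def parse_line(line: str):
    ts, ip, method, host, path, status = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, method, host, path, int(status)


def find_unsanctioned_zulip_clients(
    log: str, min_requests: int = 4, max_cv: float = 0.25
) -> Dict[Tuple[str, str], Finding]:
    """Group Zulip API requests by (client, tenant), drop sanctioned tenants and
    score request timing. A low coefficient of variation in the inter-request
    gaps is the regular cadence of a polling implant, not of a person chatting."""
    per_pair: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for line in log.strip().splitlines():
        ts, ip, _method, host, path, _status = parse_line(line)
        if ZULIP_HOST.search(host) and ZULIP_API.match(path) and host not in SANCTIONED_ZULIP_HOSTS:
            per_pair[(ip, host)].append(ts)

    findings: Dict[Tuple[str, str], Finding] = {}
    for key, times in per_pair.items():
        if len(times) < min_requests:
            continue  # too few requests to say anything about cadence
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else 0.0
        findings[key] = {
            "requests": len(times),
            "mean_gap_s": avg,
            "cv": round(cv, 3),
            "beacon_like": cv <= max_cv,
        }
    return findings


if __name__ == "__main__":
    for (ip, host), detail in find_unsanctioned_zulip_clients(SAMPLE_LOG).items():
        print(f"{ip} -> {host}: {detail}")
```

The allowlist is the first filter, not the only one: even an unsanctioned tenant may be someone's personal chat, which is why the cadence score is reported alongside the count and the final call is left to the analyst. Hosts falling below `min_requests` are simply not scored, so a single curious visit to a Zulip tenant does not page anyone.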

APT29’s primary targets are governments and government subcontractors, political organizations, research firms, and critical industries in the U.S. and Europe. But in an interesting twist, an unknown adversary has been observed employing its tactics to breach Chinese-speaking users with Cobalt Strike.

The development comes as the Computer Emergency Response Team of Ukraine (CERT-UA) warned of a new set of phishing attacks against state organizations of Ukraine using a Go-based open-source post-exploitation toolkit called Merlin. The activity is being tracked under the moniker UAC-0154.

The war-torn country has also faced sustained cyber assaults from Sandworm, an elite hacking unit affiliated with Russian military intelligence, primarily intended to disrupt critical operations and gather intelligence to gain a strategic advantage.

According to a recent report from the Security Service of Ukraine (SBU), the threat actor is said to have unsuccessfully attempted to gain unauthorized access to Android tablets possessed by Ukrainian military personnel for planning and performing combat missions.

“The capture of devices on the battlefield, their detailed examination, and the use of available access, and software became the primary vector for the initial access and malware distribution,” the security agency said.

Some of the malware strains include NETD to ensure persistence, DROPBEAR to establish remote access, STL to gather data from the Starlink satellite system, DEBLIND to exfiltrate data, and the Mirai botnet malware. Also used in the attacks is a TOR hidden service to access the device on the local network via the Internet.
