Russia-linked cyberespionage group APT29 has been observed staging new malware for attacks likely targeting embassy-related individuals, Recorded Future reports.
Also referred to as Cozy Bear, the Dukes, Nobelium, and Yttrium, APT29 is a Russian advanced persistent threat (APT) group believed to be sponsored by the Russian Foreign Intelligence Service (SVR). It’s also believed to have orchestrated multiple high-profile attacks, including the 2020 SolarWinds attack.
In October 2022, Recorded Future identified new infrastructure and malware that the cyberespionage group likely set up for attacks targeting embassy staff or an ambassador.
A compromised site containing the text “Ambassador’s schedule November 2022” was used as a lure to infect visitors with new malware called GraphicalNeutrino.
The threat, which uses the US-based business automation service Notion for command and control (C&C), is a loader that packs numerous anti-analysis capabilities, including sandbox evasion, API unhooking, and string encryption.
