Redazione RHC : 13 July 2025 12:02
Author: Gianluca Tiepolo
APT29 is a highly sophisticated Advanced Persistent Threat (APT) group that has been attributed to Russia’s Foreign Intelligence Service (SVR). The group has been active since at least 2008 and has been involved in a wide range of espionage campaigns and cyber attacks against governments, organizations, militaries, defense contractors, and various industries in the United States, Europe, and Asia. The group is also tracked as Cozy Bear (CrowdStrike), The Dukes (Kaspersky), JACKMACKEREL (iDefense), BlueBravo (Recorded Future) and UNC2452 (FireEye).
The group is known for its subtle and sophisticated craft in stealing geopolitical information: unlike other Russian state-sponsored groups such as APT28 or Sandworm, APT29 has not been linked to disruptive operations and operates much more discreetly.
The group has been attributed to a number of high-profile cyberattacks, including:
In May 2021, it was revealed that APT29 was responsible for a large-scale cyberattack on multiple U.S. government agencies and private companies, including Microsoft. The group used a compromised email marketing system to send spear-phishing emails to over 3,000 individual accounts, installing a backdoor that allowed attackers to access victims’ networks. The group has also been linked to other significant cyberattacks, including the theft of COVID-19 research from US-based pharmaceutical companies.
Overall, APT29 is one of the most sophisticated and well-resourced APT groups in the world, and its TTPs are constantly evolving and changing.
APT29 is known for its patient and persistent targeting of its victims, often using multi-stage attacks that take weeks or even months to complete. Below is a list of the group’s most notable TTPs:
In this particular research, I focused on analyzing APT29’s command and control capabilities.
This threat group has a history of using trusted and legitimate cloud services (such as social media services and Google Drive) for their cyberattacks in an attempt to blend into normal network traffic and evade detection. The malware distributed by APT29 also contains data exfiltration capabilities over those same C2 channels. For example:
APT29 has also used custom encryption methods, such as those found in the group’s SeaDuke malware, where a unique fingerprint was generated for the infected host and Base64 encoding and RC4/AES encryption were layered over the data exchanged with its C2 server. The group has also used techniques such as “domain fronting” and TOR obfuscation plug-ins to create encrypted network tunnels.
Using social networks for C2 communications is not an entirely new technique: other Russian groups such as Turla (Venomous Bear) have exploited comments posted on Instagram to obtain the address of their command and control servers.
APT29 was first detected using Twitter to control infected machines as early as 2015: in the HAMMERTOSS campaign, the group was able to receive commands and send stolen data through the popular social network, which allowed them to evade detection by security solutions that did not monitor social media traffic.
In a more recent campaign, from June 2021, APT29 targeted Italian diplomatic organizations with a spear-phishing campaign that distributed the EnvyScout backdoor.
The backdoor first calls a function to create a custom Slack channel, adding the attacker’s user ID to the newly created channel. The backdoor obtains the username and hostname of the victim host, adds 4 random numbers to form the channel name, and sends an HTTP request with an authorization token to the Slack API.
After the channel is established, the backdoor enters an infinite loop: it uses the “chat.postMessage” API request to send a beacon message to the newly created channel and receives a response with a list of additional files and payloads that are downloaded and executed on the target machine.
In mid-January 2022, APT29 launched another spear-phishing campaign against a diplomatic entity, which was detected and remediated by Mandiant. During the investigation, Mandiant discovered that malicious emails were used to distribute the BEATDROP downloader and BOOMMIC.
BEATDROP is a downloader written in C that leverages Trello for Command-and-Control (C2) communication. Trello is a web-based project management application that allows users to organize tasks and projects using customizable cards, lists, and tabs.
When executed, BEATDROP maps its own copy of ntdll.dll in memory to execute shellcode in its own process. It creates a suspended thread, then enumerates the system for the username, computer name, and IP address to create a victim ID. This victim ID is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP sends an initial request to Trello to determine whether the current victim has already been compromised. The shellcode payload, which is tailored to each victim, is then retrieved from Trello. Once the payload has been retrieved, it is deleted from Trello.
In October 2022, ESET Research discovered a sample uploaded to VirusTotal that closely resembled the one APT29 had used a few months earlier, with the key difference being that it used Notion, a cloud-based note-taking platform, for Command-and-Control (C&C) communications.
The Notion API for C2 communications can be abused by embedding commands in the Notion workspace, which the malware accesses as if it were a legitimate user. This misuse of Notion allows threat actors to evade detection and bypass security controls, as traffic between the malware and the Notion server is likely to be perceived as legitimate traffic.
ESET researchers suspect that the downloader distributed in this particular campaign was designed to retrieve and execute additional malicious payloads, such as Cobalt Strike. The campaign was analyzed in more detail by researchers at Hive Pro and Recorded Future, who identify the sample as the GraphicalNeutrino malware.
According to Recorded Future, APT29 used a compromised website with a decoy text of “Ambassador Program November 2022” to distribute the ZIP file “programma.zip”, suggesting that the campaign’s targets are related to embassy staff or an ambassador. GraphicalNeutrino, the malware used in the operation, acts as a loader with basic C2 functionality and employs various anti-analysis techniques to avoid detection, including API unhooking and sandbox evasion.
After establishing persistence, the malware decrypts several strings, including a Notion API key and a database identifier, and calculates a unique ID for the victim based on the username and hostname. It then uses the Notion API for C2 communication and to deliver additional payloads to the victim’s machine.
For each request to the C2, GraphicalNeutrino parses the JSON response and looks for a “file” array. If the array is not empty, the malware parses the URL field, downloads the file and decrypts it using a custom cipher. Once decrypted, the shellcode is executed indirectly in a new thread.
The use of diplomatic lures during periods of heightened geopolitical tension, such as the ongoing war in Ukraine, is likely to be effective for Russian APT groups, given the potential impact that information gathered from compromised entities or individuals can have on Russian foreign policy and strategic decision-making. It is perhaps for this reason that APT29 adopted the same tactics, specifically stealthy C2 communication via Notion, for its next major campaign, this time targeting the European Commission.
In this final section of the blog post, I am analyzing a previously unknown campaign attributed to APT29 that targeted the European Commission. Hopefully, the previous introduction to the group’s TTPs and campaigns is beneficial to the reader, as this attack shares some similarities with the GraphicalNeutrino campaign that was exposed by Recorded Future.
Starting in mid-February 2023, a spear-phishing campaign targeted a number of email addresses belonging to members of the European Commission. The attack involved the distribution of a malicious .iso image file that contained a new sample of the VaporRage downloader. Once executed, the malware was observed leveraging the Notion API to deploy Cobalt Strike beacons.
The first phishing email, sent on February 13, 2023, was disguised as an administrative notice regarding documents available for download from eTrustEx, a web-based exchange platform that ensures the secure transmission of documents between Commission members. The decoy emails were written in English and were delivered to a highly targeted number of key people using the eTrustEx platform.
Furthermore, I noticed that in several email samples, the senders are likely compromised email accounts belonging to legitimate government organizations. This could trick victims into believing that the emails are coming from trusted partners, making recipients more likely to click the links.
When the link is opened, the victim is redirected to a malicious HTML page hosted at hxxps://literaturaelsalvador[.]com/Instructions.html, which uses a known technique, HTML smuggling, to download an ISO image to the target system. I believe this domain is not owned by the actor but has been compromised, which is consistent with previous APT29 activity.
The ISO file is set to download automatically when the victim visits the website; this is achieved through the following JavaScript code. The contents of Instructions.iso are stored in the d variable.
Once the file has been written to disk, when a user double-clicks it in Windows 10 or later, the image is mounted and its contents are displayed in Windows Explorer. The ISO contains two files: a Windows shortcut file (Instructions.lnk) and a malicious DLL (BugSplatRc64.dll).
If the user clicks the LNK file, the following command is executed, unintentionally triggering the execution of the malicious DLL.
Using LNK shortcuts to execute malicious DLLs is a technique that has been associated with APT29 in numerous campaigns. In this particular scenario, I recognized the sample as VaporRage, a downloader used by APT29 since 2021.
When run with the InitiateDs export, VaporRage first runs some reconnaissance commands and generates a host ID by hex-encoding the DNS domain and username. It then creates a copy of itself at:
C:\Users\%USERNAME%\AppData\Local\DsDiBacks\BugSplatRc64.dll
VaporRage then establishes persistence on the compromised system by creating a registry Run key value located at Software\Microsoft\Windows\CurrentVersion\Run\DsDiBacks.
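The persistence artifact above (the Run value named DsDiBacks pointing at a DLL under %LOCALAPPDATA%) is straightforward to hunt for in registry telemetry. The following is an added example, not code from the original post or from any vendor tool: it classifies constructed Sysmon Event ID 13 records, flagging the campaign-specific indicators and, more generally, any Run value that loads a DLL from AppData\Local via rundll32. The SID, user names and the exact Run value data (assumed to invoke the InitiateDs export through rundll32) are assumptions.

```python
import re

# Constructed Sysmon Event ID 13 (registry value set) records; not real telemetry.
# The first record assumes the Run value launches the DLL through rundll32 with the
# InitiateDs export; the page does not quote the exact value data.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\DsDiBacks",
     "Details": r"rundll32.exe C:\Users\alice\AppData\Local\DsDiBacks\BugSplatRc64.dll,InitiateDs"},
    {"EventID": 13, "Image": r"C:\Program Files\Vendor\setup.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
     "Details": r"C:\Program Files\Vendor\tray.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\bob\AppData\Local\Temp\helper.dll,Start"},
]

# Matches a value written directly under the per-user (or machine) Run key.
RUN_VALUE_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.I)
# A DLL living under the user's local AppData, where VaporRage copies itself.
LOCALAPPDATA_DLL_RE = re.compile(r"\\AppData\\Local\\[^ ,]*\.dll\b", re.I)

def classify_run_value(event):
    """Return a verdict for a Sysmon EID 13 event, or None if it is not a Run-key write."""
    if event.get("EventID") != 13:
        return None
    m = RUN_VALUE_RE.search(event.get("TargetObject", ""))
    if not m:
        return None
    name, data = m.group(1).lower(), event.get("Details", "").lower()
    # Campaign-specific indicators from the VaporRage sample described above.
    if name == "dsdibacks" or "\\dsdibacks\\bugsplatrc64.dll" in data:
        return "vaporrage-ioc"
    # Generic behaviour: autorun entry that loads a DLL from %LOCALAPPDATA% via rundll32.
    if "rundll32" in data and LOCALAPPDATA_DLL_RE.search(data):
        return "rundll32-localappdata-dll"
    return "benign-run-value"

def triage(events):
    """Map Run value name -> verdict for every event that warrants a look."""
    findings = {}
    for event in events:
        verdict = classify_run_value(event)
        if verdict in (None, "benign-run-value"):
            continue
        findings[event["TargetObject"].rsplit("\\", 1)[-1]] = verdict
    return findings
```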
As I mentioned at the beginning of this post, the VaporRage sample in this execution chain implements its command and control by communicating over HTTPS with the Notion API. Notion’s database feature is also used to store victim information and stage additional payloads for download.
Based on my observations, this VaporRage sample periodically makes a POST request to the Notion API to check for the availability of a second-stage payload, which is then retrieved and executed in memory. In this particular campaign, APT29 used VaporRage to deploy Cobalt Strike beacons to further establish a foothold within the environment.
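A periodic POST to a fixed Notion database query endpoint is a beaconing pattern that stands out in egress logs even though the destination is a legitimate SaaS host. The following added example (not from the original post or from any vendor tooling) parses constructed proxy log lines, keeps only POSTs to api.notion.com/v1/databases/<id>/query, and flags client/database pairs whose request intervals are near-constant; the log format, client addresses and the second database id are assumptions, while the first database id is the one listed in the indicators of this campaign.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log lines (not real traffic): timestamp, client, method, URL.
SAMPLE_LOG = """\
2023-02-14T09:00:00Z 10.0.0.5 POST https://api.notion.com/v1/databases/37089abc0926463182bb5343bce252cc/query
2023-02-14T09:00:01Z 10.0.0.7 GET https://www.notion.so/workspace
2023-02-14T09:05:00Z 10.0.0.5 POST https://api.notion.com/v1/databases/37089abc0926463182bb5343bce252cc/query
2023-02-14T09:10:00Z 10.0.0.5 POST https://api.notion.com/v1/databases/37089abc0926463182bb5343bce252cc/query
2023-02-14T09:15:00Z 10.0.0.5 POST https://api.notion.com/v1/databases/37089abc0926463182bb5343bce252cc/query
2023-02-14T09:02:13Z 10.0.0.9 POST https://api.notion.com/v1/databases/0123456789abcdef0123456789abcdef/query
2023-02-14T09:31:40Z 10.0.0.9 POST https://api.notion.com/v1/databases/0123456789abcdef0123456789abcdef/query
2023-02-14T10:47:02Z 10.0.0.9 POST https://api.notion.com/v1/databases/0123456789abcdef0123456789abcdef/query
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Notion database query endpoint as used by the sample (32-hex database id).
NOTION_QUERY_RE = re.compile(r"^https://api\.notion\.com/v1/databases/([0-9a-f]{32})/query$")

def parse_notion_queries(log_text):
    """Return {(client, db_id): [timestamps]} for POSTs to the Notion database query endpoint."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, method, url = m.groups()
        q = NOTION_QUERY_RE.match(url)
        if method != "POST" or not q:
            continue
        hits[(client, q.group(1))].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    return hits

def find_beacons(log_text, min_requests=4, max_jitter=0.1):
    """Flag (client, db_id) pairs whose inter-request intervals are near-constant."""
    flagged = {}
    for key, times in parse_notion_queries(log_text).items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 0.0
        if jitter <= max_jitter:
            flagged[key] = round(mean)  # mean interval in seconds
    return flagged
```

Pair the interval check with a process-level view (which binary opened the connection) to separate a desktop Notion client from a DLL running under rundll32.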
The following endpoint was used for C2 communications:
This technique exemplifies APT29’s ongoing efforts to obscure its actions and maintain continuous access to target systems. This has been extensively documented by Mandiant, which described APT29 using a variety of persistence techniques, including scheduled tasks, Run keys, malicious certificates and in-memory backdoors, sometimes using multiple methods for each target.
Overall, the use of cloud services such as Trello and Notion for C2 communications not only gives a threat actor greater capability to evade network security controls, but also increases resilience to law enforcement takedown operations: social media and cloud services are often hosted on multiple servers and in multiple locations, making it more difficult for authorities to remove the entire platform. This means that the threat actor can continue to use the platform for C2 communications even if some servers are taken down. These advantages make such platforms an attractive option for threat groups like APT29.
The range of tactics, techniques, and procedures (TTPs) used by APT29 in this campaign supports the conclusion that its goal is to establish numerous long-term means of access to facilitate intelligence gathering within the networks of targeted government entities. Nations with a connection to the Ukrainian crisis, particularly those with significant geopolitical, economic, or military ties to Russia or Ukraine, face a heightened risk of being targeted by APT29.
This threat group has shown an impressive ability to adapt rapidly throughout its operations. It uses innovative and unique methods to circumvent detection and authentication requirements in its target environments. In its recent operations, the group has demonstrated a deep understanding of operational security, allowing it to move seamlessly between on-premise and cloud resources with minimal use of malware. These factors, combined with its advanced malware development capabilities, long history of operations, and extended time on targets, indicate that APT29 is a well-funded and exceptionally sophisticated actor that will certainly continue to pose a threat during 2023.
Below is a list of indicators associated with this campaign.
Domains
hxxps://literaturaelsalvador[.]com/instructions.html
hxxps://api[.]notion[.]com/v1/databases/37089abc0926463182bb5343bce252cc/query
IP addresses
108[.]167[.]180[.]186
104[.]18[.]42[.]99
File — SHA256
21a0b617431850a9ea2698515c277cbd95de4e59c493d0d8f194f3808eb16354 (Instructions.iso)
e957326b2167fa7ccd508cbf531779a28bfce75eb2635ab822927B9augRplat.