
APT29 expands Spear-Phishing campaign, targets Ministries of Foreign Affairs in NATO-Aligned nations


Russia-linked APT29 utilizes Zulip Chat App to target NATO-Aligned Ministries of Foreign Affairs.

In a recent revelation, cybersecurity researchers at EclecticIQ have uncovered an ongoing spear-phishing initiative orchestrated by APT29, a notorious Russia-linked cyberespionage group. The group has set its sights on Ministries of Foreign Affairs within NATO-aligned countries, employing sophisticated tactics to infiltrate and compromise targeted systems.

The attack campaign hinges on the strategic deployment of seemingly innocuous PDF files, which are artfully disguised as communications originating from the German embassy. These documents contain carefully crafted diplomatic invitation lures, designed to entice victims into engaging with the malicious content.

Two distinct PDFs were identified during the investigation. The first harbored a variant of the Duke malware, a known tool associated with APT29. Also referred to as SVR group, BlueBravo, Cozy Bear, Nobelium, Midnight Blizzard, and The Dukes, APT29 has established itself as a formidable cyberespionage force. The second PDF, though devoid of any immediate malicious payload, served as a mechanism for reconnaissance and communication back to the attackers, notifying them of successful interactions with the document.

Strikingly, APT29 leveraged the open-source Zulip chat application as a platform for command-and-control operations. This allowed the threat actors to camouflage their malicious activity as legitimate service traffic, thereby evading detection by conventional security measures.

The initial PDF, aptly titled “Farewell to Ambassador of Germany,” harnessed embedded JavaScript code to initiate a complex multi-stage infection process. This ultimately led to the surreptitious installation of a backdoor on the victim’s system. The PDF cleverly prompted an “Open File” dialog box, enticing the user to engage further. Upon execution, the embedded code facilitated the launch of a malevolent HTML file named “Invitation_Farewell_DE_EMB.” This HTML file, employed through HTML smuggling, contained a zipped HTA (HTML Application) file—a type of Living Off The Land Binary (LOLBIN) that combines HTML and scripting code. Upon execution, this file deployed a variant of the Duke malware, solidifying the cyberattack’s impact.
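As an added example (not from EclecticIQ's report or this article), the following static triage sketch covers the two delivery stages described above: it counts script and auto-action name tokens in a PDF after undoing `#xx` name escapes, and it lists HTML smuggling features in an HTML attachment. The token list, regexes, function names and both sample inputs are assumptions constructed for illustration.

```python
import re

# PDF name tokens relevant to an auto-running script or file-open prompt.
PDF_KEYS = ("/JS", "/JavaScript", "/OpenAction", "/AA", "/Launch", "/EmbeddedFile")

# Script features that together suggest HTML smuggling (payload built in the browser).
SMUGGLE_PATTERNS = {
    "base64_decode": re.compile(r"\batob\s*\("),
    "blob_constructor": re.compile(r"new\s+Blob\s*\("),
    "object_url": re.compile(r"createObjectURL|msSaveOrOpenBlob"),
    "forced_download": re.compile(r"\.download\s*=|<a\b[^>]*\bdownload\b", re.I),
}
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")  # long inline encoded payload


def decode_pdf_names(data: bytes) -> bytes:
    """Undo #xx escapes so /J#61vaScript is seen as /JavaScript.
    Applied file-wide, which is acceptable for triage counting."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def pdf_indicators(data: bytes) -> dict:
    """Count risky name tokens in a PDF after normalising escaped names."""
    norm = decode_pdf_names(data)
    counts = {}
    for key in PDF_KEYS:
        # Names end at whitespace or a delimiter, so /JS must not match /JSON.
        n = len(re.findall(re.escape(key.encode()) + rb"(?![A-Za-z0-9])", norm))
        if n:
            counts[key] = n
    return counts


def html_smuggling_indicators(html: str) -> list:
    """Return the names of smuggling features present in an HTML attachment."""
    hits = [name for name, pat in SMUGGLE_PATTERNS.items() if pat.search(html)]
    if B64_RUN.search(html):
        hits.append("long_base64_run")
    return sorted(hits)


# Constructed samples (not taken from the campaign): an escaped-name PDF fragment
# and a non-functional HTML fragment carrying the features of interest.
SAMPLE_PDF = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
              b"2 0 obj << /S /J#61vaScript /JS (placeholder) >> endobj\n")
SAMPLE_HTML = ("<script>/* constructed */ atob('" + "QUJD" * 60 + "') ... new Blob( ..."
               " createObjectURL ... .download = 'constructed.zip'</script>")

if __name__ == "__main__":
    print(pdf_indicators(SAMPLE_PDF))
    print(html_smuggling_indicators(SAMPLE_HTML))
```

Each indicator is common in benign files on its own; the combination of `/OpenAction` with `/JavaScript` in a mailed PDF, or several smuggling features in one HTML attachment, is what warrants a closer look.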

Remarkably, the PDF’s mailto address traced back to the legitimate domain “” This same domain was also identified in a previous campaign by Lab52, targeting diplomatic entities with invitation-themed lures falsely attributed to the Norwegian embassy. The attackers ingeniously utilized Zulip’s API to transmit victim details to a designated chat room managed by the cybercriminals. This mechanism allowed them to issue malicious remote commands, further illustrating the sophistication of their operational tactics.

In a comprehensive analysis, EclecticIQ analysts have expressed high confidence that the implicated PDF documents are components of a broader campaign targeting diplomatic corps on a global scale. This assessment is grounded in the alignment of victimology, phishing lure themes, malware delivery methods, and the malware itself with existing open-source intelligence reports that implicate APT29.

This revelation comes on the heels of a related disclosure by Microsoft Threat Intelligence, where APT29 engaged in Microsoft Teams phishing assaults targeting numerous international organizations and government agencies. In this variant of the attack, APT29 capitalized on compromised Microsoft 365 tenants owned by small businesses. Leveraging these accounts, the group created new domains posing as technical support entities. Subsequently, APT29 employed Teams messages to execute lures aimed at tricking users into granting access to their credentials and multifactor authentication prompts.

Microsoft reported that the attack targeted fewer than 40 unique global organizations, spanning sectors such as government agencies, non-government organizations (NGOs), IT services, technology, discrete manufacturing, and media.

As APT29 continues to refine and expand its tactics, the cybersecurity community remains vigilant in countering these state-sponsored threats. The persistent ingenuity demonstrated by APT29 underscores the critical importance of maintaining robust defenses and staying abreast of evolving cyberthreat landscapes.
