Russian state-sponsored hacking group APT29, also known as Cozy Bear or Nobelium, has launched spear-phishing campaigns aimed at government and diplomatic organizations in the Americas, Europe, and Asia since January, The Hacker News reports.
According to a Mandiant report, the campaign's spear-phishing emails spoof administrative notifications and carry an HTML dropper attachment tracked as ROOTSAW, which delivers and executes the BEATDROP downloader; BEATDROP then fetches the next-stage malware by abusing Atlassian's Trello service.
APT29 also uses the BOOMMIC tool, also known as VaporRage, to establish persistence before escalating privileges. Beginning in February, however, the group replaced BEATDROP with the C++-based BEACON loader to better evade detection, researchers said.
"This latest wave of spear phishing showcases APT29's enduring interests in obtaining diplomatic and foreign policy information from governments around the world," Mandiant said, adding that the group's continual evolution of its tactics, techniques, and procedures reflects its commitment to keeping its operations stealthy.