Russian state-sponsored hacking group APT29, also known as Cozy Bear and Nobelium, has been linked to a widespread, ongoing cyberespionage campaign against NATO and European Union member countries by Poland's Military Counterintelligence Service and its Computer Emergency Response Team, BleepingComputer reports.
Diplomatic entities and foreign ministries across the EU have been targeted by spear-phishing emails spoofing European embassies, according to the joint advisory. The emails carry malicious attachments that deliver the EnvyScout dropper, which in turn deploys the QUARTERRIG and SNOWYAMBER malware downloaders and HALFRIG, a loader for the Cobalt Strike Beacon stager.
"If the infected workstation passed manual verification, the aforementioned downloaders were used to deliver and start up the commercial tools COBALT STRIKE or BRUTE RATEL. HALFRIG, on the other hand, works as a so-called loader: it contains the COBALT STRIKE payload and runs it automatically," said a separate malware analysis report. APT29 was previously reported to have targeted NATO countries' Microsoft 365 accounts in phishing attacks.