The Russia-linked threat actor Nobelium has been observed targeting diplomatic entities and government agencies in European Union countries that are aiding Ukrainian citizens and providing help to the country’s government.

Nobelium (aka APT29, Cozy Bear, The Dukes, StellarParticle, UNC2452, and Dark Halo) is a military hacking unit linked to the Russian government. Nobelium is believed to be the group behind the massive SolarWinds supply-chain attack that led to the compromise of several US federal agencies.

The threat actor has historically targeted government organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers. The group’s arsenal includes a variety of tactics to conduct credential theft, as well as sophisticated malware and tools, such as SUNBURST backdoor, TEARDROP, GoldMax, GoldFinder, and Sibot malware.

The recent Nobelium’s campaign spotted BlackBerry researchers in March 2023 involved phishing emails purportedly sent by the European Commission and Poland’s Ministry of Foreign Affairs. The malicious emails contained a weaponized document with a link leading to the download of an HTML file. The weaponized URLs were hosted on a legitimate online library website based in El Salvador, which the threat actor is believed to have compromised between the end of January and the beginning of February.

The threat actor has been observed using multiple legitimate systems, including LegisWrite and eTrustEx, which the EU nations use for information exchange and secure data transfer.

“Using a compromised legitimate server to host the packed malware payload increases the chances of a successful installation on the victims’ machines,” BlackBerry noted.

An analysis of the malicious HTML file revealed that it was a version of Nobelium’s malicious dropper known as ROOTSAW/ EnvyScout. It uses a technique known as HTML smuggling to deliver an IMG or ISO file to the victim’s system. The HTML file drops two “.iso” files on the system, each of them contains two files.

One of the files is BugSplatRc64.dll designed to collect and exfiltrate information about the infected system. This information is then used to create the victim’s unique identifier, which it then sends to the command-and-control (C2) server, Notion. Every minute the BugSplatRc64.dll connects to the Notion server, waiting for the next payload. If successful, the payload is executed as a shellcode in the memory of its process.

“Nobelium actively collects intelligence information about the countries supporting Ukraine in the Russian-Ukraine war. The overlap between Poland's Ambassador’s visit to the United States with the lure used in the attacks, provides evidence that the threat actors carefully follow geopolitical events and use them to increase their possibility of a successful infection,” BlackBerry notes.