Russian Hackers Use Zulip Chat App for Covert C&C in Diplomatic Phishing Attacks
Aug 17, 2023
Cyber Espionage / Malware
An ongoing campaign targeting ministries of foreign affairs of NATO-aligned countries points to the involvement of Russian threat actors. The phishing attacks feature PDF documents with diplomatic lures, some of which are disguised as coming from Germany, to deliver a variant of a malware called Duke , which has been attributed to APT29 (aka BlueBravo, Cloaked Ursa, Cozy Bear, Iron Hemlock, Midnight Blizzard, and The Dukes). "The threat actor used Zulip – an open-source chat application – for command-and-control, to evade and hide its activities behind legitimate web traffic," Dutch cybersecurity company EclecticIQ said in an analysis last week. The infection sequence is as follows: The PDF attachment, named "Farewell to Ambassador of Germany," comes embedded with JavaScript code that initiates a multi-stage process to leave a persistent backdoor on compromised networks. APT29's use of invitation themes has been previously reported by Lab52, which doc