Phishing, Threat Intelligence, Malware

Suspected Russian phishing campaign sets sights on NATO countries

NATO-aligned countries' foreign affairs ministries have been targeted by a new phishing campaign deploying a Duke malware variant, which has been linked to the Russian state-backed cyberespionage operation APT29, also known as Cozy Bear, BlueBravo, Cloaked Ursa, The Dukes, Midnight Blizzard, and Iron Hemlock, The Hacker News reports. Attacks commence with emails containing PDF documents leveraging diplomatic lures, which launch a malicious HTML dropper before executing JavaScript code that then prompts the installation of the Duke malware, according to EclecticIQ. Threat actors have also exploited the API of the open source chat app Zulip to facilitate command-and-control activities, said researchers, who noted the use of another PDF document for potential reconnaissance efforts. "It did not contain a payload, but notified the actor if a victim opened the email attachment by receiving a notification through a compromised domain edenparkweddings[.]com," researchers added. Such attacks come after Ukraine's Computer Emergency Response Team reported the use of the Merlin post-exploitation toolkit in phishing attacks against Ukrainian state organizations.
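The chain described above (PDF lure, then an HTML dropper, then JavaScript) relies on PDF features that a mail gateway or triage analyst can check for statically before anything is opened. The script below is an added example written for this brief; it is not code from SC Media, The Hacker News or EclecticIQ, and it makes no claim about the structure of the actual campaign documents. It scans raw PDF bytes for standard PDF dictionary keys that enable auto-execution (/OpenAction, /AA), scripting (/JavaScript, /JS) and bundled payloads (/EmbeddedFile, /Launch, /RichMedia), decodes the #XX hex escapes that are sometimes used to hide those names, and returns a verdict. The three sample documents are constructed inline for the demonstration and are not real attachments.

```python
import re

# Standard PDF name keys worth counting during attachment triage.
# (Added example; the key list is ordinary PDF syntax, not campaign-specific IoCs.)
RISKY_NAMES = (
    "/OpenAction", "/AA",              # run an action on open / on an event
    "/JavaScript", "/JS",              # script actions
    "/EmbeddedFile", "/Launch", "/RichMedia",  # bundled or launched content
)


def normalize_names(data: bytes) -> bytes:
    """Decode PDF name hex escapes (e.g. /#4A#53 -> /JS) so obfuscated keys still match."""
    return re.sub(rb"#([0-9A-Fa-f]{2})", lambda m: bytes([int(m.group(1), 16)]), data)


def count_risky_names(data: bytes) -> dict:
    """Return {name: occurrences} for every risky key present in the document."""
    norm = normalize_names(data)
    counts = {}
    for name in RISKY_NAMES:
        # The lookahead stops "/JS" matching "/JSX" and "/EmbeddedFile" matching "/EmbeddedFiles".
        pattern = re.escape(name.encode()) + rb"(?![A-Za-z])"
        n = len(re.findall(pattern, norm))
        if n:
            counts[name] = n
    return counts


def triage_pdf(data: bytes) -> dict:
    """Classify a PDF as clean / review / suspicious from the combination of keys found."""
    counts = count_risky_names(data)
    auto_run = "/OpenAction" in counts or "/AA" in counts
    script = "/JavaScript" in counts or "/JS" in counts
    payload = any(k in counts for k in ("/EmbeddedFile", "/Launch", "/RichMedia"))
    if script and (auto_run or payload):
        verdict = "suspicious"   # script plus auto-run or a bundled file: dropper-like
    elif counts:
        verdict = "review"       # some active content; a human should look
    else:
        verdict = "clean"
    return {"is_pdf": data.startswith(b"%PDF"), "indicators": counts, "verdict": verdict}


# --- constructed sample documents (not real attachments) ---------------------
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Opens with a JavaScript action and carries an embedded HTML file: the shape of a dropper.
DROPPER_LIKE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R /Names << /EmbeddedFiles 5 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript /JS (placeholder script body) >> endobj
5 0 obj << /Names [(invite.html) 6 0 R] >> endobj
6 0 obj << /Type /Filespec /F (invite.html) /EF << /F 7 0 R >> >> endobj
7 0 obj << /Type /EmbeddedFile /Length 0 >> stream
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Same auto-run script, with the key names hex-escaped to dodge naive string matching.
OBFUSCATED_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Open#41ction << /S /Java#53cript /#4A#53 (placeholder) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("dropper-like", DROPPER_LIKE_PDF), ("obfuscated", OBFUSCATED_PDF)):
        print(label, triage_pdf(doc))
```

Run it as a script to see one line per sample; in a gateway you would call `triage_pdf()` on each decoded attachment and quarantine or route "suspicious" results for analysis. The check is deliberately cheap and static: it does not render the PDF or execute anything, so it is safe to run on untrusted input, at the cost of missing payloads hidden inside compressed object streams, which a fuller parser would inflate first.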
