{
	"id": "d67a00de-253b-4980-9046-ac698063d722",
	"created_at": "2026-04-06T00:10:39.730509Z",
	"updated_at": "2026-04-10T03:38:06.711562Z",
	"deleted_at": null,
	"sha1_hash": "3a7b017f2fcb104f8ac765bac5e67e83d1ae031c",
	"title": "Hackers take over diplomat's email, target Russian deputy minister",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4374522,
	"plain_text": "Hackers take over diplomat's email, target Russian deputy minister\r\nBy Ionut Ilascu\r\nPublished: 2022-01-12 · Archived: 2026-04-05 20:19:50 UTC\r\nHackers believed to work for the North Korean government have compromised the email account of a staff member of Russia’s Ministry of Foreign Affairs (MID) and deployed spear-phishing attacks against the country’s diplomats in other regions.\r\nOne of the targets was Sergey Alexeyevich Ryabkov, the deputy foreign minister of the Russian Federation, responsible among other things for bilateral relations with North and South America.\r\nThe phishing campaign has been active since at least October 19, 2021, deploying Konni malware, a remote administration tool (RAT) associated with the cyber activity of North Korean hackers known as APT37 (or ScarCruft, Group123, Operation Erebus, and Operation Daybreak).\r\nhttps://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/\r\nPage 1 of 5\n\nRussian diplomatic targets\r\nCybersecurity firm Cluster25 last week published research about a phishing campaign towards the end of December 2021 that delivered Konni RAT to individuals in the Russian diplomatic apparatus.\r\nThe researchers found that the hackers used the New Year theme as a decoy in emails to staff at the Russian embassy in Indonesia.\r\n[image] source: Cluster25\r\nIt was a congratulatory message that appeared to be from fellow diplomats at the Russian embassy in Serbia, sending a ZIP archive with a holiday screensaver.\r\nWhen extracted, the file was an executable that ultimately delivered the Konni RAT disguised as the Windows service “scrnsvc.dll.”\r\n[image] source: Cluster25\r\nResearchers at Lumen’s Black Lotus Labs were also tracking these spear-phishing campaigns, which had started at least two months earlier, the likely goal being to harvest credentials of an active MID account.\r\nTo achieve their objective, the attackers relied on spoofed hostnames for email services common in Russia, Mail.ru and Yandex.\r\nAnother campaign started around November 7, delivering URLs for downloading an archive with documents asking for information on vaccination status.\r\nThe archive also included an executable posing as legitimate software used for checking Covid-19 vaccination status, which executed a malware loader that infected the system with Konni.\r\nAccording to Black Lotus Labs researchers, the campaign in December, also spotted by Cluster25, was the third one from the same threat actor and used the compromised MID account “mskhlystova@mid[.]ru” to send out malicious emails.\r\nThe recipients of the malicious messages were the Russian embassy in Indonesia and Russian politician Sergey Alexeyevich Ryabkov, currently serving as Deputy Foreign Minister.\r\n[image] source: Lumen's Black Lotus Labs\r\nLooking at the email headers revealed that the source of the messages was the same IP address, 152.89.247[.]26, used for the phishing campaign in October, Black Lotus Labs found.\r\nTechnical analysis of the infection chain by Lumen’s researchers confirmed Cluster25’s findings, including the evasion technique of hiding a payload in a “401 unauthorized” server error response.\r\n[image] source: Cluster25\r\nBlack Lotus Labs researchers say that this was a highly targeted campaign that “downloaded a first-stage agent which is nearly identical to the agent” discovered by Malwarebytes in a Konni attack against Russian targets.\r\nBoth cybersecurity outfits are confident in attributing the spear-phishing campaigns against the Russian diplomatic entities to the Konni advanced persistent threat.\r\nSource: https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/hackers-take-over-diplomats-email-target-russian-deputy-minister/"
	],
	"report_names": [
		"hackers-take-over-diplomats-email-target-russian-deputy-minister"
	],
	"threat_actors": [
		{
			"id": "6f30fd35-b1c9-43c4-9137-2f61cd5f031e",
			"created_at": "2025-08-07T02:03:25.082908Z",
			"updated_at": "2026-04-10T02:00:03.744649Z",
			"deleted_at": null,
			"main_name": "NICKEL FOXCROFT",
			"aliases": [
				"APT37",
				"ATK4",
				"Group 123",
				"InkySquid",
				"Moldy Pisces",
				"Operation Daybreak",
				"Operation Erebus",
				"RICOCHET CHOLLIMA",
				"Reaper",
				"ScarCruft",
				"TA-RedAnt",
				"Venus 121"
			],
			"source_name": "Secureworks:NICKEL FOXCROFT",
			"tools": [
				"Bluelight",
				"Chinotto",
				"GOLDBACKDOOR",
				"KevDroid",
				"KoSpy",
				"PoorWeb",
				"ROKRAT",
				"final1stpy"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa65d2c9-a9d7-4bf9-9d56-c8de16eee5f4",
			"created_at": "2025-08-07T02:03:25.096857Z",
			"updated_at": "2026-04-10T02:00:03.659118Z",
			"deleted_at": null,
			"main_name": "NICKEL JUNIPER",
			"aliases": [
				"Konni",
				"OSMIUM",
				"Opal Sleet"
			],
			"source_name": "Secureworks:NICKEL JUNIPER",
			"tools": [
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b43c8747-c898-448a-88a9-76bff88e91b5",
			"created_at": "2024-02-02T02:00:04.058535Z",
			"updated_at": "2026-04-10T02:00:03.545252Z",
			"deleted_at": null,
			"main_name": "Opal Sleet",
			"aliases": [
				"Konni",
				"Vedalia",
				"OSMIUM"
			],
			"source_name": "MISPGALAXY:Opal Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bbe36874-34b7-4bfb-b38b-84a00b07042e",
			"created_at": "2022-10-25T15:50:23.375277Z",
			"updated_at": "2026-04-10T02:00:05.327922Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"APT37",
				"InkySquid",
				"ScarCruft",
				"Group123",
				"TEMP.Reaper",
				"Ricochet Chollima"
			],
			"source_name": "MITRE:APT37",
			"tools": [
				"BLUELIGHT",
				"CORALDECK",
				"KARAE",
				"SLOWDRIFT",
				"ROKRAT",
				"SHUTTERSPEED",
				"POORAIM",
				"HAPPYWORK",
				"Final1stspy",
				"Cobalt Strike",
				"NavRAT",
				"DOGCALL",
				"WINERACK"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "552ff939-52c3-421b-b6c9-749cbc21a794",
			"created_at": "2023-01-06T13:46:38.742547Z",
			"updated_at": "2026-04-10T02:00:03.08515Z",
			"deleted_at": null,
			"main_name": "APT37",
			"aliases": [
				"Operation Daybreak",
				"Red Eyes",
				"ScarCruft",
				"G0067",
				"Group123",
				"Reaper Group",
				"Ricochet Chollima",
				"ATK4",
				"APT 37",
				"Operation Erebus",
				"Moldy Pisces",
				"APT-C-28",
				"Group 123",
				"InkySquid",
				"Venus 121"
			],
			"source_name": "MISPGALAXY:APT37",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c0cedde3-5a9b-430f-9b77-e6568307205e",
			"created_at": "2022-10-25T16:07:23.528994Z",
			"updated_at": "2026-04-10T02:00:04.642473Z",
			"deleted_at": null,
			"main_name": "DarkHotel",
			"aliases": [
				"APT-C-06",
				"ATK 52",
				"CTG-1948",
				"Dubnium",
				"Fallout Team",
				"G0012",
				"G0126",
				"Higaisa",
				"Luder",
				"Operation DarkHotel",
				"Operation Daybreak",
				"Operation Inexsmar",
				"Operation PowerFall",
				"Operation The Gh0st Remains the Same",
				"Purple Pygmy",
				"SIG25",
				"Shadow Crane",
				"T-APT-02",
				"TieOnJoe",
				"Tungsten Bridge",
				"Zigzag Hail"
			],
			"source_name": "ETDA:DarkHotel",
			"tools": [
				"Asruex",
				"DarkHotel",
				"DmaUp3.exe",
				"GreezeBackdoor",
				"Karba",
				"Nemain",
				"Nemim",
				"Ramsay",
				"Retro",
				"Tapaoux",
				"Trojan.Win32.Karba.e",
				"Virus.Win32.Pioneer.dx",
				"igfxext.exe",
				"msieckc.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434239,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a7b017f2fcb104f8ac765bac5e67e83d1ae031c.pdf",
		"text": "https://archive.orkl.eu/3a7b017f2fcb104f8ac765bac5e67e83d1ae031c.txt",
		"img": "https://archive.orkl.eu/3a7b017f2fcb104f8ac765bac5e67e83d1ae031c.jpg"
	}
}