{
	"id": "8f88089b-0fcf-4b62-83f3-133e1295722d",
	"created_at": "2026-04-06T00:10:15.100205Z",
	"updated_at": "2026-04-10T03:37:50.250205Z",
	"deleted_at": null,
	"sha1_hash": "3c0a417aa9d76ce3a9899ad6afd7d34340f91901",
	"title": "New Spear Phishing Campaign Pretends to be EFF",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 284109,
	"plain_text": "New Spear Phishing Campaign Pretends to be EFF\r\nBy Cooper Quintin\r\nPublished: 2015-08-27 · Archived: 2026-04-05 15:38:01 UTC\r\nUpdate 01/28/16: EFF now controls the Electronicfrontierfoundation.org domain and that URL\r\ncurrently redirects to this blog post. If you arrived at this page via a link in a message that may have\r\nbeen phishing, please let us know and we will investigate.\r\nGoogle's security team recently identified a new domain masquerading as an official EFF site as part of a targeted\r\nmalware campaign. That domain, electronicfrontierfoundation.org, is designed to trick users into a false sense of\r\ntrust and it appears to have been used in a spear phishing attack, though it is unclear who the intended targets\r\nwere. The domain was registered on August 4, 2015, under a presumably false name, and we suspect that the\r\nattack started on the same day. At the time of this writing the domain is still serving malware.\r\nElectronicfrontierfoundation.org was not the only domain involved in this attack. It seems to be part of a larger\r\ncampaign, known as “Pawn Storm”. The current phase of the Pawn Storm attack campaign started a little over a\r\nmonth ago, and the overall campaign was first identified in an October 2014 report from Trend Micro (PDF). The\r\ngroup behind the attacks is possibly associated with the Russian government and has been active since at least\r\n2007.\r\nThe attack is relatively sophisticated—it uses a recently discovered Java exploit, the first known Java zero-day in\r\ntwo years. The attacker sends the target a spear phishing email containing a link to a unique URL on the malicious\r\ndomain (in this case electronicfrontierfoundation.org). When visited, the URL will redirect the user to another\r\nunique URL in the form of http://electronicfrontierfoundation.org/url/{6_random_digits}/Go.class\r\ncontaining a Java applet which exploits a vulnerable version of Java. Once the URL is used and the Java payload\r\nis received, the URL is disabled and will no longer deliver malware (presumably to make life harder for malware\r\nanalysts). The attacker, now able to run any code on the user's machine due to the Java exploit, downloads a\r\nsecond payload, which is a binary program to be executed on the target's computer.\r\nWe were able to recover the following samples of the malicious Java code from electronicfrontierfoundation.org.\r\nFilename MD5 Sum SHA1 Sum\r\nApp.class 0c345969a5974e8b1ec6a5e23b2cf777 95dc765700f5af406883d07f165011d2ff8dd0fb\r\nGo.class 25833224c2cb8050b90786d45f29160c df5f038d78f5934bd79d235b4d257bba33e6b3\r\nhttps://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff\r\nPage 1 of 3\r\nThe decompiled Java for App.class\r\nThe Go.class applet bootstraps and executes App.class, which contains the actual attack code. The App.class\r\npayload exploits the same Java zero-day reported by Trend Micro and then downloads a second stage binary,\r\ninternally called cormac.mcr, to the user's home directory and renames it to a randomly chosen string ending in\r\n`.exe`. Interestingly, App.class contains code to download a *nix compatible second stage binary if necessary,\r\nimplying that this attack is able to potentially target Mac or Linux users.\r\nUnfortunately we weren't able to retrieve the second stage binary, however this is the same path and filename that\r\nhas been used in other Pawn Storm attacks, which suggests that it is likely to be the same payload: the malware\r\nknown as Sednit. On Windows, the Sednit payload is downloaded to the logged-in user's home directory with a\r\nrandomly generated filename and executed. On running it hooks a variety of services and downloads a DLL file.\r\nThe DLL file is executed and connects to a command and control server where it appears to verify the target and\r\nthen execute a keylogger or other modules as may be required by the attacker.\r\nBecause this attack used the same path names, Java payloads, and Java exploit that have been used in other attacks\r\nassociated with Pawn Storm, we can conclude that this attack is almost certainly being carried out by the same\r\ngroup responsible for the rest of the Pawn Storm attacks. Other security researchers have linked the Pawn Storm\r\ncampaign with the original Sednit and Sofacy targeted malware campaigns–also known as “APT 28”–citing the\r\nfact that they use the same custom malware and have similar targets. In a 2014 paper the security company\r\nFireEye linked the “APT 28” group behind Sednit/Sofacy with the Russian Government (PDF) based on technical\r\nevidence, technical sophistication, and targets chosen. Drawing from these conclusions, it seems likely that the\r\norganization behind the fake-EFF phishing attack also has ties to the Russian government. Past attacks have\r\ntargeted Russian dissidents and journalists, U.S. Defense Contractors, NATO forces, and White House staff. We\r\ndo not know who the targets were for this particular attack, but it does not appear that it was EFF staff.\r\nThe phishing domain has been reported for abuse–though it is still active, and the vulnerability in Java has been\r\npatched by Oracle. Of course this is an excellent reminder for everyone to be vigilant against phishing attacks.\r\nOur SSD guide contains advice on how to improve your security, watch for malicious emails, and avoid phishing\r\nattacks such as this one.\r\nSource: https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.eff.org/deeplinks/2015/08/new-spear-phishing-campaign-pretends-be-eff"
	],
	"report_names": [
		"new-spear-phishing-campaign-pretends-be-eff"
	],
	"threat_actors": [
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434215,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3c0a417aa9d76ce3a9899ad6afd7d34340f91901.pdf",
		"text": "https://archive.orkl.eu/3c0a417aa9d76ce3a9899ad6afd7d34340f91901.txt",
		"img": "https://archive.orkl.eu/3c0a417aa9d76ce3a9899ad6afd7d34340f91901.jpg"
	}
}