{
	"id": "06e2f1bb-fee8-49d8-b756-005a4e5c9a72",
	"created_at": "2026-04-06T00:10:37.176374Z",
	"updated_at": "2026-04-10T03:37:16.971839Z",
	"deleted_at": null,
	"sha1_hash": "4e2bc375a372e4c00a19758f279938ce41537ae1",
	"title": "New invitation from APT29 to use CCleaner",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1125883,
	"plain_text": "New invitation from APT29 to use CCleaner\r\nPublished: 2023-07-12 · Archived: 2026-04-05 16:56:06 UTC\r\nLast May we were discussing the new APT29 campaign that we called “Information”. Recently, just a week ago, an unknown actor used techniques similar to those of APT29. This time APT29 is once again the focus after new techniques were identified in their operations.\r\nThis post details the new techniques observed, in particular:\r\nSVG Dropper\r\nDLL used for infection\r\nC2 behaviour\r\n[Figure: Infection chain]\r\nStage0: SVG Dropper\r\nhttps://lab52.io/blog/2344-2/\r\nPage 1 of 9\r\nThe input vector for this campaign has been email. The phishing email used by the authors has the subject “Invitation – Santa Lucia Celebration”. It appears to impersonate the Norwegian embassy inviting the recipient to a celebration. This particular “invitation” is in .svg format.\r\nWhen the file is opened, a script is executed that downloads a file with the .iso extension containing the next stage of the infection and mounts it. In this way, the .svg file works as an HTML Smuggling vector that infects the victim by dropping the next stage.\r\n[Figure: .svg content]\r\nThis technique had already been seen before, as the user @SI_FalconTeam indicates, in a test sample dropping “Process Explorer”; they also include a Yara rule to detect this type of technique.\r\nThe use of this type of file as a dropper is a novelty in APT29 TTPs, so it is worth keeping an eye on this type of attachment to hunt for future campaigns.\r\n[Figure: SVG “test” Sample]\r\nOnce the file is opened, an ISO (invitation.iso) will be downloaded with content similar to what we have observed in other APT29 campaigns.\r\n[Figure: “Invitation.iso” content]\r\nThe file used during this analysis is the following:\r\nFile | Sha256\r\nInvitation.iso | AF1922C665E9BE6B29A5E3D0D3AC5916AE1FC74AC2FE9931E5273F3C4043F395\r\nThis particular Invitation.iso file contains the following files:\r\nFile | Sha256 | Sta\r\nInvitation.lnk | A8AE10B43CBF4E3344E0184B33A699B19A29866BC1E41201ACE1A995E8CA3149 | Sta\r\nCCleanerReactivator.exe | 59E5B2A7A3903E4FB9A23174B655ADB75EB490625DDB126EF29446E47DE4099F | Sta\r\nCCleanerReactivator.dll | 7FC9E830756E23AA4B050F4CEAEB2A83CD71CFC0145392A0BC03037AF373066B | Sta\r\nCCleanerDU.dll | D7BDA5E39327FE12B0C1F42C8E27787F177A352F8EEBAFBE35D3E790724ECEFF | Sta\r\nStage1: Loader\r\nThe first file that catches attention is invitation.lnk, which, despite having a folder icon, is a shortcut that launches the following command:\r\n%windir%/system32/cmd.exe /q /c \"robocopy . C:\\Windows\\Tasks /NODCOPY /NFL /NDL /NJH /NJS /NC /NS /NP \u003e nul \u0026 start C:\\Wi\r\nThis command uses Robocopy to copy all files to the “C:\\Windows\\Tasks” folder and then runs CCleanerReactivator.exe.\r\nThe CCleanerReactivator.exe binary is signed and undetected in VirusTotal. It is legitimate software for freeing up disk space that can be downloaded from its vendor.\r\n[Figure: “CCleanerReactivator.exe” detections in VirusTotal]\r\nThe malicious activity will therefore be found in the CCleanerReactivator.dll and CCleanerDU.dll libraries, which are loaded by the executable using the DLL Side-Loading technique.\r\nIn the imports of CCleanerReactivator.exe we can see that it loads only the library CCleanerReactivator.dll.\r\n[Figure: “CCleanerReactivator.dll” imports]\r\nLooking at the AutoReactivatorSDK::RunProgram function of CCleanerReactivator.dll, we can see that it only loads the other library, CCleanerDU.dll, specifically its FreeInterface function.\r\nSo CCleanerReactivator.dll only acts as a bridge, and the CCleanerDU.dll library is the one that contains the malicious code in its FreeInterface function.\r\n[Figure: “AutoReactivatorSDK::RunProgram” loading “CCleanerDU.dll”]\r\nStage2: CCleanerDU.dll\r\nThe first thing we find in the FreeInterface function of CCleanerDU.dll is that it tries to load the wininet.dll library. To do this, it reserves memory by directly calling NtAllocateVirtualMemory and NtProtectVirtualMemory. It then loads the library using the LdrLoad function of NTDLL.dll.\r\n[Figure: Getting “wininet.dll”]\r\nIf the library has been loaded correctly, it starts a function we have named C2_comm. This function takes care of communication with the C2, for which it loads the following wininet.dll functions needed to establish a connection:\r\nInternetOpenA\r\nInternetConnectA\r\nHttpOpenRequestA\r\nHttpSendRequestA\r\nInternetReadFile\r\nInternetCloseHandle\r\nAfter this, it tries to build the request. The responsible function is one we have named CreateRequest, which does the following:\r\n1. It obtains the UserName and the ComputerName through calls to GetUserNameA and GetComputerNameExA. From these values, and a series of modular operations, it derives a 4-digit number that identifies the victim.\r\n[Figure: Create Victim ID]\r\n2. The code goes on to list all running processes using CreateToolhelp32Snapshot, Process32First and Process32Next. This information is buffered together with the UserName and ComputerName as follows.\r\n[Figure: Exfiltration buffer]\r\n3. Next, it builds the path to which the connection will be made, which follows this format:\r\nsearch/s.php?i=1\u0026id=APOX8NWOV4{4_DIGITS_VICTIM_ID}\r\n4. With the request created, it performs a PUT registering the victim in the C2 kefas[.]id.\r\n[Figure: PUT Request]\r\n5. The last step is to check the server response, which is considered successful if it receives “KKEE”.\r\n[Figure: Check “KKEE” response]\r\nAt the end of the CreateRequest function, it makes another connection and, if successful, performs a GET of the next stage of the infection. This payload also starts with “KKEE”, which it checks to confirm that the communication was successful. If so, it returns the payload (without the “KKEE” prefix); otherwise it suspends execution by calling NtDelayExecution.\r\n[Figure: GET Request]\r\nFinally, it reserves memory again with NtAllocateVirtualMemory and NtProtectVirtualMemory and creates an execution unit with CreateFiber that is in charge of launching the next stage. A fiber is a much lighter execution unit than a thread, since it is scheduled not by the operating system but by the program itself.\r\n[Figure: CreateFiber function]\r\nC2 Communications\r\nIt is interesting to note that communication with the C2 has changed significantly since previous campaigns. Previously, registration with the C2 was done with a POST of an encrypted JSON containing the UserName and ComputerName.\r\nIn this new iteration, victim IDs in the C2 have been simplified to 4 digits. In addition, the next stage (shellcode) is downloaded directly from the C2, instead of being loaded locally.\r\nIOCs\r\nFile | Sha256\r\nInvitation – Santa Lucia Celebration.msg | 966E070A52DE1C51976F6EA1FC48EC77F6B89F4BF5E5007650755E9CD0D73281\r\nInvitation.svg | 4875A9C4AF3044DB281C5DC02E5386C77F331E3B92E5AE79FF9961D8CD1F7C4F\r\nInvitation.iso | AF1922C665E9BE6B29A5E3D0D3AC5916AE1FC74AC2FE9931E5273F3C4043F395\r\nInvitation.lnk | A8AE10B43CBF4E3344E0184B33A699B19A29866BC1E41201ACE1A995E8CA3149\r\nCCleanerReactivator.exe | 59E5B2A7A3903E4FB9A23174B655ADB75EB490625DDB126EF29446E47DE4099F\r\nCCleanerDU.dll | D7BDA5E39327FE12B0C1F42C8E27787F177A352F8EEBAFBE35D3E790724ECEFF\r\nCCleanerReactivator.dll | 7FC9E830756E23AA4B050F4CEAEB2A83CD71CFC0145392A0BC03037AF373066B\r\nC2\r\nhxxps://kefas[.]id/search/s.php\r\nSource: https://lab52.io/blog/2344-2/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://lab52.io/blog/2344-2/"
	],
	"report_names": [
		"2344-2"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434237,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e2bc375a372e4c00a19758f279938ce41537ae1.pdf",
		"text": "https://archive.orkl.eu/4e2bc375a372e4c00a19758f279938ce41537ae1.txt",
		"img": "https://archive.orkl.eu/4e2bc375a372e4c00a19758f279938ce41537ae1.jpg"
	}
}