{
	"id": "ed9dce0d-ce6e-4c44-aa6d-d9bfd83e8bbd",
	"created_at": "2026-04-06T00:12:11.746329Z",
	"updated_at": "2026-04-10T13:11:43.195111Z",
	"deleted_at": null,
	"sha1_hash": "682ba94720640cd1ae5a0fc8632d3d40aeb0c951",
	"title": "Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3489507,
	"plain_text": "Russian APT29 Hackers Use Online Storage Services, DropBox and\r\nGoogle Drive\r\nBy Mike Harbison, Peter Renals\r\nPublished: 2022-07-19 · Archived: 2026-04-05 15:12:48 UTC\r\nExecutive Summary\r\nOrganizations around the world rely on the use of trusted, reliable online storage services – such as DropBox and Google\r\nDrive – to conduct day-to-day operations. However, our latest research shows that threat actors are finding ways to take\r\nadvantage of that trust to make their attacks extremely difficult to detect and prevent. The latest campaigns conducted by an\r\nadvanced persistent threat (APT) that we track as Cloaked Ursa (also known as APT29, Nobelium or Cozy Bear)\r\ndemonstrate sophistication and the ability to rapidly integrate popular cloud storage services to avoid detection.\r\nThe use of trusted, legitimate cloud services isn't entirely new to this group. Extending this trend, we have discovered that\r\ntheir two most recent campaigns leveraged Google Drive cloud storage services for the first time. The ubiquitous nature of\r\nGoogle Drive cloud storage services – combined with the trust that millions of customers worldwide have in them – make\r\ntheir inclusion in this APT’s malware delivery process exceptionally concerning.\r\nWhen the use of trusted services is combined with encryption, as we see here, it becomes extremely difficult for\r\norganizations to detect malicious activity in connection with the campaign.\r\nThe cybersecurity industry has long considered Cloaked Ursa to be affiliated with the Russian government. This aligns with\r\nthe group’s historic targeting focus, dating back to malware campaigns against Chechnya and other former Soviet bloc\r\ncountries in 2008. In recent years, the hack of the United States Democratic National Committee (DNC) in 2016 has been\r\nattributed to this group, as well as the SolarWinds supply chain compromises in 2020. 
Increasing the specificity of the\r\nattribution, both the United States and the United Kingdom have publicly attributed this group to Russia’s Foreign\r\nIntelligence Service (SVR).\r\nThe most recent campaigns by this actor provided a lure of an agenda for an upcoming meeting with an ambassador. These\r\ncampaigns are believed to have targeted several Western diplomatic missions between May and June 2022. The lures\r\nincluded in these campaigns suggest targeting of a foreign embassy in Portugal as well as a foreign embassy in Brazil. In\r\nboth cases, the phishing documents contained a link to a malicious HTML file (EnvyScout) that served as a dropper for\r\nadditional malicious files in the target network, including a Cobalt Strike payload.\r\nPalo Alto Networks customers receive protections from the indicators of compromise (IoCs) described in this blog through\r\nCortex XDR, Advanced URL Filtering, DNS Security and WildFire malware analysis.\r\nFull visualization of the techniques observed, relevant courses of action and IoCs related to this report can be found in the\r\nUnit 42 ATOM viewer.\r\nPalo Alto Networks disclosed this activity to both Google and DropBox, and they have taken action to block the activity.\r\nNames for threat actor group discussed: Cloaked Ursa, APT29, Nobelium, Cozy Bear\r\nLatest Campaigns\r\nOn May 13, 2022, Cluster25 published a report that outlined Cloaked Ursa’s inclusion of DropBox services in their malware\r\ncampaigns for the first time. Searching for similar techniques, we have seen the\r\nactors continue to evolve their tactics, including by incorporating popular online storage services in their campaigns.\r\nLess than two weeks after the Cluster25 report, on May 24, 2022, Unit 42 identified a new campaign targeting a NATO\r\ncountry in Europe. (We refer to this as campaign 1; the follow-on campaign of June 2022, analyzed later in this report, is campaign 2.)\r\nThe campaign oddly consisted of two emails to the same target country a few hours apart. 
Both emails contained the same\r\nlure document named Agenda.pdf, which provided a link to an agenda for an upcoming meeting with an ambassador in\r\nPortugal.\r\nhttps://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/\r\nPage 1 of 15\n\nFigure 1. Portuguese Embassy lure file.\r\nExamining the two emails sent to the targeted nation provided clues as to why two emails were sent. The first email was sent\r\nat 2022-05-24T11:41:55Z with an Agenda.pdf hash of\r\na0bdd8a82103f045935c83cb2186524ff3fc2d1324907d9bd644ea5cefacbaaf. This PDF had the following traits:\r\nCreated: 2022:04:04 13:51:53+02:00\r\nModified: 2022:05:24 13:28:23+02:00\r\nProducer: 2.4.12 (4.3.5)\r\nPDF Version: 1.5\r\nLink: www.dropbox[.]com/s/dhueerinrg9k97k/agenda.html?dl=1\r\nInterestingly, taking the timestamps at face value (PDF modified 13:28:23+02:00, i.e. 11:28:23Z; email sent 11:41:55Z), this sample was last modified only about 13 minutes before it was sent to its target. Additionally, this sample was\r\ndesigned to call out to DropBox to retrieve an EnvyScout payload.\r\nThe second email was sent at 2022-05-24T13:46:54Z with an Agenda.pdf hash of\r\nf9b10323b120d8b12e72f74261e9e51a4780ac65f09967d7f4a4f4a8eabc6f4c. This PDF had the following traits:\r\nCreated: 2022:04:04 13:51:53+02:00\r\nModified: 2022:05:24 14:27:02+02:00\r\nProducer: 2.4.14 (4.3.5)\r\nPDF Version: 1.5\r\nLink: wethe6and9[.]ca/wp-content/Agenda.html\r\nSimilarly, this second sample was last modified (14:27:02+02:00, i.e. 12:27:02Z) roughly 80 minutes before it was sent to its target. Comparing the two samples,\r\nwe see that the creation times remained identical while the modification times aligned to the day the samples were\r\nused. The producer version string in the second sample is incrementally higher (2.4.14 versus 2.4.12). Additionally, we see that\r\nthe link in the document was updated to point to a legitimate web and digital marketing company in Toronto\r\n(wethe6and9[.]ca).\r\nWhile speculative, one likely scenario is that the recipient could not access the file hosted in DropBox. 
There could be\r\nvarious reasons for this, including restrictive government network policies blocking access to cloud storage services.\r\nRegardless of the reason, the actors were compelled to rapidly build and send a second spear phishing email the same day\r\nwith a link to an EnvyScout HTML file with the same name hosted on a legitimate website.\r\nPivoting on the creation time, producer and PDF version metadata in the two samples, we were able to quickly identify\r\nseveral additional suspicious documents in VirusTotal dating back to early April 2022. Many of these documents appear to\r\nbe phishing documents associated with common cybercrime techniques. This suggests that there is likely a common\r\nphishing builder being leveraged by cybercrime and APT actors alike to generate these documents, which also means this metadata is a triage lead rather than an attribution signal on its own.\r\nTable 1. Samples with similar metadata.\r\nReviewing this list, we identified a third Agenda.pdf, last modified on June 30, 2022 (and sharing the April 4, 2022 creation time of the first two), that we assess to be part of a second phishing\r\ncampaign by Cloaked Ursa. Examining the file, we found that its lure was consistent with the previous campaign.\r\nSpecifically, the lure contained the same language and a similar link to an EnvyScout dropper hosted on a legitimate domain\r\n(porodicno[.]ba/wp-content/Agenda.html). Where the two campaigns differed was their target. While the first two lures were\r\naddressed to an embassy in Portugal, this third lure was addressed to an embassy in Brazil.\r\nFigure 2. Campaign 2 lure file Agenda.pdf\r\nFinally, in comparing both campaigns, we found that Cloaked Ursa had evolved their use of cloud storage services in their\r\ndelivery tactics. 
Notably, rather than relying solely on the DropBox hosting identified by Cluster25 in early May (campaign 1 still retrieves its EnvyScout file from DropBox),\r\nthese new campaigns incorporated Google Drive storage services as the channel through which the implant uploads victim data and retrieves additional\r\npayloads for the target environment. A detailed analysis of both campaigns follows, starting with the more recent Campaign 2 and then Campaign 1.\r\nRecent Related Cloaked Ursa Campaigns\r\nThe May campaign using Agenda.pdf represents repeat targeting of a particular NATO country. On Jan. 17, 2022, just days\r\nafter the WhisperGate attacks in Ukraine, this NATO country was targeted in a Cloaked Ursa phishing campaign using a lure\r\nwith the subject line of “Note Verbal - Ambassador Absence.”\r\nAdditionally, this is not the first time we have seen Portugal serve as a focus for Cloaked Ursa campaigns. On Feb. 8, 2022,\r\na phishing campaign targeted the Austrian Ministry of Foreign Affairs. This campaign used a lure of “NV - Non-working days\r\nof the Embassy of Portugal” and originated from a potentially compromised Portuguese government email account.\r\nFigure 3. Email to Austrian Ministry of Foreign Affairs.\r\nDays later, on Feb. 17, 2022, another phishing campaign was discovered with a lure of “Embassy closure due to COVID-19.” The text of the email stated that the Embassy of the Republic of Turkey was being transferred to a state of isolation and\r\nwas closing to the public. While the target of that campaign remains unknown, the original email was eventually seen by an\r\nemployee of the Portuguese Ministry of Foreign Affairs who promptly forwarded the malicious email to their embassy staff\r\nin Egypt. Both of these email campaigns contained the malicious EnvyScout dropper.\r\nFigure 4. 
Email to Portuguese Embassy in Egypt.\r\nCampaign 2\r\nBeginning with the most recent spear phishing activity, we analyzed a diplomatic-themed PDF file named Agenda.pdf\r\n(SHA256: ce9802b22a37ae26c02b1f2c3225955a7667495fce5b106113434ab5a87ae28a).\r\nFigure 5. VirusTotal detections for campaign 2 lure file Agenda.pdf\r\nThis PDF document contains information that appears to address a foreign embassy in Brazil while using Brazil's official\r\nlogo and notably misspelling “Brazil” as “Brzail.” The document was created on April 4, 2022, and later modified on June\r\n30, 2022. All three URL links in the document point to an internet-facing web server that is hosting a file named\r\nAgenda.html. This file is EnvyScout, a malicious HTML document. The contents of Agenda.pdf are shown in Figure 6\r\nbelow.\r\nFigure 6. Campaign 2 lure file Agenda.pdf\r\nA high-level overview of campaign 2 is depicted below in Figure 7.\r\nFigure 7. Campaign 2 overview.\r\nEnvyScout – Agenda.html, Malicious HTML File\r\nEnvyScout can be described as an auxiliary tool that is used to further infect the target with the actor's implant. It is used to\r\ndeobfuscate the contents of the secondary malware, which is a malicious ISO file. Because the browser itself reconstructs the file from data embedded in the page, the ISO never crosses the network as a downloadable file; only the HTML and its embedded data do. This technique is known as HTML\r\nSmuggling. In this case, the file Agenda.html is responsible for deobfuscating a payload, and also for writing a malicious\r\nISO file to the intended target hard drive. The payload file is an ISO file named Agenda.iso. It should be noted that the word\r\n“Agenda” is used throughout this attack, starting with the lure file, Agenda.pdf, and then carrying through to the named files\r\non the target's hard drive.\r\nThe deobfuscation of the embedded payload is performed by subtracting 17 from each value of the integer array embedded in the HTML (the payload bytes were stored offset by 17). Once complete, the resulting bytes are\r\nsaved as Agenda.iso.\r\nFigure 8. 
Deobfuscation routine in EnvyScout Campaign 2.\r\nThe saving of the ISO is performed via JavaScript, first by calling navigator.msSaveOrOpenBlob, an Internet Explorer and legacy Edge API that prompts the user to save or open a Blob, the same experience as a user in that browser downloading a file from the internet. In the event this\r\nfails (the API does not exist in current browsers), a second save method is used, console.save, a function defined by the dropper itself rather than a browser API. It wraps the decoded bytes in a Blob and then automatically\r\ndownloads it to the target. At this stage of infection, the user is prompted to open Agenda.iso by double clicking it.\r\nFigure 9. Agenda.html ISO download.\r\nLayers to Code Execution\r\nOnce the ISO has been downloaded, user interaction is required in order to achieve code execution on the victim machine.\r\nThe user must double-click the ISO file and subsequently double-click the shortcut file, Information.lnk, to kick off the\r\nunpacking and infection process.\r\nFigure 10. Layers to Stage 2 payload.\r\nAgenda.iso - Malicious ISO Image\r\nFigure 11. Agenda.iso\r\nAgenda.iso (SHA256: 347715f967da5debfb01d3ba2ede6922801c24988c8e6ea2541e370ded313c8b) is the malicious ISO\r\nfile created by EnvyScout (Agenda.html). At the time of writing, only one vendor on VirusTotal identified this sample as\r\nmalicious. Packaging the payload as an ISO also sidestepped a Windows control at the time: files inside a mounted image did not inherit the Mark-of-the-Web from the downloaded container, so no SmartScreen warning stood between the user and the shortcut.\r\nOnce double-clicked by the user and mounted by the operating system, the following is displayed to the user via Windows\r\nFile Explorer:\r\nFigure 12. Agenda.iso contents; hidden files not enabled.\r\nBy default, Windows File Explorer doesn’t show hidden files. The only file presented is Information.lnk. If “show hidden\r\nitems” is selected, Windows File Explorer displays the following:\r\nFigure 13. Agenda.iso contents; hidden files enabled.\r\nTable 2. 
Agenda.iso embedded file properties – Campaign 2.\r\nAgenda.iso has the following properties:\r\nCreated on: 6/29/2022 3:27:43 PM\r\nLabel: INFO\r\nApplication ID: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!\r\nVolume Set ID: UNDEFINED\r\nInformation.lnk – Microsoft Shortcut File\r\nThis file is responsible for starting the infection chain on the target machine. It has the following properties:\r\nLink CLSID: 00021401-0000-0000-C000-000000000046\r\nCommand line arguments: /k start agenda.exe\r\nIcon location: %windir%/system32/shell32.dll\r\nTarget ansi: %windir%/system32/cmd.exe\r\nCreation, Modified, Accessed: None\r\nMS-PROPSTORE value: 46588ae2-4cbc-4338-bbfc-139326986dce\r\nConverts to: S-1-5-21-2842427291-3266668846-140208303-1103\r\n*Note about the SID in this lnk file. The property store records the SID of the account on the build machine that created the shortcut, and the same SID has been found in other APT29 lure shortcut (lnk) files bundled with Cobalt\r\nStrike, which makes it a useful pivot across the actor's builds.\r\nOnce the shortcut file is double-clicked by the user, cmd.exe is used to execute agenda.exe from the current working directory (the mounted image).\r\nThe /k switch tells cmd.exe to run the command and then remain running; because the command is start agenda.exe, agenda.exe is launched as a separate process and cmd.exe does not wait for it to finish.\r\nAgenda.exe – Adobe Executable\r\nAgenda.exe is part of Adobe software, and is originally named WCChromeNativeMessagingHost.exe. It is digitally signed\r\nby Adobe, Inc., and is being used to evade detection from endpoint protection and antivirus software by abusing the trust of\r\ndigitally signed applications: the signed, legitimate executable loads an attacker-supplied DLL placed beside it. The technique is commonly referred to as DLL Side Loading.\r\nVcruntime140.dll – DLL loaded by agenda.exe\r\nVcruntime140 is a dependency file for agenda.exe. Because it sits in the same directory as agenda.exe, which the DLL search order consults before the system directories, Windows loads this copy rather than the system one,\r\nmaking the APIs it contains available to agenda.exe. Vcruntime140.dll is a common runtime library for Microsoft Visual Studio\r\n(Visual C++) versions 2015/2017/2019. 
Visual C++ runtime libraries are used for running programs developed in Microsoft\r\nVisual Studio. However, this file is not the legitimate Microsoft file, as it has been altered to load the actor’s malicious DLL,\r\nvctool140.dll. Hijacking a common library file, such as vcruntime140.dll, avoids obvious detection, as one would assume\r\nthe file is legitimate from its name alone; the giveaway is that an altered copy cannot carry a valid Microsoft signature, so verifying the signatures of DLLs loaded by signed binaries is the check that catches it.\r\nVctool140.dll – DLL loaded by vcruntime140.dll\r\nVctool140.dll is the actor’s core file. It searches for a payload file named underscore (_), decompresses it in memory into a\r\n.Net x64 executable and loads it. The file compression algorithm is Microsoft Zip (MSZIP), which requires the dependency\r\nfile of cabinet.dll. Cabinet.dll is a Microsoft Windows library that is used to decompress Windows cabinet files, and it is\r\ntypically installed on all Windows operating systems.\r\nThe technical details of how code execution is achieved are beyond the scope of this blog. In summary, it is achieved by\r\ninstantiating the .Net Common Language Runtime (CLR) and using the ICorRuntimeHost interface to execute the loaded\r\nassembly; in other words, the unmanaged loader hosts the CLR itself, so the managed payload never touches disk. The in-memory code is an x64 .Net binary that is named\r\nGoogleDrive.\r\nPayload – GoogleDrive\r\nThe decompressed payload is a .Net x64 executable named GoogleDrive. It has the following\r\nproperties:\r\nFigure 14. GoogleDrive metadata.\r\nIt was compiled on June 29, 2022, and masquerades as a Google product. The binary uses the Google Drive API to\r\ncommunicate with a Google account for uploads and downloads to a Google Drive share. 
It uses the following hard-coded OAuth credentials to\r\nauthenticate to Google's services:\r\nClient_Id = 477421423157-doqkohd8ihvnpgtsnbld4e4kd1lbs01b.apps.googleusercontent.com\r\nClient_Secret = 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\r\nRefresh_Token = 1//0czAXEdbKrikVCgYIARAAGAwSNwF-L9IrjcOVo9aYPFogMEutV6W3cSJMh195N7Ty2cHvtpXf3FNQ9QKDHwN5SKG9FmrMSw5fnsI\r\nBecause the refresh token is embedded, the implant obtains access tokens without any interactive login, and all of its traffic is ordinary TLS to Google's API endpoints, which is what lets it blend in. An example of the Google Drive authentication exchange is shown below:\r\nFigure 15. GoogleDrive authentication.\r\nThe sample has the following PDB string:\r\nFigure 16. PDB string.\r\nOnce authenticated with Google, the following events occur:\r\n1. For runtime persistence, checks if a value named AgendaE exists under the Run key:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\r\n2. If the value does not exist, it is created with the following data, and the supporting files are copied:\r\n1. C:\\Users\\[USERNAME]\\AppData\\Roaming\\agenda.exe\r\n2. Copies the following files to C:\\Users\\[USERNAME]\\AppData\\Roaming\\\r\n1. _\r\n2. agenda.exe\r\n3. vcruntime140.dll\r\n4. vctool140.dll\r\n3. Generates a random number.\r\n4. Retrieves the username from the running process.\r\n5. Computes the SHA256 of the username.\r\n6. Retrieves information from the victim such as: running processes, machine name and network IP information.\r\n7. Encrypts the data collected in step 6 via the following:\r\n1. XOR encrypt using a 44-byte key of\r\n0x8F380CDA296F34DE27697A1A53051849B69D59E528D7E669F17CF8D3CF220B6696DA776534401C8A0F0C31C6\r\n2. Base64-encodes the XOR output.\r\n8. Uploads the data collected from step 7 to the Google Drive share with a unique client ID and a .txt file extension.\r\n9. Creates a comment for the file uploaded in step 8.\r\n10. Checks to see if any files are available to download for the current user ID.\r\n1. If any files exist, download them – these are payloads.\r\n2. Payload files are AES-CBC encrypted.\r\n1. 
AES key: 0x9ECD936FE845D4B20175880E74410851EC3DB30412CB0E57BA6A8E958CB87E21 (32 bytes, i.e. AES-256)\r\n2. AES IV: 0x4F083C8599B2F330694A38CA9741409C (16 bytes)\r\n3. Payloads are .Net assembly files. Because key and IV are static and embedded in the sample, any payload recovered from the share can be decrypted offline.\r\n11. Loads and executes the downloaded payload file in memory.\r\n12. Finishes.\r\nCampaign 1\r\nFor the first campaign observed in late May 2022, the target was a NATO country’s Ministry of Foreign Affairs. Similar to\r\nthe campaign described above, this campaign also used lure files named Agenda.pdf. While two files were delivered to the\r\nintended target, this section analyzes the execution flow for the sample with SHA256\r\na0bdd8a82103f045935c83cb2186524ff3fc2d1324907d9bd644ea5cefacbaaf.\r\nFigure 17. VirusTotal detections for campaign 1 lure file Agenda.pdf\r\nThis sample was sent to the target on May 24, 2022 with the following information:\r\nEmail Sender: matysovi@seznam[.]cz\r\nEmail Subject: Meeting request - Ambassador of Portugal\r\nSource IP: 77.75.78[.]212\r\nSource Country: Czech Republic (CZ)\r\nThis PDF document contains information that appears to address a foreign nation’s embassy in Portugal, and even uses an\r\nofficial Portuguese government logo. The document was created on April 4, 2022, and later modified on May 24, 2022. All\r\nthree URL links in the document point to a DropBox URL that is hosting a file named Agenda.html. Similar to the\r\ncampaign above, Agenda.html is EnvyScout, a malicious HTML document. The contents of Agenda.pdf are shown in Figure\r\n18 below.\r\nFigure 18. Campaign 1 lure file Agenda.pdf\r\nA high-level overview of campaign 1 is depicted in Figure 19 below.\r\nFigure 19. Campaign 1 overview.\r\nThe naming convention for the files involved in both campaigns is the same. 
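Both campaigns' artifacts can be worked on offline with the same two byte transforms described above: the EnvyScout array is decoded by subtracting the per-campaign constant (17 for campaign 2, 13 for campaign 1) from every element, and the host-survey blob the implant uploads is the XOR of the collected data under the per-campaign key followed by Base64 (steps 7 and 8). The following Python is an added example written for this page; it is not code from the Unit 42 post or from the actor's tooling. It assumes a minimal HTML layout in which the first [...] literal is the payload array (the real Agenda.html is not reproduced here), uses the campaign 2 XOR key as printed above, and runs entirely on constructed sample data.

```python
import base64
import itertools

# Added example for this page; not code from the Unit 42 post or from the
# actor's tooling. Two small decoders for artifacts of these campaigns:
#   1. the EnvyScout (Agenda.html) smuggled ISO, carried as an integer array
#      whose elements were offset by a constant (17 in campaign 2, 13 in
#      campaign 1); the dropper subtracts the constant and saves the result
#      as Agenda.iso;
#   2. the host-survey blob the GoogleDrive implant uploads (XOR with the
#      per-campaign key, then Base64; steps 7 and 8 above).
# Nothing here contacts Google Drive; all inputs in demo() are constructed.

ENVYSCOUT_DELTA = {'campaign1': 13, 'campaign2': 17}

# 44-byte XOR key of the campaign 2 sample, as printed above. The campaign 1
# key listed later on the page can be passed to the same functions.
XOR_KEY_CAMPAIGN2 = bytes.fromhex(
    '8F380CDA296F34DE27697A1A53051849B69D59E5'
    '28D7E669F17CF8D3CF220B6696DA776534401C8A0F0C31C6')


def deobfuscate_envyscout(values, delta):
    # Reverse the dropper's transform: subtract the per-campaign constant
    # from every element; the modulo keeps each result a valid byte.
    return bytes((v - delta) % 256 for v in values)


def extract_envyscout_array(html):
    # Pull the integer array out of the smuggling script. Layout assumed by
    # this example (not a description of the real Agenda.html): the first
    # [...] literal in the document is the payload, e.g. var data = [90, 75];
    start = html.index('[')
    end = html.index(']', start)
    return [int(x) for x in html[start + 1:end].split(',') if x.strip()]


def xor_bytes(data, key):
    # Repeating-key XOR; the key is cycled over the whole input.
    return bytes(b ^ k for b, k in zip(data, itertools.cycle(key)))


def encode_collected_data(plaintext, key):
    # Implant side (steps 7 and 8): XOR, then Base64, before the .txt upload.
    return base64.b64encode(xor_bytes(plaintext, key)).decode('ascii')


def decode_collected_data(blob, key):
    # Analyst side: turn a .txt recovered from the Drive share back into the
    # collected host data. XOR is its own inverse, so the same key is used.
    return xor_bytes(base64.b64decode(blob), key)


def build_smuggling_array(payload, delta):
    # Emit the kind of offset array a dropper embeds (each byte plus delta),
    # so the decoder can be exercised offline without a real Agenda.html.
    return 'var data = [' + ','.join(str(b + delta) for b in payload) + '];'


def demo():
    # Constructed stand-ins, not real campaign data.
    iso_bytes = b'constructed stand-in for Agenda.iso'
    html = build_smuggling_array(iso_bytes, ENVYSCOUT_DELTA['campaign2'])
    recovered = deobfuscate_envyscout(extract_envyscout_array(html),
                                      ENVYSCOUT_DELTA['campaign2'])
    report = b'host=WS01;user=alice;ip=10.0.0.5'
    blob = encode_collected_data(report, XOR_KEY_CAMPAIGN2)
    return {
        'iso_roundtrip': recovered == iso_bytes,
        'blob': blob,
        'blob_roundtrip': decode_collected_data(blob, XOR_KEY_CAMPAIGN2) == report,
    }


if __name__ == '__main__':
    print(demo())
```

Run it directly to see both round trips. To decode a real upload recovered from the Drive share, pass the file contents and the matching key to decode_collected_data; for campaign 1, substitute the XOR key listed further down and the constant 13 in deobfuscate_envyscout.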
For brevity, we will focus on the differences\r\nbetween the two campaigns.\r\nAgenda.html (SHA256: cbe92abb2e275770fdff2e9187dee07cce1961b13c0eda94237aceeb06eefbbd) is a malicious HTML\r\nfile (EnvyScout) that is hosted on DropBox and is structurally identical to the file used in campaign 2, apart from the embedded payload bytes and the\r\ndeobfuscation routine that is used to build the malicious ISO file. In campaign 1, the malicious ISO file is generated by\r\nsubtracting 13 from each value (instead of 17), as shown below.\r\nFigure 20. Deobfuscation routine in EnvyScout campaign 1.\r\nThe deobfuscated payload, agenda.iso (SHA256:\r\nde06cf27884440f51614a41623a4b84e0cb3082d6564ee352f6a4d8cf9d92ec5) has the same file names and hidden file\r\nattributes as campaign 2. However, the Windows shortcut file is now named Agenda.lnk versus Information.lnk. A complete\r\nfile listing is shown below in Table 3.\r\nTable 3. Agenda.iso embedded file properties - Campaign 1.\r\nAgenda.iso has the following properties:\r\nCreated on: 5/24/2022 1:56:19 PM\r\nLabel: AGENDA\r\nApplication ID: IMGBURN V2.5.8.0 - THE ULTIMATE IMAGE BURNER!\r\nVolume Set ID: UNDEFINED\r\nOnce a user double-clicks the Windows shortcut file, Agenda.lnk, the same runtime artifacts occur as in campaign 2, as\r\ndepicted below:\r\nFigure 21. Depiction of runtime artifacts.\r\nThe underscore file is the MSZIP compressed payload. It is loaded in memory by the actor’s loader, vctool140.dll. Once\r\ndecompressed, it is the same code base as in campaign 2, a Google Drive x64 .Net binary. 
The differences between this\r\nGoogle Drive binary and campaign 2 are:\r\nIt was compiled on May 24, 2022.\r\nFor persistence, it creates the Run value AdobeUpdate (instead of AgendaE):\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobeUpdate\r\nIt uses a different OAuth client and refresh token for the Google Drive account:\r\nClientId: 891757970989-9ejifbns5l2to04dtp4uofsi1jtuuftk.apps.googleusercontent.com\r\nClientSecret: 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\r\nRefreshToken: 1//09QkhnFYvBS_uCgYIARAAGAkSNwF-L9IrMBe27bDvHC1mqbkHJ3_W4xZRd2sT8G04lbff4U_fFBIrvYKtWQ1CJKm4FxPnfHUGFAI\r\nXOR key:\r\n0xDDE5C7BB5B3A13E63A46D9BA9586B86A0BFAE23B6160DF7B14DE5AF187A96F15686034B506EE787E886238\r\nAES-CBC key: 0x5F7C003E182BBC08B66717894AC934E54FDA2C809391A3FC09CDB7563B707811\r\nAES IV: 0x4E8E525004C2DBFFFED47E9C087EBA4C\r\nBoth samples share the same PDB string:\r\nFigure 22. PDB string.\r\nConclusion\r\nCloaked Ursa has been attributed to Russia’s Foreign Intelligence Service (SVR) by both the United States and the United\r\nKingdom. Over the past six months, they have launched several phishing campaigns targeting foreign diplomatic missions.\r\nSince early May, Cloaked Ursa has continued to evolve their abilities to deliver malware using popular online storage\r\nservices. Their two most recent campaigns demonstrate their sophistication and their ability to obfuscate the deployment of\r\ntheir malware through the use of DropBox and Google Drive services. 
This is a new tactic for this actor and one that proves\r\nchallenging to detect due to the ubiquitous nature of these services and the fact that they are trusted by millions of customers\r\nworldwide.\r\nWe encourage all organizations to review their email policies and the IoCs provided in this report in order to address this\r\nthreat.\r\nSpecial thanks to Google’s Threat Analysis Group (TAG) and DropBox for their collaboration and support for this research.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber\r\nThreat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to\r\nsystematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nProtections and Mitigations\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this group:\r\nWildFire cloud-based threat analysis service accurately identifies the known samples as malicious.\r\nThreat Prevention provides protection against Cobalt Strike Beacon traffic.\r\nAdvanced URL Filtering and DNS Security identify domains associated with this group as malicious.\r\nCortex XDR prevents the execution of the known malware samples and also prevents the execution of Cobalt\r\nStrike using Behavioral Threat Protection.\r\nIf you think you may have been impacted or have an urgent matter, get in touch with the Unit 42 Incident Response team or\r\ncall:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nIndicators of Compromise\r\nLure File Samples (PDFs):\r\nCE9802B22A37AE26C02B1F2C3225955A7667495FCE5B106113434AB5A87AE28A\r\nF9B10323B120D8B12E72F74261E9E51A4780AC65F09967D7F4A4F4A8EABC6F4C\r\nA0BDD8A82103F045935C83CB2186524FF3FC2D1324907D9BD644EA5CEFACBAAF\r\nISO File 
Samples:\r\n347715F967DA5DEBFB01D3BA2EDE6922801C24988C8E6EA2541E370DED313C8B\r\nDE06CF27884440F51614A41623A4B84E0CB3082D6564EE352F6A4D8CF9D92EC5\r\nEnvyScout Samples (HTML Files):\r\n0ED71B0F4F83590CCA66C0C9E9524A0C01D7A44CF06467C3AE588C1FE5B13118\r\nCBE92ABB2E275770FDFF2E9187DEE07CCE1961B13C0EDA94237ACEEB06EEFBBD\r\nMalicious DLLs:\r\nA018F4D5245FD775A17DC8437AD55C2F74FB6152DD4FDF16709A60DF2A063FFF\r\n9230457E7B1AB614F0306E4AAAF08F1F79C11F897F635230AA4149CCFD090A3D\r\nFBA3A311A4C0A283753B5A0CDCADD3FE19F5A1174F03CB966F14D04BBF3D73EE\r\nCompressed Payload Files (Underscore Files):\r\n09F0EA9B239385EB22F794DCECAEC1273BE87F3F118A2DA067551778971CA677\r\n56CFFE5E224ACBE5A7E19446238E5BB9110D9200B6B1EA8B552984D802B71547\r\nDecompressed in-memory payload:\r\n295452A87C0FBB48EB87BE9DE061AB4E938194A3FE909D4BCB9BD6FF40B8B2F0\r\nBC9AD574C42BC7B123BAAAFB3325CE2185E92E46979B2FAADDD4BC80DDFAC88A\r\nInfrastructure linked to samples:\r\nporodicno[.]ba/wp-content/Agenda.html\r\nwethe6and9[.]ca/wp-content/Agenda.html\r\ndropbox[.]com/s/raw/dhueerinrg9k97k/agenda.html\r\nCobalt Strike C2s:\r\ncrossfity[.]com\r\ntechspaceinfo[.]com\r\nCobalt Strike IPs:\r\n185.47.128[.]39\r\n31.31.74[.]79\r\nRegistry Keys:\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\AgendaE\r\nHKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\AdobeUpdate\r\nEmail Senders:\r\nmatysovi@seznam[.]cz\r\nEmails:\r\n761ED73512CB4392B98C84A34D3439240A73E389F09C2B4A8F0CCE6A212F529C\r\n4C1ED0F6470D0BBE1CA4447981430E8CEB1157D818656BE9C8A992C56C10B541\r\nXQL Hunting Queries for Cortex XDR\r\nQuery 1:\r\n// Description: Detect execution of legitimate Adobe binary renamed to Agenda.exe and abused for DLL Side Loading\r\ndataset = xdr_data\r\n| filter\r\n    event_type = PROCESS and\r\n    (\r\n        action_process_signature_vendor = \"Adobe Inc.\" or\r\n        
action_process_signature_vendor contains \"Adobe Systems\"\r\n    ) and\r\n    action_process_image_name = \"Agenda.exe\"\r\n| fields agent_hostname, actor_effective_username, actor_process_image_path, actor_process_command_line,\r\naction_process_image_path, action_process_signature_vendor, action_process_signature_status,\r\naction_process_image_command_line\r\nQuery 2:\r\n// Description: Search for registry key indicator matches\r\ndataset = xdr_data\r\n| filter event_type = ENUM.REGISTRY and action_registry_key_name contains\r\n\"\"\"\\\\SOFTWARE\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\"\"\" and\r\n    (\r\n        action_registry_value_name = \"AgendaE\" or\r\n        action_registry_value_name = \"AdobeUpdate\"\r\n    )\r\n| fields event_type, event_sub_type, agent_hostname, actor_effective_username, actor_process_command_line,\r\naction_registry*\r\nQuery 3:\r\n// Description: Search for SHA256, IP, or domain indicator matches\r\ndataset = xdr_data | filter\r\naction_file_sha256 in\r\n(\"09F0EA9B239385EB22F794DCECAEC1273BE87F3F118A2DA067551778971CA677\",\"56CFFE5E224ACBE5A7E19446238E5BB9110D9200\r\nOR\r\naction_module_sha256 in\r\n(\"09F0EA9B239385EB22F794DCECAEC1273BE87F3F118A2DA067551778971CA677\",\"56CFFE5E224ACBE5A7E19446238E5BB9110D9200\r\nOR\r\ndst_action_external_hostname ~=\".*crossfity.com|.*techspaceinfo.com\" OR\r\ndns_query_name ~=\".*crossfity.com|.*techspaceinfo.com\" OR\r\naction_external_hostname ~=\".*crossfity.com|.*techspaceinfo.com\" OR\r\naction_remote_ip in (\"185.47.128.39\",\"31.31.74.79\")\r\n| fields agent_hostname, agent_version,causality_actor_process_image_path, actor_process_image_path, action_file_path, action_file_sha256, action\r\nSource: https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cloaked-ursa-online-storage-services-campaigns/"
	],
	"report_names": [
		"cloaked-ursa-online-storage-services-campaigns"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2ed8d590-defa-4873-b2de-b75c9b30931e",
			"created_at": "2023-01-06T13:46:38.730137Z",
			"updated_at": "2026-04-10T02:00:03.08136Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"TEMP.Zagros",
				"Seedworm",
				"COBALT ULSTER",
				"G0069",
				"ATK51",
				"Mango Sandstorm",
				"TA450",
				"Static Kitten",
				"Boggy Serpens",
				"Earth Vetala"
			],
			"source_name": "MISPGALAXY:MuddyWater",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "156b3bc5-14b7-48e1-b19d-23aa17492621",
			"created_at": "2025-08-07T02:03:24.793494Z",
			"updated_at": "2026-04-10T02:00:03.634641Z",
			"deleted_at": null,
			"main_name": "COBALT ULSTER",
			"aliases": [
				"Boggy Serpens ",
				"ENT-11 ",
				"Earth Vetala ",
				"ITG17 ",
				"MERCURY ",
				"Mango Sandstorm ",
				"MuddyWater ",
				"STAC 1171 ",
				"Seedworm ",
				"Static Kitten ",
				"TA450 ",
				"TEMP.Zagros ",
				"UNC3313 ",
				"Yellow Nix "
			],
			"source_name": "Secureworks:COBALT ULSTER",
			"tools": [
				"CrackMapExec",
				"Empire",
				"FORELORD",
				"Koadic",
				"LaZagne",
				"Metasploit",
				"Mimikatz",
				"Plink",
				"PowerStats"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3c430d71-ab2b-4588-820a-42dd6cfc39fb",
			"created_at": "2022-10-25T16:07:23.880522Z",
			"updated_at": "2026-04-10T02:00:04.775749Z",
			"deleted_at": null,
			"main_name": "MuddyWater",
			"aliases": [
				"ATK 51",
				"Boggy Serpens",
				"Cobalt Ulster",
				"G0069",
				"ITG17",
				"Mango Sandstorm",
				"MuddyWater",
				"Operation BlackWater",
				"Operation Earth Vetala",
				"Operation Quicksand",
				"Seedworm",
				"Static Kitten",
				"T-APT-14",
				"TA450",
				"TEMP.Zagros",
				"Yellow Nix"
			],
			"source_name": "ETDA:MuddyWater",
			"tools": [
				"Agentemis",
				"BugSleep",
				"CLOUDSTATS",
				"ChromeCookiesView",
				"Cobalt Strike",
				"CobaltStrike",
				"CrackMapExec",
				"DCHSpy",
				"DELPHSTATS",
				"EmPyre",
				"EmpireProject",
				"FruityC2",
				"Koadic",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"MZCookiesView",
				"Meterpreter",
				"Mimikatz",
				"MuddyC2Go",
				"MuddyRot",
				"Mudwater",
				"POWERSTATS",
				"PRB-Backdoor",
				"PhonyC2",
				"PowGoop",
				"PowerShell Empire",
				"PowerSploit",
				"Powermud",
				"QUADAGENT",
				"SHARPSTATS",
				"SSF",
				"Secure Socket Funneling",
				"Shootback",
				"Smbmap",
				"Valyria",
				"chrome-passwords",
				"cobeacon",
				"prb_backdoor"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434331,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/682ba94720640cd1ae5a0fc8632d3d40aeb0c951.pdf",
		"text": "https://archive.orkl.eu/682ba94720640cd1ae5a0fc8632d3d40aeb0c951.txt",
		"img": "https://archive.orkl.eu/682ba94720640cd1ae5a0fc8632d3d40aeb0c951.jpg"
	}
}