{
	"id": "3c2cd7d0-9c71-4490-951c-341eb2483ac1",
	"created_at": "2026-04-06T00:15:14.803118Z",
	"updated_at": "2026-04-10T03:37:32.769951Z",
	"deleted_at": null,
	"sha1_hash": "730d27db4c4ba8aa1067062f2135ce68d1092e11",
	"title": "Nobelium Returns to the Political World Stage | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 54855,
	"plain_text": "Nobelium Returns to the Political World Stage | FortiGuard Labs\r\nBy Fred Gutierrez\r\nPublished: 2022-02-24 · Archived: 2026-04-05 16:29:33 UTC\r\nNobelium, also known as APT29 and Cozy Bear, is a highly sophisticated group of Russian-sponsored\r\ncybercriminals. Approximately two years ago, countless system administrators and IT teams were forced to work\r\naround the clock to address Nobelium’s attack on SolarWinds. And last year, they similarly targeted numerous IT\r\nsupply chains in the hopes of being able to embed themselves once again deep inside IT networks. But fast\r\nforward to today, and the Nobelium group seems to have shifted their focus. This time, rather than targeting\r\nsoftware solutions, they have begun targeting embassies. While these attacks may not impact the average\r\nWindows computer user, they do have potentially larger political ramifications.\r\nFortiGuard Labs has uncovered evidence that the Nobelium group is impersonating someone associated with the\r\nTurkish embassy in targeted email-based attacks. We will be analyzing one such attack that uses Omicron/Covid-19 as a lure. Those working in or around embassies are urged to be extra diligent when opening emails.\r\nIn this blog, we will highlight techniques and code reuse by Nobelium. We will also highlight the usage of JARM,\r\nwhich is a widely used technology created by Salesforce to fingerprint and track malicious servers.  \r\nAffected Platforms: Windows\r\nImpacted Users: Windows users associated with the targeted embassies\r\nImpact: Compromised machines are under the control of the threat actor\r\nSeverity Level: Medium\r\nThe source email address seems to be a legitimate, albeit compromised email account of a government department\r\nfocused on social affairs. In tracing this, however, this email comes from a French-speaking country in Africa. It is\r\ndisguised as coming from a Turkish embassy and sent to a Portuguese-speaking nation, although it is written in\r\nEnglish.\r\nThe email itself comes with a .HTML file attachment. This file contains malicious JavaScript designed to create\r\nan .ISO file on the user’s computer. Figure 2 shows some similarities between a previous Nobelium attack and this\r\ncurrent version.\r\nThe original HTML Smuggling attack conducted by Nobelium used EnvyScout to convert a text blob into an .ISO\r\nfile. EnvyScout is one of the toolsets used as a dropper in spearphishing attacks by this APT group. As seen in\r\nFigure 2, both samples used an application type of “x-cd-image.” This part of the attack has changed very little.\r\nHowever, Figure 3 below shows the function used to create the .ISO file has been streamlined from previous\r\niterations.\r\nOnce the .ISO file has been created on the user’s machine, the attack requires a user to open the file. By default,\r\nopening an .ISO file on modern versions of Windows causes it to mount the file on the next available drive letter.\r\nOnce mounted, the files can be seen. Figure 4 below shows this part of the attack chain.\r\nhttps://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage\r\nPage 1 of 4\n\nOne of the previous variants of the Nobelium attack was dated almost exactly one year prior to the current attack.\r\nBoth versions contain malicious shortcuts that point to a DLL file. In the current version, the DLL file inside the\r\nbin folder is named “DeleteDateConnectionPosition.dll.”\r\nIn the past, one of the payloads used was a Cobalt Strike beacon, and this is the case in this current version. Given\r\nthe current political situation, it is clearly in Russia’s best interest to know what other governments are thinking,\r\nplanning, and doing, and successful installation of a Cobalt Strike beacon provides a foothold into the embassies\r\nthey are interested in monitoring. To achieve this objective, the shortcut launches the DLL using an export named\r\n“DeleteDateConnectionPosition.”\r\nMany of the exports inside the DLL contain junk code. As such, debugging the malware is faster than statically\r\nanalyzing it. Once completed we discovered a C2 server, as shown below.\r\nAccording to our sources, this server is not a shared server and the IP address only contains the sinitude[.]com\r\ndomain.\r\nJARM Fingerprinting\r\nFor those unfamiliar with JARM, it is a technology developed by Salesforce to fingerprint servers for the purposes\r\nof clustering. Specifically, JARM revolves around a server’s TLS implementation. As further explained by\r\nSalesforce, it is not a secure crypto function, and as a result, it may produce false positives. Nevertheless, it has\r\nbeen a fairly accurate way to group malicious servers into relevant clusters.\r\nThe JARM signature for sinitude[.]com has been found on numerous servers. Many of these servers have also\r\nacted as Cobalt Strike beacon C2 servers. During the course of our investigation, we found that this JARM\r\nsignature was also found on C2 servers associated with the malware family BazarLoader. BazarLoader, among\r\nother things, contains code and application guardrails that makes sure it is not running on a Russian computer.\r\nBy looking at network traffic since the beginning of this year, we found that several IP addresses are connected to\r\nsinitude[.]com. However, our data indicates that only one IP address (back in January) actually created a full\r\nconnection to communicate with the C2. This IP address is located in Kharkiv, the second largest city in Ukraine.\r\nThis Kharkiv IP address itself has communicated with unique malware families and is part of the TOR network.\r\nConclusion\r\nIn this latest attack, Nobelium has used techniques similar to those they have used in the past. Malicious emails\r\nremain the predominant way to infiltrate organizations, and Nobelium takes advantage of that attack vector. The\r\nbiggest difference now is the political landscape. While previous attacks carried out by Nobelium may have been\r\nmore technical in nature, this latest round has far more consequences on the political world stage.  \r\nFortinet Protections\r\nThe FortiGuard Antivirus Service detects and blocks both the .ISO and DLL files as\r\nW64/CobaltStrike_Beacon.A!tr.\r\nThe FortiGuard Antivirus Service detects and blocks the malicious html email attachment as JS/Agent.ONO!tr.\r\nhttps://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage\r\nPage 2 of 4\n\nAll relevant network IOCs are blocked by the WebFiltering client.\r\nMITRE TTPs\r\nInitial Access\r\nPhishing: Spearphishing Attachment T1566.001\r\nExecution\r\nCommand and Scripting Interpreter: JavaScript T1059.007\r\nUser Execution: Malicious File T1204.002\r\nDefense Evasion\r\nBuild Image on Host T1612\r\nDeobfuscate/Decode Files or Information T1140\r\nObfuscated Files or Information: HTML Smuggling T1027.006\r\nCommand and Control\r\nApplication Layer Protocol: Web Protocols T1071.001\r\nImpact\r\nResource Hijacking T1496\r\nIOCs\r\nhttps://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage\r\nPage 3 of 4\n\nFile IOCs\r\nCovid.html (SHA2: A896C2D16CADCDEDD10390C3AF3399361914DB57BDE1673E46180244E806A1D0)\r\nCovid.iso (SHA2: 3CB0D2CFF9DB85C8E816515DDC380EA73850846317B0BB73EA6145C026276948)\r\nDeleteDateConnectionPosition.dll (SHA2:\r\n6EE1E629494D7B5138386D98BD718B010EE774FE4A4C9D0E069525408BB7B1F7)\r\nNetwork IOCs\r\nSinitude[.]com\r\nJARM Signature:  2ad2ad0002ad2ad0002ad2ad2ad2ade1a3c0d7ca6ad8388057924be83dfc6a\r\nLearn more about FortiGuard Labs global threat intelligence and research and the FortiGuard Security\r\nSubscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage\r\nhttps://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/nobelium-returns-to-the-political-world-stage"
	],
	"report_names": [
		"nobelium-returns-to-the-political-world-stage"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434514,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/730d27db4c4ba8aa1067062f2135ce68d1092e11.pdf",
		"text": "https://archive.orkl.eu/730d27db4c4ba8aa1067062f2135ce68d1092e11.txt",
		"img": "https://archive.orkl.eu/730d27db4c4ba8aa1067062f2135ce68d1092e11.jpg"
	}
}