{
	"id": "6249b272-266e-432b-ba71-2f9552076b4b",
	"created_at": "2026-04-06T00:12:13.328942Z",
	"updated_at": "2026-04-10T03:37:16.748983Z",
	"deleted_at": null,
	"sha1_hash": "797eccc0458f8d7b77899d89a13b2758076a4675",
	"title": "What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 760376,
	"plain_text": "What’s in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia\r\nBy Google Threat Intelligence Group\r\nPublished: 2025-06-18 · Archived: 2026-04-05 16:20:25 UTC\r\nWritten by: Gabby Roncone, Wesley Shields\r\nUPDATE (July 10)\r\nIn late June 2025, Google Threat Intelligence Group (GTIG) discovered continued UNC6293 operations that demonstrate an evolution in the group’s tradecraft. Using similar lure themes as previously observed activity, UNC6293 continued the ASP phishing campaign against prominent academics, critics of Russia, and journalists using different ASP names, potentially as a response to our publication of their tradecraft. In a different campaign, UNC6293 sought to convince targets to link an attacker-controlled device to their Microsoft 365 account through Microsoft’s device code authentication flow.\r\nIn an attempt to continue the ASP campaign, UNC6293 attempted to re-establish contact with specific individuals that had previously engaged with the initial phishing attempts. GTIG observed UNC6293 creating multiple new accounts with similar usernames to ones used previously and already disabled. UNC6293 also used different ASP names in this continuation wave of the campaign. Due to the engagement with their initial campaign, UNC6293 demonstrated a desire to keep the ruse of being State Department employees alive and re-engage with specific individual targets from the previous campaign.\r\nUNC6293 also began to send tailored invitations to virtual meetings through calendar invites. 
These invitations included links to Zoom and Google Meet as well as a Microsoft authentication URL for an attacker-controlled application.\r\nhttps://login.microsoft[.]com/\u003credacted\u003e/oauth2/authorize?client_id=fc45d3d0-d870-4c83-b3f7-08ebca61d3a0\u0026prompt=none\u0026response_mode=form_post\r\nClicking the Microsoft authentication URL starts a redirect chain that includes an actor-controlled domain:\r\nhttps://rediruri[.]app/\u003credacted\u003e\r\nThe attacker-controlled URL is only visible in the browser for a short period of time before it redirects the target to a Microsoft 365 authentication page (Figure 4).\r\nhttps://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia\r\nPage 1 of 5\n\nFigure 4: Microsoft 365 authentication page after redirect\r\nGiven the demonstrated patience, persistence and creativity of this threat actor, GTIG strongly recommends following the mitigations outlined in the initial version of this blog post to protect against any further ASP phishing campaigns from UNC6293 or other threat actors. Social engineering attacks abusing legitimate authentication features are difficult to defend against; as a result, we suggest individuals who may be targeted by this group use Google’s enhanced security resources such as the Advanced Protection Program (APP).\r\nIntroduction\r\nIn cooperation with external partners, Google Threat Intelligence Group (GTIG) observed a Russia state-sponsored cyber threat actor impersonating the U.S. Department of State. From at least April through early June 2025, this actor targeted prominent academics and critics of Russia, often using extensive rapport building and tailored lures to convince the target to set up application-specific passwords (ASPs). Once the target shares the ASP passcode, the attackers establish persistent access to the victim’s mailbox. Two distinct campaigns are detailed in this post. 
This activity aligns with Citizen Lab’s recent research on social engineering attacks against ASPs, another useful resource for high-risk users.\r\nGTIG tracks this activity as UNC6293, a likely Russia state-sponsored cyber actor we assess with low confidence is associated with APT29 / ICECAP. After establishing rapport, the attacker sent phishing lures disguised as meeting invitations, and added spoofed Department of State email addresses on the cc line of the initial outreach to increase the legitimacy of the contact attempt. The initial phishing email itself is not directly malicious, but encourages the victim to respond to set up a meeting.\r\nFigure 1: Keir Giles, a prominent British researcher on Russia, posted this screenshot of an email header with fake U.S. Department of State emails that was part of a UNC6293 campaign\r\nTargets who responded received an email with a benign PDF lure attached. The State Department-themed lure is customized to the target and contains instructions to securely access a fake Department of State cloud environment. This included directing victims to go to https://account.google.com and create an Application Specific Password (ASP) or “app password.” ASPs are randomly generated 16-character passcodes that allow third-party applications to access your Google Account, intended for applications and devices that do not support features like 2-step verification (2SV). To use an ASP you must set it up and provide a name for the application.\r\nIn campaign one, the ASP name suggested in the lure PDF was “ms.state.gov” and in campaign two, we observed a Ukrainian and Microsoft-themed ASP name. After creating the ASP, the attackers directed the target to send them the 16-character code. 
The attackers then set up a mail client to use the ASP, likely with the end goal of accessing and reading the victim’s email correspondence. This method also allows the attackers to have persistent access to accounts.\r\nCampaign | Sender Theme | ASP Name | Attacker Infrastructure Used\r\nCampaign 1 | State Department | ms.state.gov | 91.190.191.117 - Residential proxy\r\nCampaign 2 | Unknown | Ukrainian and Microsoft-themed ASP | 91.190.191.117 - Residential proxy\r\nAttackers logged into victim accounts primarily using residential proxies and VPS servers, in some cases re-using infrastructure to access different victim or attacker accounts. As a result, we were able to connect the two distinct campaigns we observed to the same cluster. We have re-secured the Gmail accounts compromised by these campaigns.\r\nMitigations\r\nGTIG is committed to our mission of understanding and countering advanced threats. We use the results of our research to ensure that Google's products are secure and to protect our users and enterprise customers.\r\nUsers have complete control over their ASPs and may create or revoke them on demand. Upon creation, Google sends a notification to the corresponding account Gmail, recovery email address, and any device signed in with that Google account to ensure the user intended to enable this form of authentication.\r\nGoogle provides enhanced security resources such as the Advanced Protection Program (APP), intended for individuals at high risk of targeted attacks and exposure to other serious threats. 
Opting to use the APP prevents an account from creating an ASP due to the program’s heightened security requirements.\r\nWe are committed to sharing our findings with the security community and with companies and individuals that may have been targeted by these activities, and we hope that improved understanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections across the industry.\r\nLure PDF Document\r\nSHA256: 329fda9939930e504f47d30834d769b30ebeaced7d73f3c1aadd0e48320d6b39\r\nSource: https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia"
	],
	"report_names": [
		"creative-phishing-academics-critics-of-russia"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "cd635054-5cbb-4219-957b-ecf639cf408a",
			"created_at": "2026-01-20T02:00:03.657314Z",
			"updated_at": "2026-04-10T02:00:03.910206Z",
			"deleted_at": null,
			"main_name": "UNC6293",
			"aliases": [],
			"source_name": "MISPGALAXY:UNC6293",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434333,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/797eccc0458f8d7b77899d89a13b2758076a4675.pdf",
		"text": "https://archive.orkl.eu/797eccc0458f8d7b77899d89a13b2758076a4675.txt",
		"img": "https://archive.orkl.eu/797eccc0458f8d7b77899d89a13b2758076a4675.jpg"
	}
}