{
	"id": "a8e4dcc5-7232-4a76-a182-0f9fbc69eeaa",
	"created_at": "2026-04-06T00:19:17.229553Z",
	"updated_at": "2026-04-10T13:13:09.449542Z",
	"deleted_at": null,
	"sha1_hash": "879fc1f93ba0a76ce648a23769d5d7b0165adfee",
	"title": "Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1373684,
	"plain_text": "Analysis of cyberattack on U.S. think tanks, non-profits, public sector by\r\nunidentified attackers | Microsoft Security Blog\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2018-12-03 · Archived: 2026-04-05 13:48:53 UTC\r\nReuters recently reported a hacking campaign focused on a wide range of targets across the globe. In the days leading to the\r\nReuters publication, Microsoft researchers were closely tracking the same campaign.\r\nOur sensors revealed that the campaign primarily targeted public sector institutions and non-governmental organizations like\r\nthink tanks and research centers, but also included educational institutions and private-sector corporations in the oil and gas,\r\nchemical, and hospitality industries.\r\nMicrosoft customers using the complete Microsoft Threat Protection solution were protected from the attack. Behavior-based protections in multiple Microsoft Threat Protection components blocked malicious activities and exposed the attack at\r\nits early stages. Office 365 Advanced Threat Protection caught the malicious URLs used in emails, driving the blocking of\r\nsaid emails, including first-seen samples. Meanwhile, numerous alerts in Windows Defender Advanced Threat\r\nProtection exposed the attacker techniques across the attack chain.\r\nThird-party security researchers have attributed the attack to a threat actor named APT29 or CozyBear, which largely\r\noverlaps with the activity group that Microsoft calls YTTRIUM. While our fellow analysts make a compelling case,\r\nMicrosoft does not yet believe that enough evidence exists to attribute this campaign to YTTRIUM.\r\nRegardless, due to the nature of the victims, and because the campaign features characteristics of previously observed\r\nnation-state attacks, Microsoft took the step of notifying thousands of individual recipients in hundreds of targeted\r\norganizations. 
As part of the Defending Democracy Program, Microsoft encourages eligible organizations to participate\r\nin Microsoft AccountGuard, a service designed to help these highly targeted customers protect themselves from\r\ncybersecurity threats.\r\nAttack overview\r\nThe aggressive campaign began early in the morning of Wednesday, November 14. The targeting appeared to focus on\r\norganizations that are involved with policy formulation and politics or have some influence in that area.\r\nhttps://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/\r\nPage 1 of 9\n\nPhishing targets in different industry verticals\r\nAlthough targets are distributed across the globe, the majority are located in the United States, particularly in and around\r\nWashington, D.C. Other targets are in Europe, Hong Kong, India, and Canada.\r\nPhishing targets in different locations\r\nThe spear-phishing emails mimicked sharing notifications from OneDrive and, as noted by Reuters, impersonated the\r\nidentity of individuals working at the United States Department of State. 
If recipients clicked a link on the spear-phishing\r\nemails, they began an exploitation chain that resulted in the implantation of a DLL backdoor that gave the attackers remote\r\naccess to the recipients’ machines.\r\nAttack chain\r\nAnalysis of the campaign\r\nDelivery\r\nThe spear-phishing emails used in this attack resemble file-sharing notifications from OneDrive.\r\nThe emails contain a link to a legitimate, but compromised third-party website:\r\nhxxps://www.jmj.com/personal/nauerthn_state_gov/TUJE7QJl[random string]\r\nThe random strings are likely used to identify distinct targeted individuals who clicked on the link. However, all observed\r\nvariants of this link redirect to a specific link on the same site:\r\nhxxps://www.jmj.com/personal/nauerthn_state_gov/VFVKRTdRSm\r\nWhen users click the link, they are served a ZIP archive containing a malicious LNK file. All files in a given attack have the\r\nsame file name, for example, ds7002.pdf, ds7002.zip, and ds7002.lnk.\r\nInstallation\r\nThe LNK file represents the first stage of the attack. 
It executes an obfuscated PowerShell command that extracts a base64-encoded\r\npayload from within the LNK file itself, starting at offset 0x5e2be and extending 16,632 bytes.\r\nEncoded content in the LNK file\r\nThe encoded payload—another heavily obfuscated PowerShell script—is decoded and executed:\r\nDecoded second script\r\nThe second script carves out two additional resources from within the .LNK file:\r\nds7002.PDF (A decoy PDF)\r\ncyzfc.dat (The first stage implant)\r\nCommand and control\r\nThe first-stage DLL, cyzfc.dat, is created by the PowerShell script in the path %AppData%\\Local\\cyzfc.dat. It is a 64-bit\r\nDLL that exports one function: PointFunctionCall.\r\nThe PowerShell script then executes cyzfc.dat by calling rundll32.exe. After connecting to the first-stage command-and-control server at pandorasong[.]com (95.216.59.92), cyzfc.dat begins to install the final payload by taking the following\r\nactions:\r\n1. Allocate a ReadWrite page for the second-stage payload\r\n2. Extract the second-stage payload as a resource\r\n3. Take a header that is baked into the first payload with a size of 0xEF bytes\r\n4. Concatenate the header with the resource, starting at byte 0x12A.\r\n5. De-XOR the second-stage payload with a rolling XOR (ROR1), starting from key 0xC5.\r\nThe second stage is an instance of Cobalt Strike, a commercially available penetration testing tool, which performs the\r\nfollowing steps:\r\n1. Define a local named pipe with the format \\\\.\\pipe\\MSSE-\u003cnumber\u003e-server, where \u003cnumber\u003e is a random number\r\nbetween 0 and 9897\r\n2. Connect to the pipe and write global data of size 0x3FE00 to it\r\n3. Implement a backdoor over the named pipe:\r\n1. Read from the pipe (maximum 0x3FE00 bytes) to an allocated buffer\r\n2. 
DeXOR the payload onto a new RW memory region, this time with a much simpler XOR key: every 4 bytes are XORed\r\nwith 0x7CC2885F\r\n3. Change the region to RX\r\n4. Create a thread that starts running the payload\r\nThe phase that writes global data to the pipe actually writes a third payload. That payload is XORed with the same\r\nalgorithm used for reading. When decrypted, it forms a PE file with a Meterpreter header, interpreting instructions\r\nin the PE header and moving control to a reflective loader:\r\nThe third payload eventually gets loaded and connects to the command-and-control (C\u0026C) server address that is baked\r\ninto the configuration information in the PE file. This configuration information is de-XORed at the third payload runtime:\r\nThe configuration information itself mostly contains C\u0026C information:\r\nCobalt Strike is a feature-rich penetration testing tool that provides remote attackers with a wide range of capabilities,\r\nincluding escalating privileges, capturing user input, executing arbitrary commands through PowerShell or WMI,\r\nperforming reconnaissance, communicating with C\u0026C servers over various protocols, and downloading and installing\r\nadditional malware.\r\nEnd-to-end defense through Microsoft Threat Protection\r\nMicrosoft Threat Protection is a comprehensive solution for enterprise networks, protecting identities, endpoints, user data,\r\ncloud apps, and infrastructure. By integrating Microsoft services, Microsoft Threat Protection facilitates signal sharing and\r\nthreat remediation across services. 
In this attack, Office 365 Advanced Threat Protection and Windows Defender Advanced\r\nThreat Protection quickly mitigated the threat at the onset through durable behavioral protections.\r\nOffice 365 ATP has enhanced phishing protection and coverage against new threats and polymorphic variants. Detonation\r\nsystems in Office 365 ATP caught behavioral markers in links in the emails, allowing us to successfully block campaign\r\nemails—including first-seen samples—and protect targeted customers. Three existing behavior-based detection algorithms\r\nquickly determined that the URLs were malicious. In addition, Office 365 ATP uses security signals from Windows\r\nDefender ATP, which had a durable behavior-based antivirus detection (Behavior:Win32/Atosev.gen!A) for the second-stage\r\nmalware. If you are not already secured against advanced cyberthreat campaigns via email, begin a free Office 365 E5\r\ntrial today.\r\nSafe Links protection in Office 365 ATP protects customers from attacks like this by analyzing unknown URLs when\r\ncustomers try to open them. Zero-hour Auto Purge (ZAP) actively removes emails post-delivery after they have been\r\nverified as malicious—this is often critical in stopping attacks that weaponize embedded URLs after the emails are sent.\r\nAll of these protections and signals on the attack entry point are shared with the rest of the Microsoft Threat Protection\r\ncomponents. Windows Defender ATP customers would see alerts related to the detection of the malicious emails by Office\r\n365 ATP, as well as the behavior-based antivirus detection.\r\nWindows Defender ATP detects known filesystem and network artifacts associated with the attack. In addition, the actions\r\nof the LNK file are detected behaviorally. 
Alerts with the following titles are indicative of this attack activity:\r\nArtifacts associated with an advanced threat detected\r\nNetwork activity associated with an advanced threat detected\r\nLow-reputation arbitrary code executed by signed executable\r\nSuspicious LNK file opened\r\nNetwork protection blocks connections to malicious domains and IP addresses. The following attack surface reduction rule\r\nalso blocks malicious activities related to this attack:\r\nBlock executable files from running unless they meet a prevalence, age, or trusted list criteria\r\nThrough Windows Defender Security Center, security operations teams could investigate these alerts and pivot to machines,\r\nusers, and the new Incidents view to trace the attack end-to-end. Automated investigation and response capabilities, threat\r\nanalytics, as well as advanced hunting and new custom detections, empower security operations teams to defend their\r\nnetworks from this attack. 
To test how Windows Defender ATP can help your organization detect, investigate, and respond\r\nto advanced attacks, sign up for a free Windows Defender ATP trial.\r\nThe following Advanced hunting queries can help security operations teams search for any related activities within the\r\nnetwork:\r\n//Query 1: Events involving the DLL container\r\nlet fileHash = \"9858d5cb2a6614be3c48e33911bf9f7978b441bf\";\r\nfind in (FileCreationEvents, ProcessCreationEvents, MiscEvents,\r\nRegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)\r\nwhere SHA1 == fileHash or InitiatingProcessSHA1 == fileHash\r\n| where EventTime \u003e ago(10d)\r\n//Query 2: C\u0026C connection\r\nNetworkCommunicationEvents\r\n| where EventTime \u003e ago(10d)\r\n| where RemoteUrl == \"pandorasong.com\"\r\n//Query 3: Malicious PowerShell\r\nProcessCreationEvents\r\n| where EventTime \u003e ago(10d)\r\n| where ProcessCommandLine contains\r\n\"-noni -ep bypass $zk='\r\nJHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGls\r\n//Query 4: Malicious domain in default browser commandline\r\nProcessCreationEvents\r\n| where EventTime \u003e ago(10d)\r\n| where ProcessCommandLine contains\r\n//Query 5: Events involving the ZIP\r\nlet fileHash = \"cd92f19d3ad4ec50f6d19652af010fe07dca55e1\";\r\nfind in (FileCreationEvents, ProcessCreationEvents, MiscEvents,\r\nRegistryEvents, NetworkCommunicationEvents, ImageLoadEvents)\r\nwhere SHA1 == fileHash or InitiatingProcessSHA1 == fileHash\r\n| where EventTime \u003e ago(10d)\r\nThe provided queries check events from the past ten days. 
Change EventTime to focus on a different period.\r\nWindows Defender Research team, Microsoft Threat Intelligence Center, and Office 365 ATP research team\r\nIndicators of attack\r\nFiles (SHA-1)\r\nds7002.ZIP: cd92f19d3ad4ec50f6d19652af010fe07dca55e1\r\nds7002.LNK: e431261c63f94a174a1308defccc674dabbe3609\r\nds7002.PDF (decoy PDF): 8e928c550e5d44fb31ef8b6f3df2e914acd66873\r\ncyzfc.dat (first-stage): 9858d5cb2a6614be3c48e33911bf9f7978b441bf\r\nURLs\r\nhxxps://www.jmj[.]com/personal/nauerthn_state_gov/VFVKRTdRSm\r\nC\u0026C servers\r\npandorasong[.]com (95.216.59.92) (first-stage C\u0026C server)\r\nTalk to us\r\nQuestions, concerns, or insights on this story? Join discussions at the Microsoft community and Windows Defender Security\r\nIntelligence.\r\nFollow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.\r\nSource: https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://cloudblogs.microsoft.com/microsoftsecure/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/"
	],
	"report_names": [
		"analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434757,
	"ts_updated_at": 1775826789,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/879fc1f93ba0a76ce648a23769d5d7b0165adfee.pdf",
		"text": "https://archive.orkl.eu/879fc1f93ba0a76ce648a23769d5d7b0165adfee.txt",
		"img": "https://archive.orkl.eu/879fc1f93ba0a76ce648a23769d5d7b0165adfee.jpg"
	}
}