{
	"id": "2ca9d6d2-6b9e-4d6a-97e8-5340d95007ce",
	"created_at": "2026-04-06T00:07:18.53556Z",
	"updated_at": "2026-04-10T03:37:32.938554Z",
	"deleted_at": null,
	"sha1_hash": "ba1983f00e3d4f0d8ef6ad4352b0114f1da26bae",
	"title": "NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 641499,
	"plain_text": "NOBELIUM’s EnvyScout infection chain goes in the registry, targeting embassies\r\nBy Felix Aimé and Sekoia TDR\r\nPublished: 2022-01-06 · Archived: 2026-04-05 18:02:33 UTC\r\nTable of contents\r\nNew EnvyScout infection chain analysis.\r\nInfrastructure analysis\r\nConclusion\r\nExternal references\r\nTactics, Techniques and Procedures (TTPs)\r\nRelated IOCs\r\nYara rules\r\nSigma rule\r\nRegistry Keys\r\nCobaltStrike configurations\r\nNOBELIUM is another name for the APT29 intrusion set¹, operated by a threat actor allegedly linked to the SVR (the Foreign Intelligence Service of the Russian Federation)². NOBELIUM has historically targeted government organizations, non-governmental organizations, think tanks, military, IT service providers, health technology and research, and telecommunications providers.\r\nDespite the low sophistication level of its phishing campaigns targeting Windows, NOBELIUM is well known for its agility once inside the victim’s network. Its operators are careful and patient, and they master cutting-edge intrusion techniques against the latest Microsoft technologies and services such as AzureAD. For example, NOBELIUM used a home-made passive implant dubbed FoggyWeb to exfiltrate authentication tokens from ADFS servers in a stealthy way³.\r\nNOBELIUM made the headlines a little over a year ago, following the discovery of a sophisticated supply chain attack against the SolarWinds software, compromising thousands with a validator dubbed “SunBurst”⁴. Beyond its impact and its sophistication, the attack – as disclosed by Kaspersky – had an interesting overlap with a backdoor used by TURLA⁴, an intrusion set that has been active for years and known to be allegedly linked to the Russian FSB. A joint operation between two Russian threat actors, or did NOBELIUM have access to the same code base? 
The question remains unanswered today, but it is not the first time that overlaps between these two intrusion sets have emerged⁵.\r\nThroughout 2021 and following the SolarWinds attack, NOBELIUM engaged in spear phishing campaigns using emails and social media messaging. These campaigns didn’t use any exploit to compromise Windows endpoints. They simply relied on malicious HTML attachments – called EnvyScout by Microsoft⁶ – with a pinch of social engineering. When the attachment is opened, the HTML file extracts an ISO file from itself using a technique dubbed HTML Smuggling. The ISO is then downloaded by the victim and automatically mounted on the victim’s workstation, leading at the end of the exploitation chain to the execution of a CobaltStrike beacon.\r\nhttps://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/\r\nPage 1 of 15\n\nNew EnvyScout infection chain analysis.\r\nOn October 21st, 2021, a new EnvyScout HTML file related to the NOBELIUM intrusion set (3d18bc4bfe1ec7b6b73a3fb39d490b64) matched one of our YARA rules on VirusTotal with a detection ratio of 1 on 56.\r\nThe rule was written for the possible obfuscated variants of a JavaScript loop used in the EnvyScout initial file disclosed by Microsoft (32e0940e1715392280d4bdb514d9cf11)⁶.\r\nTable 1. Comparison of the two loops\r\nIt is worth noting that this is not the only resemblance between the two files: both also have the same headers, with the same MOTW comment⁷, such as:\r\nExtract 1. Headers in the 32e0940e and 3d18bc4b files\r\nAs seen during other phishing campaigns reported in open sources, this file uses the “HTML Smuggling” technique to extract a malicious ISO file. By looking at its content, this file seems to have targeted at least one Iranian embassy, as shown below:\r\nFigure 1. 
Message shown to the user by the HTML file 3d18bc4bfe1ec7b6b73a3fb39d490b64.\r\nFollowing this first discovery, another similar HTML file came out in early December (b87073c34a910f20a83c04c8efbd4f43), but this time with no text except the title “Covid information”. The content may have been deleted by the submitters in order to prevent victim identification. However, the next infection chain stage revealed that it targeted at least one Turkish embassy. It is worth noting that these EnvyScout files don’t contain any SMB trap, web bug, telemetry script or redirection to some 0day exploit targeting iOS, as previously seen by Google TAG⁸.\r\nIf we take a look at the ISO files’ metadata, the ISO volume name is the HTA file title and there are some interesting timestamps such as the “Root Directory Create Date” or the “Volume Create Date”. In the first sample, 3d18bc4bfe1ec7b6b73a3fb39d490b64, the timestamp values are 2021:10:20 11:27:18-07:00 (UTC time), whereas in the second sample, which was uploaded a bit later on VirusTotal, the timestamp values are 2021:11:12 09:28:40-08:00 (UTC time).\r\nThese dates indicate the last time that the volume was mounted. This is quite interesting as the ISO files were actually simply extracted and decoded from the HTML files. It therefore seems likely that NOBELIUM built the payloads (or tested its whole attack chain) on these dates. If that is indeed the case, it would mean that the first sample 3d18bc4bfe1ec7b6b73a3fb39d490b64 was created a day before it was uploaded to VirusTotal.\r\nUnlike the previously described NOBELIUM spear-phishing attacks disclosed by Microsoft, the downloaded ISO files no longer contained a malicious DLL and a shortcut aimed at launching that DLL. In both cases, the ISO simply embeds a malicious HTML Application (HTA) file, executing the rest of the exploitation chain. 
For the HTA file corresponding to the first HTML file (3d18bc4bfe1ec7b6b73a3fb39d490b64), the HTA file contains the same message as the HTML file. For the second HTML file (b87073c34a910f20a83c04c8efbd4f43), the HTA file contains a message similar to the first file but this time mentions an “Embassy of the Republic of Turkey”:\r\nFigure 2. The HTA b84c00ae9e7f9684b36d75a1a09f8210 message.\r\nNote the slight typos they made in this message at “transfered” (just like in the first HTML file) and “thes”.\r\nIn both cases, the HTA file contains hidden HTML elements embedding the content of two different registry values. The first registry value carries a shellcode loader written in PowerShell, dedicated to decoding and loading a shellcode contained in the second registry value. Once the values are saved in the registry, the HTA launches a PowerShell command line which loads and executes the content of the first registry key, as shown below:\r\nExtract 2. Extract of the HTA b84c00ae9e7f9684b36d75a1a09f8210.\r\nIt is worth noting that prior to loading the shellcode, the registry keys containing the malicious payloads are deleted, an attempt to hinder forensic analysis. Furthermore, the registry key names differ in the two samples (JavaSoft and MSOffice). In both cases, the shellcode loads and executes in memory a DLL embedded in it. Both DLLs contain dozens of dead exports and are heavily obfuscated in the same manner, with a lot of junk code and fake calls to the Windows API. They are used to decrypt and load an encrypted CS beacon split into seven different parts inside the DLL. In short, they seem to act as the loader dubbed NativeZone (variant 1) as described by Microsoft in their blogpost⁶. 
To summarize, you can see below the full infection chain used in these recent spear phishing attacks:\r\nFigure 3. Infection chain of 3d18bc4bfe1ec7b6b73a3fb39d490b64.\r\nBoth CobaltStrike configurations were extracted easily and can be found in the Appendix. It is interesting to note that the public keys and the user-agent are the same. Furthermore, the user-agent should not be seen often in real corporate environments as it is associated with Windows 8, and you could therefore look for it on your networks for hunting purposes.\r\nTwo different C2s have been extracted: midcitylanews[.]com for the sample targeting Iran and dom-news[.]com for the sample targeting Turkey.\r\nInfrastructure analysis\r\nThe domains midcitylanews[.]com and dom-news[.]com retrieved from the CobaltStrike beacons had been registered more than a year prior to their use by the threat actor, which could indicate that NOBELIUM tried to prevent detection of its malicious domains based on their creation date.\r\nThese domains resolved to VPS IP addresses with their 80 and 443 ports open. They seem to have been configured using an Nginx forwarder configuration for CobaltStrike C2 dubbed “cs2nginx”, available for anyone on GitHub⁹.\r\nHowever, even if the domains were registered a year ago, the associated C2 servers were set up around the end of September 2021. Therefore, this time delta, the use of cs2nginx and the pattern of the typosquatting domains (e.g. the use of the “news” keyword for many of them) can lead to some infrastructure illumination. Here is the infrastructure which can be grabbed by using this heuristic.\r\nTable 3. 
Infrastructure discovered possibly linked to NOBELIUM\r\nIt is interesting to note that, like the infrastructure disclosed by the CERT-FR in December 2021¹⁰, this cluster is distributed across several autonomous systems, which also seems to be one characteristic of NOBELIUM.\r\nDuring this investigation, we found other C2 servers using the same technique and potentially linked to other threat actors or red teams. We decided to publish this list in the appendix for threat hunting purposes in your network.\r\nConclusion\r\nThe infection chain and the indicators shown above suggest that NOBELIUM is associated with this attack campaign. After having burned EnvyScout against Western targets, NOBELIUM seems to reuse this infection chain against other countries. However, due to the low complexity of the infection chain and the previous blog posts covering EnvyScout, it could be, although we write this with very low confidence, just another threat actor copycatting NOBELIUM.\r\nExternal references\r\n¹ Alert (AA21-148A) Sophisticated Spearphishing Campaign Targets Government Organizations, IGOs, and NGOs, CISA, May 28, 2021\r\n² Further TTPs associated with SVR cyber actors, NCSC, May 7, 2021\r\n³ FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor, Microsoft, September 27, 2021\r\n⁴ SUNBURST Additional Technical Details, Mandiant, December 24, 2020\r\n⁵ Sunburst backdoor – code overlaps with Kazuar, Kaspersky, January 11, 2021\r\n⁶ Breaking down NOBELIUM’s latest early-stage toolset, Microsoft, May 28, 2021\r\n⁷ Mark of the Web, Microsoft, May 11, 2015\r\n⁸ How we protect users from 0-day attacks, Google TAG, July 12, 2021\r\n⁹ Cs2modrewrite’s source code on GitHub\r\n¹⁰ Phishing campaigns by the Nobelium intrusion set, CERT-FR, December 6, 2021\r\nTactics, Techniques and Procedures (TTPs)\r\nT1583.001 – 
Acquire Infrastructure: Domains\r\nT1583.003 – Acquire Infrastructure: Virtual Private Server\r\nT1566.001 – Phishing: Spearphishing Attachment\r\nT1566.003 – Phishing: Spearphishing via Service\r\nT1059.001 – Command and Scripting Interpreter: PowerShell\r\nT1204.002 – User Execution: Malicious File\r\nT1027.006 – Obfuscated Files or Information: HTML Smuggling\r\nT1071.001 – Application Layer Protocol: Web Protocols\r\nThe IOCs are provided “as is”. All the IOCs can be downloaded in JSON STIX2.1 and CSV formats on the\r\nSEKOIA.IO Github: https://www.github.com/SEKOIA-IO/Community/tree/main/IOCs\r\nOther domains suspected to use cs2nginx\r\nThese domains are suspected to use cs2nginx. We haven’t been able to link them to NOBELIUM and they could be\r\nrelated to other threats. 
They are provided “as is”, only for hunting purposes in your own network.\r\nYara rules\r\nrule apt_nobelium_powsershell_reg_loader_decoded {\r\n    meta:\r\n        id = \"c8ee9c40-fa28-4b9a-98e8-88ccc4a16091\"\r\n        description = \"Matches the decoded version of the Powershell loader stored in the registry\"\r\n        version = \"1.0\"\r\n        creation_date = \"2021-12-07\"\r\n        modification_date = \"2021-12-07\"\r\n        classification = \"TLP:WHITE\"\r\n        source = \"SEKOIA\"\r\n    strings:\r\n        $x = \"FromBase64String((gp HKCU:\\\\\\\\SOFTWARE\\\\\\\\\"\r\n        $y = \"Remove-ItemProperty HKCU:\\\\\\\\SOFTWARE\\\\\\\\\"\r\n        $z = \"Invoke([IntPtr]::Zero)\"\r\n    condition:\r\n        filesize \u003c 3KB and\r\n        $x and #y == 2 and\r\n        $z at (filesize-22)\r\n}\r\nrule apt_nobelium_hta_reg_dropper {\r\n    meta:\r\n        id = \"9f6a2154-c33a-4c38-9667-7479bf49c310\"\r\n        description = \"Matches HTA dropper file used by NOBELIUM and ISO files containing it\"\r\n        hash = \"054940ba8908b9e11f57ee081d1140cb\"\r\n        hash = \"b7ca8c46dc1bfc1d9cb9ce04a4928153\"\r\n        version = \"1.0\"\r\n        creation_date = \"2021-12-07\"\r\n        
modification_date = \"2021-12-07\"\r\n        classification = \"TLP:WHITE\"\r\n        source = \"SEKOIA\"\r\n    strings:\r\n        $w = \"RegWrite(\" nocase\r\n        $x = { 2b 3d 20 64 6f 63 75 6d 65 6e 74 2e 67 65 74 45 6c 65 6d 65 6e 74 42 79 49 64 28 22 [0-4] 22 29 2e 69 6e 6e 65 72 48 54 4d 4c }\r\n        $y = \"\u003cbody onload=\" nocase\r\n        $z = \"hidden\" nocase\r\n    condition:\r\n        $y and\r\n        (3 \u003c #z) and\r\n        (3 \u003c #x) and\r\n        (1 \u003c #w)\r\n}\r\nrule apt_nobelium_hta_in_iso {\r\n    meta:\r\n        id = \"874ab41b-5c60-4303-8776-e1c10313a401\"\r\n        description = \"Matches ISO file embedding HTA\"\r\n        hash = \"d4fdf63d88da2d59569bb621b18bf5e4\"\r\n        hash = \"cc08a6df151b8879a4969b2e99086b48\"\r\n        version = \"1.0\"\r\n        creation_date = \"2021-12-02\"\r\n        modification_date = \"2021-12-02\"\r\n        classification = \"TLP:WHITE\"\r\n        source = \"SEKOIA\"\r\n    strings:\r\n        $ = \"ImgBurn v2\"\r\n        $ = \"\u003chta:application\"\r\n    condition:\r\n        all of them and\r\n        filesize \u003e 1MB and\r\n        filesize \u003c 3MB\r\n}\r\nrule apt_nobelium_html_smuggling_iso {\r\n    meta:\r\n        id = \"9bd5b626-8ea3-4607-a858-58deff18396c\"\r\n        version = \"1.0\"\r\n        description = \"Detect HTML smuggling with ISO\"\r\n        hash = \"b87073c34a910f20a83c04c8efbd4f43\"\r\n        hash = \"3d18bc4bfe1ec7b6b73a3fb39d490b64\"\r\n        source = \"SEKOIA\"\r\n        creation_date = \"2022-01-02\"\r\n        modification_date = \"2022-01-02\"\r\n        classification = \"TLP:WHITE\"\r\n    strings:\r\n        $ = \"new Blob\"\r\n        $ = \".click();\"\r\n        $ = { 28 [1-20] 2c 22 [1-20] 2e 69 73 6f 22 2c 22 61 70 70 6c 69 63 61 74 69 6f 6e 2f 78 2d 63 64 2d 69 6d 61 67 65 22 29 }\r\n    condition:\r\n        filesize \u003e 1MB and filesize \u003c 2MB and all of them\r\n}\r\nrule apt_nobelium_b64_to_Uint8Array {\r\n    meta:\r\n        id = \"66c9b00b-f021-4115-b9ec-d1e1f491ce72\"\r\n        
description = \"Detect Base64 decode to Uint8Array used in NOBELIUM HTML files\"\r\n        hash = \"3d18bc4bfe1ec7b6b73a3fb39d490b64\"\r\n        version = \"1.0\"\r\n        creation_date = \"2021-12-02\"\r\n        modification_date = \"2021-12-02\"\r\n        classification = \"TLP:WHITE\"\r\n        source = \"SEKOIA\"\r\n    strings:\r\n        $a1 = \"atob(\"\r\n        $l0 = { 20 3c 20 [2-10] 2e 6c 65 6e 67 74 68 3b 20 69 2b 2b 29 7b }\r\n        $l1 = { 5b 69 5d 20 3d 20 [2-10] 2e 63 68 61 72 43 6f 64 65 41 74 28 69 29 3b }\r\n        $a2 = \"new Uint8Array\"\r\n    condition:\r\n        $l0 in (@a1..@a2) and\r\n        $l1 in (@a1..@a2) and\r\n        filesize \u003e 1MB and filesize \u003c 3MB\r\n}\r\nimport \"pe\"\r\nrule apt_nobelium_cs_loader_obfuscation {\r\n    meta:\r\n        id = \"5f21b031-3dc1-4dad-b775-6099bfcb0472\"\r\n        version = \"1.0\"\r\n        description = \"Detect obfuscated CobaltStrike loaders used by NOBELIUM\"\r\n        hash = \"41dd8cee47c036e7e9e92c395c5d1feb\"\r\n        hash = \"4365057ef0c5a9518d95d53eab5995a8\"\r\n        source = \"SEKOIA\"\r\n        creation_date = \"2022-01-04\"\r\n        modification_date = \"2022-01-04\"\r\n        classification = \"TLP:WHITE\"\r\n    strings:\r\n        $j1 = { DD 05 ?? ?? ?? ?? DD 9D }\r\n        $j2 = { C7 85 ?? ?? ?? ?? ?? ?? ?? ?? C7 85 }\r\n        $c1 = { 81 7D ?? FF 00 00 00 0F 8E ?? ?? 
FF FF }\r\n    condition:\r\n        pe.characteristics \u0026 pe.DLL and\r\n        pe.number_of_exports \u003e 20 and\r\n        filesize \u003e 300KB and filesize \u003c 400KB and\r\n        #j1 \u003e 50 and #j2 \u003e 50 and #c1 == 2\r\n}\r\nSigma rule\r\nid: d9114938-6877-48d8-a785-bc07cb7220ff\r\ntitle: PowerShell invoking in the command line a registry value to execute\r\ndescription: Detects a PowerShell execution which grabs a value in the Windows registry to execute it.\r\nreferences:\r\n    - MD5 hash: b84c00ae9e7f9684b36d75a1a09f8210\r\n    - MD5 hash: 054940ba8908b9e11f57ee081d1140cb\r\nstatus: experimental\r\nauthor: 'SEKOIA.IO'\r\ndate: 2022/01/03\r\ntags:\r\n    - attack.t1059.001\r\nlogsource:\r\n    category: process_creation\r\n    product: windows\r\ndetection:\r\n    selection:\r\n        Image|contains: 'powershell'\r\n        CommandLine|contains: 'HKCU'\r\n    selection_iex:\r\n        CommandLine|contains:\r\n            - 'invoke-expression'\r\n            - 'iex'\r\n    selection_gp:\r\n        CommandLine|contains:\r\n            - 'gp'\r\n            - 'Get-ItemProperty'\r\n    condition: selection and selection_iex and selection_gp\r\nlevel: medium\r\nRegistry Keys\r\nHKCU\\SOFTWARE\\MSOffice\\Version\r\nHKCU\\SOFTWARE\\MSOffice\\path\r\nHKCU\\SOFTWARE\\JavaSoft\\Ver\r\nHKCU\\SOFTWARE\\JavaSoft\\Ver2\r\nCobaltStrike configurations\r\nConfiguration of the CobaltStrike beacon launched from the Iranian decoy (from 1768.py, Didier Stevens’ tool):\r\nConfig found: xorkey b’.’ 0x00000000 0x000041f0\r\n
‘midcitylanews.com,/news/update/aaa’\r\n0x000e SpawnTo 0x0003 0x0010 (NULL …)\r\n0x001d spawnto_x86 0x0003 0x0040 ‘%windir%\\\\syswow64\\\\dllhost.exe’\r\n0x001e spawnto_x64 0x0003 0x0040 ‘%windir%\\\\sysnative\\\\dllhost.exe’\r\n0x001f CryptoScheme 0x0001 0x0002 0\r\n0x001a get-verb 0x0003 0x0010 ‘GET’\r\n0x001b post-verb 0x0003 0x0010 ‘POST’\r\n0x001c HttpPostChunk 0x0002 0x0004 0\r\n0x0025 license-id 0x0002 0x0004 1359593325\r\n0x0026 bStageCleanup 0x0001 0x0002 0\r\n0x0027 bCFGCaution 0x0001 0x0002 0\r\n0x0009 useragent 0x0003 0x0100 ‘Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, l\r\n0x000a post-uri 0x0003 0x0040 ‘/form/sent/ppw’\r\n0x000b Malleable_C2_Instructions 0x0003 0x0100 ‘\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x03’\r\n0x000c http_get_header 0x0003 0x0200\r\n Content-Type: text/html\r\n Cache-Control: no-cache\r\n v1.5472\r\n0x000d http_post_header 0x0003 0x0200\r\n !Content-Type: multipart/form-data\r\n Cache-Control: no-cache\r\n /.jpg\r\n0x0036 HostHeader 0x0003 0x0080 (NULL …)\r\n0x0032 UsesCookies 0x0001 0x0002 0\r\n0x0023 proxy_type 0x0001 0x0002 2 IE settings\r\n0x003a 0x0003 0x0080 ‘\\x00\\x05\\x90’\r\n0x0039 0x0003 0x0080 ‘\\x00\\x05p’\r\n0x0037 0x0001 0x0002 0\r\n0x0028 killdate 0x0002 0x0004 0\r\n0x0029 textSectionEnd 0x0002 0x0004 0\r\n0x002b process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE\r\n0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ\r\n0x002d process-inject-min_alloc 0x0002 0x0004 17500\r\n0x002e process-inject-transform-x86 0x0003 0x0100 ‘\\x00\\x00\\x00\\x02\\x90\\x90’\r\n0x002f process-inject-transform-x64 0x0003 0x0100 ‘\\x00\\x00\\x00\\x02\\x90\\x90’\r\n0x0035 process-inject-stub 0x0003 0x0010 ‘\\x0câõTDäy5\\x16µ¯ég¾\\x92U’\r\n0x0033 process-inject-execute 0x0003 0x0080 ‘\\x06\\x00\u0026\\x00\\x00\\x00\\x06ntdll\\x00\\x00\\x00\\x00\\x13RtlUser\r\n0x0034 process-inject-allocation-method 0x0001 0x0002 1\r\n0x0000\r\nGuessing Cobalt Strike version: 4.1+ (max 
0x003a)\r\nConfiguration of the CobaltStrike beacon launched from the Turkish decoy (from 1768.py, Didier Stevens’ tool):\r\n Config found: xorkey b’.’ 0x00000000 0x0000bff0\r\n0x0001 payload type 0x0001 0x0002 8 windows-beacon_https-reverse_https\r\n0x0002 port 0x0001 0x0002 443\r\n0x0003 sleeptime 0x0002 0x0004 60000\r\n0x0004 maxgetsize 0x0002 0x0004 1398104\r\n0x0005 jitter 0x0001 0x0002 30\r\n0x0007 publickey 0x0003 0x0100 30819f300d06092a864886f70d010101050003818d0030818902818100a6be\r\n0x0008 server,get-uri 0x0003 0x0100 ‘dom-news.com,/info/www/robot’\r\n0x000e SpawnTo 0x0003 0x0010 (NULL …)\r\n0x001d spawnto_x86 0x0003 0x0040 ‘%windir%\\\\syswow64\\\\dllhost.exe’\r\n0x001e spawnto_x64 0x0003 0x0040 ‘%windir%\\\\sysnative\\\\dllhost.exe’\r\n0x001f CryptoScheme 0x0001 0x0002 0\r\n0x001a get-verb 0x0003 0x0010 ‘GET’\r\n0x001b post-verb 0x0003 0x0010 ‘POST’\r\n0x001c HttpPostChunk 0x0002 0x0004 0\r\n0x0025 license-id 0x0002 0x0004 1359593325\r\n0x0026 bStageCleanup 0x0001 0x0002 0\r\n0x0027 bCFGCaution 0x0001 0x0002 0\r\n0x0009 useragent 0x0003 0x0100 ‘Mozilla/5.0 (Windows NT 6.2) AppleWebKit/537.36 (KHTML, like\r\n0x000a post-uri 0x0003 0x0040 ‘/assets/image/awd’\r\n0x000b Malleable_C2_Instructions 0x0003 0x0100 ‘\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x03’\r\n0x000c http_get_header 0x0003 0x0200\r\n Content-Type: text/html\r\n Cache-Control: no-cache\r\n .html\r\n Cookie\r\n0x000d http_post_header 0x0003 0x0200\r\n Content-Type: image/jpeg\r\n Accept-Encoding: gzip, deflate\r\n Cache-Control: no-cache\r\n /.png\r\n0x0036 HostHeader 0x0003 0x0080 (NULL …)\r\n0x0032 UsesCookies 0x0001 0x0002 1\r\n0x0023 proxy_type 0x0001 0x0002 2 IE settings\r\n0x003a 0x0003 0x0080 ‘\\x00\\x05\\x90’\r\n0x0039 0x0003 0x0080 ‘\\x00\\x05p’\r\n0x0037 0x0001 0x0002 0\r\n0x0028 killdate 0x0002 0x0004 0\r\n0x0029 textSectionEnd 0x0002 0x0004 0\r\n0x002b 
process-inject-start-rwx 0x0001 0x0002 4 PAGE_READWRITE\r\n0x002c process-inject-use-rwx 0x0001 0x0002 32 PAGE_EXECUTE_READ\r\n0x002d process-inject-min_alloc 0x0002 0x0004 17500\r\n0x002e process-inject-transform-x86 0x0003 0x0100 ‘\\x00\\x00\\x00\\x02\\x90\\x90’\r\n0x002f process-inject-transform-x64 0x0003 0x0100 ‘\\x00\\x00\\x00\\x02\\x90\\x90’\r\n0x0035 process-inject-stub 0x0003 0x0010 ‘\\x0câõTDäy5\\x16µ¯ég¾\\x92U’\r\n0x0033 process-inject-execute 0x0003 0x0080 ‘\\x06\\x00\u0026\\x00\\x00\\x00\\x06ntdll\\x00\\x00\\x00\\x00\\x13RtlUserThre\r\n0x0034 process-inject-allocation-method 0x0001 0x0002 1\r\n0x0000\r\nGuessing Cobalt Strike version: 4.1+ (max 0x003a)\r\nSource: https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.sekoia.io/en/nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies/"
	],
	"report_names": [
		"nobeliums-envyscout-infection-chain-goes-in-the-registry-targeting-embassies"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434038,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ba1983f00e3d4f0d8ef6ad4352b0114f1da26bae.pdf",
		"text": "https://archive.orkl.eu/ba1983f00e3d4f0d8ef6ad4352b0114f1da26bae.txt",
		"img": "https://archive.orkl.eu/ba1983f00e3d4f0d8ef6ad4352b0114f1da26bae.jpg"
	}
}