{
	"id": "c453c993-eeb4-478a-8a9b-070c66971cf5",
	"created_at": "2026-04-06T00:21:22.732336Z",
	"updated_at": "2026-04-10T03:37:32.82569Z",
	"deleted_at": null,
	"sha1_hash": "c6f646f9e30b80638d024a4353f7b418ff18e9a8",
	"title": "Diplomats Beware: Cloaked Ursa Phishing With a Twist",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4344499,
	"plain_text": "Diplomats Beware: Cloaked Ursa Phishing With a Twist\r\nBy Unit 42\r\nPublished: 2023-07-12 · Archived: 2026-04-05 13:27:21 UTC\r\nExecutive Summary\r\nRussia’s Foreign Intelligence Service hackers, which we call Cloaked Ursa (aka APT29, UAC-0004, Midnight\r\nBlizzard/Nobelium, Cozy Bear) are well known for targeting diplomatic missions globally. Their initial access attempts over\r\nthe past two years have predominantly used phishing lures with a theme of diplomatic operations such as the following:\r\nNotes verbale (semiformal government-to-government diplomatic communications)\r\nEmbassies’ operating status updates\r\nSchedules for diplomats\r\nInvitations to embassy events\r\nThese types of lures are generally sent to individuals who handle this type of embassy correspondence as part of their daily\r\njobs. They are meant to entice targets to open the files on behalf of the organization they work for.\r\nRecently, Unit 42 researchers observed instances of Cloaked Ursa using lures focusing on the diplomats themselves more\r\nthan the countries they represent. We have identified Cloaked Ursa targeting diplomatic missions within Ukraine by\r\nleveraging something that all recently placed diplomats need – a vehicle.\r\nWe observed Cloaked Ursa targeting at least 22 of over 80 foreign missions located in Kyiv. 
While we don’t have details on\r\ntheir infection success rate, this is a truly astonishing number for a clandestine operation conducted by an advanced\r\npersistent threat (APT) that the United States and the United Kingdom publicly attribute to Russia’s Foreign Intelligence\r\nService (SVR).\r\nOur assessment that Cloaked Ursa is responsible for these lures is based on the following:\r\nSimilarities to other known Cloaked Ursa campaigns and targets\r\nUse of known Cloaked Ursa TTPs\r\nCode overlap with other known Cloaked Ursa malware\r\nThese unconventional lures are designed to entice the recipient to open an attachment based on their own needs and wants\r\ninstead of as part of their routine duties.\r\nThe lures themselves are broadly applicable across the diplomatic community and thus are able to be sent and forwarded to a\r\ngreater number of targets. They’re also more likely to be forwarded to others inside of an organization as well as within the\r\ndiplomatic community.\r\nOverall, these factors increase the odds of a successful compromise within targeted organizations. While not likely to fully\r\nsupplant diplomatic operations-themed lures, these lures focusing on individuals do provide Cloaked Ursa with new\r\nopportunities and a broader range of susceptible potential espionage targets.\r\nPalo Alto Networks customers receive protections against the types of threats discussed in this article by products including:\r\nCortex XDR\r\nWildFire\r\nCloud-Delivered Security Services for the Next-Generation Firewall, including Advanced URL Filtering and DNS\r\nSecurity\r\nIf you believe you have been compromised, the Unit 42 Incident Response team can provide a personalized response.\r\nBMW for Sale\r\nOne of the most recent of these novel campaigns that Unit 42 researchers observed appeared to use the legitimate sale of a\r\nBMW to target diplomats in Kyiv, Ukraine, as its jumping off point.\r\nThe campaign began with an innocuous and legitimate event. 
In mid-April 2023, a diplomat within the Polish Ministry of\r\nForeign Affairs emailed his legitimate flyer to various embassies advertising the sale of a used BMW 5-series sedan located\r\nin Kyiv. The file was titled BMW 5 for sale in Kyiv - 2023.docx.\r\nThe nature of service for professional diplomats is often one that involves a rotating lifestyle of short- to mid-term\r\nassignments at postings around the world. Ukraine presents newly assigned diplomats with unique challenges, being in an\r\narea of armed conflict between Russia and Ukraine.\r\nhttps://unit42.paloaltonetworks.com/cloaked-ursa-phishing/\r\nPage 1 of 10\n\nHow do you ship personal goods, procure safe accommodations and services, and arrange for reliable personal\r\ntransportation while in a new country? The sale of a reliable car from a trusted diplomat could be a boon for a recent arrival,\r\nwhich Cloaked Ursa viewed as an opportunity.\r\nWe assess that Cloaked Ursa likely first collected and observed this legitimate advertising flyer via one of the email’s\r\nrecipients’ mail servers being compromised, or by some other intelligence operation. Upon seeing its value as a generic yet\r\nbroadly appealing phishing lure, they repurposed it.\r\nTwo weeks later, on May 4, 2023, Cloaked Ursa emailed their illegitimate version of this flyer to multiple diplomatic\r\nmissions throughout Kyiv. These illegitimate flyers (shown in Figure 1) use benign Microsoft Word documents of the same\r\nname as that sent by the Polish diplomat.\r\nFigure 1. Example lure used in BMW campaign (SHA256\r\n311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517).\r\nThe key difference with these illegitimate versions is that if a victim clicks on a link offering “more high quality photos,” a\r\nURL shortener service (either t[.]ly or tinyurl[.]com) will redirect them to a legitimate site. 
This site would have been\r\ncoopted by Cloaked Ursa, resulting in the download of a malicious payload.\r\nWhen a victim attempts to view any of the “high quality photos” (shown in Figure 2) in the download, the malware executes\r\nsilently in the background while the selected image displays on the victim’s screen.\r\nhttps://unit42.paloaltonetworks.com/cloaked-ursa-phishing/\r\nPage 2 of 10\n\nFigure 2. Windows shortcut files masquerading as image files.\r\nFigure 3 illustrates the full execution flow.\r\nFigure 3. Execution flow.\r\nThese pictures are actually Windows shortcut files masquerading as PNG image files.\r\nWe’ve observed two versions of these illegitimate flyers. The only difference between the two is the shortened URL used in\r\neach case. The URLs ultimately redirect the victim to the same coopted site (hxxps://resetlocations[.]com/bmw.htm).\r\nAt the time of this writing, one of the flyer versions (SHA256:\r\n311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517) is detected as malicious by multiple vendors\r\naccording to VirusTotal, while the other version (SHA256:\r\n8902bd7d085397745e05883f05c08de87623cc15fe630b36ad3d208f01ef0596) is not detected. For a full overview of the\r\nmalware, please refer to the Appendix.\r\nOverall, we observed Cloaked Ursa targeting at least 22 of over 80 foreign missions located in Kyiv in this campaign, as\r\nshown in Table 1. The actual number targeted is likely higher. This is staggering in scope for what generally are narrowly\r\nscoped and clandestine APT operations.\r\nKnown Embassies in Kyiv Targeted by Cloaked Ursa in BMW Campaign\r\nAlbania Iraq Norway\r\nhttps://unit42.paloaltonetworks.com/cloaked-ursa-phishing/\r\nPage 3 of 10\n\nArgentina\r\nCanada\r\nCyprus\r\nDenmark\r\nEstonia\r\nGreece\r\nIreland\r\nKuwait\r\nKyrgyzstan\r\nLatvia\r\nLibya\r\nNetherlands\r\nSlovakia\r\nSpain\r\nSudan\r\nTurkey\r\nTurkmenistan\r\nUnited States\r\nUzbekistan\r\nTable 1. 
Known embassy targets of BMW campaign.\r\nFor the activity we observed, Cloaked Ursa used publicly available embassy email addresses for approximately 80% of the\r\ntargeted victims. The remaining 20% consisted of unpublished email addresses not found on the surface web.\r\nThis indicates that attackers likely also used other collected intelligence to generate their victim target list, to ensure they\r\nwere able to maximize their access to desired networks. The majority of the targeted organizations in this campaign were\r\nembassies. However, we also observed Cloaked Ursa targeting both Turkish Ministry of Trade representatives in Ukraine\r\n(via their ticaret[.]gov[.]tr work emails) and their embassy in the BMW campaign.\r\nWhile there were a handful of emails sent directly to individuals’ work addresses within the campaign, the majority of the\r\ntargeted emails consisted of general inboxes for the embassy, such as country.embassy@mfa[.]gov[.]xx. Despite the thought\r\nand detail put into targets for this campaign, at least two of the email addresses contained errors and never reached the\r\nintended targets. Overall, the use of these group inboxes likely increased the odds of the emails being reviewed and passed\r\non to individuals within the embassies looking for transportation.\r\nWith a few of the embassies we observed being targeted, this was done via group emails hosted on free online webmail\r\nservices. While these services offer some protection, they also outsource a portion of the security provided to targeted\r\norganizations and their employees to external entities. 
The use of free online webmail could have the unintended\r\nconsequence of increasing a diplomatic organization’s difficulty in observing and understanding the totality of threats\r\ntargeting it while also increasing its attack surface.\r\nTurkish Diplomats: Humanitarian Assistance for Earthquake\r\nAnother of the novel Cloaked Ursa campaigns we observed likely targeted the Turkish Ministry of Foreign Affairs (MFA)\r\nearlier in 2023, within a February to March timeframe. While we were unable to obtain the malicious email lure associated\r\nwith this campaign, we know that it related to a document that purported to be Turkish MFA guidance on humanitarian\r\nassistance pertaining to the Feb. 21, 2023, earthquake in Turkey. The earthquake in late February further ravaged a region\r\nalready devastated by a massive earthquake two weeks earlier, which ultimately killed more than 50,000 and displaced more\r\nthan 5.9 million people.\r\nWe were able to determine this second campaign targeting the MFA based on a PDF (shown in Figure 4) that was contained\r\nin a downloaded payload (SHA256: 0dd55a234be8e3e07b0eb19f47abe594295889564ce6a9f6e8cc4d3997018839 – for a\r\nfull overview of the malware, please refer to the Appendix).\r\nNot one to let a disaster and the highly sympathetic charge it generates go to waste, Cloaked Ursa likely saw a lure providing\r\nMFA guidance on humanitarian support for this tragedy as a way to ensure a high level of interest from their targets – these\r\nrecipients would feel a patriotic obligation and would understand the MFA’s expectations to support their nation and its\r\nvictims. In addition, given the timely and momentous nature of the lure, it was almost certainly forwarded by concerned\r\nemployees to others in their organization who would be interested in the guidance.\r\nFigure 4. 
Excerpt from Turkish MFA memorandum.\r\nConclusion\r\nDiplomatic missions will always be a high-value espionage target. Sixteen months into the Russian invasion of Ukraine,\r\nintelligence surrounding Ukraine and allied diplomatic efforts are almost certainly a high priority for the Russian\r\ngovernment.\r\nAs the above campaigns show, diplomats should appreciate that APTs continually modify their approaches – including\r\nthrough spear phishing – to enhance their effectiveness. They will seize every opportunity to entice victims into\r\ncompromise. Ukraine and its allies need to remain extra vigilant to the threat of cyber espionage, to ensure the security and\r\nconfidentiality of their information.\r\nRecommendations\r\nTrain newly assigned diplomats and employees to a diplomatic mission on the cybersecurity threats for the region\r\nprior to their arrival. This training should include the specific tactics, techniques and procedures (TTPs) used by\r\nAPTs in that region.\r\nAlways take extra precautions to observe URL redirection when using URL-shortening services.\r\nAlways be cautious of downloads, even from seemingly innocuous or legitimate sites. APTs routinely co-opt\r\nlegitimate sites or services for malicious purposes.\r\nAlways take extra precautions with attachments that require a web browser to open. These types of attachments\r\ninclude the following file extensions: .hta, .htm, .html, .mht, .mhtml, .svg, .xht and .xhtml.\r\nAlways verify file extension types to ensure you are opening the type of file you intend to. If the file extension does\r\nnot match, or if it is attempting to obfuscate its nature, it is very likely malicious.\r\nWhen received as an attachment to an email, or when downloaded from a link within an email, always look for\r\nhidden files and directories in archives such as those with the extensions .zip, .rar, .7z, .tar and .iso. 
The presence of\r\nhidden files or directories could indicate the archive is malicious.\r\nConsider disabling JavaScript as a rule.\r\nPalo Alto Networks customers receive protections against the types of threats discussed in this article by products including:\r\nCortex XDR\r\nWildFire\r\nCloud-Delivered Security Services for the Next-Generation Firewall, including Advanced URL Filtering and DNS\r\nSecurity.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response\r\nteam or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks disclosed this activity to Microsoft and Dropbox.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber\r\nThreat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to\r\nsystematically disrupt malicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nSamples\r\nURLs\r\nhxxp://tinyurl[.]com/ysvxa66c\r\nhxxp://t[.]ly/1IFg\r\nhxxps://resetlocations[.]com/bmw.htm\r\nhxxps://tinyurl[.]com/mrxcjsbs\r\nhxxps://simplesalsamix[.]com/e-yazi.html\r\nhxxps://www.willyminiatures[.]com/e-yazi.html\r\nKnown Email Senders\r\ndawid.tomaszewski@resetlocations[.]com\r\nops.rejon4@kazmierz[.]pl\r\nBMW Payload: Dropbox and MS Graph API Tokens and Secrets\r\nTurkey MFA Payload: Dropbox and MS Graph API Tokens and Secrets\r\nAdditional Resources\r\nEspionage Campaign Linked to Russian Intelligence Services – Cybersecurity Emergency Response Team 
Poland\r\n(CERT.PL)\r\nCloaked Ursa / APT29 Phishing Tweet (March 10, 2023) – Palo Alto Networks, Unit 42\r\nIOCs: Cloaked Ursa / APT29 Phishing Tweet (March 10, 2023) – Palo Alto Networks, Unit 42\r\nRussian APT29 Hackers Use Online Storage Services, DropBox and Google Drive – Palo Alto Networks, Unit 42\r\nAppendix\r\nTechnical Analysis of BMW Campaign\r\nThe hyperlinks found within the malicious BMW 5 for sale in Kyiv - 2023.docx flyers (SHA256:\r\n311e9c8cf6d0b295074ffefaa9f277cb1f806343be262c59f88fbdf6fe242517 and SHA256:\r\n8902bd7d085397745e05883f05c08de87623cc15fe630b36ad3d208f01ef0596) lead to a site\r\n(hxxps://resetlocations[.]com/bmw.htm) that was offline in mid-June, but they originally retrieved a large HTA file\r\n(SHA256: 47e8f705febc94c832307dbf3e6d9c65164099230f4d438f7fe4851d701b580b). This HTA file contains roughly 10\r\nMB of Base64-encoded and XORed data, followed by JavaScript code.\r\nThe JavaScript code would first make a request to the same domain on the URI kll.php, before decoding the embedded data\r\nmentioned above and triggering the browser to download it using msSaveOrOpenBlob, or a mix of createElement and\r\ncreateObjectURL should msSaveOrOpenBlob fail. The downloaded file is assigned the name bmw.iso (SHA256:\r\n79a1402bc77aa2702dc5dca660ca0d1bf08a2923e0a1018da70e7d7c31d9417f), matching the theme seen thus far.\r\nOnce downloaded, execution is reliant on the user clicking the downloaded file, which mounts the disk image to the system\r\nand opens up Windows File Explorer. This reveals nine total files masquerading as images, which are instead LNK shortcut\r\nfiles (shown in the execution flow diagram in Figure 3).\r\nA hidden folder named $Recycle.Bin is created alongside the LNK files. 
This folder contains the real PNG images as well as\r\nthree DLLs, an encrypted payload and a legitimate copy of Microsoft Word named windoc.exe.\r\nIf one of the LNK files is clicked, the following command line is executed. Note that the image name is changed depending\r\non the LNK file clicked:\r\nWhile windoc.exe is not malicious, it does attempt to load several DLLs at runtime and falls victim to DLL hijacking. As a\r\nresult, it will load two of the three DLLs within its current directory, namely APPVISVSUBSYSTEMS64.dll (SHA256:\r\n38f8b8036ed2a0b5abb8fbf264ee6fd2b82dcd917f60d9f1d8f18d07c26b1534) and MSVCP140.dll (SHA256:\r\n706112ab72c5d770d89736012d48a78e1f7c643977874396c30908fa36f2fed7). The third DLL (Mso20Win32Client.dll) does\r\nnot appear to be essential to the malware’s functioning and is added so that windoc.exe runs correctly, similarly to the DLL\r\ndescribed below.\r\nMSVCP140 is not digitally signed, but does not contain any malicious functionality. It appears to only contain a select few\r\nexports from a legitimate copy of MSVCP140. It’s likely that this was included to execute windoc.exe on systems that did\r\nnot have Microsoft Visual C++ Redistributables – at least enough so that it would load APPVISVSUBSYSTEMS64.\r\nAPPVISVSUBSYSTEMS64, on the other hand, is a fairly obfuscated DLL. It leverages a large number of unnecessary\r\nassembly instructions, including the following, likely hindering decompilation efforts and slowing down analysis:\r\nPsllq\r\nEmms\r\nPcmpeqd\r\nPunpckhbw\r\nAPPVISVSUBSYSTEMS64 contains a number of anti-analysis techniques, including the following:\r\nMaking sure its process name is set to windoc.exe\r\nChecking that the system has more than one processor\r\nLeveraging NtQueryObject to search for any existing Debug Objects, to check for the existence of a debugger\r\nIf these checks are all passed, the sample will proceed to open the encrypted payload file found within the ISO file, in this\r\ncase named ojg2.px 
(SHA256: c62199ef9c2736d15255f5deaa663158a7bb3615ba9262eb67e3f4adada14111). Once read\r\ninto memory, it will decrypt the file using an XOR operation, which results in a secondary shellcode layer.\r\nThe shellcode is then injected into the first two active Windows processes that it can inject into, such as taskhost.exe or\r\nsihost.exe, using a technique that is somewhat similar to one previously used by Cloaked Ursa (as recently described by the\r\nMilitary Counterintelligence Service and CERT.PL).\r\nFirst, the shellcode is mapped and copied into the remote process using NtMapViewOfSection before a new remote thread is\r\ncreated in a suspended state using NtCreateThreadEx. The interesting aspect of this injection technique is that instead of the\r\ncreated thread pointing to the shellcode entry point or any Windows API, it is given a start address of a function within the\r\nAPPVISVSUBSYSTEMS64 process. It’s possible that the authors did this to prevent monitoring tools from identifying a\r\nnewly created thread pointing to malicious shellcode.\r\nBefore the thread is resumed with NtResumeThread, APPVISVSUBSYSTEMS64 will use NtGetContextThread and\r\nNtSetContextThread to modify the RCX register (which will contain the thread entry) to point to the entry point of the\r\nshellcode.\r\nFigure 5. Creation of thread pointing to a local function (resolves API) and modification of thread context.\r\nThis results in the resumed thread calling RtlUserThreadStart, which will move the value in the RCX register to R9 before\r\ncalling it, thus triggering the shellcode.\r\nThe goal of the shellcode is to extract the final executable file payload in memory and transfer execution to it. 
This payload\r\nis the final sample in the infection chain and is responsible for handling communication to and from the command and\r\ncontrol (C2) server.\r\nThe final payload contains a large array of obfuscation techniques, including string encryption and junk functions, as well as\r\nmodifying exception handling structures to place “try and except” clauses part way through assembly instructions. This\r\neffectively breaks the instructions when disassembling, as many disassemblers will take these structure values into\r\nconsideration when parsing a binary file. This results in a mangled control flow graph and failed decompilation due to the\r\nmodifications in the exception handling structures.\r\nFor communication, the payload uses both the Microsoft Graph and Dropbox API. Cloaked Ursa has previously leveraged\r\nDropbox as a C2 server. However, Cloaked Ursa’s use of Microsoft Graph API to facilitate C2 communications appears to\r\nbe a relatively new addition to their toolkit.\r\nIn addition to the string encrypted tokens and API keys required to communicate with these platforms, there is another string\r\nthat stands out (shown in Figure 6), used when communicating with the Microsoft Graph API: Teams_test.\r\nFigure 6. String decryption functions used to decrypt core Dropbox and Microsoft Graph API information.\r\nGiven that the Graph API allows for interacting with a number of different Microsoft 365 Services including Microsoft\r\nTeams, it’s possible that this was an initial test for communicating via Teams or the Graph API.\r\nIf communication fails via the Graph API several times, communication via Dropbox is attempted. Several decrypted strings\r\nin the binary provide insight into the use of Dropbox for communication:\r\nPreviously, Cloaked Ursa-linked payloads that communicate with Dropbox had wrapped communications in a packet that\r\nresembled an MP3 file. 
The MP3 magic bytes (ID3\\x04\\x00\\x00\\x00\\x00\\x00#TSSE) were prepended to the encrypted data\r\nand uploaded to Dropbox as an MP3 file.\r\nIn this sample, it appears that they have opted to use BMP files. The threat actor-owned C2 will upload commands to\r\nDropbox that are wrapped in the BMP format. These commands are retrieved by the payload and then parsed, decrypted and\r\nexecuted. Any data that the payload uploads to Dropbox will also be encrypted and wrapped in the BMP format.\r\nIn terms of handled commands, the payload accepts five possible requests from the C2 server, as described in the table\r\nbelow.\r\nCommand Value – Command Description\r\n0 – Inject shellcode into explorer.exe or smartscreen.exe\r\n1 – Execute specified command with CMD.exe\r\n2 – Read from local file\r\n3 – Write data to local file\r\n4 – Spawn and inject code into WerFault.exe\r\nTable 2. Commands handled by sample.\r\nBased on the lack of additional commands, it’s likely this is merely a loader for a further sample. As of mid-June, the\r\nDropbox and Graph API credentials are no longer valid, preventing access to any information that was uploaded to either\r\nplatform.\r\nTechnical Analysis of Turkey Campaign\r\nWe identified an additional sample with similar characteristics to other attributed Cloaked Ursa campaigns, which we\r\nbelieve to have been targeting the Turkish Ministry of Foreign Affairs. We did not observe the lure or lures used in this\r\ncampaign, but we are able to identify the attack chain after the original lure. We assess that the original lure enticed the\r\ntarget to click on hxxps://simplesalsamix[.]com/e-yazi.html. The URL is no longer active, but it originally retrieved an\r\nHTML smuggling file named e-yazi.html (SHA256:\r\ncd4956e4c1a3f7c8c008c4658bb9eba7169aa874c55c12fc748b0ccfe0f4a59a).\r\nThe downloaded file is assigned the name e-yazi.zip. 
(SHA256:\r\n0dd55a234be8e3e07b0eb19f47abe594295889564ce6a9f6e8cc4d3997018839). This sample contains five files.\r\nOnce again, a legitimate WinWord.exe binary was found within the archive, named e-yazi.docx.exe. However, whitespace\r\nwas added between the .docx and .exe, resulting in the file appearing as a document file.\r\nAlongside the WinWord.exe, a file named APPVISVSUBSYSTEMS64.dll (SHA256:\r\n60d96d8d3a09f822ded0a3c84194a5d88ed62a979cbb6378545b45b04353bb37) was present once again, as well as a file named okxi4t.z (SHA256:\r\n03959c22265d0b85f6c94ee15ad878bb4f2956a2b0047733edbd8fdc86defc48). This file is similar to the previously\r\nmentioned ojg2.px in that it contains encrypted shellcode.\r\nOn execution of WinWord.exe, APPVISVSUBSYSTEMS64.dll is sideloaded and (assuming the standard anti-analysis\r\nchecks were passed) it would open and read the data from okxi4t.z before decrypting it and injecting it into the first running\r\nprocess it can.\r\nThe injected shellcode shares a number of similarities with code seen in the BMW-related sample, such as the following:\r\nGeneral execution flow\r\nFunctionality to unhook numerous Windows API calls\r\nIts obfuscation techniques\r\nWe were also able to confirm that the shellcode contained overlaps with the fourth-stage shellcode dropper loader, shown in\r\nFigure 7, as described in the Cloaked Ursa QUARTERRIG malware report by Military Counterintelligence Service and\r\nCERT.PL. The same algorithm and payload structure can be seen within the injected shellcode, as shown in Figure 8, aside\r\nfrom minor differences such as the values of the magic_const and hashed_str.\r\nFigure 7. CERT.PL shellcode structure image. (Source: Figure 10 of the QUARTERRIG Malware Analysis\r\nReport, 2023)\r\nFigure 8. 
Extracted shellcode blob.\r\nThe final payload within this infection chain is somewhat similar to the BMW-linked final payload, in that it leverages both\r\nMicrosoft Graph API and the Dropbox API for C2 communication. Instead of Teams_test being the project name, it’s set to\r\nmytestworkapp1. The hard-coded API tokens are also different from the initially analyzed sample.\r\nSimilar obfuscation was employed within this sample, including string encryption and control flow obfuscation via abusing\r\nthe exception handling structures. However, there are no junk functions added to the sample, resulting in a much smaller file\r\nsize of 498 KB.\r\nIt’s worth noting that the string encryption algorithms appear to line up with those seen within the Cloaked Ursa\r\nSNOWYAMBER and QUARTERRIG malware reports by the Military Counterintelligence Service and CERT.PL. Many of\r\nthe string decryption functions leverage inline assembly keys (as seen in Figure 9), while the rest retrieve keys from the\r\n.rdata directory.\r\nFigure 9. First (left) and second (right) string decryption function types.\r\nIt’s clear that Cloaked Ursa remains dedicated to identifying legitimate platforms to host their C2 servers, based on their\r\nusage of the Microsoft Graph API within these two samples, as well as past reports describing C2 communication via Notion\r\nand Google Drive.\r\nUpdated July 20, 2023, at 12:43 p.m. PT to change UAC-0029 to UAC-0004.\r\nSource: https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/cloaked-ursa-phishing/"
	],
	"report_names": [
		"cloaked-ursa-phishing"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434882,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c6f646f9e30b80638d024a4353f7b418ff18e9a8.pdf",
		"text": "https://archive.orkl.eu/c6f646f9e30b80638d024a4353f7b418ff18e9a8.txt",
		"img": "https://archive.orkl.eu/c6f646f9e30b80638d024a4353f7b418ff18e9a8.jpg"
	}
}