{
	"id": "e6d0cb11-770e-420b-9a2a-3d034844eca8",
	"created_at": "2026-04-06T00:19:46.974913Z",
	"updated_at": "2026-04-10T03:37:32.631601Z",
	"deleted_at": null,
	"sha1_hash": "e67ab1f6dc798d88e9947c24ecc68db3ed8416a4",
	"title": "Breaking down NOBELIUM’s latest early-stage toolset | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3054337,
	"plain_text": "Breaking down NOBELIUM’s latest early-stage toolset | Microsoft\r\nSecurity Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-05-28 · Archived: 2026-04-05 14:32:47 UTC\r\nAs we reported in earlier blog posts, the threat actor NOBELIUM recently intensified an email-based attack that it\r\nhas been operating and evolving since early 2021. We continue to monitor this active attack and intend to post\r\nadditional details as they become available. In this blog, we highlight four tools representing a unique infection\r\nchain utilized by NOBELIUM: EnvyScout, BoomBox, NativeZone, and VaporRage. These tools have been\r\nobserved being used in the wild as early as February 2021, attempting to gain a foothold on a variety of sensitive\r\ndiplomatic and government entities.\r\nAs part of this blog, Microsoft Threat Intelligence Center (MSTIC) is releasing an appendix of indicators of\r\ncompromise (IOCs) for the community to better investigate and understand NOBELIUM’s most recent operations.\r\nNote: The NOBELIUM indicators of compromise (IOCs) associated with this activity are available in\r\nCSV on the MSTIC GitHub.\r\nUpdate [06/01/2021]: We updated the NOBELIUM IOCs to include MD5 hashes. \r\nThis sophisticated NOBELIUM attack requires a comprehensive incident response to identify, investigate, and\r\nrespond. Get the latest information and guidance from Microsoft at https://aka.ms/nobelium. We have also\r\noutlined related alerts in Microsoft 365 Defender, so that security teams can check to see if activity has been\r\nflagged for investigation.\r\nEach of the NOBELIUM tools discussed in this blog is designed for flexibility, enabling the actor to adapt to\r\noperational challenges over time. 
While its technical specifics are not unprecedented, NOBELIUM’s operational\r\nsecurity priorities have likely influenced the design of this toolset, which demonstrates features that are preferable for an\r\nactor operating in potentially high-risk and high-visibility environments. These attacker security priorities are:\r\nUse of trusted channels: BoomBox is a uniquely developed downloader used to obtain a later-stage\r\npayload from an actor-controlled Dropbox account. All initial communications leverage the Dropbox API\r\nvia HTTPS.\r\nOpportunity for restraint: Consistent with other tools utilized by NOBELIUM, BoomBox, VaporRage,\r\nand some variants of NativeZone conduct some level of profiling on an affected system’s environment.\r\nMSTIC is currently unaware whether these tools benefit from any server-side component. It is plausible that this\r\ndesign may allow NOBELIUM to selectively choose its targets and gain a level of understanding of\r\npotential discovery should the implant be run in environments unfamiliar to the actor.\r\nAmbiguity: VaporRage is a unique shellcode loader seen as the third-stage payload. VaporRage can\r\ndownload, decode, and execute an arbitrary payload fully in-memory. Such design and deployment\r\nhttps://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/\r\nPage 1 of 18\n\npatterns, which also include staging of payloads on a compromised website, hamper traditional artifacts\r\nand forensic investigations, allowing for unique payloads to remain undiscovered.\r\nNOBELIUM is an actor that operates with rapid operational tempo, often leveraging temporary infrastructure,\r\npayloads, and methods to obfuscate their activities. We suspect that NOBELIUM can draw from significant\r\noperational resources that are often showcased in their periodic campaigns. 
Since December, the security\r\ncommunity has identified a growing collection of payloads attributed to the actor, including the GoldMax,\r\nGoldFinder, and Sibot malware identified by Microsoft, as well as TEARDROP (FireEye), SUNSPOT\r\n(CrowdStrike), Raindrop (Symantec) and, most recently, FLIPFLOP (Volexity).\r\nDespite growing community visibility since the exposure of the SolarWinds attack in late 2020, NOBELIUM has\r\ncontinued to target government and diplomatic entities across the globe. We anticipate that as these operations\r\nprogress, NOBELIUM will continue to mature their tools and tactics to target a global audience.\r\nWhile this post focuses on a single wave of the campaign composed of the mentioned four malware families, it\r\nalso highlights variations in the campaign wherein methodologies were altered per wave. The list of indicators in\r\nthe appendix expands beyond this single wave.\r\nEnvyScout: NV.html (malicious HTML file)\r\nNV.html, tracked by Microsoft as EnvyScout, can be best described as a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is chiefly delivered to targets of NOBELIUM by\r\nway of an attachment to spear-phishing emails.\r\nThe HTML \u003cbody\u003e section of NV.html contains four notable components:\r\nComponent #1: Tracking and credential-harvesting URLs\r\nIn one variant of EnvyScout, the \u003cbody\u003e section contains two URLs, as shown above.\r\nThe first, prefixed with a file:// protocol handler, is indicative of an attempt to coax the operating system to send\r\nsensitive NTLMv2 material to the specified actor-controlled IP address over port 445. It is likely that the attacker\r\nis running a credential-capturing service, such as Responder, at the other end of these transactions. 
Later, brute-forcing of these credentials may result in their exposure.\r\nThe second URL, which resolves to the same IP address as the former at the time of analysis, remotely sources an\r\nimage that is part of the HTML lure. This technique, sometimes referred to as a “web bug”, serves as a read\r\nreceipt of sorts to NOBELIUM, validating that the prospective target followed through with opening the malicious\r\nattachment.\r\nComponent #2: FileSaver JavaScript helper code\r\nThe second portion of EnvyScout is a modified version of the open-source tool FileSaver, which is intended to\r\nassist in the writing of files to disk via JavaScript. The code is borrowed directly from the publicly available\r\nvariants with minor alterations, including whitespace removal, conversion of hex parameters to decimal, and\r\nrenamed variables. By combining this code with components #3 and #4 detailed below, NOBELIUM effectively\r\nimplements a methodology known as HTML smuggling. This methodology may circumvent static analysis of\r\nknown malicious file types by obscuring them within dynamically altered content upon execution. When\r\ncombined with dynamic analysis guardrails, this can be an effective way to subvert detections of both types.\r\nComponent #3: Obfuscated ISO file\r\nThe third section of EnvyScout contains a payload stored as an encoded blob. This payload is decoded by XOR’ing\r\neach character with a single-byte key, which then leads to a Base64 payload that is then decoded and written to\r\ndisk via components #2 and #4.\r\nComponent #4: De-obfuscator and dropper script\r\nThe final component of EnvyScout is a short code snippet responsible for decoding the ISO in the Base64\r\nencoded/XOR’d blob, and saving it to disk as NV.img with a mime type of “application/octet-stream”. 
At this stage\r\nof infection, the user is expected to open the downloaded ISO, NV.img, by double-clicking it.\r\nAs Microsoft has been tracking waves of this campaign for months, we have identified various modifications to\r\nthe actor’s toolkit that were not present in every instance of EnvyScout but are nonetheless notable for defenders:\r\nEnvyScout variation #1:\r\nIn some iterations of the actor’s phishing campaigns, EnvyScout contained execution guardrails wherein\r\nwindow.location.pathname was called, and its values were leveraged to ensure that the first two entries in the array\r\nof characters returned were “C” and “:”. If this condition was not met—indicating the sample was not being\r\nexecuted from the C: drive—the embedded ISO was not written to disk.\r\nAs the attacker had gathered qualities from detonations of previous entries in the campaign via the Firebase\r\nfingerprinting JavaScript detailed in a prior blog post, this was assessed to be an execution guardrail to deter\r\nanalysis and dynamic execution of the samples bearing these guardrails. Having witnessed both iterations of\r\nEnvyScout in the wild allows us to infer the intent of some of the information gathered from earlier instances.\r\nEnvyScout variation #2:\r\nIn at least one instance of EnvyScout delivery, we observed further enumeration of the executing browser’s\r\nenvironment, wherein the user-agent was used to determine whether a Windows machine received an ISO\r\n
If the visitor arrived via iOS, they were redirected to external infrastructure.\r\nNV.img (malicious ISO file)\r\nWhen a target user opens NV.img (dropped by EnvyScout) by double-clicking it, the default behavior on Windows\r\n10 is to mount the ISO image at the next available drive letter. Windows Explorer subsequently displays the\r\ncontents of the mounted ISO in a window, similar to what users see when they open folders or compressed\r\narchives.\r\nAs shown above, the mounted ISO contains a single visible file, a shortcut file named NV. However, adjusting the\r\nfile and folder settings in Windows to show hidden files and folders exposes a hidden folder named NV and a\r\nhidden executable named BOOM.exe:\r\nThe user is likely expected to interact with NV.lnk, but manual execution of the hidden file BOOM.exe also results\r\nin the infection of the system. The individual contents of each file are detailed below.\r\nThe use of ISO as a vessel for malicious payloads is further notable due to the lack of mark-of-the-web\r\npropagation to the contents, which may both impact host-based detections and reduce friction to user interaction\r\nwith the contents.\r\nNV.pdf (decoy document)\r\nThe hidden NV directory in the mounted ISO contains a decoy PDF file named NV.pdf which contains a decoy\r\nadvisory:\r\nAs described later in this analysis, the contents of the NV directory are displayed to the user by BOOM.exe.\r\nNV.lnk (malicious shortcut)\r\nNV.lnk is a shortcut/launcher for the hidden file BOOM.exe. 
As shown below, the shortcut leverages a living-off-the-land binary (LOLBin) and technique to proxy the execution of BOOM.exe using the following hardcoded\r\nshortcut target value: C:\\Windows\\System32\\rundll32.exe c:\\windows\\system32\\advpack.dll,RegisterOCX BOOM.exe.\r\nNote that Microsoft also saw a variation of this LNK file containing the following shortcut target value:\r\nC:\\Windows\\System32\\cmd.exe /c start BOOM.exe.\r\nNumerous other LNKs were identified and are referenced in the appendix linked in this post. Methodologies\r\nvaried, as did metadata in the LNKs themselves. For instance, the sample with the SHA-256:\r\n48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 contained a target of\r\n“%windir%/system32/explorer.exe Documents.dll,Open”, while the absolute path in the sample was\r\n“C:\\Windows\\system32\\rundll32.exe”.\r\nAs referenced in Volexity’s blog post on the latest campaign, the LNK metadata was widely removed, and what\r\nremained varied between waves. Icons were often folders, meant to trick targets into thinking they were opening a\r\nshortcut to a folder.\r\nMicrosoft also observed the following targets for known LNK files:\r\nC:\\Windows\\System32\\rundll32.exe IMGMountingService.dll MountImgHelper\r\nC:\\Windows\\System32\\rundll32.exe diassvcs.dll InitializeComponent\r\nC:\\Windows\\System32\\rundll32.exe MsDiskMountService.dll DiskDriveIni\r\nC:\\Windows\\system32\\rundll32.exe data/mstu.dll,MicrosoftUpdateService\r\nBoomBox: BOOM.exe (malicious downloader)\r\nBOOM.exe, tracked by Microsoft as “BoomBox”, can be best described as a malicious downloader. The\r\ndownloader is responsible for downloading and executing the next-stage components of the infection. 
These\r\ncomponents are downloaded from Dropbox (using a hardcoded Dropbox Bearer/Access token).\r\nWhen executed, BoomBox ensures that a directory named NV is present in its current working directory;\r\notherwise it terminates. If the directory is present, BoomBox displays the contents of the NV directory in a new\r\nWindows Explorer window (leaving it up to the user to open the PDF file).\r\nNext, BoomBox ensures that the following file is not present on the system (if so, it terminates):\r\n%AppData%\\Microsoft\\NativeCache\\NativeCacheSvc.dll (this file is covered later in this analysis). BoomBox\r\nperforms enumeration of various victim host qualities, such as hostname, domain name, IP address, and username\r\nof the victim system to compile the following string (using example values):\r\nNext, BoomBox AES-encrypts the host information string above using the hardcoded encryption key\r\n“123do3y4r378o5t34onf7t3o573tfo73” and initialization vector (IV) value “1233t04p7jn3n4rg”. To masquerade\r\nthe data as contents of a PDF file, BoomBox prepends and appends the magic markers for PDF to the AES-encrypted host information string above:\r\nBoomBox proceeds to upload the data above (masquerading as a PDF file) to a dedicated-per-victim-system\r\nfolder in Dropbox. For demonstration purposes, an example HTTP(s) POST request used to upload the file/data to\r\nDropbox is included below.\r\nTo ensure the file has been successfully uploaded to Dropbox, BoomBox utilizes a set of regular expression values\r\nto check the HTTP response from Dropbox. As shown below, the regular expressions are used to check the\r\npresence of the is_downloadable, path_lower, content_hash, and size fields (not their values) in the HTTP\r\nresponse received from Dropbox. 
Notably, BoomBox disregards the outcome of this check and proceeds, even if\r\nthe upload operation is unsuccessful.\r\nNext, BoomBox downloads an encrypted file from Dropbox. For demonstration purposes, an example HTTP(s)\r\nPOST request used to download the encrypted file from Dropbox is shown below.\r\nAfter successfully downloading the encrypted file from Dropbox, BoomBox discards the first 10 bytes from the\r\nheader and 7 bytes from the footer of the encrypted file, and then AES-decrypts the rest of the file using the\r\nhardcoded encryption key “123do3y4r378o5t34onf7t3o573tfo73” and IV value “1233t04p7jn3n4rg”. BoomBox\r\nwrites the decrypted file to the file system at %AppData%\\Microsoft\\NativeCache\\NativeCacheSvc.dll. It then\r\nestablishes persistence for NativeCacheSvc.dll by creating a Run registry value named MicroNativeCacheSvc:\r\nHKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroNativeCacheSvc\r\nThe Run registry value is populated with the following command, which is used to execute NativeCacheSvc.dll\r\nusing rundll32.exe and by calling its export function named “_configNativeCache”:\r\nrundll32.exe %AppData%\\Microsoft\\NativeCache\\NativeCacheSvc.dll _configNativeCache\r\nNext, BoomBox downloads a second encrypted file from the Dropbox path /tmp/readme.pdf, discards the first 10\r\nbytes from the header and 7 bytes from the footer of the encrypted file, and then AES-decrypts the rest of the file\r\n(using the same AES IV and key as above). 
It writes the decrypted file at\r\n%AppData%\\SystemCertificates\\CertPKIProvider.dll and proceeds to execute the previously dropped file\r\nNativeCacheSvc.dll using the same rundll32.exe command as above.\r\nAs the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather\r\ndata such as distinguished name, SAM account name, email, and display name of all domain users via the filter (\u0026\r\n(objectClass=user)(objectCategory=person)).\r\nThe enumerated data is AES-encrypted (using the same IV and key as before), encapsulated in a fake PDF file (as\r\npreviously described), and uploaded to the Dropbox path /new/\u003cVictim_ID\u003e, where \u003cVictim_ID\u003e is the MD5\r\nhash of the victim’s system name, for example: /new/432B65EF29F84E6043A80C15EBA12FD2.\r\nNativeZone: NativeCacheSvc.dll (malicious loader)\r\nNativeCacheSvc.dll, tracked by Microsoft as “NativeZone”, can best be described as a malicious loader responsible\r\nfor utilizing rundll32.exe to load the malicious downloader component CertPKIProvider.dll.\r\nThe malicious functionality of NativeCacheSvc.dll is located inside a DLL export named configNativeCache.\r\nAs shown above, the export function executes rundll32.exe to load\r\n%AppData%\\SystemCertificates\\Lib\\CertPKIProvider.dll by calling its export function named eglGetConfigs.\r\nVaporRage: CertPKIProvider.dll (malicious downloader)\r\nCertPKIProvider.dll, tracked by Microsoft as “VaporRage”, can best be described as a shellcode downloader. 
This\r\nversion of VaporRage contains 11 export functions including eglGetConfigs, which houses the malicious\r\nfunctionality of the DLL.\r\nAs mentioned in the previous section, NativeZone utilizes rundll32.exe to execute the eglGetConfigs export\r\nfunction of CertPKIProvider.dll. Upon execution, the export function first ensures the NativeZone DLL\r\n%AppData%\\Microsoft\\NativeCache\\NativeCacheSvc.dll is present on the system (else it terminates). Next, the\r\nexport function issues an HTTP(s) GET request to a legitimate but compromised WordPress site\r\nholescontracting[.]com. The GET request is composed of dynamically generated and hardcoded values, for\r\nexample:\r\nThe purpose of the GET request is to first register the system as compromised and then to download an XOR-encoded shellcode blob from the WordPress site (only if the system is of interest to the actor). Once successfully\r\ndownloaded, the export function XOR-decodes the shellcode blob (using a hardcoded multi-byte XOR key\r\n“346hrfyfsvvu235632542834”).\r\nIt then proceeds to execute the decoded shellcode in memory by jumping to the beginning of the shellcode blob in\r\nan executable memory region. The download-decode-execute process is repeated indefinitely, approximately\r\nevery hour, until the DLL is unloaded from memory. VaporRage can execute any compatible shellcode provided\r\nby its C2 server, including a Cobalt Strike stage shellcode.\r\nAdditional Custom Cobalt Strike loader from NOBELIUM\r\nAs described in a previous blog, NOBELIUM has used multiple custom Cobalt Strike Beacon loaders (likely\r\ngenerated using custom Artifact Kit templates) to enable their malicious activities. 
These include TEARDROP,\r\nRaindrop, and other custom loaders.\r\nSince our last publication, we have identified additional variants of NOBELIUM’s custom Cobalt Strike loaders.\r\nInstead of assigning a name to each short-lived and disposable variant, Microsoft will be tracking NOBELIUM’s\r\ncustom Cobalt Strike loaders, and the downloaders for those loaders, under the name NativeZone. As seen in previous\r\ncustom NOBELIUM Cobalt Strike loaders, the new loader DLLs also contain decoy export names and functions,\r\nas well as code and strings borrowed from legitimate applications.\r\nThe new NativeZone loaders can be grouped into two variants:\r\nVariant #1: These loaders embed an encoded/encrypted Cobalt Strike Beacon stage shellcode\r\nVariant #2: These loaders load an encoded/encrypted Cobalt Strike Beacon stage shellcode from another\r\naccompanying file (e.g., an RTF file).\r\nIn the succeeding sections, we discuss some of the new NativeZone Cobalt Strike Beacon variants we have\r\nobserved in our investigation.\r\nNativeZone variant #1\r\nSimilar to the previous NOBELIUM custom Cobalt Strike loaders, such as TEARDROP and Raindrop, these\r\nNativeZone loaders are responsible for decoding/decrypting an embedded Cobalt Strike Beacon stage shellcode\r\nand executing it in memory. Some of the NativeZone loaders feature anti-analysis guardrails to thwart analysis of\r\nthe samples.\r\nIn these versions of NativeZone, the actor has used a variety of encoding and encryption methodologies to\r\nobfuscate the embedded shellcode. 
In the example below, the NativeZone variant uses a simple byte-swap decoding algorithm to decode the embedded shellcode:\r\nAnother sample featuring a different decoding methodology to decode the embedded shellcode is shown below:\r\nAnother sample, featuring a de-obfuscation methodology leveraging the AES encryption algorithm to decrypt the\r\nembedded shellcode, is shown below:\r\nYet another NativeZone sample leveraging AES for decrypting an embedded Cobalt Strike shellcode blob is\r\nshown below (note the syntax differences compared to the sample above):\r\nAnother sample featuring a different decoding methodology along with leveraging CreateThreadpoolWait() to\r\nexecute the decoded shellcode blob is below:\r\nBelow is an example of an anti-analysis technique showing the loader checking if the victim system is a VMware or\r\nVirtualBox VM:\r\nNativeZone variant #2\r\nUnlike variant #1, the NativeZone variant #2 samples do not contain the encoded/encrypted Cobalt Strike Beacon\r\nstage shellcode. Instead, these samples read the shellcode from an accompanying file that is shipped with the\r\nsample. For example, one NativeZone variant #2 sample was observed alongside an RTF file. The RTF file\r\ndoubles as both a decoy document and a shellcode carrier file. 
The RTF file contains the proper RTF file structure\r\nand data followed by an encoded shellcode blob (starting at offset 0x658):\r\nWhen the NativeZone DLL is loaded/executed, it first displays the RTF document to the user.\r\nAs mentioned above, the same RTF also contains the encoded Cobalt Strike stage shellcode. As shown below, the\r\nNativeZone DLL proceeds to extract the shellcode from the RTF file (starting at file offset 0x658 as shown\r\nabove), decode the shellcode and execute it on the victim system:\r\nNotes on new and old NOBELIUM PDB paths\r\nThe following example PDB paths were observed in the samples analyzed in this blog:\r\nBoomBox: C:\\Users\\dev10vs\\Desktop\\ProgObj\\BOOM\\BOOM\\BOOM\\obj\\Release\\BOOM.pdb\r\nNativeZone: c:\\users\\devuser\\documents\\visual studio 2013\\Projects\\DLL_stageless\\Release\\DLL_stageless.pdb\r\nNativeZone: C:\\Users\\DevUser\\Documents\\Visual Studio 2013\\Projects\\DLL_stageless\\Release\\DLL_stageless.pdb\r\nNativeZone: C:\\Users\\dev\\Desktop\\나타나게 하다\\Dll6\\x64\\Release\\Dll6.pdb\r\nNote the presence of a ‘dev’ user in the PDB paths above. A ‘dev’ username was previously observed in the PDB\r\npath of a NOBELIUM Cobalt Strike loader mentioned in our previous blog: c:\\build\\workspace\\cobalt_cryptor_far (dev071)\\farmanager\\far\\platform.concurrency.hpp.\r\nComprehensive protections for persistence techniques\r\nThe sophisticated NOBELIUM attack requires a comprehensive incident response to identify, investigate, and\r\nrespond. 
Get the latest information and guidance from Microsoft at https://aka.ms/nobelium.\r\nMicrosoft Defender Antivirus\r\nMicrosoft Defender Antivirus detects the new NOBELIUM components discussed in this blog as the following\r\nmalware:\r\nTrojanDropper:JS/EnvyScout.A!dha\r\nTrojanDownloader:Win32/BoomBox.A!dha\r\nTrojan:Win32/NativeZone.A!dha\r\nTrojan:Win32/NativeZone.B!dha\r\nTrojan:Win32/NativeZone.C!dha\r\nTrojan:Win32/NativeZone.D!dha\r\nTrojanDownloader:Win32/VaporRage.A!dha\r\nMicrosoft Defender for Endpoint (EDR)\r\nAlerts with the following titles in the Security Center can indicate threat activity on your network:\r\nMalicious ISO File used by NOBELIUM\r\nCobalt Strike Beacon used by NOBELIUM\r\nCobalt Strike network infrastructure used by NOBELIUM\r\nEnvyScout malware\r\nBoomBox malware\r\nNativeZone malware\r\nVaporRage malware\r\nThe following alerts might also indicate threat activity associated with this threat, but they can also be triggered by\r\nunrelated threat activity:\r\nAn uncommon file was created and added to startup folder\r\nA link file (LNK) with unusual characteristics was opened\r\nAzure Sentinel\r\nWe have updated the related Azure Sentinel query to include these additional indicators. Azure Sentinel customers\r\ncan access this query in this GitHub repository.\r\nIndicators of compromise (IOCs)\r\nThe NOBELIUM IOCs associated with this activity are available in CSV on the MSTIC GitHub.\r\nSource: https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MITRE"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2021/05/28/breaking-down-nobeliums-latest-early-stage-toolset/"
	],
	"report_names": [
		"breaking-down-nobeliums-latest-early-stage-toolset"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434786,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e67ab1f6dc798d88e9947c24ecc68db3ed8416a4.pdf",
		"text": "https://archive.orkl.eu/e67ab1f6dc798d88e9947c24ecc68db3ed8416a4.txt",
		"img": "https://archive.orkl.eu/e67ab1f6dc798d88e9947c24ecc68db3ed8416a4.jpg"
	}
}