APT28 targets diplomats in car sale phishing lure with HeadLace

August 4, 2024
1 min read
Article Summary

TLDR:

  • A Russia-linked threat actor, APT28, used a car sale phishing lure to deliver the HeadLace malware
  • The campaign targeted diplomats starting in March 2024 and utilized a modular Windows backdoor

A Russia-linked threat actor known as APT28 has been linked to a new campaign that uses a car-for-sale advertisement as a phishing lure to deliver a modular Windows backdoor called HeadLace. The campaign targeted diplomats and began in March 2024. APT28, also tracked as BlueDelta and Fancy Bear among other aliases, reused tactics that APT29, another Russian nation-state group, had previously used with success. The attacks relied on the legitimate service webhook[.]site to host malicious HTML pages, which offered a ZIP archive for download to visitors on Windows machines. Because webhook[.]site is a legitimate service, reputation-based URL filtering is unlikely to block it; egress monitoring or restriction of webhook- and paste-style services from endpoints with no business need for them is the more reliable control.

The malicious archive contained a legitimate Windows calculator executable, a DLL, and a batch script; the calculator binary sideloaded the DLL, which in turn launched the batch script, and together they installed the HeadLace backdoor. The backdoor retrieves files from an attacker-controlled URL and executes commands to download and run further payloads on the target system. Because the calculator executable is a genuine, signed Microsoft file, hash- and signature-based controls on the executable alone will not flag the archive; detection has to key on an unsigned DLL loaded from the same user-writable directory as its host binary, and on the batch script that host then launches. APT28's infrastructure varies from campaign to campaign but frequently relies on freely available services such as webhook[.]site.
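The sideloading chain described above (signed host executable loads a DLL from its own user-writable directory, then spawns a batch script) is detectable from endpoint telemetry. The following is an added detection example, not code from the article or from any vendor report: it correlates Sysmon-style image-load (Event ID 7) and process-creation (Event ID 1) records into host -> DLL -> script chains. The sample events, the file names (calc.exe, imgdecoder.dll, run.bat), the user path and the list of user-writable directories are all constructed for illustration and are not indicators from the campaign.

```python
import re
from pathlib import PureWindowsPath

# Directories an ordinary user can write to. A DLL loaded from one of these,
# sitting beside its host executable, is the sideloading pattern in the article.
# The list is an assumption for this example; extend it for your environment.
USER_WRITABLE = re.compile(
    r"^[A-Za-z]:\\(Users\\[^\\]+\\(Downloads|Desktop|Documents|AppData)"
    r"|Windows\\Temp|ProgramData)\\",
    re.IGNORECASE,
)

# Matches a quoted or unquoted .bat/.cmd path inside a command line.
SCRIPT_RE = re.compile(r'"([^"]+\.(?:bat|cmd))"|(\S+\.(?:bat|cmd))\b', re.IGNORECASE)


def same_dir(a: str, b: str) -> bool:
    """True when both Windows paths share a parent directory (case-insensitive)."""
    return PureWindowsPath(a).parent == PureWindowsPath(b).parent


def find_sideload_chains(events):
    """Correlate Sysmon-style events into executable -> DLL -> script findings.

    Stage 1 (EID 7): an unsigned DLL loaded from the host executable's own
    directory, where that directory is user-writable.
    Stage 2 (EID 1): that same host process spawns cmd.exe running a .bat/.cmd.
    """
    suspicious_loads = {}  # lower-cased host image path -> [dll paths]
    for ev in events:
        if ev.get("EventID") != 7:
            continue
        host, dll = ev["Image"], ev["ImageLoaded"]
        if not dll.lower().endswith(".dll"):
            continue
        if not USER_WRITABLE.match(host):
            continue  # host runs from a protected location, not the pattern here
        if not same_dir(host, dll):
            continue  # DLL came from elsewhere (e.g. System32), normal loading
        if str(ev.get("Signed", "")).lower() == "true":
            continue  # signed side-by-side DLLs are common for legitimate apps
        suspicious_loads.setdefault(host.lower(), []).append(dll)

    findings = []
    for ev in events:
        if ev.get("EventID") != 1:
            continue
        parent = ev.get("ParentImage", "").lower()
        if parent not in suspicious_loads:
            continue
        if not ev["Image"].lower().endswith("\\cmd.exe"):
            continue
        m = SCRIPT_RE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        findings.append({
            "process": ev["ParentImage"],
            "dlls": suspicious_loads[parent],
            "script": m.group(1) or m.group(2),
        })
    return findings


# Constructed sample telemetry: one malicious chain plus benign noise.
SAMPLE_EVENTS = [
    # Benign: system calc loading a system DLL.
    {"EventID": 7, "Image": r"C:\Windows\System32\calc.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
    # Benign: vendor app in Program Files loading its own unsigned DLL.
    {"EventID": 7, "Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\helper.dll", "Signed": "false"},
    # Benign: signed installer in Downloads loading its own signed DLL.
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\setup.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\setup.dll", "Signed": "true"},
    # Suspicious: copied calculator loads an unsigned DLL from beside itself.
    {"EventID": 7, "Image": r"C:\Users\victim\Downloads\car\calc.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\car\imgdecoder.dll", "Signed": "false"},
    # Benign: explorer launching notepad.
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe"},
    # Suspicious: the copied calculator spawns cmd.exe on a batch script.
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Users\victim\Downloads\car\calc.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\victim\Downloads\car\run.bat"'},
]

if __name__ == "__main__":
    for f in find_sideload_chains(SAMPLE_EVENTS):
        print(f"sideload chain: {f['process']} -> {f['dlls']} -> {f['script']}")
```

The unsigned-DLL and user-writable-directory conditions are what keep the rule quiet on ordinary software, which routinely loads its own DLLs from Program Files; relaxing either one will raise the false-positive rate sharply. The rule also does not depend on the host binary's file name, since a copied system executable can be renamed freely.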

Overall, APT28's HeadLace campaign with a car-sale phishing lure is a targeted cyber espionage effort aimed at diplomatic entities. The group's use of legitimate services for hosting and its repurposing of tactics that worked for another Russian group illustrate how adaptive advanced threat actors like APT28 remain.
