BlueBravo Uses Ambassador Lure to Deploy GraphicalNeutrino Malware | Recorded Future

BlueBravo is a threat group linked to Russian APT activity (APT29/NOBELIUM, attributed to the SVR) that deployed GraphicalNeutrino via a compromised-website lure themed around ambassadors. It also increasingly uses legitimate Western services such as Notion for C2, blending malware traffic with normal traffic to that service in order to evade detection. #GraphicalNeutrino #BlueBravo

Key points

  • BlueBravo overlaps with Russian APT activity tracked as APT29/NOBELIUM and aligns with SVR attribution.
  • New GraphicalNeutrino malware was staged in October 2022 inside a malicious ZIP file, with links to EnvyScout dropper usage.
  • Lures use ambassador/embassy themes (e.g., “Ambassador's schedule November 2022”) to target embassy staff or diplomats.
  • BlueBravo broadens its C2 infrastructure by shifting to Notion for command-and-control, after using Trello, Firebase, and Dropbox.
  • GraphicalNeutrino functions as a loader with anti-analysis techniques and uses Notion’s API/database for C2 and staging payloads.
  • Embassy-related targets are deemed high-value intelligence during geopolitical tensions, suggesting ongoing interest by SVR-aligned actors.

MITRE Techniques

  • [T1189] Drive-by Compromise – Drive-by compromise via compromised websites to deliver BlueBravo malware within archive files; “staging infrastructure continues the trend of using compromised websites to deliver BlueBravo malware within archive files. The delivery of these files uses the same HTML smuggling technique as EnvyScout.”
  • [T1574.001] DLL Search Order Hijacking – Execution facilitated by abusing DLL search order hijacking; “The malware also takes advantage of DLL search order hijacking for execution.”
  • [T1071.001] Web Protocols – C2 over a legitimate web service (the Notion API): Notion is used for C2 communications and to store victim data and stage payloads; “GraphicalNeutrino uses the United States (US)-based, business automation service Notion for its C2. The use of the Notion service… for C2 communications and uses Notion’s database feature to store victim information and stage payloads for download.”
  • [T1027] Obfuscated/Compressed Files and Information – Anti-analysis measures include string encryption and API unhooking; “anti-analysis techniques including API unhooking, dynamically resolving APIs, string encryption, and sandbox evasion.”

Indicators of Compromise

  • [Domain] trello.com – Used previously for C2 data exchange by BEATDROP and later by BlueBravo.
  • [Domain] notion.so – Notion API used for C2 communications and data staging.
  • [File] Ambassador_Absense.docx – Lure file referenced in related reporting as part of embassy-themed phishing content.
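The detection angle that follows from the Notion and Trello indicators above is that C2 traffic to these services looks like ordinary business traffic at the network layer, so the useful signal is which process made the connection. The script below is an added example (not from Recorded Future or the report) that reads constructed proxy-style log lines in a made-up format and flags connections to notion.so or trello.com from any process outside an assumed allowlist of expected clients; the log format, hostnames, paths and allowlist are all assumptions for illustration.

```python
import re

# Services the report names as BlueBravo C2 channels (domains from the IoC list above).
# The expected-client sets are an assumption for illustration, not from the report.
EXPECTED_CLIENTS = {
    "notion.so": {"notion.exe", "chrome.exe", "msedge.exe", "firefox.exe"},
    "trello.com": {"chrome.exe", "msedge.exe", "firefox.exe"},
}

# Constructed log format for this example (not a real product's format):
#   <timestamp> host=<hostname> proc="<image path>" dst=<destination domain>
LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) proc="(?P<proc>[^"]+)" dst=(?P<dst>\S+)$')

def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def service_for(domain):
    """Map a destination such as www.notion.so to its base service, or None."""
    domain = domain.lower().rstrip(".")
    for svc in EXPECTED_CLIENTS:
        if domain == svc or domain.endswith("." + svc):
            return svc
    return None

def find_suspicious(lines):
    """Return (host, image, service) for every connection to a C2-capable service
    made by a process that is not in that service's expected client set."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        svc = service_for(rec["dst"]) if rec else None
        if svc is None:
            continue
        image = rec["proc"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if image not in EXPECTED_CLIENTS[svc]:
            hits.append((rec["host"], image, svc))
    return hits

# Constructed sample traffic: a normal browser session, a malformed line, and two
# connections from binaries running out of user-writable directories.
SAMPLE_LOGS = [
    '2022-11-03T09:12:01Z host=ws-07 proc="C:\\Program Files\\Google\\Chrome\\chrome.exe" dst=www.notion.so',
    'garbage line that should be skipped',
    '2022-11-03T09:12:44Z host=ws-07 proc="C:\\Users\\alice\\AppData\\Local\\Temp\\schedule.exe" dst=www.notion.so',
    '2022-11-03T09:13:02Z host=ws-12 proc="C:\\Users\\bob\\Downloads\\viewer.exe" dst=api.trello.com',
]
```

Running `find_suspicious(SAMPLE_LOGS)` returns the two connections made by binaries outside the expected client set, which is the starting point for a hunt rather than a verdict, since any unusual process reaching these services still needs to be triaged.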

Read more: https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware