Backchannel Diplomacy: APT29’s Rapidly Evolving Diplomatic Phishing Operations | Mandiant

Mandiant and Google TAG tracked an increased tempo of APT29 diplomatic-focused phishing in H1 2023, with significant changes to delivery chains, anti-analysis measures, and victim filtering to protect payloads and prolong operations. The group shifted ROOTSAW HTML-smuggling to server-hosted first stages, added user-agent/IP filtering and decoys, and rotated in multiple in-memory and on-disk downloaders and droppers. #APT29 #ROOTSAW

Keypoints

  • APT29 intensified diplomatic phishing around Ukraine in early 2023, expanding targeting to embassies and allied governments while increasing operational tempo.
  • The group evolved its long-running ROOTSAW HTML-smuggling chain by moving first-stage payloads server-side (compromised sites, WordPress) to reduce artifact exposure and researcher access.
  • Server-side victim profiling (user-agent and IP checks), decoy document delivery, and timed removal of staged payloads were used to avoid detection and hinder analysis.
  • Delivery formats diversified: HTML/HTA, PDF-embedded HTML, SVG attachments, LNK launchers, and direct ISO/ZIP downloads replaced or supplemented traditional HTML attachments.
  • Multiple second-stage downloaders and loaders were observed (BURNTBATTER, DONUT, SPICYBEAT, MUSKYBEAT, STATICNOISE, DAVESHELL, ICEBEAT), often performing in-memory execution and reflective injection.
  • APT29 used legitimate cloud services and platforms (Dropbox, OneDrive, Zulip, Microsoft Graph) for payload hosting and command-and-control to blend with normal traffic.
  • Obfuscation (JavaScript Obfuscator), RC4 encoding, unique per-payload keys, and other anti-analysis measures were repeatedly applied to extend operational longevity.

MITRE Techniques

  • [T1566.002] Spearphishing Link – APT29 delivered phishing links (including shortened URLs) that redirected to actor-controlled sites hosting ROOTSAW or weaponized archives (‘the first wave … used a phishing link generated by a URL shortening service “https://tinyurl[.]com/mrxcjsbs”’).
  • [T1566.001] Spearphishing Attachment – Malicious PDFs, SVGs, ISO and ZIP attachments were used as initial lures to deliver ROOTSAW droppers or archives directly (‘emails contained a PDF attachment … The PDF contains a link to an actor-hosted ROOTSAW variant’ and ‘victims were delivered a malicious ISO or ZIP file’).
  • [T1105] Ingress Tool Transfer – The campaigns downloaded staged payloads (ISO/ZIP/HTA/HTML) from compromised sites and cloud services to the victim host (‘When visited, the URL downloaded the ROOTSAW dropper “e-yazi.htm” … to drop additional files onto the victim machine, including a malicious ISO’).
  • [T1027] Obfuscated Files or Information – APT29 applied multiple obfuscation methods, including JavaScript obfuscators and RC4 encryption, to hide payloads and strings (‘the group has experimented with various obfuscation techniques such as the use of JavaScript Obfuscator’ and ‘MUSKYBEAT is an in-memory dropper that decodes the next-stage payload and strings using RC4’).
  • [T1055] Process Injection – In-memory loaders and reflective techniques were used to load payloads directly into processes (‘BURNTBATTER is an in-memory loader responsible for decrypting and executing a payload from disk into a running process’ and ‘DAVESHELL is shellcode that functions as an in-memory dropper relying on reflective injection’).
  • [T1574.002] Hijack Execution Flow: DLL Side-Loading – Legitimate binaries and side-loaded DLLs were used to execute malicious code (‘victims are presented with either a Windows shortcut (LNK) file or a legitimate software binary, that when opened, executes an accompanying DLL’).
  • [T1102] Web Service – The actor used legitimate third-party services and platforms for command-and-control and hosting follow-on capabilities (e.g., Zulip, Dropbox, OneDrive, Microsoft Graph) (‘ICEBEAT’s use of the open source Zulip messaging platform for command and control (C2) … download a next-stage payload from either DropBox or Microsoft’s OneDrive’).

Indicators of Compromise

  • [Domain/URL] Compromised hosting and redirectors – https://resetlocations[.]com/bmw.htm, https://parquesanrafael[.]cl/note.html (used to host ROOTSAW and deliver ISOs/ZIPs)
  • [File hash (MD5)] First-stage droppers and archives – a3067a0262e651e94329869f43a51722 (e-yazi.htm), eeded26943a7b2fdef7608fb21bbfd66 (e-yazi.iso), and many more hashes (dozens listed in the report).
  • [File name] Malicious lure files and payloads – e-yazi.htm (ROOTSAW dropper), invitation.iso (malicious ISO), invitation_farewell_de_emb.hta (HTML smuggler).
  • [Malware/tool names] Downloaders and loaders observed – BURNTBATTER, MUSKYBEAT, SPICYBEAT, STATICNOISE, DONUT, DAVESHELL, ICEBEAT (used for in-memory loading, RC4 decoding, cloud retrieval, reflective injection, and C2).
  • [C2 / Hosting endpoints] Command-and-control and hosting endpoints – Zulip and cloud APIs (including Microsoft Graph endpoints) for C2 and payload retrieval, plus domains such as kitaeri[.]com and sgrfh[.]org.pk used for profiling/beaconing.

APT29 refined and diversified the ROOTSAW-centered delivery chain to reduce forensic exposure and frustrate researchers. Initially relying on HTML smuggling to embed a JavaScript dropper in attachments, the group moved first-stage payloads to compromised web servers (including WordPress) and began delivering HTML/HTA via PDFs, SVG attachments, shortened links, and direct ISO/ZIP downloads. Server-side profiling checks (user-agent and IP queries), delivery of a decoy document when those checks fail, and timed removal of staged payloads limited analysts' access to artifacts and kept them out of public malware repositories.
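The smuggling pattern described above, as an added triage example (not Mandiant's code and not a real ROOTSAW sample): it flags the JavaScript constructs a smuggling page needs in order to assemble a file client-side and force a download, carves long base64 runs out of the page, and types each decoded blob by magic bytes (ZIP, PE, ISO 9660, whose 'CD001' identifier sits at offset 0x8001). The marker names, the two-marker threshold and both sample pages are assumptions constructed for this illustration.

```python
"""Triage helper for HTML-smuggling lures (added example, not Mandiant's code)."""
import base64
import io
import re
import zipfile

# JavaScript constructs that appear when a page assembles a file client-side
# and forces a download; together with an embedded archive they form the
# HTML-smuggling pattern ROOTSAW uses. Names and set are assumptions.
SMUGGLING_MARKERS = {
    "blob_ctor": re.compile(r"new\s+Blob\s*\("),
    "base64_decode": re.compile(r"\batob\s*\("),
    "object_url": re.compile(r"URL\.createObjectURL\s*\("),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*['\"]"),
    "auto_click": re.compile(r"\.click\s*\(\s*\)"),
    "octet_stream": re.compile(r"application/octet-stream"),
}
# Long base64 runs are where the smuggled ISO/ZIP usually lives.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def identify_payload(data: bytes) -> str:
    """Classify a decoded blob by magic bytes (ISO 9660 keeps 'CD001' at 0x8001)."""
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe"
    if data[0x8001:0x8006] == b"CD001":
        return "iso"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    head = data[:512].lower()
    if b"<html" in head or b"<script" in head or b"<hta:application" in head:
        return "html"
    return "unknown"


def find_base64_blobs(html: str) -> list:
    """Return (type, size) for every long base64 run that decodes cleanly."""
    found = []
    for m in BASE64_RUN.finditer(html):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        found.append((identify_payload(data), len(data)))
    return found


def score_html(html: str) -> dict:
    """Combine JS markers and embedded-blob types into a verdict."""
    markers = [name for name, rx in SMUGGLING_MARKERS.items() if rx.search(html)]
    blobs = find_base64_blobs(html)
    dangerous = [t for t, _ in blobs if t in ("zip", "iso", "pe", "html")]
    if len(markers) >= 2 and dangerous:
        verdict = "smuggling"
    elif markers:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return {"markers": markers, "blobs": blobs, "verdict": verdict}


def _build_zip(name: str, content: bytes) -> bytes:
    """Build a small in-memory ZIP so the sample page runs offline."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, content)
    return buf.getvalue()


# Constructed samples (not real lures): a page that smuggles a placeholder
# archive the way the text describes, and a benign page with an inline image.
_ARCHIVE_B64 = base64.b64encode(_build_zip("invitation.lnk", b"placeholder " * 8)).decode()
MALICIOUS_HTML = f"""<html><body>Loading document...
<script>
var bin = atob("{_ARCHIVE_B64}");
var arr = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) arr[i] = bin.charCodeAt(i);
var blob = new Blob([arr], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "invitation.zip";
a.click();
</script></body></html>"""
_PNG_B64 = base64.b64encode(b"\x89PNG\r\n\x1a\n" + bytes(80)).decode()
BENIGN_HTML = f'<html><body><img src="data:image/png;base64,{_PNG_B64}"></body></html>'

if __name__ == "__main__":
    for label, page in (("lure", MALICIOUS_HTML), ("benign", BENIGN_HTML)):
        print(label, score_html(page))
```

Because the first stage is gated on user-agent and source IP and is pulled down after a short window, re-fetching the URL from a sandbox often returns the decoy document instead; run this over the copy recovered from the victim's browser cache, mail gateway or proxy logs rather than over a fresh download.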

The post-compromise chain frequently uses in-memory and fileless techniques: position-independent shellcode created with DONUT; in-memory loaders like BURNTBATTER that decrypt and inject payloads into running processes; reflective-injection shellcode variants like DAVESHELL; RC4-decoding in MUSKYBEAT; and STATICNOISE and SPICYBEAT downloaders that retrieve final payloads from cloud services. Legitimate binaries and DLL side-loading are used for execution (LNK files and legitimate executables load the accompanying malicious DLL), and the group repeatedly applies obfuscation tools (JavaScript obfuscators, unique per-payload keys) and delivery guardrails to limit detection and analysis.
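The RC4 unwrapping step in MUSKYBEAT, as an added analyst example (not the malware's code): a plain RC4 implementation, a splitter for a NUL-separated string table, and a check that tries candidate keys against only the first two bytes of a stage, which matters because the page notes that keys are unique per payload and must be recovered from each sample rather than reused. The key, the stage and the string table below are constructed placeholders, not values recovered from any sample.

```python
"""RC4 helpers for unwrapping RC4-encoded stages and string tables (added example)."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: KSA then PRGA, keystream XORed into data (encrypt == decrypt)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """Split a decrypted NUL-separated string table into entries of useful length."""
    return [s.decode("ascii", "replace") for s in blob.split(b"\x00") if len(s) >= min_len]


def find_working_key(encrypted_stage: bytes, candidates):
    """Return the candidate key that turns the first two bytes into a PE 'MZ' header.
    RC4's keystream does not depend on the plaintext, so only a two-byte prefix
    needs decrypting per candidate; returns None if no candidate fits."""
    for key in candidates:
        if rc4(key, encrypted_stage[:2]) == b"MZ":
            return key
    return None


# Constructed sample (not a real MUSKYBEAT payload): a hypothetical per-payload
# key, a fake next stage, and a string table wrapped with the same key.
SAMPLE_KEY = b"8f1c2a7d"
FAKE_STAGE = b"MZ\x90\x00" + bytes(12) + b"This program cannot be run in DOS mode."
ENCRYPTED_STAGE = rc4(SAMPLE_KEY, FAKE_STAGE)
ENCRYPTED_STRINGS = rc4(SAMPLE_KEY, b"kernel32.dll\x00VirtualAlloc\x00CreateThread\x00")

if __name__ == "__main__":
    key = find_working_key(ENCRYPTED_STAGE, [b"deadbeef", b"00000000", SAMPLE_KEY])
    print("key:", key)
    print("stage magic:", rc4(key, ENCRYPTED_STAGE)[:2])
    print("strings:", extract_strings(rc4(key, ENCRYPTED_STRINGS)))
```

The candidate list stands in for keys pulled out of the dropper during analysis; because each payload carries its own key, a key that unwrapped one sample will not unwrap the next, so the two-byte check is the cheap way to confirm which recovered constant is the real one before decrypting a whole stage.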

Command-and-control and payload hosting have been blended into legitimate services to further mask activity: follow-on payloads and beacons have been fetched from Dropbox, OneDrive, Microsoft Graph endpoints, and Zulip messaging, while actor-controlled domains and compromised sites host staged archives and decryption keys. Across campaigns in 2023, APT29 rotated multiple downloader families and delivery containers (HTML/HTA, PDF-embedded HTML, SVG, LNK, ISO, ZIP), suggesting parallel initial-access operators handing off to centralized exploitation tooling that prioritizes in-memory execution and researcher evasion.

Read more: https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing