Key points
- BlueBravo is a Russian-aligned APT tracked by Recorded Future's Insikt Group and shows activity similar to APT29 and Midnight Blizzard.
- Insikt Group discovered a new variant, GraphicalProton, which uses OneDrive or Dropbox for C2; GraphicalNeutrino previously used Notion for C2.
- The group delivers malware via themed lures and compromised websites, reusing lure themes to improve targeting against diplomatic and foreign-policy organizations.
- BlueBravo regularly misuses legitimate internet services (Trello, Firebase, Dropbox, Notion, OneDrive) to obfuscate C2 traffic and evade detection.
- Observed technical techniques include HTML smuggling, DLL side-loading/search-order hijacking, Right-to-Left override, dynamic API resolution, and registry startup persistence.
- Recorded Future expects continued evolution of malware variants and infrastructure, emphasizing the need for defenders to monitor LIS abuse and compromised sites.
MITRE Techniques
- [T1584] Compromise Infrastructure: BlueBravo uses compromised websites and infrastructure to host lures and deploy payloads.
- [T1204.002] User Execution: Malicious File: Delivery relies on users opening malicious files delivered via themed lures.
- [T1547.001] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Malware establishes persistence via registry Run keys or startup entries.
- [T1027.006] Obfuscated Files or Information: HTML Smuggling: Payloads are delivered using HTML smuggling to evade detection.
- [T1027.007] Obfuscated Files or Information: Dynamic API Resolution: Samples resolve APIs at runtime to hinder static analysis.
- [T1036.002] Masquerading: Right-to-Left Override: Artifacts use name-masking techniques such as the Right-to-Left Override character to masquerade as benign files.
- [T1036.005] Masquerading: Match Legitimate Name or Location: Files are given legitimate-looking names and locations to blend with benign software.
- [T1140] Deobfuscate/Decode Files or Information: Malware deobfuscates or decodes embedded payloads at runtime.
- [T1574.001] Hijack Execution Flow: DLL Search Order Hijacking: Attackers abuse DLL search order to redirect execution to malicious libraries.
- [T1574.002] Hijack Execution Flow: DLL Side-Loading: DLL side-loading is used to run malicious code under the guise of legitimate binaries.
- [T1562.001] Impair Defenses: Disable or Modify Tools: Samples include behavior to disable or modify defensive tools on compromised hosts.
- [T1033] System Owner/User Discovery: Malware collects information about the system user to support targeting and footprinting.
- [T1082] System Information Discovery: Samples gather system information to tailor follow-on activity.
- [T1071.001] Application Layer Protocol: Web Protocols: C2 communications occur over standard web protocols to blend with normal traffic.
- [T1102.002] Web Service: Bidirectional Communication: Cloud storage and web services (OneDrive, Dropbox, Notion) are used for bidirectional C2.
- [T1105] Ingress Tool Transfer: Tools and payloads are transferred to victims using ingress mechanisms, including cloud-hosted files.
Indicators of Compromise
- [Domains] compromised domains used to host lures/payloads: te-as[.]no, easym6[.]com, and 7 more domains observed
- [URLs] access points associated with activity: te-as[.]no/wine[.]php, reidao[.]com/dashboard.php, and 7 more URLs observed
- [File hashes] sample hashes tied to GraphicalProton/associated payloads: 9da5339a5a7519b8b639418ea34c9a95f1189273, 22b037f0a42579b45530bed196dd2b47fd4d4dff, and dozens of additional hashes
- [File names/paths] filenames and artifacts observed on compromised hosts: AppvIsvSubsystems64.dll, Note.exe, plus many .lnk/.iso files and $Recycle.Bin artifacts
Recorded Future's technical analysis shows BlueBravo's operational procedure begins with targeted lures delivered through compromised websites and themed spearphishing assets. Those lures host or download obfuscated payloads (HTML smuggling delivery) packaged as ISO, ZIP, or shortcut (.lnk) files; users executing these malicious files trigger user-execution chains that deploy GraphicalProton or related loaders. In several samples attackers use the Right-to-Left Override character and legitimate-looking filenames/locations to masquerade artifacts, and rely on dynamic API resolution and runtime deobfuscation to frustrate static detection.
Post-execution behavior includes establishing persistence via registry Run keys or startup entries and abusing DLL search-order hijacking and side-loading to load malicious libraries under trusted binaries. The malware performs host discovery (system owner and system information), attempts to disable or modify defensive tools, and stages additional payloads via ingress tool transfer. For command-and-control, BlueBravo shifts among legitimate internet services (historically Notion for GraphicalNeutrino, and now OneDrive/Dropbox for GraphicalProton), using standard web protocols and web-service bidirectional channels to blend C2 with normal traffic and exfiltrate data.
Defensive focus should be on monitoring LIS usage for anomalous API/file-access patterns, validating downloads from compromised domains and URLs (listed in IOCs), scanning incoming ISO/ZIP/LNK artifacts and executable DLLs for known hashes and suspicious side-loading behavior, and hardening endpoints against registry autoruns and DLL hijacking. Continuous tracking of compromised infrastructure and evolving lure themes is advised, as BlueBravo is likely to iterate on payload delivery, persistence, and C2 mechanisms to evade detection.
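The following is an added example of the endpoint-side checks this paragraph calls for (not Recorded Future's or Insikt Group's code): it scores file-creation events for the Right-to-Left Override masquerade, browser-dropped ISO/ZIP/LNK containers, DLLs staged in user-writable paths, and the two SHA-1 values quoted in the IOC list above. The event schema and the sample events are constructed for the demonstration.

```python
import os
from typing import Dict, List

RLO = "\u202e"  # U+202E RIGHT-TO-LEFT OVERRIDE, abused for T1036.002
CONTAINER_EXT = {".iso", ".img", ".zip", ".lnk"}  # lure containers named in the report
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Only the two SHA-1s quoted on this page; a deployment would load the full IOC list
KNOWN_SHA1 = {
    "9da5339a5a7519b8b639418ea34c9a95f1189273",
    "22b037f0a42579b45530bed196dd2b47fd4d4dff",
}

def displayed_name(name: str) -> str:
    """Render the filename as a file browser shows it: text after RLO appears reversed."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]

def real_extension(name: str) -> str:
    """Extension the OS actually dispatches on, ignoring the visual trick."""
    return os.path.splitext(name.replace(RLO, ""))[1].lower()

def flag_event(event: Dict[str, str]) -> List[str]:
    """Return the reasons a file-creation event matches BlueBravo-style delivery tradecraft."""
    name = event["path"].rsplit("\\", 1)[-1]   # split on Windows separators on any host
    path_lc, ext, reasons = event["path"].lower(), real_extension(event["path"]), []
    if RLO in name:
        reasons.append(f"rtlo_masquerade: shown as {displayed_name(name)!r}, really {ext}")
    if ext in CONTAINER_EXT and event.get("origin") == "browser":
        reasons.append(f"container_lure: browser-dropped {ext}")
    if ext == ".dll" and not path_lc.startswith(TRUSTED_DIRS):
        reasons.append("dll_in_user_writable_path: possible side-load staging")
    if event.get("sha1", "").lower() in KNOWN_SHA1:
        reasons.append("known_hash")
    return reasons

# Constructed sample telemetry (hypothetical paths; filler hashes except the page's IOC)
SAMPLE_EVENTS = [
    {"path": "C:\\Users\\a\\Downloads\\invoice\u202efdp.exe", "origin": "browser", "sha1": "0" * 40},
    {"path": "C:\\Users\\a\\Downloads\\Agenda.iso", "origin": "browser",
     "sha1": "9da5339a5a7519b8b639418ea34c9a95f1189273"},
    {"path": "C:\\Users\\a\\AppData\\Local\\Temp\\x\\AppvIsvSubsystems64.dll", "origin": "iso_mount", "sha1": "1" * 40},
    {"path": "C:\\Windows\\System32\\kernel32.dll", "origin": "install", "sha1": "2" * 40},
]

def scan(events=SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Map each flagged path to its reasons; clean events are omitted."""
    return {e["path"]: flag_event(e) for e in events if flag_event(e)}

if __name__ == "__main__":
    for path, reasons in scan().items():
        print(path, reasons)
```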