APT28, a Russia-linked threat actor better known as Fancy Bear, has been connected to several active phishing campaigns that use lure documents purporting to come from governments and non-governmental organizations (NGOs) across North and South America, Europe, the South Caucasus and Central Asia.
The disclosure comes a little over three months after the adversary was observed deploying HeadLace, a custom backdoor, through lures tied to the ongoing Israel-Hamas conflict.
Since then, APT28 has also sent phishing messages to Polish and Ukrainian government institutions using PDF lures, with the aim of deploying custom implants and information stealers such as MASEPIE, OCEANMAP, and STEELHOOK.
The PDFs contain URLs pointing to compromised websites that abuse the "search:" application protocol and the "search-ms:" URI protocol handler. The "search:" protocol is a mechanism for invoking the Windows desktop search application, while the "search-ms:" handler lets apps and HTML links launch customized local searches on a device.
The effect is that the victim's Windows Explorer runs a search whose results come from a server under the attacker's control, and the attacker's payload is rendered in the familiar Explorer window as though it were a local file. The victim is then coaxed into downloading and opening that payload, which is disguised as a PDF document.
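To make the abuse concrete, the following is an added example (not code from the article or from the reported campaign) of a small scanner that parses "search-ms:" and "search:" URIs, extracts the documented `crumb=location:` parameter, and flags any search whose location is a remote UNC path or URL rather than a local folder. The sample links are constructed for this example and use reserved documentation addresses; the `host@port` form in the UNC paths is the Windows WebDAV naming convention.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample links, e.g. extracted from PDF attachments or proxy logs.
# Hosts use TEST-NET / .invalid names and do not belong to any real campaign.
SAMPLE_LINKS = [
    r"search-ms:query=Invoice&crumb=location:\\203.0.113.10@80\share&displayname=Downloads",
    "search-ms:query=report.pdf&crumb=location%3A%5C%5Cexample.invalid%40443%5Cfiles"
    "&displayname=Secure%20Download",
    r"search-ms:query=budget&crumb=location:C:\Users\Public&displayname=Local",
    "https://example.invalid/doc.pdf",
    r"search:query=%2A.pdf&crumb=location:\\203.0.113.10\docs",
]


def parse_search_uri(uri):
    """Split a search:/search-ms: URI into its key=value parameters.

    Returns None for any other scheme. The remainder is percent-decoded as a
    whole first, because lures commonly encode the entire parameter string.
    """
    scheme, sep, rest = uri.strip().partition(":")
    if not sep or scheme.lower() not in ("search-ms", "search"):
        return None
    params = {}
    for part in unquote(rest).split("&"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        # crumb= may appear several times, so keep every value in order
        params.setdefault(key.strip().lower(), []).append(value)
    return {"scheme": scheme.lower(), "params": params}


def location_crumbs(parsed):
    """Return the values of every crumb=location:<path> parameter."""
    locations = []
    for crumb in parsed["params"].get("crumb", []):
        kind, _, value = crumb.partition(":")
        if kind.strip().lower() == "location":
            locations.append(value.strip())
    return locations


def remote_host(location):
    """Return the host a location points at, or None if it is a local path."""
    if location.lower().startswith(("http://", "https://")):
        return urlparse(location).hostname
    if location.startswith(("\\\\", "//")):
        # UNC path: \\host[@port]\share or //host/share
        host = re.split(r"[\\/@]", location[2:], maxsplit=1)[0]
        return host or None
    return None


def assess(uri):
    """Summarize one URI; 'remote' is True when Explorer would search a remote server."""
    parsed = parse_search_uri(uri)
    if parsed is None:
        return None
    hosts = [h for h in (remote_host(loc) for loc in location_crumbs(parsed)) if h]
    return {
        "scheme": parsed["scheme"],
        "remote": bool(hosts),
        "hosts": hosts,
        # displayname is what the victim sees as the Explorer window title
        "displayname": parsed["params"].get("displayname", [""])[0],
        "query": parsed["params"].get("query", [""])[0],
    }


def scan(uris):
    """Return (uri, verdict) for every link that triggers a remote search."""
    findings = []
    for uri in uris:
        verdict = assess(uri)
        if verdict and verdict["remote"]:
            findings.append((uri, verdict))
    return findings


if __name__ == "__main__":
    for uri, verdict in scan(SAMPLE_LINKS):
        print(f"REMOTE SEARCH -> {verdict['hosts']} titled {verdict['displayname']!r}: {uri}")
```

A local `crumb=location:C:\...` is normal behaviour and is not flagged; the signal is a location that resolves to a host outside the machine, which is exactly what lets an attacker populate the Explorer window. Blocking or alerting on these handlers at the mail gateway or proxy, or removing the `search-ms` protocol handler where it is not needed, are the usual follow-ups.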
Although the victims' identities are not known, they are most likely individuals in the same countries as the governments and NGOs being impersonated: Georgia, Argentina, Ukraine, Belarus, Kazakhstan, Poland, Armenia, Azerbaijan, and the United States.