APT28, also known as Fancy Bear, has launched a new cyber attack using the HeadLace malware to target diplomats. This Russia-linked threat actor is employing phishing lures to deploy the modular Windows backdoor.
“The campaign likely targeted diplomats and began as early as March 2024,” stated a report by Palo Alto Networks Unit 42, attributing it with medium to high confidence to APT28. This group is also known by various names, including BlueDelta, Fancy Bear, Fighting Ursa, Forest Blizzard, FROZENLAKE, Iron Twilight, ITG05, Pawn Storm, Sednit, Sofacy, and TA422.
Interestingly, car-for-sale phishing lures were previously used by another Russian nation-state group, APT29, in May 2023. This suggests that APT28 is adapting successful tactics for its own operations.
Earlier this May, the same threat actor was implicated in multiple campaigns across Europe, using the HeadLace malware and credential-harvesting web pages.
These attacks are marked by the use of a legitimate service, webhook[.]site, which, along with Mocky, is a freely available tool commonly seen in APT28’s operations. This service hosts a malicious HTML page that first checks whether the target machine is running Windows. If so, it offers a ZIP archive for download (“IMG-387470302099.zip”). If the system is not Windows-based, it redirects to a decoy image hosted on ImgBB, specifically of an Audi Q7 Quattro SUV.
The archive contains three files: a legitimate Windows calculator executable disguised as an image file (“IMG-387470302099.jpg.exe”), a DLL (“WindowsCodecs.dll”), and a batch script (“zqtxmo.bat”).
The calculator binary sideloads the malicious DLL, a component of the HeadLace backdoor, which runs the batch script. This script executes a Base64-encoded command to retrieve a file from another webhook[.]site URL. This file is saved as “IMG387470302099.jpg” in the user’s downloads folder, renamed to “IMG387470302099.cmd” before execution, and then deleted to remove traces of malicious activity.
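The infection chain above leaves several distinctive traces on the endpoint: a binary with a double extension (`.jpg.exe`) loading `WindowsCodecs.dll` from a user-writable folder instead of the Windows system directories, a `.jpg` file renamed to `.cmd` in the Downloads folder, and that same file being executed and then deleted shortly afterwards. The following detection logic is an added example, not code from the original post or from Unit 42; it runs over constructed, Sysmon-like telemetry records whose field names (`type`, `pid`, `image`, `loaded`, `src`, `dst`, `cmdline`, `path`, `ts`) are assumptions made for this illustration, not a real product's schema.

```python
"""Added example: detection logic for the HeadLace delivery chain described above.
The event records below are constructed sample telemetry in a simplified
Sysmon-like shape; field names are assumptions for this illustration."""
import re

# Windows directories from which WindowsCodecs.dll is legitimately loaded (assumption: normal install).
SYSTEM_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
IMAGE_EXTS = {"jpg", "jpeg", "png", "gif"}
SCRIPT_EXTS = {"cmd", "bat", "ps1", "vbs", "js"}
DOUBLE_EXT_RE = re.compile(r"\.(jpe?g|png|gif)\.exe$", re.IGNORECASE)

# Constructed sample telemetry: events 1-5 model the chain from the article; 6-7 are benign noise.
SAMPLE_EVENTS = [
    {"type": "ImageLoad", "pid": 4120, "ts": 1,
     "image": "C:\\Users\\alice\\Downloads\\IMG-387470302099.jpg.exe",
     "loaded": "C:\\Users\\alice\\Downloads\\WindowsCodecs.dll"},
    {"type": "ProcessCreate", "pid": 4130, "parent_pid": 4120, "ts": 2,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c \"C:\\Users\\alice\\Downloads\\zqtxmo.bat\""},
    {"type": "FileRename", "pid": 4130, "ts": 3,
     "src": "C:\\Users\\alice\\Downloads\\IMG387470302099.jpg",
     "dst": "C:\\Users\\alice\\Downloads\\IMG387470302099.cmd"},
    {"type": "ProcessCreate", "pid": 4140, "parent_pid": 4130, "ts": 4,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\alice\\Downloads\\IMG387470302099.cmd"},
    {"type": "FileDelete", "pid": 4130, "ts": 5,
     "path": "C:\\Users\\alice\\Downloads\\IMG387470302099.cmd"},
    {"type": "ImageLoad", "pid": 5000, "ts": 6,
     "image": "C:\\Windows\\System32\\mspaint.exe",
     "loaded": "C:\\Windows\\System32\\WindowsCodecs.dll"},
    {"type": "FileRename", "pid": 5001, "ts": 7,
     "src": "C:\\Users\\alice\\Downloads\\report.docx",
     "dst": "C:\\Users\\alice\\Downloads\\report_final.docx"},
]


def _ext(path):
    return path.lower().rsplit(".", 1)[-1]


def detect_sideload(events, dll_name="windowscodecs.dll"):
    """Flag any process loading the named DLL from outside the Windows system directories.
    Also records whether the loading image carries an image-plus-.exe double extension."""
    hits = []
    for e in events:
        if e["type"] != "ImageLoad":
            continue
        loaded = e["loaded"]
        if loaded.lower().rsplit("\\", 1)[-1] != dll_name:
            continue
        if loaded.lower().startswith(SYSTEM_DLL_DIRS):
            continue  # expected location, not a sideload
        hits.append({"rule": "dll_sideload", "pid": e["pid"], "image": e["image"], "dll": loaded,
                     "double_extension": DOUBLE_EXT_RE.search(e["image"]) is not None})
    return hits


def detect_image_to_script_rename(events):
    """Flag renames that turn an image extension into a script extension (e.g. .jpg -> .cmd)."""
    hits = []
    for e in events:
        if e["type"] == "FileRename" and _ext(e["src"]) in IMAGE_EXTS and _ext(e["dst"]) in SCRIPT_EXTS:
            hits.append({"rule": "image_to_script_rename", "pid": e["pid"], "src": e["src"], "dst": e["dst"]})
    return hits


def detect_rename_execute_delete(events, window=60):
    """Correlate rename -> execution (path on a command line) -> deletion of the same file
    within `window` seconds; the short-lived script is the anti-forensic step in the chain."""
    renamed = {}   # lowercase destination path -> rename timestamp
    executed = set()
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "FileRename":
            renamed[e["dst"].lower()] = e["ts"]
        elif e["type"] == "ProcessCreate":
            cmdline = e["cmdline"].lower()
            for path, ts in renamed.items():
                if path in cmdline and e["ts"] - ts <= window:
                    executed.add(path)
        elif e["type"] == "FileDelete":
            path = e["path"].lower()
            if path in executed and e["ts"] - renamed[path] <= window:
                hits.append({"rule": "rename_execute_delete", "pid": e["pid"], "path": e["path"]})
    return hits


def run_all(events):
    """Run every rule and return the combined list of findings."""
    return detect_sideload(events) + detect_image_to_script_rename(events) + detect_rename_execute_delete(events)


if __name__ == "__main__":
    for finding in run_all(SAMPLE_EVENTS):
        print(finding)
```

The three rules are deliberately independent: the sideload rule fires on the first stage alone, while the rename/execute/delete correlation only fires once the full anti-forensic sequence is observed, which keeps the benign `mspaint.exe` load and the `.docx` rename in the sample out of the results.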
“While Fighting Ursa uses different infrastructures for various attack campaigns, they frequently rely on these freely available services,” Unit 42 noted. “Moreover, the tactics in this campaign align with previously documented Fighting Ursa operations, and the HeadLace backdoor is unique to this threat actor.”
Lab[7] will continue to track APT28’s controversial techniques and tactics to report out to the general public and other security researchers. Follow us on LinkedIn or check back in at Lab[7] Threat Watch to stay up to date!