Dutch cybersecurity company EclecticIQ recently published a report on a phishing campaign targeting NATO-aligned countries. The threat actor used the open-source chat application Zulip for command-and-control and to disguise its activities behind genuine web traffic.
The campaign disguises its malicious payloads as PDF documents with diplomatic lures to deliver the Duke malware, which has previously been attributed to the Russian state-sponsored group APT29. If a target opens one of the malicious PDFs, an embedded HTML dropper runs and drops an HTML Application (HTA), which in turn deploys Duke. The threat actors then use Zulip's API to create an actor-controlled chat room and remotely control the compromised hosts, so the C2 traffic blends in with ordinary HTTPS traffic to a legitimate service. APT29 commonly abuses legitimate internet services such as Zulip, Google Drive, and Dropbox for its operations, and primarily targets government and political organizations, research firms, and critical industries in the U.S. and Europe. Researchers also observed an unknown group using similar tactics against Chinese-speaking users.
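The defensive takeaway from the Zulip-as-C2 technique is that an allow-list of legitimate services is not enough: the traffic goes to a real SaaS domain over TLS, so you have to look at which Zulip servers your hosts talk to, what clients are talking, and how regularly. The script below is an added example, not code from the EclecticIQ report, The Hacker News article, or the Zulip project. It assumes a simple space-separated proxy log format (`<ISO timestamp> <source host> <method> <url> "<user-agent>"`), an allow-list of Zulip instances the organization actually uses, and that Zulip's REST API lives under `/api/v1/` with `register`, `events`, and `messages` endpoints; all host names and log lines are constructed for the demo.

```python
"""Hunt for Zulip API traffic that looks like C2 rather than chat.

Added example; not from the EclecticIQ report, THN, or Zulip. The log format,
allow-list, host names and sample lines are all assumptions for the demo.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Zulip's REST API is served under /api/v1/ (register, events, messages, users, ...).
ZULIP_API_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?/api/v1/(?P<endpoint>[a-z_]+)")
ZULIP_CLOUD_SUFFIX = ".zulipchat.com"          # Zulip Cloud tenants are <org>.zulipchat.com
SANCTIONED_ZULIP_HOSTS = {"chat.corp.example"}  # hypothetical approved self-hosted server
# A client that registers an event queue and then long-polls it is speaking the
# Zulip protocol whatever the host is called; assumed heuristic for self-hosted C2.
ZULIP_PROTOCOL_SIGNATURE = {"register", "events"}

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')

@dataclass
class Finding:
    src: str
    host: str
    endpoints: set = field(default_factory=set)
    user_agents: set = field(default_factory=set)
    timestamps: list = field(default_factory=list)
    reasons: list = field(default_factory=list)

def parse_line(line):
    """Parse one assumed-format proxy log line; return None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec

def hunt(log_text, sanctioned=frozenset(SANCTIONED_ZULIP_HOSTS)):
    """Return one Finding per (source host, Zulip server) pair with at least one reason."""
    seen = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        api = ZULIP_API_RE.match(rec["url"])
        if api is None:
            continue
        host = api["host"].lower()
        f = seen.setdefault((rec["src"], host), Finding(rec["src"], host))
        f.endpoints.add(api["endpoint"])
        f.user_agents.add(rec["ua"])
        f.timestamps.append(rec["ts"])

    results = []
    for f in seen.values():
        is_zulip = (f.host.endswith(ZULIP_CLOUD_SUFFIX)
                    or f.host in sanctioned
                    or ZULIP_PROTOCOL_SIGNATURE <= f.endpoints)
        if not is_zulip:
            continue  # some other service that happens to use /api/v1/
        if f.host not in sanctioned:
            f.reasons.append("unsanctioned Zulip server")
        if any(not ua.startswith("Mozilla/") for ua in f.user_agents):
            f.reasons.append("non-browser user agent")
        # Timing is corroboration only: the legitimate web client also long-polls
        # /api/v1/events, so a steady cadence on a sanctioned host is not evidence.
        if f.reasons and len(f.timestamps) >= 4:
            ts = sorted(f.timestamps)
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < 0.2:
                f.reasons.append(f"regular ~{mean(gaps):.0f}s interval")
        if f.reasons:
            results.append(f)
    return results

# Constructed sample log: one normal user, one Zulip Cloud beacon from a script,
# one self-hosted server that only the protocol signature reveals, one unrelated API.
SAMPLE_PROXY_LOG = """\
2023-08-01T08:59:00Z WS-0207 GET https://chat.corp.example/api/v1/events?queue_id=1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0"
2023-08-01T08:59:40Z WS-0207 POST https://chat.corp.example/api/v1/messages "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0"
2023-08-01T09:00:00Z WS-0142 POST https://example-org.zulipchat.com/api/v1/register "python-requests/2.31.0"
2023-08-01T09:01:00Z WS-0142 GET https://example-org.zulipchat.com/api/v1/events?queue_id=7 "python-requests/2.31.0"
2023-08-01T09:02:00Z WS-0142 POST https://example-org.zulipchat.com/api/v1/messages "python-requests/2.31.0"
2023-08-01T09:03:00Z WS-0142 GET https://example-org.zulipchat.com/api/v1/events?queue_id=7 "python-requests/2.31.0"
2023-08-01T09:04:00Z WS-0142 POST https://example-org.zulipchat.com/api/v1/messages "python-requests/2.31.0"
2023-08-01T10:00:00Z WS-0311 POST https://updates.example.net/api/v1/register "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0"
2023-08-01T10:00:50Z WS-0311 GET https://updates.example.net/api/v1/events?queue_id=2 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0"
2023-08-01T10:01:40Z WS-0311 GET https://updates.example.net/api/v1/events?queue_id=2 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0"
2023-08-01T10:02:30Z WS-0311 GET https://updates.example.net/api/v1/events?queue_id=2 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0"
2023-08-01T10:05:00Z WS-0400 GET https://gitlab.corp.example/api/v1/projects "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/115.0"
"""

if __name__ == "__main__":
    for f in hunt(SAMPLE_PROXY_LOG):
        print(f"{f.src} -> {f.host}: {', '.join(f.reasons)} (endpoints {sorted(f.endpoints)})")
```

On the constructed log this reports WS-0142 talking to an unsanctioned Zulip Cloud tenant from a scripted client on a fixed 60-second cadence, and WS-0311 talking to a server that is not on any Zulip domain but is recognisable from the register-then-poll pattern; the sanctioned server and the unrelated `/api/v1/` site produce nothing. Expect false positives from legitimate Zulip bots and integrations, which also use non-browser user agents, so treat a hit as a triage lead (pull the process making the connection from EDR) rather than an alert in itself.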
Read More:
https://thehackernews.com/2023/08/russian-hackers-use-zulip-chat-app-for.html