APT28, one of the most notorious Russian state-backed advanced persistent threat groups, has launched a widespread cyber-espionage campaign. The operation uses lures themed on the Israel-Hamas conflict to deliver a custom backdoor named HeadLace.
The scope of this cyberespionage campaign is extensive as it targets various entities in 13 different nations, including Hungary, Türkiye, Australia, Poland, Belgium, Ukraine, Germany, Azerbaijan, Saudi Arabia, Kazakhstan, Italy, Latvia, and Romania.
Researchers noted that the campaign uses authentic documents from academic, financial and diplomatic centres as lures to entice victims into opening them and triggering the infection chain.
APT28’s HeadLace operation uses highly targeted techniques to compromise infrastructure in several regions.
According to the investigation, the group’s modus operandi is selective: HeadLace is deployed only against specific infrastructures in the countries listed above.
This selectivity highlights the precision of the ongoing cyber-espionage effort. The lures are crafted to single out European entities, and the campaign primarily targets organisations that directly influence the allocation of humanitarian aid to the victims of geopolitical conflicts.
The decoy documents impersonate material from prominent institutions such as the United Nations, the Bank of Israel, the U.S. Congressional Research Service, the European Parliament, a Ukrainian think tank, and an Azerbaijan-Belarus Intergovernmental Commission.
In addition, some attacks exploit the WinRAR vulnerability CVE-2023-38831 through booby-trapped RAR archives to deliver the HeadLace backdoor, a technique first disclosed by CERT-UA in attacks on critical infrastructure in Ukraine.
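CVE-2023-38831 is a flaw in how WinRAR processes ZIP-format archives (attackers commonly ship such archives with a .rar extension): the archive contains a decoy document, for example report.pdf, alongside a directory whose name is the decoy name plus a trailing space, holding a script such as report.pdf .cmd; double-clicking the decoy in a vulnerable WinRAR runs the script instead. The following scanner is an added example written for this page, not code from the article, from CERT-UA or from the HeadLace operation. It builds a constructed sample archive with Python’s zipfile module and flags that layout from the entry listing alone. The extension list, the file names and the archive contents are assumptions; real lures vary, so treat this as a triage heuristic rather than a definitive detection.

```python
import io
import posixpath
import zipfile

# Extensions WinRAR would hand to the shell as a runnable script or binary.
# Assumed list for this heuristic; not taken from the article.
SCRIPT_EXTS = {".cmd", ".bat", ".exe", ".vbs", ".js", ".ps1", ".scr", ".lnk"}


def find_cve_2023_38831_pattern(entry_names):
    """Return (decoy, script) pairs matching the CVE-2023-38831 archive layout.

    Layout: a root-level decoy file such as 'report.pdf' plus a directory whose
    name is the decoy name followed by one or more spaces ('report.pdf '),
    containing a script such as 'report.pdf .cmd'.
    """
    files = [n for n in entry_names if not n.endswith("/")]
    root_files = [n for n in files if "/" not in n]
    hits = []
    for decoy in root_files:
        for other in files:
            head, base = posixpath.split(other)
            # The directory name must equal the decoy name plus trailing spaces.
            if head == decoy or head.rstrip(" ") != decoy:
                continue
            ext = posixpath.splitext(base.rstrip(" "))[1].lower()
            if ext in SCRIPT_EXTS:
                hits.append((decoy, other))
    return hits


def scan_archive_bytes(data):
    """Open a ZIP-format archive from memory and run the heuristic over its listing."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return find_cve_2023_38831_pattern(zf.namelist())


def build_sample_archive():
    """Constructed sample (not a real HeadLace lure): decoy + same-named folder + script."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed decoy, not a real document\n")
        zf.writestr("report.pdf /report.pdf .cmd", b"@echo off\r\nrem constructed placeholder\r\n")
        zf.writestr("readme.txt", b"benign filler\n")
    return buf.getvalue()


def build_benign_archive():
    """Constructed control archive: a script exists, but not in a same-named folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.pdf", b"%PDF-1.4\n% constructed decoy\n")
        zf.writestr("tools/run.cmd", b"@echo off\r\n")
    return buf.getvalue()


if __name__ == "__main__":
    for label, blob in (("sample", build_sample_archive()), ("benign", build_benign_archive())):
        print(label, scan_archive_bytes(blob))
```

Running the module prints one hit for the constructed sample and none for the control archive. To triage a real attachment, read its bytes and pass them to scan_archive_bytes; for archives in the genuine RAR format, feed the entry names from any RAR listing tool into find_cve_2023_38831_pattern instead, since the heuristic only needs the names.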
What sets this campaign apart is not the tooling, which follows previously observed patterns, but the choice of lures: the reliance on official documents suggests a shift in focus toward an audience engaged in emerging policy creation.
This approach worries security researchers because of the potential compromise of foreign policy centres worldwide; such breaches could give the attackers’ sponsors advance insight into critical dynamics surrounding international security and humanitarian priorities.
This revelation coincides with CERT-UA attributing to another threat actor, UAC-0050, a large email-based phishing campaign against Ukraine and Poland that deployed payloads such as Remcos RAT and Meduza Stealer.
This trend should prompt organisations to increase their vigilance, and nations to cooperate more closely, in order to stay one step ahead of cyber-espionage campaigns that exploit current conflicts.