Skip to main content
Mallory
Back to threat actors
Russia2 malware families

Cloaked Ursa

Also known ascloaked_ursa

Cloaked Ursa is a Russia-linked espionage threat actor publicly attributed by the United States and the United Kingdom to Russia’s Foreign Intelligence Service (SVR). It is also tracked as APT29, Midnight Blizzard, Nobelium, Cozy Bear, and UAC-0004. The group is well known for targeting diplomatic missions globally. The provided content describes Cloaked Ursa conducting spear-phishing and social-engineering operations, including use of compromised accounts to send Microsoft Teams messages with malicious links that redirected victims to credential-harvesting pages mimicking Microsoft login portals in late 2024. The actor was also observed using spear phishing prior to internal Microsoft 365 / Entra tenant exploration. The content further links Cloaked Ursa to use of the ROADtools framework in late 2021 after initial access via spear phishing. Reported capabilities associated with this tooling include tenant reconnaissance, enumeration of Entra ID resources, token acquisition and exchange, replay of stolen session assets, rogue device registration, and stealthy use of legitimate Microsoft APIs. Unit 42 also reported Cloaked Ursa phishing campaigns in 2023 against diplomatic targets in Ukraine and Turkey. In Kyiv, the actor repurposed a legitimate BMW-for-sale flyer and sent malicious versions to diplomatic missions, targeting at least 22 of more than 80 foreign missions. The infection chain used URL shorteners, a compromised website, HTA delivery, ISO files, LNK files masquerading as PNG images, and DLL sideloading via APPVISVSUBSYSTEMS64.dll and a legitimate Word binary. The final payload used Microsoft Graph API and Dropbox API for command and control, included anti-analysis checks, and supported shellcode injection, command execution, and file read/write operations. A separate likely campaign targeted the Turkish Ministry of Foreign Affairs with a humanitarian-assistance-themed lure after the February 2023 earthquakes. The reported malware shared code and tradecraft overlap with previously reported Cloaked Ursa tooling, including QUARTERRIG and similarities to SNOWYAMBER string encryption techniques. Based on the provided content, Cloaked Ursa is a state-linked espionage actor focused on diplomatic and cloud identity targets, using phishing, credential theft, collaboration-platform abuse, cloud reconnaissance, token abuse, and stealthy post-compromise activity.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

24 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

10 of 15 tactics39 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
1 technique
T1583
Acquire Infrastructure
T1583.006
Web Services
TA0001
Initial Access
2 techniques
T1078
Valid Accounts
T1566×3
Phishing
T1566.001
Spearphishing Attachment
T1566.002
Spearphishing Link
T1566.003
Spearphishing via Service
TA0002
Execution
3 techniques
T1059
Command and Scripting Interpreter
T1059.003
Windows Command Shell
T1059.007
JavaScript
T1106
Native API
T1574
Hijack Execution Flow
TA0003
Persistence
2 techniques
T1078
Valid Accounts
T1547
Boot or Logon Autostart Execution
T1547.009
Shortcut Modification
TA0004
Privilege Escalation
3 techniques
T1055
Process Injection
T1078
Valid Accounts
T1547
Boot or Logon Autostart Execution
T1547.009
Shortcut Modification
TA0005
Stealth
9 techniques
T1027
Obfuscated Files or Information
T1036
Masquerading
T1055
Process Injection
T1078
Valid Accounts
T1140
Deobfuscate/Decode Files or Information
T1218
System Binary Proxy Execution
T1218.005
Mshta
T1497
Virtualization/Sandbox Evasion
T1574
Hijack Execution Flow
T1622
Debugger Evasion
TA0006
Credential Access
1 technique
T1056
Input Capture
TA0007
Discovery
3 techniques
T1497
Virtualization/Sandbox Evasion
T1526×2
Cloud Service Discovery
T1622
Debugger Evasion
TA0009
Collection
2 techniques
T1056
Input Capture
T1560
Archive Collected Data
TA0011
Command and Control
3 techniques
T1071
Application Layer Protocol
T1071.001
Web Protocols
T1105
Ingress Tool Transfer
T1132
Data Encoding
ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
QUARTERRIGWe were also able to confirm that the shellcode contained overlaps with the fourth-stage shellcode dropper loader, shown in Figure 7, as described in the Cloaked Ursa QUARTERRIG malware report by Military Counterintelligence Service and CERT.PL.1May 26, 2026
SNOWYAMBERIt’s worth noting that the string encryption algorithms appear to line up with those seen within the Cloaked Ursa SNOWYAMBER and QUARTERRIG malware reports by the Military Counterintelligence Service and CERT.PL.1May 26, 2026
ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
palo alto networks unit 42 blogNews
Jun 8, 2026
When “Hi, This Is IT” Comes Through Microsoft Teams

Uses compromised accounts and Microsoft Teams-based social engineering to send malicious links that redirect victims to credential-harvesting pages impersonating Microsoft login portals.

Read more
security online infoNews
May 28, 2026
ROADtools Cloud Attack Toolkit: Threat Intelligence Report

Used ROADtools in a 2021 campaign, employing spear phishing followed by internal cloud tenant reconnaissance.

Read more
cyber security newsNews
May 27, 2026
ROADtools Misused in Cloud Attacks to Steal Tokens and Bypass MFA Controls - Cyber Security News

Used ROADtools in cloud intrusions after initial access via spear phishing, leveraging it for discovery, persistence, and defense evasion in Microsoft Azure/Entra ID environments.

Read more
palo alto networks unit 42 blogNews
Jul 12, 2023
Diplomats Beware: Cloaked Ursa Phishing With a Twist

Conducting cyber espionage against diplomatic missions, particularly foreign embassies and ministries connected to Ukraine, using spear-phishing lures themed around diplomats’ personal needs and humanitarian guidance to deliver multi-stage malware.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping24

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.