Cloaked Ursa Phishes Diplomats With Repurposed Lures and Cloud-Backed Malware
Unit 42 reported that Cloaked Ursa—also tracked as APT29, Midnight Blizzard, Nobelium, and Cozy Bear—ran phishing campaigns against diplomatic targets in Ukraine and Turkey, using lures tied to diplomats’ personal and professional interests. In one operation, the group repurposed a legitimate BMW-for-sale flyer originally sent by a Polish Ministry of Foreign Affairs diplomat and redistributed malicious versions to diplomatic missions in Kyiv, reaching at least 22 foreign missions. A separate campaign targeted the Turkish Ministry of Foreign Affairs with a lure themed around humanitarian assistance guidance following the February 2023 earthquakes.
The phishing chain redirected victims through URL shorteners to a compromised website that delivered malware through HTA, ISO, and LNK files disguised as PNG images, followed by DLL sideloading. Researchers said the payload used the Microsoft Graph API and Dropbox for command-and-control and shared code and tradecraft with previously reported Cloaked Ursa tooling, including overlap with QUARTERRIG, use of APPVISVSUBSYSTEMS64.dll, anti-analysis checks, shellcode injection, and obfuscated final-stage payloads. The activity showed a shift toward broadly appealing but individually relevant lures designed to spread more easily within diplomatic circles and improve espionage success.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Unit 42 publishes analysis linking campaigns to Cloaked Ursa
On 2023-07-12, Unit 42 published research attributing the diplomatic phishing campaigns in Ukraine and Turkey to Cloaked Ursa and documenting overlaps with previously reported tooling such as QUARTERRIG and APPVISVSUBSYSTEMS64.dll. The report highlighted the actor's shift toward broadly appealing but individually relevant lures for espionage targeting.
Phishing chain delivers malware via compromised site and sideloading
In the Kyiv campaign, victims were redirected through URL shorteners to a compromised website that delivered malware using HTA, ISO, LNK files disguised as PNGs, and DLL sideloading. The resulting payload used Microsoft Graph API and Dropbox for command-and-control.
Cloaked Ursa sends malicious BMW lure to Kyiv diplomatic missions
On 2023-05-04, Cloaked Ursa sent malicious versions of the BMW-for-sale flyer to diplomatic missions in Kyiv, targeting at least 22 of more than 80 foreign missions. The campaign used diplomat-relevant social engineering to increase the likelihood of compromise and onward sharing.
Polish MFA diplomat sends legitimate BMW-for-sale flyer
In April 2023, a Polish Ministry of Foreign Affairs diplomat circulated a legitimate BMW-for-sale flyer. Cloaked Ursa later repurposed this authentic document as the basis for a phishing lure aimed at diplomats in Kyiv.
Turkey earthquake creates context for humanitarian-assistance lure
After the February 2023 earthquakes in Turkey, Cloaked Ursa likely used a phishing lure themed around humanitarian assistance guidance to target the Turkish Ministry of Foreign Affairs. Unit 42 assessed this as a separate but related campaign sharing malware code and tradecraft with the Ukraine-focused activity.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
APT28-Linked Phishing Campaign Deploys BadPaw Loader and MeowMeow Backdoor Against Ukraine
ClearSky reported a suspected Russian espionage campaign targeting Ukrainian entities using phishing emails that deliver two previously undocumented malware families: the **BadPaw** loader and the **MeowMeow** backdoor. The infection chain begins with a lure email (sent from `ukr[.]net` to appear credible) containing a link that first loads an unusually small image functioning as a tracking pixel to confirm user interaction, then redirects victims to download a ZIP archive. When opened, the archive launches an HTA that displays a Ukrainian-language decoy document about border-crossing appeals while executing background stages that deploy the .NET-based BadPaw loader, which then retrieves and installs the MeowMeow backdoor from a remote server; the HTA also performs sandbox/analysis-evasion checks. The activity was attributed with **moderate confidence** to **APT28** based on targeting, geopolitical lures, and technique overlaps with prior Russian operations. Separate reporting also noted CERT-UA warnings about other phishing-driven malware activity against Ukrainian government institutions (including **SHADOWSNIFF**, **SALATSTEALER**, and a Go backdoor **DEAFTICKK** attributed to **UAC-0252**), but that campaign is distinct from the BadPaw/MeowMeow intrusion chain and should not be conflated with the APT28-linked activity.
Mar 21, 2026
Void Blizzard (Laundry Bear) Charity-Themed Lures Deliver PluggyApe Backdoor to Ukraine’s Defense Forces
Ukraine’s CERT (CERT-UA) reported a cyber-espionage campaign targeting representatives of **Ukraine’s Defense Forces** between October and December 2025, using social-engineering lures themed around charitable foundations. Victims were contacted via **Signal** and **WhatsApp** and directed to charity-impersonation websites or sent password-protected archives that purported to contain documents but instead delivered executable payloads (including `*.docx.pif`), sometimes sent directly through the messaging apps. The activity was attributed with **medium confidence** to the Russia-aligned threat actor **Void Blizzard** (also tracked as **Laundry Bear** and **UAC-0190**). The campaign deployed a previously undocumented backdoor dubbed **PluggyApe**, built as a Python executable packaged with **PyInstaller**, which profiles infected hosts, establishes persistence via **Windows Registry** modification, and enables remote command execution. CERT-UA noted an evolution in late 2025 from earlier loader naming patterns (e.g., `*.pdf.exe`) to **PIF-based delivery** and an updated **PluggyApe v2** featuring stronger obfuscation, **MQTT-based** command-and-control, and additional anti-analysis checks.
Mar 21, 2026
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. **Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
Mar 21, 2026