{"id":41112,"date":"2021-05-28T21:36:17","date_gmt":"2021-05-28T21:36:17","guid":{"rendered":"https:\/\/www.microsoft.com\/security\/blog\/?p=93658"},"modified":"2021-05-28T21:36:17","modified_gmt":"2021-05-28T21:36:17","slug":"breaking-down-nobeliums-latest-early-stage-toolset","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/","title":{"rendered":"Breaking down NOBELIUM\u2019s latest early-stage toolset"},"content":{"rendered":"<p>As we reported in earlier blog posts, the threat actor <a href=\"https:\/\/blogs.microsoft.com\/on-the-issues\/2021\/05\/27\/nobelium-cyberattack-nativezone-solarwinds\/\">NOBELIUM<\/a> recently intensified an <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/05\/27\/new-sophisticated-email-based-attack-from-nobelium\/\">email-based attack<\/a> that it has been operating and evolving since early 2021. We continue to monitor this active attack and intend to post additional details as they become available. In this blog, we highlight four tools representing a unique infection chain utilized by NOBELIUM: EnvyScout, BoomBox, NativeZone, and VaporRage. These tools have been observed being used in the wild as early as February 2021 attempting to gain a foothold on a variety of sensitive diplomatic and government entities.<\/p>\n<p>As part of this blog, Microsoft Threat Intelligence Center (MSTIC) is releasing an appendix of indicators of compromise (IOCs) for the community to better investigate and understand NOBELIUM\u2019s most recent operations. The NOBELIUM IOCs associated with this activity are available in CSV on the <a href=\"https:\/\/raw.githubusercontent.com\/microsoft\/mstic\/master\/Indicators\/May21-NOBELIUM\/May21NOBELIUMIoCs.csv\">MSTIC GitHub<\/a>. This sophisticated NOBELIUM attack requires a comprehensive incident response to identify, investigate, and respond. 
Get the latest information and guidance from Microsoft at <a href=\"https:\/\/aka.ms\/nobelium\">https:\/\/aka.ms\/nobelium<\/a>. We have also outlined related alerts in Microsoft 365 Defender, so that security teams can check to see if activity has been flagged for investigation.<\/p>\n<p>Each of the NOBELIUM tools discussed in this blog is designed for flexibility, enabling the actor to adapt to operational challenges over time. While the technical specifics are not unprecedented, NOBELIUM\u2019s operational security priorities have likely influenced the design of this toolset, which shows features preferable for an actor operating in potentially high-risk and high-visibility environments. These attacker security priorities are:<\/p>\n<ul>\n<li><strong>Use of trusted channels: <\/strong>BoomBox is a uniquely developed downloader used to obtain a later-stage payload from an actor-controlled Dropbox account. All initial communications leverage the Dropbox API via HTTPS.<\/li>\n<li><strong>Opportunity for restraint: <\/strong>Consistent with other tools utilized by NOBELIUM, BoomBox, VaporRage, and some variants of NativeZone conduct some level of profiling on an affected system\u2019s environment. MSTIC is currently unaware whether these tools benefit from any server-side component. It is plausible that this design allows NOBELIUM to select its targets and to gauge the likelihood of discovery should the implant be run in environments unfamiliar to the actor.<\/li>\n<li><strong>Ambiguity: <\/strong>VaporRage is a unique shellcode loader seen as the third-stage payload. VaporRage can download, decode, and execute an arbitrary payload fully in-memory. 
Such design and deployment patterns, which also include staging of payloads on a compromised website, leave few traditional on-disk artifacts and hamper forensic investigation, allowing unique payloads to remain undiscovered.<\/li>\n<\/ul>\n<p>NOBELIUM is an actor that operates with rapid operational tempo, often leveraging temporary infrastructure, payloads, and methods to obfuscate their activities. We suspect that NOBELIUM can draw from significant operational resources that are often showcased in their periodic campaigns. Since December 2020, the security community has identified a growing collection of payloads attributed to the actor, including the <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/03\/04\/goldmax-goldfinder-sibot-analyzing-nobelium-malware\/\">GoldMax, GoldFinder, and Sibot malware identified by Microsoft<\/a>, as well as TEARDROP (<a href=\"https:\/\/www.fireeye.com\/blog\/threat-research\/2021\/03\/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html\">FireEye<\/a>), SUNSPOT (<a href=\"https:\/\/www.crowdstrike.com\/blog\/sunspot-malware-technical-analysis\/\">CrowdStrike<\/a>), Raindrop (<a href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/solarwinds-raindrop-malware\">Symantec<\/a>) and, most recently, FLIPFLOP (<a href=\"https:\/\/www.volexity.com\/blog\/2021\/05\/27\/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns\/\">Volexity<\/a>).<\/p>\n<p>Despite growing community visibility since the exposure of the SolarWinds attack in late 2020, NOBELIUM has continued to target government and diplomatic entities across the globe. We anticipate that as these operations progress, NOBELIUM will continue to mature their tools and tactics to target a global audience.<\/p>\n<p>While this post focuses on a single wave of the campaign comprising the four malware families mentioned, it also highlights variations in the campaign wherein methodologies were altered per wave. 
The list of indicators in the appendix expands beyond this single wave.<\/p>\n<h2>EnvyScout: <em>NV.html<\/em> (malicious HTML file)<\/h2>\n<p><em>NV.html<\/em>, tracked by Microsoft as EnvyScout, can be best described as a malicious dropper capable of de-obfuscating and writing a malicious ISO file to disk. EnvyScout is chiefly delivered to targets of NOBELIUM by way of an attachment to spear-phishing emails.<\/p>\n<p>The HTML &lt;body&gt; section of <em>NV.html<\/em> contains four notable components:<\/p>\n<p><strong>Component #1: Tracking and credential-harvesting URLs<\/strong><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93659\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/Fig1.png\" alt width=\"378\" height=\"103\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/Fig1.png 378w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/Fig1-300x82.png 300w\" sizes=\"auto, (max-width: 378px) 100vw, 378px\"><\/p>\n<p>In one variant of EnvyScout, the &lt;body&gt; section contains two URLs, as shown above.<\/p>\n<p>The first, prefixed with a <em>file:\/\/<\/em> protocol handler, is indicative of an attempt to coax the operating system into sending an NTLMv2 challenge-response (the user\u2019s NTLMv2 hash) to the specified actor-controlled IP address over TCP port 445 (SMB). It is likely that the attacker is running a credential-capturing service, such as Responder, at the other end of these transactions. The captured NTLMv2 responses can later be cracked offline to recover the underlying passwords.<\/p>\n<p>The second URL, which resolves to the same IP address as the former at the time of analysis, remotely sources an image that is part of the HTML lure. 
This technique, sometimes referred to as a \u201cweb bug\u201d, serves as a read receipt of sorts to NOBELIUM, validating that the prospective target followed through with opening the malicious attachment.<\/p>\n<p><strong>Component #2: FileSaver JavaScript helper code<\/strong><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93700\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig2.png\" alt width=\"799\" height=\"227\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig2.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig2-300x85.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig2-768x218.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>The second portion of EnvyScout is a modified version of the open-source tool <a href=\"https:\/\/github.com\/eligrey\/FileSaver.js\">FileSaver<\/a>, which is intended to assist in the writing of files to disk via JavaScript. The code is borrowed directly from the publicly available variants with minor alterations, including whitespace removal, conversion of hex parameters to decimal, and renamed variables. By combining this code with components #3 and #4 detailed below, NOBELIUM effectively implements a methodology known as <a href=\"https:\/\/outflank.nl\/blog\/2018\/08\/14\/html-smuggling-explained\/\">HTML smuggling<\/a>. This methodology may circumvent static analysis of known malicious file types by obscuring them within dynamically altered content upon execution. 
When combined with dynamic analysis guardrails, this can be an effective way to subvert detections of both types.<\/p>\n<p><strong>Component #3: Obfuscated ISO file<\/strong><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93701\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig3.png\" alt width=\"799\" height=\"191\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig3.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig3-300x72.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig3-768x184.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>The third section of EnvyScout contains a payload stored as an encoded blob. This payload is decoded by XOR\u2019ng each character with a single-byte key, which then leads to a Base64 payload that is then decoded and written to disk via components #2 and #4.<\/p>\n<p><strong>Component #4: De-obfuscator and dropper script<\/strong><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93702\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig4.png\" alt width=\"799\" height=\"51\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig4.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig4-300x19.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig4-768x49.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>The final component of EnvyScout is a short code snippet responsible for decoding the ISO in the Base64 encoded\/XOR\u2019d blob, and saving it to disk as <em>NV.img<\/em> with a mime type of \u201capplication\/octet-stream\u201d. 
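<\/p>\n<p>The decode path in components #2 to #4 (single-byte XOR, then Base64, then a file written to disk) is straightforward to reproduce on the analysis side. The Python script below is an added example written for this page rather than code from the EnvyScout sample or from Microsoft. It builds a minimal ISO 9660 image as a stand-in for <em>NV.img<\/em> (the image, the key byte 0x5A and the resulting blob are all constructed here), encodes it the way the dropper expects, decodes it back, and recovers an unknown key byte by requiring that the XOR\u2019d blob be valid Base64 and that the result carry the ISO 9660 signature at the primary volume descriptor.<\/p>\n
```python
import base64
import string
from typing import Optional

# Base64 alphabet plus padding; a correct XOR key must map every blob byte into this set.
B64_CHARS = frozenset((string.ascii_letters + string.digits + "+/=").encode())
# ISO 9660 keeps the primary volume descriptor in logical sector 16 (2048-byte sectors):
# byte 0 is the descriptor type (1), bytes 1-5 are the standard identifier "CD001".
PVD_OFFSET = 16 * 2048


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (symmetric, so it both encodes and decodes)."""
    return bytes(b ^ key for b in data)


def envyscout_encode(payload: bytes, key: int) -> bytes:
    """What the lure author did: Base64 the ISO, then XOR each character with the key."""
    return xor_single_byte(base64.b64encode(payload), key)


def envyscout_decode(blob: bytes, key: int) -> bytes:
    """Mirror of component #4: XOR each character with the key, then Base64-decode.
    validate=True makes a wrong key fail loudly instead of yielding garbage."""
    return base64.b64decode(xor_single_byte(blob, key), validate=True)


def looks_like_iso(data: bytes) -> bool:
    """ISO 9660 signature check: descriptor type 1 followed by 'CD001' at sector 16."""
    return data[PVD_OFFSET:PVD_OFFSET + 6] == b"\x01CD001"


def recover_key(blob: bytes, probe: int = 4096) -> Optional[int]:
    """Brute-force the single key byte: cheap alphabet filter on a prefix first,
    then a full decode plus ISO signature check for the survivors."""
    head = blob[:probe]
    for key in range(256):
        if not all((b ^ key) in B64_CHARS for b in head):
            continue
        try:
            image = envyscout_decode(blob, key)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if looks_like_iso(image):
            return key
    return None


def make_sample_iso() -> bytes:
    """Constructed stand-in for NV.img: 16 system-area sectors of filler, a primary volume
    descriptor and a terminator descriptor. Not an image from the campaign."""
    system_area = bytes(range(256)) * (PVD_OFFSET // 256)
    pvd = b"\x01CD001\x01\x00" + b"NV".ljust(2040, b"\x00")
    terminator = b"\xffCD001\x01" + b"\x00" * 2041
    return system_area + pvd + terminator


if __name__ == "__main__":
    iso = make_sample_iso()
    blob = envyscout_encode(iso, 0x5A)  # 0x5A is an arbitrary demo key
    key = recover_key(blob)
    print("recovered key:", None if key is None else hex(key))
    print("ISO signature:", looks_like_iso(envyscout_decode(blob, key or 0)))
```
\n<p>Against a real sample the blob is the string literal from component #3 and the key is whatever component #4 XORs with; the alphabet filter alone is not decisive on low-entropy input, which is why the signature check is kept.<\/p>\n<p>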
At this stage of infection, the user is expected to open the downloaded ISO, <em>NV.img<\/em>, by double-clicking it.<\/p>\n<p>As Microsoft has been tracking waves of this campaign for months, we have identified various modifications to the actor\u2019s toolkit that were not present in every instance of EnvyScout but are nonetheless notable for defenders:<\/p>\n<p><strong>EnvyScout variation #1:<\/strong><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93703\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig5.png\" alt width=\"704\" height=\"329\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig5.png 704w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig5-300x140.png 300w\" sizes=\"auto, (max-width: 704px) 100vw, 704px\"><\/p>\n<p>In some iterations of the actor\u2019s phishing campaigns, EnvyScout contained execution guardrails wherein <em>window.location.pathname<\/em> was read and its value checked to ensure that the first two characters returned were \u201cC\u201d and \u201c:\u201d. 
If this condition was not met\u2014indicating the sample was not being executed from the <em>C:<\/em> drive\u2014the embedded ISO was not written to disk.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93704\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig6.png\" alt width=\"709\" height=\"268\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig6.png 709w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig6-300x113.png 300w\" sizes=\"auto, (max-width: 709px) 100vw, 709px\"><\/p>\n<p>As the attacker had gathered qualities from detonations of previous entries in the campaign via the Firebase fingerprinting JavaScript detailed in a prior <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/05\/27\/new-sophisticated-email-based-attack-from-nobelium\/\">blog post<\/a>, this was assessed to be an execution guardrail to deter analysis and dynamic execution of the samples bearing these guardrails. 
Having witnessed both iterations of EnvyScout in the wild allows us to infer the intent of some of the information gathered from earlier instances.<\/p>\n<p><strong>EnvyScout variation #2:<\/strong><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93718\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig7.png\" alt width=\"531\" height=\"116\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig7.png 531w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig7-300x66.png 300w\" sizes=\"auto, (max-width: 531px) 100vw, 531px\"><\/p>\n<p>In at least one instance of EnvyScout delivery, we observed further enumeration of the executing browser\u2019s environment, wherein the user-agent was used to determine whether a Windows machine received an ISO payload. If the visitor arrived via iOS, they were redirected to external infrastructure.<\/p>\n<h3><em>NV.img<\/em> (malicious ISO file)<\/h3>\n<p>When a target user opens <em>NV.img<\/em> (dropped by EnvyScout) by double-clicking it, the default behavior on Windows 10 is to mount the ISO image at the next available drive letter. 
Windows Explorer subsequently displays the contents of the mounted ISO in a window, similar to what users see when they open folders or compressed archives.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93705\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig8.png\" alt width=\"799\" height=\"220\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig8.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig8-300x83.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig8-768x211.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>As shown above, the mounted ISO contains a single visible file, a shortcut file named <em>NV<\/em>. However, adjusting the file and folder settings in Windows to show hidden files and folders exposes a hidden folder named <em>NV<\/em> and a hidden executable named <em>BOOM.exe<\/em>:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93706\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig9.png\" alt width=\"799\" height=\"128\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig9.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig9-300x48.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig9-768x123.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>The user is likely expected to interact with <em>NV.lnk<\/em>, but manual execution of the hidden file <em>BOOM.exe<\/em> also results in the infection of the system. 
The individual contents of each file are detailed below.<\/p>\n<p>The use of ISO as a vessel for malicious payloads is further notable because the Mark of the Web on the downloaded image is not propagated to the files inside it. This can both weaken host-based detections and reduce friction for user interaction with the contents, since the warnings that key off the mark (SmartScreen and Office Protected View, for instance) are not triggered.<\/p>\n<h3><em>NV.pdf<\/em> (decoy document)<\/h3>\n<p>The hidden NV directory in the mounted ISO contains a decoy PDF file named <em>NV.pdf<\/em>, which contains a decoy advisory:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93707\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig10.png\" alt width=\"799\" height=\"149\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig10.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig10-300x56.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig10-768x143.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>As described later in this analysis, the contents of the <em>NV<\/em> directory are displayed to the user by <em>BOOM.exe<\/em>.<\/p>\n<h3><em>NV.lnk<\/em> (malicious shortcut)<\/h3>\n<p><em>NV.lnk<\/em> is a shortcut\/launcher for the hidden file <em>BOOM.exe<\/em>. 
As shown below, the shortcut leverages a living-off-the-land binary (LOLBin) and technique to proxy the execution of <em>BOOM.exe<\/em> using the following hardcoded shortcut target value: <em>C:\\Windows\\System32\\rundll32.exe c:\\windows\\system32\\advpack.dll,RegisterOCX BOOM.exe<\/em>.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93719\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig11.png\" alt width=\"411\" height=\"577\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig11.png 411w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig11-214x300.png 214w\" sizes=\"auto, (max-width: 411px) 100vw, 411px\"><\/p>\n<p>Note that Microsoft also saw a variation of this LNK file containing the following shortcut target value: <em>C:\\Windows\\System32\\cmd.exe \/c start BOOM.exe<\/em>.<\/p>\n<p>Numerous other LNKs were identified and are referenced in the appendix linked in this post. Methodologies varied, as did metadata in the LNKs themselves. For instance, the sample with the SHA-256: 48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0 contained a target of <em>\u201c%windir%\/system32\/explorer.exe Documents.dll,Open\u201d<\/em>, while the absolute path in the sample was <em>\u201cC:\\Windows\\system32\\rundll32.exe\u201d<\/em>.<\/p>\n<p>As referenced in Volexity\u2019s <a href=\"https:\/\/www.volexity.com\/blog\/2021\/05\/27\/suspected-apt29-operation-launches-election-fraud-themed-phishing-campaigns\/\">blog post<\/a> on the latest campaign, the LNK metadata was widely removed, and what remained varied between waves. 
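<\/p>\n<p>The shortcut targets quoted in this section share one pattern: a trusted Windows binary (<em>rundll32.exe<\/em>, <em>cmd.exe<\/em>, <em>explorer.exe<\/em>) is the real target, and the malicious DLL or executable is passed as an argument, usually by a relative path that only resolves inside the mounted image. The Python below is an added triage helper written for this page, not code from Microsoft or from the campaign tooling. It parses a shortcut target string and lists the reasons it looks like LOLBin proxy execution; the rules and wording are the editor\u2019s own, the target strings are the ones quoted on this page plus two benign controls, and a LNK parser would supply the target string from the file\u2019s own fields in real use.<\/p>\n
```python
import re
from typing import List

# Binaries the quoted targets use to proxy execution; the DLL or EXE that actually runs is an argument.
PROXY_HOSTS = {"rundll32.exe", "cmd.exe", "explorer.exe"}
# Documented LOLBin export used above: advpack.dll!RegisterOCX runs its argument as a command line.
KNOWN_PROXY_EXPORTS = {("advpack.dll", "registerocx")}
SYSTEM32 = "c:\\windows\\system32\\"


def split_target(target: str) -> List[str]:
    """Tokenise a shortcut target roughly as the shell does: quoted strings or bare words."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', target)]


def triage_lnk_target(target: str) -> List[str]:
    """Reasons a shortcut target looks like LOLBin proxy execution (empty list = nothing flagged)."""
    reasons: List[str] = []
    tokens = split_target(target.replace("%windir%", "C:\\Windows"))
    if not tokens:
        return reasons
    host = tokens[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    args = tokens[1:]
    if host not in PROXY_HOSTS:
        return reasons  # not one of the hosts seen in this campaign

    if host == "rundll32.exe" and args:
        # rundll32 accepts "dll,Export args" or "dll Export args"; normalise to (dll, export, rest)
        dll, _, export = args[0].replace("/", "\\").partition(",")
        rest = args[1:]
        if not export and rest:
            export, rest = rest[0], rest[1:]
        dll_name = dll.rsplit("\\", 1)[-1].lower()
        if (dll_name, export.lower()) in KNOWN_PROXY_EXPORTS:
            reasons.append(f"known proxy export {dll_name}!{export} launching {' '.join(rest) or '?'}")
        if not dll.lower().startswith(SYSTEM32):
            # a bare or relative DLL name resolves against the working directory: the mounted ISO
            reasons.append(f"DLL loaded by relative or non-system path: {dll}")
    elif host == "cmd.exe" and any(a.lower() == "start" for a in args):
        reasons.append(f"cmd /c start launches {args[-1]} from the shortcut's working directory")
    elif host == "explorer.exe" and any(".dll" in a.lower() for a in args):
        reasons.append("explorer.exe given a DLL argument (not a normal explorer invocation)")
    return reasons


# Targets quoted on this page, plus two benign controls, run through the triage.
OBSERVED_TARGETS = [
    r"C:\Windows\System32\rundll32.exe c:\windows\system32\advpack.dll,RegisterOCX BOOM.exe",
    r"C:\Windows\System32\cmd.exe /c start BOOM.exe",
    r"%windir%/system32/explorer.exe Documents.dll,Open",
    r"C:\Windows\System32\rundll32.exe IMGMountingService.dll MountImgHelper",
    r"C:\Windows\System32\rundll32.exe diassvcs.dll InitializeComponent",
    r"C:\Windows\System32\rundll32.exe MsDiskMountService.dll DiskDriveIni",
    r"C:\Windows\system32\rundll32.exe data/mstu.dll,MicrosoftUpdateService",
    r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",  # benign control
    r"C:\Program Files\Example\example.exe",                                             # benign control
]

if __name__ == "__main__":
    for t in OBSERVED_TARGETS:
        print(t, "->", triage_lnk_target(t) or "clean")
```
\n<p>The relative-path rule is the one that generalises: a legitimate shortcut to <em>rundll32.exe<\/em> names a DLL under System32, whereas every malicious target above either names a DLL by bare file name or hands <em>BOOM.exe<\/em> to a proxy export.<\/p>\n<p>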
Icons were often folders, meant to trick targets into thinking they were opening a shortcut to a folder.<\/p>\n<p>Microsoft also observed the following targets for known LNK files:<\/p>\n<ul>\n<li><em>C:\\Windows\\System32\\rundll32.exe IMGMountingService.dll MountImgHelper<\/em><\/li>\n<li><em>C:\\Windows\\System32\\rundll32.exe diassvcs.dll InitializeComponent<\/em><\/li>\n<li><em>C:\\Windows\\System32\\rundll32.exe MsDiskMountService.dll DiskDriveIni<\/em><\/li>\n<li><em>C:\\Windows\\system32\\rundll32.exe data\/mstu.dll,MicrosoftUpdateService<\/em><\/li>\n<\/ul>\n<h2>BoomBox: <em>BOOM.exe<\/em> (malicious downloader)<\/h2>\n<p><em>BOOM.exe<\/em>, tracked by Microsoft as \u201cBoomBox\u201d, can be best described as a malicious downloader. The downloader is responsible for downloading and executing the next-stage components of the infection. These components are downloaded from Dropbox (using a hardcoded Dropbox Bearer\/Access token).<\/p>\n<p>When executed, BoomBox ensures that a directory named <em>NV<\/em> is present in its current working directory; otherwise it terminates. 
If the directory is present, BoomBox displays the contents of the <em>NV<\/em> directory in a new Windows Explorer window (leaving it up to the user to open the PDF file).<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93708\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig12.png\" alt width=\"799\" height=\"149\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig12.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig12-300x56.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig12-768x143.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>Next, BoomBox ensures that the following file is <em>not<\/em> present on the system (if so, it terminates): <em>%AppData%\\Microsoft\\NativeCache\\NativeCacheSvc.dll<\/em> (this file is covered later in this analysis). 
BoomBox performs enumeration of various victim host qualities, such as hostname, domain name, IP address, and username of the victim system to compile the following string (using example values):<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93709\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig13.png\" alt width=\"799\" height=\"98\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig13.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig13-300x37.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig13-768x94.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>Next, BoomBox AES-encrypts the host information string above using the hardcoded encryption key \u201c123do3y4r378o5t34onf7t3o573tfo73\u201d and initialization vector (IV) value \u201c1233t04p7jn3n4rg\u201d. To masquerade the data as contents of a PDF file, BoomBox prepends and appends the magic markers for PDF to the AES-encrypted host information string above:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93710\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig14.png\" alt width=\"799\" height=\"193\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig14.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig14-300x72.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig14-768x186.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>BoomBox proceeds to upload the data above (masquerading as a PDF file) to a dedicated-per-victim-system folder in Dropbox. 
For demonstration purposes, an example HTTP(s) POST request used to upload the file\/data to Dropbox is included below.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93711\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig15.png\" alt width=\"799\" height=\"400\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig15.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig15-300x150.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig15-768x384.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>To ensure the file has been successfully uploaded to Dropbox, BoomBox utilizes a set of regular expression values to check the HTTP response from Dropbox. As shown below, the regular expressions are used to check the presence of the <em>is_downloadable<\/em>, <em>path_lower<\/em>, <em>content_hash<\/em>, and <em>size<\/em> fields (not their values) in the HTTP response received from Dropbox. Notably, BoomBox disregards the outcome of this check and proceeds, even if the upload operation is unsuccessful.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93712\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig16.png\" alt width=\"798\" height=\"541\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig16.png 798w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig16-300x203.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig16-768x521.png 768w\" sizes=\"auto, (max-width: 798px) 100vw, 798px\"><\/p>\n<p>Next, BoomBox downloads an encrypted file from Dropbox. 
For demonstration purposes, an example HTTP(s) POST request used to download the encrypted file from Dropbox is shown below.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93713\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig17.png\" alt width=\"799\" height=\"166\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig17.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig17-300x62.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig17-768x160.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>After successfully downloading the encrypted file from Dropbox, BoomBox discards the first 10 bytes from the header and 7 bytes from the footer of the encrypted file, and then AES-decrypts the rest of the file using the hardcoded encryption key \u201c123do3y4r378o5t34onf7t3o573tfo73\u201d and IV value \u201c1233t04p7jn3n4rg\u201d. BoomBox writes the decrypted file to the file system at <em>%AppData%\\Microsoft\\NativeCache\\NativeCacheSvc.dll<\/em>. 
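<\/p>\n<p>Two details in this section translate directly into hunting logic: the files BoomBox exchanges with Dropbox are AES ciphertext dressed up as a PDF (the downloader strips 10 leading and 7 trailing bytes before decrypting), and the final upload goes to a per-victim folder whose name is the MD5 of the system name, as described at the end of this section. The Python below is an added example, not code from BoomBox or from Microsoft. It precomputes the expected victim IDs for a fleet of hostnames, matches them against proxy log lines for the Dropbox content API, and carves the ciphertext out of a fake-PDF wrapper. The hostnames, the log format, the log lines and the PDF dressing are all constructed for the example; whether BoomBox hashes the system name as reported or after case-folding is not stated, so the lookup covers both spellings (assumption). The AES-CBC decryption itself with the published key and IV is left to a crypto library and not shown.<\/p>\n
```python
import hashlib
import json
import re
from typing import Dict, Iterator, List, Optional

VICTIM_PATH_PREFIX = "/new/"              # per-victim folder: "/new/" + MD5 of the system name
KNOWN_STATIC_PATHS = {"/tmp/readme.pdf"}  # second-stage path named in this section
PDF_HEADER_LEN = 10                       # bytes BoomBox discards at the front of a downloaded file
PDF_FOOTER_LEN = 7                        # bytes BoomBox discards at the end
AES_BLOCK = 16


def victim_ids(hostname: str) -> List[str]:
    """Candidate IDs for one host, upper-case hex like the example on this page.
    Assumption: the name may be hashed as-is or case-folded, so all spellings are covered."""
    variants = {hostname, hostname.upper(), hostname.lower()}
    return sorted(hashlib.md5(v.encode()).hexdigest().upper() for v in variants)


def build_lookup(hostnames: List[str]) -> Dict[str, str]:
    """Map every candidate victim ID back to the inventory hostname it came from."""
    return {vid: h for h in hostnames for vid in victim_ids(h)}


# Constructed proxy log format: "<ts> <client_ip> <method> <url> <Dropbox-API-Arg JSON or ->"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>\S+) (?P<url>\S+) (?P<arg>.*)$")


def hunt(log_lines: List[str], lookup: Dict[str, str]) -> Iterator[dict]:
    """Yield one hit per Dropbox content-API request whose path names a known host
    or one of the static paths from this section."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or "content.dropboxapi.com/2/files/" not in m["url"]:
            continue
        try:
            path = json.loads(m["arg"]).get("path", "")
        except (ValueError, AttributeError):
            continue
        vid = path.rsplit("/", 1)[-1].upper()
        host: Optional[str] = lookup.get(vid) if path.startswith(VICTIM_PATH_PREFIX) else None
        if host is None and path not in KNOWN_STATIC_PATHS:
            continue
        yield {"ts": m["ts"], "ip": m["ip"], "path": path, "host": host,
               "endpoint": m["url"].rsplit("/", 1)[-1]}


def carve_ciphertext(fake_pdf: bytes) -> Optional[bytes]:
    """Strip the PDF dressing exactly as BoomBox does (10 leading, 7 trailing bytes).
    Returns None if what is left cannot be AES-CBC output (not block aligned)."""
    if len(fake_pdf) <= PDF_HEADER_LEN + PDF_FOOTER_LEN:
        return None
    body = fake_pdf[PDF_HEADER_LEN:-PDF_FOOTER_LEN]
    return body if len(body) % AES_BLOCK == 0 else None


# ---- constructed sample data (not real campaign traffic) ----
FLEET = ["WS-FINANCE-07", "dc01.corp.example", "LAPTOP-QX2"]
DEMO_ID = victim_ids("WS-FINANCE-07")[0]
SAMPLE_LOG = [
    f'2021-05-25T09:12:44Z 10.1.5.23 POST https://content.dropboxapi.com/2/files/upload {{"path":"/new/{DEMO_ID}","mode":"add","autorename":true}}',
    '2021-05-25T09:12:45Z 10.1.5.23 POST https://content.dropboxapi.com/2/files/download {"path":"/tmp/readme.pdf"}',
    '2021-05-25T09:13:02Z 10.1.7.9 GET https://www.dropbox.com/home -',
    '2021-05-25T09:14:10Z 10.1.5.40 POST https://content.dropboxapi.com/2/files/upload {"path":"/new/DEADBEEF00000000DEADBEEF00000000","mode":"add"}',
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG, build_lookup(FLEET)):
        print(hit)
```
\n<p>The unknown-ID upload in the last sample line is deliberately not reported: a bare <em>\/new\/&lt;32 hex&gt;<\/em> path is a weaker signal on its own, but it is worth a second query against an inventory of decommissioned or BYOD names once one confirmed hit exists.<\/p>\n<p>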
It then establishes persistence for <em>NativeCacheSvc.dll<\/em> by creating a Run registry value named <em>MicroNativeCacheSvc<\/em>:<\/p>\n<p><em>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\MicroNativeCacheSvc <\/em><\/p>\n<p>The Run registry value is populated with the following command, which is used to execute <em>NativeCacheSvc.dll<\/em> using <em>rundll32.exe<\/em> and by calling its export function named \u201c<em>_configNativeCache<\/em>\u201d:<\/p>\n<p><em>rundll32.exe %AppData%\\Microsoft\\NativeCache\\NativeCacheSvc.dll _configNativeCache<\/em><\/p>\n<p>Next, BoomBox downloads a second encrypted file from the Dropbox path <em>\/tmp\/readme.pdf<\/em>, discards the first 10 bytes from the header and 7 bytes from the footer of the encrypted file, and then AES-decrypts the rest of the file (using the same AES IV and key as above). It writes the decrypted file at <em>%AppData%\\SystemCertificates\\CertPKIProvider.dll<\/em> and proceeds to execute the previously dropped file <em>NativeCacheSvc.dll<\/em> using the same <em>rundll32.exe<\/em> command as above.<\/p>\n<p>As the final reconnaissance step, if the system is domain-joined, BoomBox executes an LDAP query to gather data such as distinguished name, SAM account name, email, and display name of all domain users via the filter <em>(&amp;(objectClass=user)(objectCategory=person))<\/em>.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93714\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig18.png\" alt width=\"799\" height=\"492\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig18.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig18-300x185.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig18-768x473.png 768w, 
https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig18-392x240.png 392w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>The enumerated data is AES-encrypted (using the same IV and key as before), encapsulated in a fake PDF file (as previously described), and uploaded to the Dropbox path <em>\/new\/&lt;Victim_ID&gt;<\/em>, where <em>&lt;Victim_ID&gt;<\/em> is the MD5 hash of the victim\u2019s system name, for example: <em>\/new\/432B65EF29F84E6043A80C15EBA12FD2<\/em>.<\/p>\n<h2>NativeZone: <em>NativeCacheSvc.dll<\/em> (malicious loader)<\/h2>\n<p><em>NativeCacheSvc.dll<\/em>, tracked by Microsoft as \u201cNativeZone\u201d, can best be described as a malicious loader responsible for utilizing <em>rundll32.exe<\/em> to load the malicious downloader component <em>CertPKIProvider.dll<\/em>.<\/p>\n<p>The malicious functionality of <em>NativeCacheSvc.dll<\/em> is located inside a DLL export named <em>configNativeCache<\/em>.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93720\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig22.png\" alt width=\"756\" height=\"391\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig22.png 756w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig22-300x155.png 300w\" sizes=\"auto, (max-width: 756px) 100vw, 756px\"><\/p>\n<p>As shown above, the export function executes <em>rundll32.exe<\/em> to load <em>%AppData%\\SystemCertificates\\Lib\\CertPKIProvider.dll<\/em> by calling its export function named <em>eglGetConfigs<\/em>.<\/p>\n<h2>VaporRage: <em>CertPKIProvider.dll<\/em> (malicious downloader)<\/h2>\n<p><em>CertPKIProvider.dll<\/em>, tracked by Microsoft as \u201cVaporRage\u201d, can best be described as a shellcode downloader. 
This version of VaporRage contains 11 export functions including <em>eglGetConfigs<\/em>, which houses the malicious functionality of the DLL.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93721\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig20.png\" alt width=\"602\" height=\"282\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig20.png 602w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig20-300x141.png 300w\" sizes=\"auto, (max-width: 602px) 100vw, 602px\"><\/p>\n<p>As mentioned in the previous section, NativeZone utilizes <em>rundll32.exe<\/em> to execute the <em>eglGetConfigs<\/em> export function of <em>CertPKIProvider.dll<\/em>. Upon execution, the export function first ensures the NativeZone DLL <em>%AppData%\\Microsoft\\NativeCache\\NativeCacheSvc.dll<\/em> is present on the system (else it terminates). Next, the export function issues an HTTP(s) GET request to a legitimate but compromised WordPress site <em>holescontracting[.]com<\/em>. 
The GET request is composed of dynamically generated and hardcoded values, for example:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93715\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig21.png\" alt width=\"799\" height=\"181\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig21.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig21-300x68.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig21-768x174.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>The purpose of the GET request is to first register the system as compromised and then to download an XOR-encoded shellcode blob from the WordPress site (only if the system is of interest to the actor). Once successfully downloaded, the export function XOR-decodes the shellcode blob (using a hardcoded multi-byte XOR key \u201c346hrfyfsvvu235632542834\u201d).<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93716\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig22.png\" alt width=\"653\" height=\"270\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig22.png 653w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig22-300x124.png 300w\" sizes=\"auto, (max-width: 653px) 100vw, 653px\"><\/p>\n<p>It then proceeds to execute the decoded shellcode in memory by jumping to the beginning of the shellcode blob in an executable memory region. The download-decode-execute process is repeated indefinitely, approximately every hour, until the DLL is unloaded from memory. 
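<\/p>\n<p>The decoding step above is a repeating-key XOR with the 24-byte key quoted in the text. The Python below is an added example for this page, not VaporRage code. It applies the same transform in both directions and shows the standard analyst shortcut for a blob captured from a variant whose key is not yet known: shellcode almost always contains a run of NUL padding, and under repeating-key XOR the ciphertext over that run is the key itself, rotated by the run\u2019s offset. The sample shellcode (an x64 stager-style prologue, filler and padding) is constructed for the example; the only value taken from the page is the key string.<\/p>\n
```python
from itertools import cycle
from typing import Optional

# The 24-byte key quoted above for this VaporRage sample.
VAPORRAGE_KEY = b"346hrfyfsvvu235632542834"


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. Symmetric: the same call encodes and decodes."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def find_repeating_window(blob: bytes, period: int, min_repeats: int = 3) -> Optional[int]:
    """Offset of the first stretch of min_repeats*period bytes that repeats with the given period.
    Under repeating-key XOR the key cancels out in that comparison, so the plaintext repeats
    there too, which in shellcode is almost always a run of NUL padding."""
    span = period * min_repeats
    for off in range(len(blob) - span + 1):
        w = blob[off:off + span]
        if all(w[i] == w[i % period] for i in range(period, span)):
            return off
    return None


def key_from_null_run(blob: bytes, period: int = len(VAPORRAGE_KEY)) -> Optional[bytes]:
    """Recover the key from a NUL run of at least three key lengths: ciphertext over NULs is
    the key, starting at position (offset mod period), so rotate it back into place."""
    off = find_repeating_window(blob, period)
    if off is None:
        return None
    chunk = blob[off:off + period]
    shift = off % period
    return chunk[-shift:] + chunk[:-shift] if shift else chunk


def decode_with_recovered_key(blob: bytes, expected_prefix: bytes) -> Optional[bytes]:
    """Accept a recovered key only if the decoded blob starts with the expected bytes.
    A run of some constant other than NUL would yield key XOR constant, which this rejects."""
    key = key_from_null_run(blob)
    if key is None:
        return None
    plain = xor_repeating(blob, key)
    return plain if plain.startswith(expected_prefix) else None


# Constructed stand-in for a downloaded blob. Not shellcode from the campaign.
STAGER_PROLOGUE = b"\xfc\x48\x83\xe4\xf0\xe8"  # cld; and rsp,-16; call ... (typical x64 stager opening)
SAMPLE_SHELLCODE = STAGER_PROLOGUE + bytes(range(0x10, 0x90)) + b"\x00" * 96

if __name__ == "__main__":
    blob = xor_repeating(SAMPLE_SHELLCODE, VAPORRAGE_KEY)
    print("known key decodes:", xor_repeating(blob, VAPORRAGE_KEY) == SAMPLE_SHELLCODE)
    print("recovered key   :", key_from_null_run(blob))
    print("verified decode :", decode_with_recovered_key(blob, STAGER_PROLOGUE) is not None)
```
\n<p>The key length is passed in rather than guessed because the page gives it; for an unknown variant the same window search can be run for each candidate period, and the shortest period that yields a verified decode is the one to keep.<\/p>\n<p>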
VaporRage can execute any compatible shellcode provided by its C2 server, including a Cobalt Strike stage shellcode.<\/p>\n<p><strong>Additional Custom Cobalt Strike loader from NOBELIUM<\/strong><\/p>\n<p>As described in a <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/01\/20\/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop\/\">previous blog<\/a>, NOBELIUM has used multiple custom Cobalt Strike Beacon loaders (likely generated using custom Artifact Kit templates) to enable their malicious activities. These include TEARDROP, Raindrop, and other custom loaders.<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone wp-image-93681\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/Picture23.png\" alt width=\"600\" height=\"275\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/Picture23.png 1235w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/Picture23-300x138.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/Picture23-1024x470.png 1024w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/Picture23-768x353.png 768w\" sizes=\"auto, (max-width: 600px) 100vw, 600px\"><\/p>\n<p>Since our last publication, we have identified additional variants of NOBELIUM\u2019s custom Cobalt Strike loaders. Instead of assigning a name to each short-lived and disposable variant, Microsoft will be tracking NOBELIUM\u2019s custom Cobalt Strike loaders and downloaders for the loaders under the name NativeZone. 
As seen in previous custom NOBELIUM Cobalt Strike loaders, the new loader DLLs also contain decoy export names and functions, as well as code and strings borrowed from legitimate applications.<\/p>\n<p>The new NativeZone loaders can be grouped into two variants:<\/p>\n<ul>\n<li>Variant #1: These loaders embed an encoded\/encrypted Cobalt Strike Beacon stage shellcode.<\/li>\n<li>Variant #2: These loaders load an encoded\/encrypted Cobalt Strike Beacon stage shellcode from another accompanying file (e.g., an RTF file).<\/li>\n<\/ul>\n<p>In the following sections, we discuss some of the new NativeZone Cobalt Strike Beacon variants we have observed in our investigation.<\/p>\n<p><strong>NativeZone variant #1<\/strong><\/p>\n<p>Similar to the previous NOBELIUM custom Cobalt Strike loaders, such as TEARDROP and Raindrop, these NativeZone loaders are responsible for decoding\/decrypting an embedded Cobalt Strike Beacon stage shellcode and executing it in memory. Some of the NativeZone loaders feature anti-analysis guardrails to thwart analysis of the samples.<\/p>\n<p>In these versions of NativeZone, the actor has used a variety of encoding and encryption methodologies to obfuscate the embedded shellcode. 
For example, in the sample below, the NativeZone variant uses a simple byte-swap decoding algorithm to decode the embedded shellcode:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93722\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig24.png\" alt width=\"582\" height=\"174\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig24.png 582w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig24-300x90.png 300w\" sizes=\"auto, (max-width: 582px) 100vw, 582px\"><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93723\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig25.png\" alt width=\"739\" height=\"221\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig25.png 739w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig25-300x90.png 300w\" sizes=\"auto, (max-width: 739px) 100vw, 739px\"><\/p>\n<p>Another sample featuring a different decoding methodology to decode the embedded shellcode is shown below:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93724\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig26.png\" alt width=\"900\" height=\"449\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig26.png 900w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig26-300x150.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig26-768x383.png 768w\" sizes=\"auto, (max-width: 900px) 100vw, 900px\"><\/p>\n<p>Another sample, featuring a de-obfuscation methodology leveraging the AES encryption algorithm to decrypt the embedded 
shellcode, is shown below:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93725\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig27.png\" alt width=\"845\" height=\"230\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig27.png 845w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig27-300x82.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig27-768x209.png 768w\" sizes=\"auto, (max-width: 845px) 100vw, 845px\"><\/p>\n<p>Yet another NativeZone sample leveraging AES for decrypting an embedded Cobalt Strike shellcode blob is shown below (note the syntax differences compared to the sample above):<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93726\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig28.png\" alt width=\"553\" height=\"614\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig28.png 553w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig28-270x300.png 270w\" sizes=\"auto, (max-width: 553px) 100vw, 553px\"><\/p>\n<p>Another sample featuring a different decoding methodology along with leveraging <em>CreateThreadpoolWait()<\/em> to execute the decoded shellcode blob is below:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93727\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig29.png\" alt width=\"814\" height=\"231\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig29.png 814w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig29-300x85.png 300w, 
https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig29-768x218.png 768w\" sizes=\"auto, (max-width: 814px) 100vw, 814px\"><\/p>\n<p>Below is an example of an anti-analysis technique, showing the loader checking whether the victim system is a VMware or VirtualBox VM:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93728\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig30.png\" alt width=\"537\" height=\"295\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig30.png 537w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig30-300x165.png 300w\" sizes=\"auto, (max-width: 537px) 100vw, 537px\"><\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93729\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig31.png\" alt width=\"537\" height=\"198\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig31.png 537w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig31-300x111.png 300w\" sizes=\"auto, (max-width: 537px) 100vw, 537px\"><\/p>\n<p><strong>NativeZone variant #2<\/strong><\/p>\n<p>Unlike variant #1, the NativeZone variant #2 samples do not contain the encoded\/encrypted Cobalt Strike Beacon stage shellcode. Instead, these samples read the shellcode from an accompanying file that is shipped with the sample. For example, one NativeZone variant #2 sample was observed alongside an RTF file. The RTF file doubles as both a decoy document and a shellcode carrier file. 
The RTF file contains the proper RTF file structure and data followed by an encoded shellcode blob (starting at offset <em>0x658<\/em>):<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93717\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig32.png\" alt width=\"799\" height=\"265\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig32.png 799w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig32-300x99.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-Fig32-768x255.png 768w\" sizes=\"auto, (max-width: 799px) 100vw, 799px\"><\/p>\n<p>When the NativeZone DLL is loaded\/executed, it first displays the RTF document to the user.<\/p>\n<p>As mentioned above, the same RTF also contains the encoded Cobalt Strike stage shellcode. As shown below, the NativeZone DLL proceeds to extract the shellcode from the RTF file (starting at file offset 0x658 as shown above), decode the shellcode and execute it on the victim system:<\/p>\n<p><img decoding=\"async\" loading=\"lazy\" class=\"alignnone size-full wp-image-93730\" src=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig33.png\" alt width=\"777\" height=\"491\" srcset=\"https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig33.png 777w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig33-300x190.png 300w, https:\/\/www.microsoft.com\/security\/blog\/wp-content\/uploads\/2021\/05\/NOBELIUM-aFig33-768x485.png 768w\" sizes=\"auto, (max-width: 777px) 100vw, 777px\"><\/p>\n<p><strong>Notes on new and old NOBELIUM PDB paths<\/strong><\/p>\n<p>The following example PDB paths were observed in the samples analyzed in this blog:<\/p>\n<ul>\n<li>BoomBox: 
<em>C:\\Users\\dev10vs\\Desktop\\Prog\\Obj\\BOOM\\BOOM\\BOOM\\obj\\Release\\BOOM.pdb<\/em><\/li>\n<li>NativeZone: <em>c:\\users\\devuser\\documents\\visual studio 2013\\Projects\\DLL_stageless\\Release\\DLL_stageless.pdb<\/em><\/li>\n<li>NativeZone: <em>C:\\Users\\DevUser\\Documents\\Visual Studio 2013\\Projects\\DLL_stageless\\Release\\DLL_stageless.pdb<\/em><\/li>\n<li>NativeZone: <em>C:\\Users\\dev\\Desktop\\\ub098\ud0c0\ub098\uac8c \ud558\ub2e4\\Dll6\\x64\\Release\\Dll6.pdb<\/em><\/li>\n<\/ul>\n<p>Note the presence of a \u2018dev\u2019 user in the PDB paths above. A \u2018dev\u2019 username was previously observed in the PDB path of a NOBELIUM Cobalt Strike loader mentioned in our <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/01\/20\/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop\/\">previous blog<\/a>: <em>c:\\build\\workspace\\cobalt_cryptor_far (dev071)\\farmanager\\far\\platform.concurrency.hpp<\/em>.<\/p>\n<h2>Comprehensive protections for persistence techniques<\/h2>\n<p>The sophisticated NOBELIUM attack requires a comprehensive incident response to identify, investigate, and respond. 
Get the latest information and guidance from Microsoft at <a href=\"https:\/\/aka.ms\/nobelium\">https:\/\/aka.ms\/nobelium<\/a>.<\/p>\n<p><strong>Microsoft Defender Antivirus<\/strong><\/p>\n<p>Microsoft Defender Antivirus detects the new NOBELIUM components discussed in this blog as the following malware:<\/p>\n<ul>\n<li>TrojanDropper:JS\/EnvyScout.A!dha<\/li>\n<li>TrojanDownloader:Win32\/BoomBox.A!dha<\/li>\n<li>Trojan:Win32\/NativeZone.A!dha<\/li>\n<li>Trojan:Win32\/NativeZone.B!dha<\/li>\n<li>Trojan:Win32\/NativeZone.C!dha<\/li>\n<li>Trojan:Win32\/NativeZone.D!dha<\/li>\n<li>TrojanDownloader:Win32\/VaporRage.A!dha<\/li>\n<\/ul>\n<p><strong>Microsoft Defender for Endpoint (EDR)<\/strong><\/p>\n<p>Alerts with the following titles in the Security Center can indicate threat activity on your network:<\/p>\n<ul>\n<li>Malicious ISO File used by NOBELIUM<\/li>\n<li>Cobalt Strike Beacon used by NOBELIUM<\/li>\n<li>Cobalt Strike network infrastructure used by NOBELIUM<\/li>\n<li>EnvyScout malware<\/li>\n<li>BoomBox malware<\/li>\n<li>NativeZone malware<\/li>\n<li>VaporRage malware<\/li>\n<\/ul>\n<p>The following alerts might also indicate threat activity associated with this threat. The below alerts, however, can be triggered by unrelated threat activity and are not monitored in the status cards provided with this report.<\/p>\n<ul>\n<li>An uncommon file was created and added to startup folder<\/li>\n<li>A link file (LNK) with unusual characteristics was opened<\/li>\n<\/ul>\n<p><strong>Azure Sentinel<\/strong><\/p>\n<p>We have updated the related Azure Sentinel query to include these additional indicators. 
Azure Sentinel customers can access this query in this&nbsp;<a href=\"https:\/\/github.com\/Azure\/Azure-Sentinel\/blob\/master\/Detections\/MultipleDataSources\/NOBELIUM_IOCsMay2021.yaml\">GitHub repository<\/a>.<\/p>\n<h2><strong>Indicators of compromise (IOCs)<\/strong><\/h2>\n<p>The NOBELIUM IOCs associated with this activity are available in CSV on the <a href=\"https:\/\/raw.githubusercontent.com\/microsoft\/mstic\/master\/Indicators\/May21-NOBELIUM\/May21NOBELIUMIoCs.csv\">MSTIC GitHub<\/a>.<\/p>\n<p> READ MORE <a href=\"https:\/\/www.microsoft.com\/security\/blog\/2021\/05\/28\/breaking-down-nobeliums-latest-early-stage-toolset\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>In this blog, we highlight four tools representing a unique infection chain utilized by NOBELIUM: EnvyScout, BoomBox, NativeZone, and VaporRage. These tools have been observed being used in the wild as early as February 2021 attempting to gain a foothold on a variety of sensitive diplomatic and government entities.<br \/>\nThe post Breaking down NOBELIUM\u2019s latest early-stage toolset appeared first on Microsoft Security. 
READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":41113,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[276],"tags":[347,7221,9237,9246],"class_list":["post-41112","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-secure","tag-cybersecurity","tag-microsoft-security-intelligence","tag-microsoft-threat-intelligence-center-mstic","tag-nobelium"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Breaking down NOBELIUM\u2019s latest early-stage toolset 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Breaking down NOBELIUM\u2019s latest early-stage toolset 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 
100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2021-05-28T21:36:17+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/05\/breaking-down-nobeliums-latest-early-stage-toolset.png\" \/>\n\t<meta property=\"og:image:width\" content=\"378\" \/>\n\t<meta property=\"og:image:height\" content=\"103\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"18 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"Breaking down NOBELIUM\u2019s latest early-stage toolset\",\"datePublished\":\"2021-05-28T21:36:17+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/\"},\"wordCount\":3515,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/05\\\/breaking-down-nobeliums-latest-early-stage-toolset.png\",\"keywords\":[\"Cybersecurity\",\"Microsoft security intelligence\",\"Microsoft Threat Intelligence Center (MSTIC)\",\"NOBELIUM\"],\"articleSection\":[\"Microsoft Secure\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/\",\"name\":\"Breaking down NOBELIUM\u2019s latest early-stage toolset 2026 | ThreatsHub Cybersecurity 
News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/05\\\/breaking-down-nobeliums-latest-early-stage-toolset.png\",\"datePublished\":\"2021-05-28T21:36:17+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/05\\\/breaking-down-nobeliums-latest-early-stage-toolset.png\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2021\\\/05\\\/breaking-down-nobeliums-latest-early-stage-toolset.png\",\"width\":378,\"height\":103},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/breaking-down-nobeliums-latest-early-stage-toolset\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Cybersecurity\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blo
g\\\/tag\\\/cybersecurity\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Breaking down NOBELIUM\u2019s latest early-stage toolset\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence 
Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Breaking down NOBELIUM\u2019s latest early-stage toolset 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/","og_locale":"en_US","og_type":"article","og_title":"Breaking down NOBELIUM\u2019s latest early-stage toolset 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2021-05-28T21:36:17+00:00","og_image":[{"width":378,"height":103,"url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/05\/breaking-down-nobeliums-latest-early-stage-toolset.png","type":"image\/png"}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. 
reading time":"18 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"Breaking down NOBELIUM\u2019s latest early-stage toolset","datePublished":"2021-05-28T21:36:17+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/"},"wordCount":3515,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/05\/breaking-down-nobeliums-latest-early-stage-toolset.png","keywords":["Cybersecurity","Microsoft security intelligence","Microsoft Threat Intelligence Center (MSTIC)","NOBELIUM"],"articleSection":["Microsoft Secure"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/","url":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/","name":"Breaking down NOBELIUM\u2019s latest early-stage toolset 2026 | ThreatsHub Cybersecurity 
News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/#primaryimage"},"thumbnailUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/05\/breaking-down-nobeliums-latest-early-stage-toolset.png","datePublished":"2021-05-28T21:36:17+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/#primaryimage","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/05\/breaking-down-nobeliums-latest-early-stage-toolset.png","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2021\/05\/breaking-down-nobeliums-latest-early-stage-toolset.png","width":378,"height":103},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/breaking-down-nobeliums-latest-early-stage-toolset\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Cybersecurity","item":"https:\/\/www.threatshub.org\/blog\/tag\/cybersecurity\/"},{"@type":"ListItem","position":3,"name":"Breaking down NOBELIUM\u2019s latest early-stage 
toolset"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a867
1ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=41112"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/41112\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media\/41113"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=41112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=41112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=41112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}