Critical Infrastructure Security, Threat Intelligence, Malware

Poland subjected to widespread APT28 malware campaign

Russian state-sponsored threat operation APT28 launched a far-reaching malware campaign against government organizations across Poland, according to The Hacker News.

The attacks involved emails containing links that first redirected to the "run.mocky[.]io" domain and then to the "webhook[.]site" domain, where a ZIP archive was hosted containing a Windows Calculator binary disguised as a JPG, along with a hidden batch script and a DLL file, CERT Polska reported in an advisory. Running the Calculator binary would trigger sideloading of the malicious DLL, while the batch script downloaded a JPG image that would eventually fetch an information-stealing payload, the advisory said, noting the campaign's similarity to the HeadLace backdoor campaign.
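A defender-side triage helper for the chain described above, added here as an example (not code from CERT Polska or SC Media): it flags the two redirect-hop domains in a lure URL chain and, in constructed Sysmon-style events, a renamed Calculator binary launched outside the system directories and an unsigned DLL loaded from that binary's own folder. The sample paths, the `example.dll` name and the URL placeholders are constructed, not taken from the advisory.

```python
from pathlib import PureWindowsPath
from urllib.parse import urlparse

# Redirect hops named in the advisory. Both are legitimate free services, so
# alone they are weak indicators; paired with the host events they are strong.
REDIRECT_HOPS = {"run.mocky.io", "webhook.site"}
# Where the genuine Windows Calculator binary is expected to run from.
TRUSTED_CALC_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

def _parent(path: str) -> str:
    return str(PureWindowsPath(path).parent).lower()

def renamed_calc_launch(ev: dict) -> bool:
    """EventID 1: a renamed Calculator (OriginalFileName CALC.EXE) run outside the system dirs."""
    if ev.get("EventID") != 1:
        return False
    is_calc = ev.get("OriginalFileName", "").lower() == "calc.exe"
    return is_calc and _parent(ev["Image"]) not in TRUSTED_CALC_DIRS

def sideload_from_image_dir(ev: dict) -> bool:
    """EventID 7: an unsigned DLL loaded from the executable's own directory (sideloading)."""
    if ev.get("EventID") != 7:
        return False
    same_dir = _parent(ev["Image"]) == _parent(ev["ImageLoaded"])
    unsigned = str(ev.get("Signed", "false")).lower() != "true"
    return same_dir and unsigned and ev["ImageLoaded"].lower().endswith(".dll")

def redirect_hops_hit(chain: list[str]) -> set[str]:
    """Advisory-listed domains present in a URL redirect chain."""
    return {urlparse(u).hostname for u in chain} & REDIRECT_HOPS

def triage(events: list[dict], chain: list[str]) -> list[str]:
    """One finding string per matched rule, in a stable order."""
    findings = [f"redirect-hop:{d}" for d in sorted(redirect_hops_hit(chain))]
    for ev in events:
        if renamed_calc_launch(ev):
            findings.append(f"renamed-calc:{ev['Image']}")
        if sideload_from_image_dir(ev):
            findings.append(f"sideload:{ev['ImageLoaded']}")
    return findings

# Constructed sample data (not from the advisory): lure redirect chain plus host events.
LURE_DIR = r"C:\Users\alice\Downloads\photos"
SAMPLE_CHAIN = ["https://run.mocky.io/v3/PLACEHOLDER", "https://webhook.site/PLACEHOLDER"]
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": LURE_DIR + r"\IMG_0001.jpg.exe", "OriginalFileName": "CALC.EXE"},
    {"EventID": 7, "Image": LURE_DIR + r"\IMG_0001.jpg.exe",
     "ImageLoaded": LURE_DIR + r"\example.dll", "Signed": "false"},
    {"EventID": 1, "Image": r"C:\Windows\System32\calc.exe", "OriginalFileName": "CALC.EXE"},
]
```

The `OriginalFileName` and `Signed` fields are standard Sysmon process-creation and image-load attributes, so the same rules can be pointed at real event exports; the genuine `C:\Windows\System32\calc.exe` launch in the sample is deliberately not flagged.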

Such a development comes after APT28 was accused by NATO of targeting German and Czech critical infrastructure entities as part of a long-term cyberespionage operation. Meanwhile, intrusions conducted by APT28 across Western Europe were noted by Symantec to have involved the use of the XAgent spyware to compromise iOS devices.
