Hackers Use Weaponized PDFs and Chat Apps for C2 to Evade Detection

A malware campaign targeting the Ministries of Foreign Affairs of NATO-aligned countries was recently discovered, which used PDF files masquerading as a German Embassy email. One of the PDF files consists of Duke malware which was previously linked with a Russian-state-sponsored cyber espionage group, APT29.

APT29 was attributed to Russia’s Foreign Intelligence Service (SVR) and uses Zulip, an open-source chat application for command and control. This evades and hides the malicious network traffic behind legitimate traffic.

PDF with HTML Smuggling

Further investigations revealed that these two PDF files that are received through email consist of an invitation lure that targets diplomatic entities. The themes used for these documents have contents related to “Farewell to Ambassador of Germany” and “Day of German Unity”.

The first PDF document also contains an embedded JavaScript code for delivering the multi-staged payloads in HTML file format. When the victim opens the file after the warning from Adobe Acrobat, the code launches the malicious HTML file called “Invitation_Farewell_DE_EMB”.

Embedded HTML Smuggler (Source: EclecticIQ)

Through HTML Smuggling, a malicious HTML application file (HTA) is received, which is a widely used LOLBIN (Living Off the Land BINary). This HTA file acts as a standalone malware application that gets executed by the Windows HTA engine mshta.exe. This execution delivers the Duke malware variant.

Malware Delivery Stages (Source: EclecticIQ)

The other PDF document does not contain any malicious contents; instead, it sends a notification to the threat actor whether the attachment was opened.

DLL Sideloading Abused to Execute Duke Variant Malware

The HTA file drops three executables on the directory C:\Windows\Tasks for DLL sideloading. The three files include 

  • AppVIsvSubsystems64.dll – This is a library loaded into msoev.exe for performing the execution without any failure.
  • Mso.dll – This is the Duke malware variant that is loaded into the msoev.exe through DLL Sideloading.
  • Msoev.exe – This is a signed Windows binary that automatically loads mso.dll and AppVIsvSubsystems64.dll when executed.

A complete report has been published, which provides detailed information on the malware campaign and the activities carried out.

Indicators of Compromise

PDF Lure:

Fc53c75289309ffb7f65a3513e7519eb
50f57a4a4bf2c4b504954a36d48c99e7

C2 Servers:

toyy[.]zulipchat[.]com
sgrhf[.]org[.]pk
edenparkweddings[.]com

Duke Malware Variant:

0be11b4f34ede748892ea49e473d82db
5e1389b494edc86e17ff1783ed6b9d37
d817f36361f7ac80aba95f98fe5d337d

MITRE ATT&CK Techniques

Spearphishing Attachment - T1566.001
DLL Side-Loading - T1574.002
HTML Smuggling - T1027.006
Embedded Payloads - T1027.009
Dynamic API Resolution - T1027.007
System Binary Proxy Execution: Mshta - T1218.005
Application Layer Protocol: Web Protocols - T1071.001
User Execution: Malicious File - T1204.002
Compromise Infrastructure: Web Services - T1584.006

Keep informed about the latest Cyber Security News by following us on GoogleNewsLinkedinTwitter, and Facebook.

Eswar

Eswar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Recent Posts

Gunra Ransomware’s Double‑Extortion Playbook and Global Impact

Gunra Ransomware, has surfaced as a formidable threat in April 2025, targeting Windows systems across…

43 minutes ago

Hackers Exploit 21 Apps to Take Full Control of E-Commerce Servers

Cybersecurity firm Sansec has uncovered a sophisticated supply chain attack that has compromised 21 popular…

52 minutes ago

Hackers Target HR Departments With Fake Resumes to Spread More_eggs Malware

The financially motivated threat group Venom Spider, also tracked as TA4557, has shifted its focus…

1 hour ago

RomCom RAT Targets UK Organizations Through Compromised Customer Feedback Portals

The Russian-based threat group RomCom, also known as Storm-0978, Tropical Scorpius, and Void Rabisu, has…

1 hour ago

Hackers Use Pahalgam Attack-Themed Decoys to Target Indian Government Officials

The Seqrite Labs APT team has uncovered a sophisticated cyber campaign by the Pakistan-linked Transparent…

1 hour ago

LUMMAC.V2 Stealer Uses ClickFix Technique to Deceive Users into Executing Malicious Commands

The LUMMAC.V2 infostealer malware, also known as Lumma or Lummastealer, has emerged as a significant…

1 hour ago