APT28 campaign targeting Polish government institutions

Based on technical indicators and similarity to attacks described in the past (e.g. on Ukrainian entities), the campaign can be associated with the APT28 activity set, which is itself linked to the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). The BAT script opens the Microsoft Edge browser, which loads the base64-encoded page content to download another batch script (also using the website ).

Disclaimer: This article is part of X-Force OSINT Advisories automated collection to enable faster integration of open-source articles to client environments. All credit and copyright goes to the original authors.

Reference:
https://cert.pl/en/posts/2024/05/apt28-campaign/

Sample Indicators of Compromise:

https://webhook.site/9a9cdaf8-120c-4de9-b17a-d6d8e2796a3b
c968f9dd1f16a435901d2b93a028a0ae2508e943c8f480935a529826deb3dbeb
e826dc4f5c16a1802517881f32f26061a4cbc508c3f7944540a209217078aa11
https://webhook.site/f97bcee0-0d91-4503-a30c-027f1b34820f
https://webhook.site/bec23763-b8d9-4191-99ba-04a4a163b4de