
Cybercriminals deploy GraphicalProton malware to target diplomats


BlueBravo, a cybercriminal group supported by the Russian government, has targeted diplomatic entities across Eastern Europe.

Cybersecurity researchers from Recorded Future have documented the group's activities. The group employs sophisticated tactics, including themed lures and the misuse of legitimate internet services (LIS), to deliver malware and carry out cyber-espionage operations.

BlueBravo’s latest campaign involves delivering a new backdoor called GraphicalProton, marking a significant evolution in its threat tactics.

BlueBravo, also tracked as APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium), is attributed to Russia’s Foreign Intelligence Service (SVR). The group has a history of using platforms like Dropbox, Firebase, Google Drive, Notion, and Trello to establish covert communications with infected hosts and evade detection.

BlueBravo attack flow. | Source: Recorded Future

GraphicalProton is the latest addition to BlueBravo’s arsenal of malware targeting diplomatic organisations. In the past, BlueBravo has deployed the GraphicalNeutrino (aka SNOWYAMBER), HALFRIG, and QUARTERRIG malware loaders. GraphicalProton differs from GraphicalNeutrino in its choice of communication platform, using Microsoft’s OneDrive or Dropbox for command-and-control (C2) obfuscation.

The use of OneDrive and Dropbox as communication channels represents an effort by BlueBravo to diversify its tooling and broaden the range of services misused for targeting strategic entities. BlueBravo seems to prioritise cyber espionage against European government sector entities, possibly driven by the Russian government’s interest in obtaining strategic data during and after the war in Ukraine.

A sample of the lure by BlueBravo. | Source: Recorded Future

GraphicalProton functions as a loader and is staged within an ISO or ZIP file, delivered via phishing emails with vehicle-themed lures. The ISO files contain .LNK files posing as .PNG images of a BMW car for sale. Once clicked, these .LNK files deploy GraphicalProton for follow-on exploitation. The malware then uses Microsoft OneDrive as its C2 channel, periodically polling a folder in the storage service to fetch additional payloads.
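The delivery trick described above (a Windows shortcut presented as an image inside an archive) can be caught by inspecting member content rather than trusting file names. The following is an added detection example, not code from Recorded Future's report; it handles ZIP containers only (parsing ISO images needs a third-party library), assumes the standard Windows Shell Link header, and works on a constructed sample archive built in the script.

```python
import io
import zipfile

# A Windows Shell Link (.LNK) file starts with HeaderSize 0x4C followed by the
# LinkCLSID {00021401-0000-0000-C000-000000000046} in little-endian byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
IMAGE_EXTS = (".png", ".jpg", ".jpeg", ".gif", ".bmp")


def is_lnk(data: bytes) -> bool:
    """True if the first bytes match the Shell Link header."""
    return data[: len(LNK_MAGIC)] == LNK_MAGIC


def find_disguised_lnks(zip_bytes: bytes) -> list:
    """Return archive members that are .LNK by content but look like images.

    Explorer hides known extensions by default, so 'BMW.png.lnk' is shown
    as 'BMW.png'; a member named 'BMW.png' that carries LNK content is
    flagged as well.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if not is_lnk(head):
                continue
            name = info.filename.lower()
            displayed = name[:-4] if name.endswith(".lnk") else name
            if displayed.endswith(IMAGE_EXTS):
                hits.append(info.filename)
    return hits


def build_sample_archive() -> bytes:
    """Constructed sample: one disguised LNK, one real PNG, one honest LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("BMW_5_for_sale.png.lnk", LNK_MAGIC + b"\x00" * 64)
        zf.writestr("photo.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
        zf.writestr("shortcut.lnk", LNK_MAGIC + b"\x00" * 64)
    return buf.getvalue()


if __name__ == "__main__":
    print(find_disguised_lnks(build_sample_archive()))
```

The same header check applies to attachments scanned at the mail gateway, where a .LNK inside an ISO or ZIP is rarely legitimate and is worth quarantining for review.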

Interestingly, BlueBravo’s activities coincide with warnings from the Computer Emergency Response Team of Ukraine (CERT-UA) about ongoing phishing attacks perpetrated by a group identified as UAC-0006. That group has intensified its efforts to entice users into installing a backdoor known as SmokeLoader.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: