Hacking News News Platforms Trading Tools

Blue Bravo Deploys Graphical Proton Backdoor Against European Diplomatic Entities

Vikash Kumawat2545 views
European countries

Phishing campaigns are characterized by the use of legitimate Internet services (LIS) for command-and-control (C2) obscurity, Recorded Future said in a new report published on Thursday. This activity was observed between March and May 2023.

Bluebravo, also known as APT29, Cloaked Ursa, and Midnight Blizzard (formerly Nobelium), is attributed to Russia’s Foreign Intelligence Service (SVR), and has in the past attacked Dropbox, Firebase, Google Drive, Notion And have used Trello. Locates infected hosts and communicates covertly with them.

To that end, GraphicalProton is the latest addition to a long list of malware targeting diplomatic organizations, following Graphical Neutrino (aka Snowyember), Hafrig, and Quarterrigg.

“Unlike GraphQL Neutrino, which uses Notion for C2, GraphQLProton uses Microsoft’s OneDrive or Dropbox for communication,” the cybersecurity firm said.

This is an attempt on the part of Bluebravo operators not only to diversify their tooling but also to expand the portfolio of services to be misused to target organizations of strategic interest to the nation.

European Commission

“BlueBravo appears to prioritize cyber espionage efforts against entities in the European public sector, possibly due to the Russian government’s interest in strategic data during and after the war in Ukraine.”

The new malware strain, like GraphicalNeutrino, acts as a loader and is staged within an ISO or ZIP file distributed via vehicle-themed lure phishing emails, the Palo Alto Networks unit reported earlier this month. There is overlap with the intrusion set reported by 42.

The ISO files contained .LNK files allegedly disguised as .PNG images of a BMW car for sale, which when clicked deployed GraphicalProton for a follow-on exploit. This is achieved by using Microsoft OneDrive as C2 and periodically polling a folder in the storage service to fetch additional payloads.

“It is important for network defenders to be aware of the potential for abuse of these services within their enterprise and to recognize instances in which they may be used in similar attempts to exfiltrate information,” the researchers said.

The development comes as Ukraine’s Computer Emergency Response Team (CERT-UA) warned of ongoing phishing attacks being carried out by a group known as the UAC-0006 group, which the agency said is a smokeloader. There is a back door. Efforts are being intensified to entice users to install

Related posts

HMPV Outbreak in China: Causes, Effects, and Precautions

China’s 6th Generation Fighter Jet: The Ambitious Leap into Future Air Dominance

BrahMos-II Missile: Redefining Hypersonic Warfare

2 comments

Aditya March 30, 2025 - 2:07 am
It means the world to us to hear such positive feedback on our blog posts. We strive to create valuable content for our readers and it's always encouraging to hear that it's making an impact.
Airport Shuttle Service April 13, 2025 - 8:00 pm
This blog is a great resource for anyone looking to live a more mindful and intentional life Thank you for providing valuable advice and tips
Add Comment