9 May 2024

Poland’s government institutions targeted in Russian cyberespionage campaign

Poland's national cybersecurity agency, CERT Polska, published details about a recent cyber espionage campaign by the Kremlin-backed hacker group APT28 (aka Fancy Bear) targeting Polish government institutions. The attack marks the latest in a string of Russian cyberattacks aimed at NATO-allied nations supporting Ukraine.

The campaign used phishing emails designed to pique recipients' curiosity and lure them into clicking embedded links. These links redirected through seemingly innocuous domains such as run[.]mocky[.]io, a service commonly used by developers to test APIs, before landing on webhook[.]site.

Unsuspecting users were then prompted to download a ZIP archive purportedly containing photos. The archive contained Headlace, a custom backdoor seen in past APT28 attacks. The malware, previously deployed in a December campaign targeting Poland and other nations, masqueraded as legitimate photo files and used DLL side-loading to run on victim systems undetected.

Upon execution, the malware opened a Microsoft Edge browser displaying benign content intended to allay suspicion, then ran malicious scripts and established a connection to the threat actor’s command-and-control (C&C) servers, giving the attackers direct access to the victim’s systems.
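The redirect chain described above (a hop through run.mocky.io, then webhook.site, then a ZIP download) is the kind of sequence a defender can look for in web proxy logs, because either legitimate developer service on its own is far too noisy to alert on. The routine below is an added example, not code from CERT Polska or the article: it takes the host names from the report, but the log format, field layout, client addresses, paths and sample lines are all constructed for this illustration.

```python
"""
Added detection example (not from the CERT Polska report or this article).
Flags a client whose requests follow the lure chain described in the text:
run.mocky.io -> webhook.site -> a .zip download, in that order, within a
short window. The log format and every sample line are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Stage hosts named in the article; order matters for the sequence match.
STAGE_HOSTS = ("run.mocky.io", "webhook.site")

# Constructed proxy log: "<ISO timestamp> <client> <host> <path>".
# 10.0.0.5 follows the full chain; 10.0.0.7 is a developer using mocky
# legitimately; 10.0.0.9 touches webhook.site with no prior stage.
SAMPLE_LOG = """\
2024-05-08T09:01:10 10.0.0.5 run.mocky.io /v3/constructed-token
2024-05-08T09:01:12 10.0.0.5 webhook.site /landing
2024-05-08T09:01:40 10.0.0.5 webhook.site /photos.zip
2024-05-08T09:03:00 10.0.0.7 run.mocky.io /v3/dev-api-test
2024-05-08T09:30:00 10.0.0.7 www.example.com /index.html
2024-05-08T11:00:00 10.0.0.9 webhook.site /token
"""


@dataclass
class Event:
    ts: datetime
    client: str
    host: str
    path: str


def parse_line(line: str) -> Event:
    """Parse one constructed log line into an Event (hosts lower-cased)."""
    ts, client, host, path = line.split(maxsplit=3)
    return Event(datetime.fromisoformat(ts), client, host.lower(), path)


def find_lure_chains(lines, window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {client: (chain_start, zip_time, zip_url)} for every client whose
    requests hit run.mocky.io, then webhook.site, then fetched a .zip from any
    host, with the whole sequence inside `window`. Partial chains are ignored."""
    by_client: dict[str, list[Event]] = {}
    for line in lines:
        if line.strip():
            ev = parse_line(line)
            by_client.setdefault(ev.client, []).append(ev)

    flagged: dict[str, tuple[datetime, datetime, str]] = {}
    for client, events in by_client.items():
        events.sort(key=lambda e: e.ts)
        stage, start = 0, None
        for ev in events:
            if ev.host == STAGE_HOSTS[0]:
                # A fresh mocky hit (re)starts the chain and its clock.
                stage, start = 1, ev.ts
            elif stage == 1 and ev.host == STAGE_HOSTS[1]:
                stage = 2
            elif stage == 2 and ev.path.lower().endswith(".zip"):
                if ev.ts - start <= window:
                    flagged[client] = (start, ev.ts, ev.host + ev.path)
                    break
                stage, start = 0, None  # too slow to be one lure; reset
    return flagged


def detect_sample() -> dict:
    """Run the detector over the constructed sample log."""
    return find_lure_chains(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for client, (start, end, url) in detect_sample().items():
        print(f"{client}: chain {start.time()} -> {end.time()}, archive {url}")
```

The sequence match is what keeps the false-positive rate tolerable: the developer at 10.0.0.7 who only calls run.mocky.io is not flagged, and neither is the isolated webhook.site request. In practice the window and the "archive from any host" rule would be tuned to the proxy data actually available, and a hit should be treated as a lead for triage (was a ZIP opened, did a side-loaded DLL follow) rather than as a verdict.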

Earlier this month, Czechia, Germany and their allies accused Russia of orchestrating cyberattacks against democratic institutions and political parties in Europe and elsewhere. Germany said that APT28 was behind the 2023 breach of the Social Democratic Party.

The intruders exploited what was then a zero-day vulnerability (CVE-2023-23397) in Microsoft’s Outlook email client. According to German officials, APT28 was behind widespread attacks on German companies in logistics, armaments, aerospace and IT services, as well as on foundations and associations.
