Cozy Bear targets NGOs and Think Tanks in post-election attacks

Pierluigi Paganini November 12, 2016

Cozy Bear launched new spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware.

Trump is the new US President, a few hours after he won the election, a hacking crew powered several spear-phishing attacks against US policy think-tanks aiming to infect their systems with a malware.

The security experts believe the attacks were powered by the notorious ATP Cozy Bear, also known as APT29 and CozyDuke. The CozyDuke is one of the groups involved in the Democratic National Committee (DNC) is considered by several security experts a group of Russian state-sponsored hackers.

According to the security firm Volexity, a few hours after the election people associated with non-governmental organizations (NGOs), policy think tanks in the US and even inside the US Government were targeted by malicious messages sent by the Cozy Bear hackers.

“Three of the five attack waves contained links to download files from domains that the attackers appear to have control over,” reads a blog post published by Volexity. “The other two attacks contained documents with malicious macros embedded within them. Each of these different attack waves was slightly different from one another.”

cozy bear spear-phishing-attack-examples

The researchers spotted at least five different waves of phishing attacks targeting people who work for organizations, including the RAND Corporation, Radio Free Europe/Radio Liberty, the Atlantic Council, and the State Department, among others.

The attackers used Gmail accounts that were specifically created for the phishing campaign and other compromised email accounts at Harvard University’s Faculty of Arts and Sciences (FAS).

They attackers used malicious attachments or emails embedding a malicious link to deliver on the victim’s machine a backdoor dubbed PowerDuke. PowerDuke is a high-sophisticated backdoor that could allow gaining full control of the infected machine implementing complex evasion techniques.

“The PowerDuke backdoor boasts a pretty extensive list of features that allow the Dukes to examine and control a system. Volexity suspects the feature set that has been built into PowerDuke is an extension of their anti-VM capabilities in the initial dropper files. Several commands supported by PowerDuke facilitate getting information about the system.” continues the post.

PowerDuke leverages on steganography to hide the components of the backdoor in PNG files. The backdoor code would exist only in memory after being loaded into rundll32.exe.

Clearly, the attackers tried to exploit the media attention of the Presidential election and its results. In particular, the attackers were interested in targeting people working for the US government that were concerned about Trump’s victory.

The experts noticed that attackers sent messages that pretend to be originated from organizations like the Clinton Foundation that were providing further details on the reason for the defeat.

The experts revealed the emails were sent from an email address of a professor at Harvard that was likely compromised by Cozy Bear hackers.

The emails observed the spear phishing messages embedding malicious links to .ZIP files or malicious Windows shortcut files linked to a “clean” Rich Text Format document and a PowerShell script.

“The group’s anti-VM macros and PowerShell scripts appear to have drastically reduced the number of sandboxes and bots that the group has to deal with on their command and control infrastructure.”

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Cozy Bear, Donald Trump)

backdoor COZY BEAR Donald Trump Hacking PowerDuke spear phishing

Pierluigi Paganini June 27, 2025

OneClik APT campaign targets energy sector with stealthy backdoors

Pierluigi Paganini June 27, 2025