RiskIQ this morning reported having identified more than thirty active APT29 command-and-control servers delivering WellMess and WellMail malware, espionage tools CISA identified last year as particularly active against COVID-19 vaccine development efforts in the UK, Canada, and the US. APT29, also commonly known as Cozy Bear, is generally associated with Russia's SVR. Bloomberg sees the discovery as evidence that Russia isn't taking seriously US complaints of cyber activity targeting critical sectors.
Recorded Future's Insikt Group has evaluated Beijing One Pass, an employee benefits application the Chinese government provides companies doing business in that country. The app appears to be spyware:
"[T]he installed application exhibits characteristics consistent with potentially unwanted applications (PUA) and spyware.... Some notable suspicious behaviors relate to several dropped files and subsequent processes initiated from the primary application. These behaviors include a persistence mechanism, the collection of user data such as screenshots and keystrokes, a backdoor functionality, and other behaviors commonly associated with malicious tools, such as disabling security and backup-related services."
Malwarebytes describes a phishing campaign baited with a "Crimean Manifesto" whose hook is a VBA RAT. The document, appearing in both Russian and English, represents itself as opposed to Russia's occupation of Crimea, but this isn't grounds for even circumstantial attribution.
Menlo Security is tracking an HTML smuggling attack it calls ISOMorph. The attack bypasses network security solutions like legacy proxies and sandboxes to gain access to targeted devices. Subsequent stages install AsyncRAT/NJRAT. HTML smuggling is currently enjoying a resurgence in popularity among criminals and nation-states.