NobleBaron New Poisoned Installers Could Be Used In Supply Chain Attacks

released on 2021-06-01 @ 07:25:59 PM
Nobelium is suspected to be the new face of APT29 (aka The Dukes). SentinelLabs tracks this activity under the name 'NobleBaron'. The campaign employs a convoluted multi-stage infection chain, five to six layers deep. Most of the custom downloaders load Cobalt Strike Beacon in memory and use it to drop more elusive payloads on select victims. This report focuses on NobleBaron's 'DLL_stageless' downloaders (aka NativeZone). SentinelLabs has discovered one of these DLL_stageless downloaders embedded in a poisoned update installer for electronic keys used by the Ukrainian government, which is why the same technique could serve future supply chain attacks.