The Russian state-sponsored hacking group ‘APT29’ (aka Nobelium, Cloaked Ursa) has been using unconventional lures like car listings to entice diplomats in Ukraine to click on malicious links that deliver malware.
APT29 is linked to the Russian government’s Foreign Intelligence Service (SVR) and has been responsible for numerous cyberespionage campaigns targeting high-interest individuals across the globe.
In the past two years, Russian hackers have focused on NATO, EU, and Ukrainian targets, using phishing emails and documents with foreign policy topics, along with phony websites, to infect their targets with stealthy backdoors.
A report published today by Palo Alto Networks’ Unit 42 team explains that APT29 has evolved its phishing tactics, using lures that are more personal to the phishing email recipient.
Luxury cars in Kyiv
In one of the most recent APT29 operations spotted by Unit 42, which started in May 2023, the threat actors use a BMW car advertisement to target diplomats in Ukraine’s capital, Kyiv.
The sale flier was sent to diplomats’ email addresses, mimicking a legitimate car sale circulated two weeks prior by a Polish diplomat preparing to leave Ukraine.

When the recipients click on the “more high-quality photos” link embedded in the malicious document, they are redi