Fighting Ursa Luring Targets With Car for Sale

Fighting Ursa Luring Targets With Car for Sale Threat Research Center Threat Actor Groups Nation-State Cyberattacks Nation-State Cyberattacks Fighting Ursa Luring Targets With Car for Sale 6 min read Related Products Advanced URL Filtering Advanced WildFire Cloud-Delivered Security Services Cortex Cortex XDR Cortex XSIAM Cortex XSOAR By: Unit 42 Published: August 2, 2024 Categories: Malware Nation-State Cyberattacks Threat Actor Groups Threat Research Tags: Advanced Persistent Threat APT28 Fancy Bear Fighting Ursa HeadLace Phishing Russia Share Executive Summary A Russian threat actor we track as Fighting Ursa advertised a car for sale as a lure to distribute HeadLace backdoor malware. The campaign likely targeted diplomats and began as early as March 2024. Fighting Ursa (aka APT28, Fancy Bear and Sofacy) has been associated with Russian military intelligence and classified as an advanced persistent threat (APT) [PDF] . Diplomatic-car-for-sale phishing lure themes have been used by Russian threat actors for years. These lures tend to resonate with diplomats and get targets to click on the malicious content. Unit 42 has previously observed other threat groups using this tactic. For example, in 2023, a different Russian threat group, Cloaked Ursa , repurposed an advertisement for a BMW for sale to target diplomatic missions within Ukraine. This campaign is not directly connected to the Fighting Ursa campaign described here. However, the similarity in tactics points to known behaviors of Fighting Ursa. The Fighting Ursa group is known for repurposing successful tactics – even continuously exploiting known vulnerabilities for 20 months after their cover was already blown. The details of the March 2024 campaign, which we attribute to Fighting Ursa with a medium to high level of confidence, indicate the group targeted diplomats and relied on public and free services to host various stages of the attack. This article examines the infection chain from the attack. Palo Alto Networks customers are better protected from the threats discussed in this article through our Network Security solutions, such as Advanced WildFire and Advanced URL Filtering , as well as our Cortex line of products. If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team . Related Unit 42 Topics APTs , Fighting Ursa Initial Lure The URL kicking off this infection chain was hosted by a legitimate service named Webhook.site , and it was submitted to VirusTotal on March 14, 2024. Webhook.site is a service for legitimate development projects, and it allows its users to create randomized URLs for various purposes like custom automation based on the characteristics of visitors to the URLs. In this case, Fighting Ursa abused Webhook.site to craft a URL that returned a malicious HTML page . Figure 1 below shows the HTML returned from the webhook[.]site URL. Figure 1. HTML code used in the attack hosted on the Webhook.site service. The HTML shown above in Figure 1 has multiple elements that attempt to automate the attack. First, it checks if the visiting computer is Windows-based. If not, it redirects to a decoy image on a URL hosted by another legitimate provider , which is a free service named ImgBB . As the final payload is Windows based, this operating system check is probably an effort to ensure that further actions taken in the attack are only taken for Windows visitors. The HTML then creates a ZIP archive from Base64 text in the HTML, offers it for download and attempts to open it with the JavaScript click() function. Figure 2 below shows the decoy image advertising a car for sale, specifically an Audi Q7 Quattro SUV. This fake advertisement is titled “Diplomatic Car For Sale.” The image provides different views of the vehicle. The image also contains contact details that are likely fake, as well as a phone number based in Romania. Finally, the image also lists the point of contact as the Southeast European Law Enforcement Center, possibly to lend this fake advertisement more credibility. Figure 2. Diplomatic car for sale lure hosted on ImgBB. Downloaded Malware The downloaded ZIP archive is saved as IMG-387470302099.zip and contains three files listed below in Table 1. File Size Modified Date and Time File Name 918,528 bytes 2009-07-13 18:38 UTC IMG-387470302099.jpg.exe 9,728 bytes 2024-03-13 00:37 UTC WindowsCodecs.dll 922 bytes 2024-03-13 00:37 UTC zqtxmo.bat Table 1. Contents of the downloaded file IMG-387470302099.zip . Table 1 above shows that the first file IMG-387470302099.jpg.exe has a double file extension of .jpg.exe . Windows hosts with a default configuration hide file extensions, so the .jpg.exe file extension only shows as .jpg in the file name. This is a common tactic used by threat actors to trick potential victims into double-clicking the file, in this case believing it will open a car for sale advertisement. The file named IMG-387470302099.jpg.exe is a copy of the legitimate Windows calculator file calc.exe . This file is used to sideload the included DLL file WindowsCodecs.dll , which is a component of the HeadLace backdoor. HeadLace is modular malware that executes in stages. This stage-based loading is probably designed to prevent detection and minimize the malware's exposure to analysts. The DLL file contains a function shown below in Figure 3. Figure 3. Code in WindowsCodecs.dll file to run a file named zqtxmo.bat . This function is solely meant to execute the last file within the ZIP archive, zqtxmo.bat . Figure 4 below shows the content of zqtxmo.bat . Figure 4. Contents of the zqtxmo.bat batch file. This batch file starts a process for Microsoft Edge ( start msedge ) to run content passed as Base64-encoded text. As shown above in Figure 4, the decoded text is a hidden iframe that retrieves content from a different Webhook.site URL . The batch file saves content from this second Webhook.site URL as IMG387470302099.jpg in the user's downloads directory. It then moves the downloaded file into the %programdata% directory and changes the file extension from .jpg to .cmd . Finally, the batch file executes IMG387470302099.cmd , then deletes itself as a way to remove any obvious trace of malicious activity. Attribution We attribute this activity with a medium to high level of confidence to Fighting Ursa based on the tactics, techniques and procedures (TTPs), characteristics of the attack infrastructure and the malware family attackers used. This attack relies heavily on public and free services to host lures and various stages of the attack. Documentation by IBM , Proofpoint , Recorded Future and others reveal that while the infrastructure used by Fighting Ursa varies for different attack campaigns, the group frequently relies on these freely available services. Furthermore, the tactics from this campaign fit with previously documented Fighting Ursa campaigns, and the HeadLace backdoor is exclusive to this threat actor . Conclusion Fighting Ursa is a motivated threat actor. The infrastructure the group uses has constantly changed and evolved, as noted in a recent report from Recorded Future. Other industry reports have also shown various lures this actor uses in attempts to drop HeadLace malware. We assess that Fighting Ursa will continue to use legitimate web services in its attack infrastructure. To defend against these attacks, defenders should limit access to these or similar hosting services as necessary. If possible, organizations should scrutinize the use of these free services to identify possible attack vectors. Palo Alto Networks Protection and Mitigation Palo Alto Networks customers are better protected from the threats discussed above through the following products: Cortex XDR detects the attack chain described above, among other protections in the Cortex XDR platform. Cortex XSIAM and XSOAR have released a response pack and playbook for automatically detecting the Fighting Ursa threat actor. This playbook downloads the APT28 detection rules and performs extraction, enrichment, and tagging of indicators. It executes our generic Threat Hunting sub-playbook and subsequently provides analysts with recommended workarounds, empowering them to decide the best course of action with the enriched indicators. Advanced URL Filtering identifies known URLs associated with this activity as malicious. The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research. If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call: North America Toll-Free: 866.486.4842 (866.4.UNIT42) EMEA: +31.20.299.3130 APAC: +65.6983.8730 Japan: +81.50.1790.0200 Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance . Indicators of Compromise HTML page hosted on webhook site with decoy image and payload zip file: cda936ecae566ab871e5c0303d8ff98796b1e3661885afd9d4690fc1e945640e Car for sale image lure: 7c85ff89b535a39d47756dfce4597c239ee16df88badefe8f76051b836a7cbfb ZIP file containing calc.exe , malicious DLL and BAT file: dad1a8869c950c2d1d322c8aed3757d3988ef4f06ba230b329c8d510d8d9a027 Legitimate calc.exe abused to sideload the malicious DLL: c6a91cba00bf87cdb064c49adaac82255cbec6fdd48fd21f9b3b96abf019916b Malicious file named WindowsCodecs.dll sideloaded by calc.exe : 6b96b991e33240e5c2091d092079a440fa1bef9b5aecbf3039bf7c47223bdf96 Batch file named zqtxmo.bat executed by the above malicious DLL: a06d74322a8761ec8e6f28d134f2a89c7ba611d920d080a3ccbfac7c3b61e2e7 URLs that hosted content for this campaign: hxxps[:]//webhook[.]site/66d5b9f9-a5eb-48e6-9476-9b6142b0c3ae hxxps[:]//webhook[.]site/d290377c-82b5-4765-acb8-454edf6425dd hxxps[:]//i.ibb[.]co/vVSCr2Z/car-for-sale.jpg Additional Resources GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns [PDF] – Recorded Future ITG05 operations leverage Israel-Hamas conflict lures to deliver Headlace malware – IBM TA422’s Dedicated Exploitation Loop—the Same Week After Week – Proofpoint Updated August 2, 2024, at 7:35 a.m. PT to add Cortex XSOAR and XSIAM product protections and playbook link. Updated August 5, 2024, at 8:37 a.m. PT to update Cortex XSOAR and XSIAM playbook link. Updated 6 August, 2024 at 7:58 AM PDT --> Back to top Tags Advanced Persistent Threat APT28 Fancy Bear Fighting Ursa HeadLace Phishing Russia Threat Research Center Next: Identifying a BOLA Vulnerability in Harbor, a Cloud-Native Container Registry Table of Contents Related Articles Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (Updated March 26) Threat Brief: Recruiting Scheme Impersonating Palo Alto Networks Talent Acquisition Team Boggy Serpens Threat Assessment Related Resources Threat Research April 8, 2026 Cracks in the Bedrock: Agent God Mode Agentcore AI agents AWS Read now Threat Research April 7, 2026 Cracks in the Bedrock: Escaping the AWS AgentCore Sandbox Agentcore Agentcore runtime AWS Read now Threat Research April 6, 2026 Understanding Current Threats to Kubernetes Environments Audit logs Cloud Containers Read now Threat Research April 3, 2026 When an Attacker Meets a Group of Agents: Navigating Amazon Bedrock's Multi-Agent Applications AI Amazon Bedrock Read now High Profile Threats April 1, 2026 Threat Brief: Widespread Impact of the Axios Supply Chain Attack API attacks JavaScript Supply chain Read now High Profile Threats March 31, 2026 Weaponizing the Protectors: TeamPCP’s Multi-Stage Supply Chain Attack on Security Infrastructure CVE-2025-55182 GitHub Infostealer Read now Threat Research March 31, 2026 Double Agents: Exposing Security Blind Spots in GCP Vertex AI Agentic AI Data exfiltration GCP Read now High Profile Threats March 26, 2026 Threat Brief: March 2026 Escalation of Cyber Risk Related to Iran (Updated March 26) APK DDoS attacks GenAI Read now Threat Actor Groups March 26, 2026 Converging Interests: Analysis of Threat Clusters Targeting a Southeast Asian Government CL-STA-1048 CL-STA-1049 Stately Taurus Read now Threat Research March 24, 2026 Threat Brief: Recruiting Scheme Impersonating Palo Alto Networks Talent Acquisition Team Email scam Lure Phishing Read now Get updates from Unit 42 Peace of mind comes from staying ahead of threats. Subscribe today. Your Email Subscribe for email updates to all Unit 42 threat research. By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement. This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply. --> Invalid captcha! Subscribe Get the latest news, invites to events, and threat alerts Enter your email now to subscribe! Sign up By submitting this form, I understand my personal data will be processed in accordance with Palo Alto Networks Privacy Statement and Terms of Use. Sign up Products and Services AI-Powered Network Security Platform Secure AI by Design Prisma AIRS AI Access Security Cloud Delivered Security Services Advanced Threat Prevention Advanced URL Filtering Advanced WildFire Advanced DNS Security Enterprise Data Loss Prevention Enterprise IoT Security Medical IoT Security Industrial OT Security SaaS Security Next-Generation Firewalls Hardware Firewalls Software Firewalls Strata Cloud Manager SD-WAN for NGFW PAN-OS Panorama Secure Access Service Edge Prisma SASE Application Acceleration Autonomous Digital Experience Management Enterprise DLP Prisma Access Prisma Browser Prisma SD-WAN Remote Browser Isolation SaaS Security AI-Driven Security Operations Platform Cloud Security Cortex Cloud Application Security Cloud Posture Security Cloud Runtime Security Prisma Cloud AI-Driven SOC Cortex XSIAM Cortex XDR Cortex XSOAR Cortex Xpanse Unit 42 Managed Detection & Response Managed XSIAM Threat Intel and Incident Response Services Proactive Assessments Incident Response Transform Your Security Strategy Discover Threat Intelligence Company About Us Careers Contact Us Corporate Responsibility Customers Investor Relations Location Newsroom Popular Links Blog Communities Content Library Cyberpedia Event Center Manage Email Preferences Products A-Z Product Certifications Report a Vulnerability Sitemap Tech Docs Unit 42 Do Not Sell or Share My Personal Information Your browser does not support the video tag. Default Heading Read the article Seekbar Volume