Microsoft announces new threat campaign from NOBELIUM

Microsoft Threat Intelligence Center (MSTIC) has uncovered a wide-scale malicious email campaign operated by NOBELIUM, the threat actor behind the attacks against SolarWinds, the SUNBURST backdoorTEARDROP malwareGoldMax malware, and other related components. The campaign, initially observed and tracked by Microsoft since January 2021, evolved over a series of waves demonstrating significant experimentation. On May 25, 2021, the campaign escalated as NOBELIUM leveraged the legitimate mass-mailing service, Constant Contact, to masquerade as a US-based development organization and distribute malicious URLs to a wide variety of organizations and industry verticals.

Microsoft is issuing this alert and new security research regarding this sophisticated email-based campaign that NOBELIUM has been operating to help the industry understand and protect from this latest activity. Below, we have outlined attacker motives, malicious behavior, and best practices to protect against this attack. You can also find more information on the Microsoft On The Issues blog.

NOBELIUM has historically targeted government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers. With this latest attack, NOBELIUM attempted to target approximately 3,000 individual accounts across more than 150 organizations, employing an established pattern of using unique infrastructure and tooling for each target, increasing their ability to remain undetected for a longer period of time.

Microsoft security researchers assess that the NOBELIUM’s spear-phishing operations are recurring and have increased in frequency and scope. It is anticipated that additional activity may be carried out by the group using an evolving set of tactics.

Further details on this is available at –

Indicators of compromise (IOC)

This attack is still active, so these indicators should not be considered exhaustive for this observed activity.

These indicators of compromise are from the large-scale campaign launched on May 25, 2021.

[email protected]EmailSpoofed email account
[email protected]EmailSpoofed email account
2523f94bd4fba4af76f4411fe61084a7e7d80dec163c9ccba9226c80b8b31252SHA-256Malicious ISO file (container)
d035d394a82ae1e44b25e273f99eae8e2369da828d6b6fdb95076fd3eb5de142SHA-256Malicious ISO file (container)
94786066a64c0eb260a28a2959fcd31d63d175ade8b05ae682d3f6f9b2a5a916SHA-256Malicious ISO file (container)
48b5fb3fa3ea67c2bc0086c41ec755c39d748a7100d71b81f618e82bf1c479f0SHA-256Malicious shortcut (LNK)
ee44c0692fd2ab2f01d17ca4b58ca6c7f79388cbc681f885bb17ec946514088cSHA-256Cobalt Strike Beacon malware
ee42ddacbd202008bcc1312e548e1d9ac670dd3d86c999606a3a01d464a2a330SHA-256Cobalt Strike Beacon malware
usaid.theyardservice[.]comDomainSubdomain used to distribute ISO file
worldhomeoutlet[.]comDomainSubdomain in Cobalt Strike C2
dataplane.theyardservice[.]comDomainSubdomain in Cobalt Strike C2
cdn.theyardservice[.]comDomainSubdomain in Cobalt Strike C2
static.theyardservice[.]comDomainSubdomain in Cobalt Strike C2
192[.]99[.]221[.]77IP addressIP resolved to by worldhomeoutlet[.]com
83[.]171[.]237[.]173IP addressIP resolved to by *theyardservice[.]com
theyardservice[.]comDomainActor controlled domain

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: