Nobelium, the threat group behind the SolarWinds breach, is currently conducting a phishing campaign. In this attack campaign, the Russia-backed group took control of the account used by USAID on Constant Contact, an email marketing platform. According to Microsoft, the campaign was discovered in February.

What has happened?

The phishing campaign targeted 3,000 accounts connected to 150 think tanks, consultants, government agencies, and non-governmental entities. It targeted 24 countries, with the U.S. the most affected.
  • The attacks were launched by gaining access to the Constant Contact account of USAID. From there, the actors were able to distribute phishing emails that were seemingly authentic.
  • The phishing emails carried a link that, when clicked, delivered a malicious file used to distribute the NativeZone backdoor. This backdoor can perform a wide range of activities.
  • In one instance, when a Nobelium-controlled server detected an Apple iOS device, it served an exploit for a WebKit UXSS vulnerability. Apple confirmed that it was aware of the vulnerability being actively exploited.
  • The May 25 campaign used several variations. In one case, the emails appeared to have originated from USAID, while the genuine sender email address matched the standard Constant Contact service.

Nobelium’s infection chain 

The authentic sender email address, which varies for every recipient, was observed in the phishing emails.
  • The sender addresses ended with @in[.]constantcontact[.]com, and the emails carried a Reply-To address of <mhillary@usaid[.]gov>.
  • If the link inside the email is clicked, a malicious ISO is dropped containing a shortcut, a decoy document, and a malicious DLL, along with a Cobalt Strike Beacon loader tracked as NativeZone by Microsoft.
  • If the shortcut is executed, the DLL is run. The successful deployment of these payloads allows the group to achieve persistent access to targeted machines.
  • Execution of these malicious payloads could allow the group to carry out actions on objectives, such as data exfiltration, lateral movement, and delivery of other malware.
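
A header triage check for the sender and Reply-To pattern described above, as an added example that is not from the original article or from Microsoft. The function names, the return labels and the high-trust domain list are assumptions, and the sample headers are constructed.

```python
from email import message_from_string
from email.utils import getaddresses

# Sender suffix reported on this page (stored defanged, as the page prints it).
BULK_SENDER_SUFFIXES = ("in[.]constantcontact[.]com",)
# Assumption: organisations whose mail your users treat as high trust.
HIGH_TRUST_DOMAINS = ("usaid[.]gov",)

def refang(text):
    """Turn defanged indicators back into parseable form."""
    return text.replace("[.]", ".")

def _domains(msg, header):
    """Lower-cased domain of every address found in one header."""
    pairs = getaddresses(msg.get_all(header, []))
    return {addr.rsplit("@", 1)[1].lower() for _, addr in pairs if "@" in addr}

def _under(domain, suffixes):
    """True if domain equals, or is a subdomain of, any listed suffix."""
    return any(domain == s or domain.endswith("." + s) for s in map(refang, suffixes))

def triage(raw_headers):
    """Return 'pass', 'bulk' or 'inspect-links' for one message."""
    msg = message_from_string(raw_headers)
    senders = _domains(msg, "From") | _domains(msg, "Sender")
    if not any(_under(d, BULK_SENDER_SUFFIXES) for d in senders):
        return "pass"
    # Platform mail with a Reply-To at a high-trust organisation looks exactly
    # like that organisation's legitimate mailing, so authenticity checks on
    # the sender will not help: route it to link and attachment inspection.
    if any(_under(d, HIGH_TRUST_DOMAINS) for d in _domains(msg, "Reply-To")):
        return "inspect-links"
    return "bulk"

# Constructed sample headers; only the suffix and Reply-To come from the page.
SAMPLES = {
    "campaign-like": "From: USAID <a1b2c3@in[.]constantcontact[.]com>\n"
                     "Reply-To: <mhillary@usaid[.]gov>\nSubject: sample\n\n",
    "ordinary-bulk": "From: Shop <n9@in[.]constantcontact[.]com>\n"
                     "Reply-To: <sales@shop.example>\nSubject: sample\n\n",
    "direct-mail": "From: Alice <alice@partner.example>\nSubject: sample\n\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", triage(refang(raw)))
```

Because the mail was sent from a genuine platform account, the "inspect-links" result is a routing decision for further link and attachment analysis, not a verdict that the message is malicious.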


Nobelium is now gaining access to the infrastructure of genuine technology providers and targeting their customers. In addition, by taking advantage of software updates and mass email providers, the group has increased its chances of collateral damage in espionage attacks.

Cyware Publisher