Russian Hacking Group Uses New Stealthy Ceeloader Malware

The Nobelium hacking group continues to breach government and enterprise networks worldwide by targeting their cloud and managed service providers and using a new custom “Ceeloader” malware.

Nobelium is Microsoft’s name for the threat actor behind last year’s SolarWinds supply-chain attack that led to the compromise of several US federal agencies. This group is believed to be the hacking division of the Russian Foreign Intelligence Service (SVR), commonly known as APT29, The Dukes, or Cozy Bear.

While Nobelium is an advanced hacking group using custom malware and tools, they still leave traces of activity that researchers can use to analyze their attacks.

In a new report, Mandiant researchers used these traces to document the tactics, techniques, and procedures (TTPs) the group uses, along with a new custom downloader called “Ceeloader.”

Mandiant also tracks this activity as two distinct clusters, UNC3004 and UNC2652, which may mean that what is called Nobelium is in fact two cooperating hacking groups.

Supply chain attack

Based on the activity seen by Mandiant, the Nobelium actors continue to breach cloud service providers (CSPs) and managed service providers (MSPs) as a way to gain initial access to the networks of those providers’ downstream customers.

“In at least one instance, the threat actor identified and compromised a local VPN account and made use of this VPN account to perform reconnaissance and gain further access to internal resources within the victim CSP’s environment, which ultimately led to the compromise of internal domain accounts,” explained Mandiant.

In at least one other breach, the hacking group used the CRYPTBOT password-stealing malware to steal valid session tokens used to authenticate to the victim’s Microsoft 365 environment.

Notably, Nobelium compromises multiple accounts within a single environment and uses each of them for a separate function, so that the exposure of one account does not put the entire operation at risk.

“The threat actors leveraged compromised privileged accounts and used SMB, remote WMI, remote scheduled tasks registration, and PowerShell to execute commands within victim environments.” – Mandiant

“The threat actor used the protocols mainly to perform reconnaissance, distribute beacons (Cobalt Strike) around the network, as well as run native Windows commands for credential harvesting.”

A new custom “Ceeloader” malware

Nobelium is known for its development and use of custom malware that allows backdoor access to networks, the downloading of further malware, network tracing, NTLM credential theft, and other malicious behavior.

Mandiant has discovered a new custom downloader called “Ceeloader.” It is written in C and supports executing shellcode payloads directly in memory.

The malware is heavily obfuscated, and mixes calls to the Windows API with large blocks of junk code to evade detection by security software.

Ceeloader communicates with its command-and-control (C2) server over HTTP, and it decrypts the C2 response using AES-256 in CBC mode.

The Ceeloader downloader is installed and executed by a Cobalt Strike beacon as needed; it has no persistence mechanism of its own and does not run automatically when Windows starts.

Nobelium has used numerous custom malware strains in the past, notably during the SolarWinds attacks and in a phishing attack against the United States Agency for International Development (USAID).

Multiple hiding tricks

To hamper attempts at tracing the attacks, Nobelium reaches the victim’s environment through residential IP addresses (proxies), Tor, virtual private servers (VPS), and virtual private networks (VPNs).

In some cases, Mandiant identified compromised WordPress sites used to host second-stage payloads that are fetched and launched into memory by Ceeloader.

Finally, the actors used legitimate Microsoft Azure-hosted systems whose IP addresses were geographically close to the victim’s network.

This blends the attacker’s traffic in with the victim’s normal internal and external activity, making the malicious activity unlikely to be detected on geolocation alone and harder to analyse afterwards.
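Because the Azure-hosted sources sit close to the victim, a geolocation or impossible-travel rule will not catch them; what still stands out is the source network itself. The following Python rules, an added example rather than code from the article or from Mandiant, classify sign-in sources against range lists (corporate, cloud hosting, Tor exit) and flag two things: any attempt from hosting or Tor infrastructure, and an account with successful sessions from both the corporate network and a hosting range within one hour, which is also what a replayed Microsoft 365 session token stolen by something like CRYPTBOT looks like. The range lists use documentation address blocks and are constructed assumptions; in practice they come from the corporate IP plan, the cloud providers’ published range feeds, and a Tor exit-node list.

```python
"""Source-network hunting for the infrastructure described above, run over
constructed sign-in records.  All addresses are documentation/test ranges and
every list here is an assumption standing in for real feeds."""
import ipaddress
from datetime import datetime, timedelta

SOURCE_RANGES = {
    "corporate":     ["203.0.113.0/24"],
    "cloud_hosting": ["198.51.100.0/24"],   # stands in for an Azure range near the victim
    "tor_exit":      ["192.0.2.0/24"],
}

# Constructed sign-in records (not real logs), in a simplified schema
SAMPLE_SIGNINS = [
    {"ts": "2021-12-06T08:01:00Z", "user": "alice@corp.example",
     "src_ip": "203.0.113.10",  "result": "Success", "app": "Exchange Online"},
    {"ts": "2021-12-06T08:40:00Z", "user": "alice@corp.example",
     "src_ip": "198.51.100.77", "result": "Success", "app": "Exchange Online"},
    {"ts": "2021-12-06T09:15:00Z", "user": "bob@corp.example",
     "src_ip": "203.0.113.22",  "result": "Success", "app": "SharePoint"},
    {"ts": "2021-12-06T09:20:00Z", "user": "bob@corp.example",
     "src_ip": "192.0.2.5",     "result": "Failure", "app": "SharePoint"},
    {"ts": "2021-12-06T10:05:00Z", "user": "carol@corp.example",
     "src_ip": "198.51.100.9",  "result": "Success", "app": "Azure Portal"},
]

_NETWORKS = [(label, ipaddress.ip_network(cidr))
             for label, cidrs in SOURCE_RANGES.items() for cidr in cidrs]


def classify_source(ip):
    """Label an address by the first range list that contains it, else 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for label, net in _NETWORKS:
        if addr in net:
            return label
    return "unknown"


def _parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def external_signins(events, labels=("cloud_hosting", "tor_exit")):
    """Every attempt, successful or not, from a hosting or Tor range.  Failures
    still matter: they show which accounts are being tried from that infrastructure."""
    return [dict(e, source=classify_source(e["src_ip"]))
            for e in events if classify_source(e["src_ip"]) in labels]


def split_source_accounts(events, window=timedelta(hours=1)):
    """Accounts with a successful corporate sign-in and a successful hosting-range
    sign-in within `window` of each other.  A hosting address near the victim
    passes geolocation checks, but one user on both networks inside an hour is
    worth a look: a replayed session token, a proxy, or a VPN in the chain."""
    by_user = {}
    for e in events:
        if e["result"] != "Success":
            continue
        by_user.setdefault(e["user"], []).append(
            (_parse_ts(e["ts"]), classify_source(e["src_ip"]), e["src_ip"]))
    flagged = {}
    for user, entries in by_user.items():
        corp = [x for x in entries if x[1] == "corporate"]
        host = [x for x in entries if x[1] == "cloud_hosting"]
        pairs = [(c[2], h[2]) for c in corp for h in host
                 if abs(c[0] - h[0]) <= window]
        if pairs:
            flagged[user] = pairs
    return flagged


if __name__ == "__main__":
    for e in external_signins(SAMPLE_SIGNINS):
        print(f"{e['ts']} {e['user']} from {e['src_ip']} ({e['source']}) {e['result']}")
    for user, pairs in split_source_accounts(SAMPLE_SIGNINS).items():
        print(f"{user}: corporate/hosting sessions within window: {pairs}")
```

On the constructed records this flags alice (corporate and hosting sessions 39 minutes apart), bob’s failed attempt from a Tor exit, and carol’s successful sign-in from the hosting range. The split-source rule is intentionally restricted to successful sessions so that a single failed probe does not drown the more telling pattern of an account live on two networks at once.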

Nobelium still active

Mandiant warns that the activity of Nobelium is heavily focused on the collection of intelligence, as the researchers saw evidence of the hackers exfiltrating documents that are of political interest to Russia.

Microsoft has previously linked UNC2652 and UNC3004 to UNC2452, the group responsible for the SolarWinds supply chain attack, so it’s plausible that they are all under the same “Nobelium” umbrella.

However, Mandiant underlines that there is insufficient evidence to attribute this with high confidence.

What matters for defenders is that the attackers are still going through third parties and trusted vendors such as CSPs to reach valuable target networks, so organisations must remain vigilant, keep current on new IOCs, and keep their systems up to date.

To that end, Mandiant has updated its UNC2452 whitepaper with the new TTPs observed in the 2021 campaigns.
