2022-01-05

APT29/NOBELIUM - EnvyScout

Level: Tactical | Source: Sekoia
Government, Cybersecurity

Sekoia has shared intrusion activity from APT29/NOBELIUM that uses malicious HTML attachments named EnvyScout. The attachment is distributed through phishing emails; when it is executed, ISO files are downloaded and mounted on the victim's workstation, which sets up execution of a Cobalt Strike beacon. Based on obtained samples of the phishing emails, targets of the campaign have been foreign embassies, including Iran and Turkey.

     
