Research (Insikt)

BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware

Posted: 27th July 2023
By: Insikt Group
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware


Recorded Future’s Insikt Group has been monitoring the activities of Russian state actors who are intensifying their efforts to hide command-and-control network traffic using legitimate internet services (LIS) and expanding the range of services misused for this purpose. BlueBravo is a threat group tracked by Insikt Group, whose actions align with those of the Russian advanced persistent threat (APT) groups APT29 and Midnight Blizzard, both attributed to Russia's Foreign Intelligence Service (SVR).

bluebravo-adapts-to-target-diplomatic-entities-with-graphicalproton-malware-body.png (Overview of BlueBravo attack flow (Source: Recorded Future)

In January 2023, Insikt Group reported on BlueBravo's use of a themed lure to deliver malware called GraphicalNeutrino. They identified several consistent tactics employed by the group, including compromised infrastructure, known malware families, third-party services for command-and-control (C2), and reused lure themes. Another malware variant used by BlueBravo, named GraphicalProton, was discovered. Unlike GraphicalNeutrino, which used Notion for C2, GraphicalProton uses Microsoft's OneDrive or Dropbox for communication.

The group's misuse of LIS is an ongoing strategy, as they have used various online services such as Trello, Firebase, and Dropbox to evade detection. BlueBravo appears to prioritize cyber-espionage efforts against European government sector entities, possibly due to the Russian government's interest in strategic data during and after the war in Ukraine.

Based on observed trends, Insikt Group predicts that BlueBravo will continue to adapt and create new malware variants while leveraging third-party services for C2 obfuscation. Defenders are urged to invest additional time and resources to track the evolving group, particularly organizations targeted by Russian state actors in relation to the Russia-Ukraine conflict.

BlueBravo is expected to continue developing infrastructure and compromising vulnerable websites to deploy new strains of malware, targeting diplomatic and foreign policy institutions in Eastern Europe, as these organizations provide valuable insight for the Russian intelligence consumers during the ongoing war in Ukraine.

To read the entire analysis with endnotes, click here to download the report as a PDF.