and were dubbed "Cozyduke", "Cosmicduke", "SeaDuke" and "OnionDuke".[1][19] Cozy Bear has been observed using an initial exploit or phishing email with malicious attachments to load a dropper which installs a Duke variant as a persistent trojan onto the target computer.
Cozy Bear has been observed updating and refining its malware to improve cryptography, interactive functionality, and anti-analysis (including virtual machine detection).[24]
Cozy Bear has been observed targeting and compromising organizations and foreign governments worldwide (including countries opposed to Russia, such as NATO and Five Eyes members) and the commercial sector (notably financial, manufacturing, energy and telecom).
Using compromised accounts at that organization, they sent phishing emails to other US government targets leveraging a malicious Flash file purporting to show "funny office monkeys".[6][26]
In August 2015 Cozy Bear was linked to a spear phishing campaign against the Pentagon, after which the resulting investigation shut down the entire Joint Chiefs of Staff unclassified email system.[30]
After the 2016 United States presidential election, Cozy Bear was linked to spear phishing campaigns against multiple U.S.-based think tanks and non-governmental organizations (NGOs) related to national security, defense, international affairs, public policy, and European and Asian studies.
Then-head of the Dutch intelligence service AIVD, Rob Bertholee, stated on EenVandaag television that the Russian intrusion had targeted government documents.[36]
In July 2020 the Five Eyes intelligence agencies NSA, NCSC and CSE reported that Cozy Bear had attempted to obtain COVID-19 vaccine data via intrusion campaigns.[47][4]
According to Microsoft,[48] the hackers compromised SolarWinds code signing certificates and deployed a backdoor that allowed impersonation of a target's user account via a malicious Security Assertion Markup Language definition.[53]
On 24 August 2022, Microsoft reported the group has deployed a similar tool "MagicWeb" to bypass user authentication on affected Active Directory Federation Services servers.[54]
In January 2024, Microsoft reported having recently discovered and ended a breach beginning the previous November of the email accounts of their senior leadership and other employees in the legal and cybersecurity teams using a "password spray", a form of brute-force attack.