Suspected APT29 Operation Launches Election Fraud Themed Phishing Campaigns
ID: 81a00f23-4ea6-5bcb-b264-1f233c17f030
STIX ID: report--81a00f23-4ea6-5bcb-b264-1f233c17f030
Feed Name: Volexity Blog
Volexity observed a USAID-themed spear-phishing campaign (May 2021) targeting NGOs, research institutions, government and international agencies in the US and Europe. Recipients who clicked the embedded Constant Contact links were redirected to download an ISO (ICA-declass.iso) containing a decoy PDF, a malicious LNK and Document.dll, which deobfuscates and runs a Cobalt Strike HTTPS Beacon and later fetches a second-stage FRESHFIRE DLL via Firebase. The report includes detailed IOC lists (domains, IPs, Firebase paths), file hashes, YARA rules, analysis of anti-VM/sandbox checks, the Cobalt Strike configuration and attribution to APT29 with moderate confidence, and recommends blocking the identified indicators and deploying the provided detections.
