Nobelium uses FoggyWeb as a backdoor. Microsoft cybersecurity experts: The cyber espionage APT exploits it to remotely exfiltrate sensitive information from a compromised AD FS server

FoggyWeb is a new malware used by Nobelium cyber espionage group as a backdoor. It has been discovered by Microsoft cybersecurity experts. Once the APT obtains credentials and successfully compromises a server, it relies on that access to maintain persistence and deepen its infiltration using sophisticated malware and tools. NOBELIUM uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, decrypted token-signing certificate, and token-decryption certificate, as well as to download and execute additional components. Use of the malware has been observed in the wild as early as April 2021. FoggyWeb can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.