Cybercrime, Nobelium exploits a new custom malware: Ceeloader

Mandiant: Nobelium exploits a new custom malware, Ceeloader. The APT (aka UNC2452) also shows two distinct clusters of activity, UNC3004 and UNC2652

Nobelium (aka UNC2452) is using a new custom malware to hit its targets: Ceeloader. It is a downloader supporting the execution of shellcode payloads directly in memory, and it has been discovered by Mandiant cybersecurity experts. The malicious code is heavily obfuscated, and mixes calls to the Windows API with large blocks of junk code to evade detection by security software. Ceeloader communicates over HTTP, and the C2 response is decrypted using AES-256 in CBC mode. The custom malware is installed and executed by a Cobalt Strike beacon as needed and does not include a persistence mechanism that would let it run automatically when Windows starts. Furthermore, researchers identified two distinct clusters of activity, UNC3004 and UNC2652, related to the same APT. This could mean that the threat actor has two branches or subgroups. Meanwhile, Nobelium continues to breach cloud providers and MSPs as a way to gain initial access to its targets.

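The article states that Ceeloader decrypts its C2 responses with AES-256 in CBC mode. The following Go program is an added example, not code from the article or from Mandiant's analysis: it shows how an analyst, having recovered the key and IV from a sample, would reproduce that decryption of a captured response and validate the PKCS#7 padding before trusting the output. The key, IV, plaintext and the `encryptC2Response`/`decryptC2Response` function names are constructed for this illustration; nothing here reflects Ceeloader's real key material or message format.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed key material for the demonstration only; a real investigation
// would take these values from the analysed sample or its configuration.
var (
	sampleKey = []byte("0123456789abcdef0123456789abcdef") // 32 bytes = AES-256
	sampleIV  = []byte("fedcba9876543210")                 // 16 bytes = one AES block
)

// padPKCS7 appends PKCS#7 padding so the buffer is a whole number of blocks.
func padPKCS7(buf []byte) []byte {
	n := aes.BlockSize - len(buf)%aes.BlockSize
	return append(append([]byte{}, buf...), bytes.Repeat([]byte{byte(n)}, n)...)
}

// unpadPKCS7 strips PKCS#7 padding, rejecting any malformed trailer instead of
// silently returning garbage (the failure mode a tampered or mis-keyed
// response would produce).
func unpadPKCS7(buf []byte) ([]byte, error) {
	n := int(buf[len(buf)-1])
	if n == 0 || n > aes.BlockSize || n > len(buf) {
		return nil, errors.New("invalid PKCS#7 padding length")
	}
	if !bytes.Equal(buf[len(buf)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("invalid PKCS#7 padding bytes")
	}
	return buf[:len(buf)-n], nil
}

// encryptC2Response builds a synthetic "server response" (AES-256-CBC, PKCS#7)
// so the decryptor can be exercised offline without any real traffic.
func encryptC2Response(key, iv, plaintext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly one AES block (16 bytes)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	padded := padPKCS7(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, padded)
	return out, nil
}

// decryptC2Response recovers the plaintext of a captured response with the
// recovered key and IV, validating every structural property first.
func decryptC2Response(key, iv, ciphertext []byte) ([]byte, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("IV must be exactly one AES block (16 bytes)")
	}
	if len(ciphertext) == 0 || len(ciphertext)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext length is not a multiple of the block size")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	plain := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(plain, ciphertext)
	return unpadPKCS7(plain)
}

func main() {
	// Constructed plaintext standing in for a captured C2 response body.
	ct, err := encryptC2Response(sampleKey, sampleIV, []byte("tasking: sleep 60"))
	if err != nil {
		panic(err)
	}
	pt, err := decryptC2Response(sampleKey, sampleIV, ct)
	if err != nil {
		panic(err)
	}
	fmt.Printf("decrypted response: %q\n", pt)
}
```

The explicit length and padding checks matter in practice: a response captured from a different beacon, a truncated PCAP, or a wrong key guess will usually surface as one of these errors rather than as plausible-looking but meaningless bytes.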