
Nobelium APT uses new Post-Compromise malware MagicWeb

August 25, 2022

Microsoft security researchers discovered a post-compromise malware, tracked as MagicWeb, which is used by the Russia-linked NOBELIUM APT group to maintain persistent access to compromised environments.

The NOBELIUM APT (also known as APT29, Cozy Bear, and The Dukes) is the threat actor that conducted the supply chain attack against SolarWinds, which involved multiple families of implants, including the SUNBURST backdoor, TEARDROP malware, GoldMax malware, Sibot, and GoldFinder backdoors.

NOBELIUM focuses on government organizations, non-government organizations (NGOs), think tanks, military, IT service providers, health technology and research, and telecommunications providers.
The Microsoft Threat Intelligence Center (MSTIC) researchers believe that MagicWeb was likely deployed during an ongoing compromise by NOBELIUM.

Read More on Security Affairs