CTI Roundup: UNC6032, APT41, Void Blizzard
UNC6032 creates fake AI-themed websites, APT41 uses Google Calendar for command and control, and Void Blizzard targets critical sectors
This week, Tanium’s Cyber Threat Intelligence (CTI) team explores how cybercriminals are creating fake websites that mimic legitimate AI services to distribute malware. The roundup also includes updates on APT41, which is a highly sophisticated Chinese state-sponsored threat actor. Finally, our CTI team investigates a new Russia-affiliated threat actor called Void Blizzard.
UNC6032 creates fake AI-themed websites
According to Mandiant, cybercriminals are now creating fake AI websites and using them to distribute malware through deceptive ads.
This campaign, attributed to the group UNC6032, targets users globally and highlights the growing trend of threat actors weaponizing emerging technologies for large-scale credential theft and surveillance.
How are threat actors using AI and social media to spread malware?
As Mandiant explains, threat actors have been quick to exploit the surging popularity of AI. This has resulted in campaigns originating from sites masquerading as popular AI tools, which are advertised through Facebook and LinkedIn ads.
Mandiant identified over 30 websites across thousands of ads that display similar content. The actor seems to be continuously rotating the domains mentioned in the ads to avoid detection, with most being short-lived and new ones created daily.
What happens when you click a fake AI ad?
In this campaign, the Facebook ad masqueraded as Luma AI, a known text-to-video AI tool. The advertisement leads victims to an attacker-created website where they can click a “Start Free Now” button and select the functions they would like to use.
- When the victim clicks to generate the content, they receive a loading bar that looks like the AI model is working on the request.
- After a few seconds, they receive a video to download. This will download a .zip file to the device.
- The downloaded .zip file contains an executable with a double extension that masquerades as an .mp4 file but is actually an .exe.
What is the STARKVEIL dropper?
The executable, which Mandiant tracks as STARKVEIL, is a dropper written in Rust. It extracts an embedded archive and its malware components, which are used later in the infection to inject malicious code into legitimate processes.
Mandiant found that the executable must run twice for a successful compromise. To achieve this, the malware displays an error window on first execution, potentially tricking the victim into launching it again.
During the second execution, it spawns the Python Launcher with an embedded Python command, which Mandiant identified as the COILHATCH dropper. More details on COILHATCH, along with further technical details of the STARKVEIL malware, can be found in Mandiant’s report.
Executables to know
The campaign deploys three executables: GRIMPULL, XWORM, and FROSTRIFT.
- GRIMPULL is a downloader with anti-VM checks that uses Tor for its C2 communications.
- XWORM runs second and gets injected into a legitimate Windows process. This is a backdoor that expands its capabilities with plugins.
- FROSTRIFT gets injected into a legitimate Windows process and will gather information about the system. It receives modules from the C2 that are stored to be loaded in memory.
Analyst comments from Tanium’s Cyber Threat Intelligence team
This campaign is a textbook example of how threat actors rapidly adapt to exploit trending technologies. In this case, AI hype serves as the perfect lure for social engineering.
Additionally, the abuse of ad platforms like Facebook and LinkedIn highlights a growing blind spot in threat detection. Malicious infrastructure is now being built on top of legitimate ecosystems.
This is a reminder that monitoring malware payloads is not enough. Equal attention must be given to identifying and monitoring delivery vectors.
APT41 uses Google Calendar for command and control
Google Threat Intelligence Group’s latest report covers APT41, a Chinese state-sponsored threat actor that recently used a compromised government website to deliver a sophisticated three-stage malware called TOUGHPROGRESS.
The attack leveraged deceptive file structures and Google Calendar for command and control. Google successfully disrupted the campaign by deploying custom detections and disabling attacker infrastructure.
How did APT41 use fake PDFs to deliver malware?
APT41 started the attack by sending spear phishing emails to the intended victims. The emails contained a link to a .zip archive that was hosted on an exploited government website.
The archive included seven .jpg images and an .lnk file disguised as a .pdf. The payload was executed via the .lnk, after which the .lnk was deleted and replaced with a decoy .pdf.
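Both lures above rely on an archive whose contents are not what their names claim: UNC6032 ships an .exe with a video double extension, and APT41 ships a shortcut posing as a PDF among decoy images. The following Python script is an added example, not code from Mandiant, Google or Tanium, showing how a mail gateway or sandbox pre-filter can triage a zip before anyone opens it. It checks two things per member: whether the final extension is executable (and whether a decoy extension sits in front of it), and whether the file's first bytes carry a PE (`MZ`) or Windows shell link header that contradicts the extension. The extension lists, thresholds, file names and archive bytes are constructed for the example and contain no real malware.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions Windows treats as executable on double-click (assumed representative list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".lnk", ".bat", ".cmd", ".js",
                   ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".dll"}
# Inner extensions commonly used as the decoy half of a double extension.
DECOY_EXTS = {".mp4", ".pdf", ".jpg", ".jpeg", ".png", ".doc", ".docx", ".txt", ".mp3"}

PE_MAGIC = b"MZ"  # DOS stub signature at the start of every PE executable
# Shell link header: HeaderSize 0x4C followed by CLSID 00021401-0000-0000-C000-000000000046
LNK_MAGIC = bytes.fromhex("4c000000" + "0114020000000000c000000000000046")


def classify_member(name: str, head: bytes) -> list:
    """Return the reasons an archive member looks like a disguised executable."""
    reasons = []
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    final = suffixes[-1] if suffixes else ""
    if final in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {final}")
        if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXTS:
            reasons.append(f"double extension masquerading as {suffixes[-2]}")
    # Content checks catch renamed files whose extension lies outright.
    if head.startswith(PE_MAGIC) and final not in {".exe", ".dll", ".scr", ".com"}:
        reasons.append("PE header under non-executable extension")
    if head.startswith(LNK_MAGIC) and final != ".lnk":
        reasons.append("LNK header under non-.lnk extension")
    return reasons


def triage_archive(data: bytes) -> list:
    """Scan every file in a zip (given as bytes) and report members that warrant a closer look."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(32)  # only the header bytes are needed for the magic checks
            reasons = classify_member(info.filename, head)
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings


def build_sample_archive() -> bytes:
    """Constructed zip mirroring both lure layouts; members are dummy bytes, not real malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # UNC6032-style lure: executable with a video double extension
        zf.writestr("Luma_AI_Video.mp4.exe", PE_MAGIC + b"\x00" * 62)
        # APT41-style lure: shortcut posing as a PDF, padded with decoy images
        zf.writestr("Report.pdf.lnk", LNK_MAGIC + b"\x00" * 44)
        for i in range(7):
            zf.writestr(f"image{i}.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

Running the script flags the two disguised members and leaves the seven JPEGs alone. The header check matters because Windows Explorer hides known extensions by default, so a name alone is easy to spoof in both directions; reading the first bytes costs nothing and also catches a plain `video.mp4` that is really a PE.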
Understanding the malware infection chain
The malware contains three modules, each with its own function, deployed in series:
- PLUSDROP is a DLL designed to decrypt and execute the next stage of the attack.
- PLUSINJECT performs process hollowing and injects the final payload.
- TOUGHPROGRESS executes the actual actions on the compromised device and abuses Google Calendar for command and control (C2).
How APT41 turned Google Calendar into a C2 channel
As noted, TOUGHPROGRESS abuses Google Calendar. It can read and write events in an attacker-controlled Google Calendar. When executed, it creates a calendar event set to a hardcoded date of May 30, 2023, with a duration of zero minutes.
The event includes data that was collected from the compromised device in the event description. The attacker also places encrypted commands in additional calendar events at dates hardcoded in the malware.
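Because the C2 channel is a legitimate calendar, the defensive angle is hunting in calendar data rather than in network traffic. The script below is an added example, not Google's detection logic, that runs three heuristics over an exported list of events shaped like the Google Calendar API's `events` resource (`start.dateTime`, `end.dateTime`, `description`): a zero-minute duration, a start on the hardcoded date the report names, and a description that is a long high-entropy base64-like blob rather than human text. The entropy threshold, the minimum blob length and the sample events are assumptions constructed for this example; the base64 of a byte ramp stands in for encrypted content.

```python
import base64
import math
import re
from datetime import datetime

# Date the Google report says TOUGHPROGRESS hardcodes for its first event.
HARDCODED_DATE = "2023-05-30"
# Loose base64 alphabet check; the thresholds are assumptions for this example.
B64_RE = re.compile(r"^[A-Za-z0-9+/=\s]+$")
MIN_BLOB_LEN = 64
MIN_ENTROPY = 4.5


def shannon_entropy(text: str) -> float:
    """Bits per character; base64 of random/encrypted data sits near 6, English prose near 4."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_dt(value: str) -> datetime:
    """Parse RFC 3339 timestamps as the Calendar API emits them (trailing Z allowed)."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def event_indicators(event: dict) -> list:
    """Heuristics for one event dict in Google Calendar API style."""
    reasons = []
    start = event.get("start", {}).get("dateTime")
    end = event.get("end", {}).get("dateTime")
    if start and end:
        if parse_dt(start) == parse_dt(end):
            reasons.append("zero-minute duration")
        if start.startswith(HARDCODED_DATE):
            reasons.append(f"starts on hardcoded date {HARDCODED_DATE}")
    description = event.get("description") or ""
    compact = re.sub(r"\s+", "", description)
    if (len(compact) >= MIN_BLOB_LEN and B64_RE.match(description)
            and shannon_entropy(compact) > MIN_ENTROPY):
        reasons.append("description is a long high-entropy base64-like blob")
    return reasons


def hunt_calendar(events) -> dict:
    """Map event id -> reasons for every event that trips at least one heuristic."""
    flagged = {}
    for event in events:
        reasons = event_indicators(event)
        if reasons:
            flagged[event["id"]] = reasons
    return flagged


# Constructed sample export (not real attacker data); the blob stands in for exfiltrated content.
SAMPLE_EVENTS = [
    {"id": "evt-benign", "summary": "Team sync",
     "start": {"dateTime": "2025-06-02T09:00:00Z"}, "end": {"dateTime": "2025-06-02T09:30:00Z"},
     "description": "Weekly status update and planning"},
    {"id": "evt-exfil", "summary": "",
     "start": {"dateTime": "2023-05-30T00:00:00Z"}, "end": {"dateTime": "2023-05-30T00:00:00Z"},
     "description": base64.b64encode(bytes(range(256))).decode()},
    {"id": "evt-zero", "summary": "Reminder",
     "start": {"dateTime": "2025-06-03T12:00:00Z"}, "end": {"dateTime": "2025-06-03T12:00:00Z"},
     "description": ""},
]

if __name__ == "__main__":
    for event_id, reasons in hunt_calendar(SAMPLE_EVENTS).items():
        print(event_id, "->", "; ".join(reasons))
```

A lone zero-minute event is common enough (reminders) that it should raise a score, not an alert; the combination of a zero-minute event, a date in the past that matches the malware's constant, and a description that reads as ciphertext is what makes `evt-exfil` stand out. In a real deployment the same logic would be fed by Workspace audit or Calendar API exports rather than the inline list.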
Analyst comments from Tanium’s Cyber Threat Intelligence team
APT41’s use of Google Calendar for command and control is a stark reminder that adversaries are increasingly leveraging legitimate cloud services to mask malicious activity.
This tactic complicates detection and underscores the need for behavioral analytics that go beyond traditional detection based on indicators of compromise (IOCs), that is, known artifacts such as malicious IP addresses, file hashes, or domain names associated with previous attacks.
The three-stage architecture of TOUGHPROGRESS reflects a growing trend in modular malware design, allowing attackers to adapt payloads dynamically and evade static defenses. This modularity also facilitates reuse across campaigns, making attribution and mitigation more complex.
Void Blizzard: a new threat to critical sectors
Microsoft identified a new Russia-affiliated threat actor called Void Blizzard, which is actively conducting cyberespionage campaigns against critical sectors. The group uses stolen credentials and spear phishing tactics to infiltrate networks and exfiltrate large volumes of sensitive data.
Who is Void Blizzard targeting?
Void Blizzard was observed targeting organizations across multiple sectors, including communications/telecommunications, defense, healthcare, education, government agencies and services, information technology, intergovernmental organizations, media, NGOs, and transportation.
Most commonly, the group is targeting government organizations and law enforcement agencies, especially those in NATO member states.
How does Void Blizzard gain initial access?
The group primarily uses unsophisticated techniques for initial access, including password spraying and credential theft. Microsoft believes the group obtains cookies and credentials via the cybercriminal ecosystem and then uses these to access services like Exchange and SharePoint Online.
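Password spraying is detectable precisely because it is unsophisticated: one source tries a small number of guesses against many accounts in a short time, which looks nothing like a single user mistyping a password. The script below is an added example, not Microsoft's detection logic, that slides a time window over failed sign-ins per source IP and alerts when the count of distinct accounts in one window reaches a threshold, then reports which sprayed accounts that source later signed into. The record shape (`ts`, `ip`, `user`, `result`), the window, the threshold and the sample records are assumptions constructed for the example rather than a real sign-in log schema.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def detect_password_spray(records, window=timedelta(minutes=15), min_users=5) -> dict:
    """Flag source IPs whose failed sign-ins hit >= min_users distinct accounts inside one window.

    Returns ip -> {"distinct_users": peak distinct accounts seen in a single window,
                   "later_success_for": sprayed accounts that the same IP then signed into}.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append((datetime.fromisoformat(r["ts"]), r["user"], r["result"]))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()  # chronological; tuples sort on the timestamp first
        failures = [(t, u) for t, u, res in events if res == "Failure"]
        active = Counter()  # accounts with a failure inside the current window
        left, peak = 0, 0
        for t, u in failures:  # sliding window over time-ordered failures
            active[u] += 1
            while t - failures[left][0] > window:
                old_user = failures[left][1]
                active[old_user] -= 1
                if active[old_user] == 0:
                    del active[old_user]
                left += 1
            peak = max(peak, len(active))
        if peak >= min_users:
            sprayed = {u for _, u in failures}
            successes = sorted({u for _, u, res in events if res == "Success" and u in sprayed})
            alerts[ip] = {"distinct_users": peak, "later_success_for": successes}
    return alerts


def _signin(ts: str, ip: str, user: str, result: str) -> dict:
    return {"ts": ts, "ip": ip, "user": user, "result": result}


# Constructed sign-in records (assumed minimal shape, not Microsoft's export schema).
SAMPLE_SIGNINS = [
    # one user mistyping a password from a normal address, then succeeding
    _signin("2025-04-10T08:00:00", "198.51.100.4", "alice", "Failure"),
    _signin("2025-04-10T08:00:20", "198.51.100.4", "alice", "Failure"),
    _signin("2025-04-10T08:00:45", "198.51.100.4", "alice", "Success"),
    # one source trying a single guess against many accounts, then landing on one
    _signin("2025-04-10T08:10:00", "203.0.113.7", "alice", "Failure"),
    _signin("2025-04-10T08:10:30", "203.0.113.7", "bob", "Failure"),
    _signin("2025-04-10T08:11:00", "203.0.113.7", "carol", "Failure"),
    _signin("2025-04-10T08:11:30", "203.0.113.7", "dave", "Failure"),
    _signin("2025-04-10T08:12:00", "203.0.113.7", "erin", "Failure"),
    _signin("2025-04-10T08:12:30", "203.0.113.7", "frank", "Failure"),
    _signin("2025-04-10T08:17:00", "203.0.113.7", "erin", "Success"),
]

if __name__ == "__main__":
    for ip, info in detect_password_spray(SAMPLE_SIGNINS).items():
        print(f"{ip}: {info['distinct_users']} accounts sprayed; "
              f"later success for {info['later_success_for']}")
```

The `later_success_for` field is the part worth paging someone for: a spray that ends in a successful sign-in is the moment the actor moves from guessing to the post-access activity described further down, so that account's sessions and tokens should be revoked and its recent Exchange and Graph activity reviewed. Tuning the window and threshold against a site's normal failure rate keeps the noise from shared NAT addresses manageable.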
In April 2025, Microsoft identified a Void Blizzard spear phishing campaign that used the adversary-in-the-middle (AiTM) technique. This campaign targeted 20+ NGOs in the United States and Europe.
The phishing emails pretended to come from the European Defense and Security Summit and contained PDFs of a fake invitation to the event. The PDF contained a QR code that led to a typosquatted domain that spoofed Microsoft Online. The phishing page closely mimicked the Microsoft Entra authentication portal. Microsoft also believes that Void Blizzard is likely using the Evilginx framework to carry out campaigns like this.
What happens after initial access?
Once the group obtains initial access to an environment, it abuses legitimate cloud APIs, including Exchange Online and Microsoft Graph. This enables it to enumerate the mailboxes of targets along with various cloud-hosted files.
In some campaigns, the actors also accessed Microsoft Teams conversations, specifically in the web client.
Analyst comments from Tanium’s Cyber Threat Intelligence team
It’s not often that we hear about a new threat actor or group. Void Blizzard may be using less sophisticated techniques, but its ability to successfully compromise organizations is a reminder that the more “basic” strategies can still be real threats. For that reason, having detections and awareness of the more basic Tactics, Techniques, and Procedures (TTPs) can prove critical.
As usual, Microsoft has provided mitigation and protection guidance related to identity and authentication, email security, and post-compromise activity. Microsoft also included various Defender detections and hunting queries to help find related Void Blizzard activity.
Do you have insight into these stories that you want to share? Head over to Tanium’s discussion forum to start a conversation.
For further reading, catch up on our recent cyber threat intelligence roundups.