Russian Hackers Make The Rounds With Ceeloader Malware

Russian hacking group is using new stealthy type of malware called Ceeloader. The Nobelium hacking group has continued to breach gov’t and enterprise networks worldwide by targeting their cloud and managed service providers:

Ceeloader communicates via HTTP, while the C2 response is decrypted using AES-256 in CBC mode.

The custom Ceeloader downloader is installed and executed by a Cobalt Strike beacon as needed and does not include persistence to allow it to automatically run when Window is started.

Nobelium has used numerous custom malware strains in the past, specifically during the Solarwinds attacks and in a phishing attack against the United States Agency for International Development (USAID).


To hamper attempts at tracing the attacks, Nobelium uses residential IP addresses (proxies), TOR, VPS (Virtual Private Services), and VPN (Virtual Private Networks) to access the victim’s environment.

In some cases, Mandiant identified compromised WordPress sites used to host second-stage payloads that are fetched and launched into memory by Ceeloader.

Finally, the actors used legitimate Microsoft Azure-hosted systems with IP addresses that had proximity to the victim’s network. 

This approach helps blend external activity and internal traffic, making detecting the malicious activity unlikely and the analysis harder.

Eddy Bobritsky, CEO, Minerva Labs ( had this commentary:

“The Ceeloader looks to be another evolution step in the ever increasing malware sophistication, using more improved evasion techniques and very specific low level attack methods such as file-less downloading and memory injection.

Most traditional antiviruses and protection services base their detection on known signatures and threat actor behaviors. This makes attacks like these very difficult to mitigate for zero-day and unknown malware variants, especially those designed to evade detection, and require specialized approaches like implementation of Hostile Environment Simulation Models along with other anti-evasion protection techniques.”

This seems pretty scary for admins and those who are charged with protecting networks from being hacked and pwned. I guess it’s time for everyone to bring their “A” game to keep this threat at bay.

Leave a Reply

%d bloggers like this: