Skip Navigation
BlackBerry Blog

BlackBerry Protects Against Nobelium Malware Attacks

Late last week Microsoft identified that NOBELIUM, the group behind the attacks against SolarWinds, had initiated a new spear-phishing campaign. These threat actors were able to gain access to an email marketing account for the U.S. government development agency USAID, which they used to send messages intended to trick users into clicking malicious URLs.

As these messages were mass-mailed, it’s likely that many of these emails were intercepted automatically by spam filters. It is still important to be vigilant against spear-phishing campaigns such as these, as a threat actor’s tactics can change rapidly.

BlackBerry authored a custom rule to identify and mitigate against the techniques utilized by the NOBELIUM group. The new rule is available for customers to download through MyAccount by accessing the Nobelium email-based attack Optics Rules Knowledge Base (KB) article (000079873)

BlackBerry’s Threat Research Team has analyzed the cyber-attack chain for this threat and in addition to basic cyber hygiene steps, strongly urges customers to ensure your systems have BlackBerry® Protect enabled with a blocking policy and BlackBerry® Optics enabled to block threats that trigger the rules noted below.

The good news? BlackBerry Protect, BlackBerry Optics and BlackBerry® Guard stop these attacks.

Our customers can feel confident that our AI-driven security products, as well as our Managed Detection & Response (MDR) solution, are all well-equipped to mitigate the risks posed by threat actors leveraging patch vulnerabilities.

  • BlackBerry® Protect, our endpoint protection solution, can help shield customers from the NOBELIUM attack. BlackBerry Protect stops the attack during the reported first stage of malware execution, protecting customers from further impact.
  • BlackBerry® Optics, our endpoint detection and response (EDR) solution, can also help mitigate against the attack. BlackBerry recommends the following Optics rules be activated:
    • Win Rundll32 Usage Mitre T1218
    • Win Explorer.exe calling Rundll32 Mitre T1218
  • BlackBerry® Guard customers are proactively protected, and our 24/7 MDR solution customers receive:
    • Alerts monitored in real time
    • Corrective policies applied while discovering gaps in policy implementation
    • Prioritized threat hunting
    • The latest threat intelligence for fast moving threats

Finally, any customers who are concerned that they have been compromised should refer to the Indicators of Compromise section of the Microsoft document, Breaking down NOBELIUM’s latest early-stage toolset.

The BlackBerry Incident Response team can work with organizations of any size and across any vertical, to evaluate and enhance their endpoint security posture and proactively maintain the security, integrity, and resilience of their network infrastructure. For emergency assistance, please email us at, or use our handraiser form.

Learn more about the latest cybersecurity threats and threat actors in the BlackBerry 2021 Annual Threat Report.

Eric Milam

About Eric Milam

 VP of Research Operations, BlackBerry

Eric Milam is the VP of Research Operations at BlackBerry, where he and his team track malware threats and threat actors. During his time at BlackBerry, Eric discovered and published the details of numerous emerging threats and malware variants actively being exploited in the wild.

Prior to joining BlackBerry, Eric was a highly regarded Penetration Tester and frequent conference speaker, widely known for his red-teaming exploits.