Russia-linked Nobelium APT Group Uses Custom Backdoor to Target Windows Domains
The group uses FoggyWeb to remotely exfiltrate the configuration database of compromised AD FS servers, the decrypted token-signing certificate, and the token-decryption certificate, and to execute additional components.