My colleagues identified staging infrastructure from #BlueBravo (activity overlapping with #APT29 and NOBELIUM) hosting #GraphicalNeutrino malware within a malicious ZIP file. Besides using a compromised website as part of the lure operation, the use of #Notion for C2 is particularly interesting: https://www.recordedfuture.com/bluebravo-uses-ambassador-lure-deploy-graphicalneutrino-malware