Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 17:42:52 UTC
Home > List all groups > List all tools > List all groups using tool WellMail
 Tool: WellMail
Names WellMail
Category Malware
Type Backdoor
Description
(NCSC-UK) WellMail is a lightweight tool designed to run commands or scripts with
the results being sent to a hardcoded Command and Control (C2) server.
The NCSC has named this malware ‘WellMail’ due to file paths containing the word
‘mail’ and the use of server port 25 present in the sample analysed. Similar to WellMess,
WellMail uses hard-coded client and certificate authority TLS certificates to
communicate with C2 servers.
The binary is an ELF utility written in Golang which receives a command or script to be
run through the Linux shell. To our knowledge, WellMail has not been previously
named in the public domain.
Information
MITRE ATT&CK Malpedia https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=011052ce-7891-4761-88ca-b493dcf2f15d
Page 1 of 2

AlienVault OTX <https://otx.alienvault.com/browse/pulses?q=tag:WellMail>
Last change to this tool card: 30 December 2022
Download this tool card in JSON format
All groups using tool WellMail
Changed Name Country Observed
APT groups
  APT 29, Cozy Bear, The Dukes 2008-Feb 2025
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=011052ce-7891-4761-88ca-b493dcf2f15d
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=011052ce-7891-4761-88ca-b493dcf2f15d
Page 2 of 2