{
	"id": "3a075926-a8f9-4425-991c-c402ca722955",
	"created_at": "2026-04-06T00:18:17.482783Z",
	"updated_at": "2026-04-10T13:12:44.519176Z",
	"deleted_at": null,
	"sha1_hash": "74d4aaea89a9fbd57c821aed396ac83a7218cba4",
	"title": "Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic Phishing Operations | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2581722,
	"plain_text": "Backchannel Diplomacy: APT29's Rapidly Evolving Diplomatic\r\nPhishing Operations | Mandiant\r\nBy Mandiant\r\nPublished: 2023-09-21 · Archived: 2026-04-05 16:23:18 UTC\r\nWritten by: Luke Jenkins, Josh Atkins, Dan Black\r\nKey Insights\r\nAPT29’s pace of operations and emphasis on Ukraine increased in the first half of 2023 as Kyiv launched its\r\ncounteroffensive, pointing to the SVR’s central role in collecting intelligence concerning the current pivotal\r\nphase of the war.\r\nDuring this period, Mandiant has tracked substantial changes in APT29’s tooling and tradecraft, likely\r\ndesigned to support the increased frequency and scope of operations and hinder forensic analysis.\r\nAPT29 has used various infection chains simultaneously across different operations, indicating that distinct\r\ninitial access operators or subteams are possibly operating in parallel to service different regional targets or\r\nespionage objectives.\r\nThreat Detail\r\nDuring the lead up to Ukraine's counteroffensive, Mandiant and Google’s Threat Analysis Group (TAG) have tracked\r\nan increase in the frequency and scope of APT29 phishing operations. Investigations into the group’s recent activity\r\nhave identified an intensification of operations centered on foreign embassies in Ukraine. Notably, as part of this\r\nactivity, we have seen phishing emails targeting a wide range of diplomatic representations in Kyiv including those of\r\nMoscow’s partners, representing the first time we have observed this cluster of APT29 activity pursuing governments\r\nstrategically aligned with Russia. 
Based on the timing and focus of APT29’s Ukraine-focused operations, we judge\r\nthey are intended to aid Russia’s Foreign Intelligence Service (SVR) in intelligence collection concerning the current\r\npivotal phase of the war.\r\nAPT29’s increased phishing activity in Ukraine has occurred alongside an uptick in the group’s more routine\r\nespionage operations against global diplomatic entities. Across these malware delivery operations, APT29 continues\r\nto prioritise European Ministries of Foreign Affairs and embassies, but it has also sustained operations that are global\r\nin scope and illustrative of Russia’s far-reaching ambitions and interests in other regions. The current secondary focus\r\nis concentrated in Asia, with governments in Türkiye (formerly known as Turkey), India, and other regions of vital\r\nstrategic importance to Moscow such as Africa factoring into its 2023 priorities. We judge that Russia’s war in\r\nUkraine has almost certainly shaped APT29’s espionage priorities, but it has not supplanted them.\r\nWe track this diplomatic-focused phishing activity as operationally distinct from APT29’s ongoing initial access\r\noperations targeting cloud-based Microsoft products. Although APT29’s cloud-focused exploitation may lead to the\r\ncompromise of diplomatic entities, variance in the scale, quality and targeting patterns of the two lines of effort\r\nhttps://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing\r\nPage 1 of 24\n\nindicate that they are highly likely distinct initial access clusters operating with different priorities and levels of\r\ncapability. 
However, we continue to see significant overlap in post-compromise methods across both lines of effort,\r\nindicating that multiple initial access teams may hand-off to a centralized exploitation team once inside a victim\r\nenvironment.\r\nFigure 1: APT29’s distinct initial access clusters\r\nAlongside the increased pace of operations and changes in targeting, we have also seen a major shift in the group’s\r\ntooling and tradecraft. APT29 has rebuilt several of its tools and has made repeated iterative modifications to its\r\nexisting malware delivery chain, likely to ensure its operational longevity despite long-term persistent use. We assess\r\nthat several of these changes are highly likely specifically designed to sidestep research methods and tools commonly\r\nused by the threat intelligence community to track their operations, indicating that operational security priorities\r\ncontinue to factor heavily into APT29’s tooling decisions.\r\nAPT29’s Evolving Approach to Malware Delivery\r\nStarting in 2021, APT29 adopted a tactic called HTML smuggling in its malware delivery operations, hiding its first-stage JavaScript dropper in malicious HTML attachments we call ROOTSAW (also known as EnvyScout). As\r\ndetailed in previous research by Mandiant, CERT-Polska, Palo Alto Networks and others, ROOTSAW has been a\r\nconstant feature of APT29's operations over the past two years and has been the primary vehicle to decode and\r\ndeliver the group’s next stage malware. Upon opening the archive file, victims are presented with either a Windows\r\nshortcut (LNK) file or a legitimate software binary, that when opened, executes an accompanying DLL, leading to\r\ncommodity backdoors such as BEACON or BRC4 (Brute Ratel C4) executing on the system.\r\nROOTSAW’s central and continued role in APT29 operations has spurred changes to the malware delivery chain\r\nover time. 
The most visible change has been the move away from HTML attachments as the initial infection vector,\r\nwith APT29 shifting to hosting its first-stage payloads on compromised web services such as WordPress sites.\r\nMigrating the first-stage payload server side has likely provided APT29 a greater degree of control over its malware\r\ndelivery chain and allowed the group to be more judicious about the exposure of its later-stage capabilities. For\r\nexample, to prevent detection of malware in environments not intended for compromise, APT29 has implemented\r\nvarious forms of filtering in its first-stage payloads and has removed staged malware from compromised servers\r\nshortly after operational use. Notably, these efforts have also prevented payloads from being acquired by public malware\r\nrepositories and other common security research tools, helping to avoid detection and extend the operational lifespan\r\nof its newer malware variants.\r\nFigure 2: APT29’s diverse first-stage delivery methods\r\nAs the following campaigns, tracked throughout the first half of 2023, show, APT29 has made continuous,\r\niterative efforts to introduce additional obfuscation and anti-analysis components into its operations. The group has\r\nexperimented with various obfuscation techniques such as the use of JavaScript Obfuscator, delivery and execution\r\nguardrails, hosting decryption keys server side, and delivering decoy documents when victim profiling checks fail. In\r\nthis accelerated period of tooling evolution, the group has also begun to rotate in novel malware delivery tools and\r\ntechniques instead of its mainstay first-stage payload.\r\nMarch 2023: Earthquake-Themed Türkiye Campaign\r\nIn March 2023, Mandiant identified a new APT29 phishing campaign targeting Türkiye. 
The phishing waves\r\nimpersonated the Turkish Deputy Minister of Foreign Affairs and included a phishing link accompanied by content\r\nrelated to the February 2023 earthquake that struck southern Türkiye.\r\nThe first wave, conducted in early March, used a phishing link generated by a URL shortening service\r\n“https://tinyurl[.]com/mrxcjsbs” to redirect victims to a ROOTSAW dropper hosted on an actor-controlled\r\ncompromised website “https://www.willyminiatures[.]com/e-yazi.htm/?v=bc78a8d162c6”.\r\nWhen visited, the URL downloaded the ROOTSAW dropper \"e-yazi.htm\" (MD5:\r\na3067a0262e651e94329869f43a51722) to drop additional files onto the victim machine, including a\r\nmalicious ISO, \"e-yazi.iso\" (MD5: eeded26943a7b2fdef7608fb21bbfd66).\r\nThis is the first time Mandiant has seen APT29 introduce an additional layer of obfuscation to its\r\nphishing links using a URL shortening service.\r\nIn the second wave, victims were directed to an actor-controlled compromised website\r\n“https://simplesalsamix[.]com/e-yazi.html” to download the ROOTSAW dropper \"e-yazi.html\" (MD5:\r\nb051e8efb40c2c435d77f3be77c59488).\r\nThe second ROOTSAW sample dropped similar decoy content and a malicious ZIP file, e-yazi.zip\r\n(MD5: 854e5c592e93b69b8ab08dbc8a0b673f), that contained second-stage downloaders and an\r\nadditional ROOTSAW dropper file.\r\nIn both waves, APT29 incorporated a new version of ROOTSAW with added user-agent based anti-analysis\r\nguardrails. This variant checks the browser’s user-agent string and proceeds only if it contains the value “Windows NT”\r\nand does not contain “.NET”. As a result, if the victim is running a non-Windows based operating system or the\r\nrequest is made through a .NET client, ROOTSAW writes its embedded decoy PDF file instead of the malicious\r\npayload. In the second wave, this PDF file was identical to the version contained in the malicious ZIP payload. 
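As an added example, not code from the original post or from ROOTSAW itself, the Python below re-creates the first-wave user-agent guardrail just described and then classifies whatever a fetch returned by its file magic, so a decoy PDF handed to a sandbox, a curl script or a .NET-based downloader is not mistaken for the smuggled ISO or ZIP. The user-agent strings, byte samples and function names are the editor's own constructions, not indicators from the campaign.

```python
# Added example: emulate the user-agent guardrail described for the
# March 2023 ROOTSAW variant and triage what a fetch actually returned.
# Editor's code, not ROOTSAW; names and samples are constructed.

PDF_MAGIC = b'%PDF-'
ZIP_MAGIC = bytes([0x50, 0x4B, 0x03, 0x04])   # PK 03 04, local file header
ISO_MAGIC = b'CD001'                           # ISO 9660 PVD id at offset 0x8001


def passes_ua_guardrail(user_agent: str) -> bool:
    # The page's description of the check: deliver the payload only when the
    # user-agent contains Windows NT and does not contain .NET. macOS, Linux,
    # curl and .NET WebClient/HttpClient requests all fall through to the decoy.
    return 'Windows NT' in user_agent and '.NET' not in user_agent


def rootsaw_decision(user_agent: str) -> str:
    # What the dropper would write to disk for this user-agent.
    return 'payload' if passes_ua_guardrail(user_agent) else 'decoy_pdf'


def classify_blob(data: bytes) -> str:
    # Identify what was actually delivered by file magic, not by filename:
    # decoys and payloads share the same stem (e-yazi.pdf / e-yazi.iso).
    if data.startswith(PDF_MAGIC):
        return 'pdf'
    if data.startswith(ZIP_MAGIC):
        return 'zip'
    if len(data) > 0x8001 + len(ISO_MAGIC) and data[0x8001:0x8006] == ISO_MAGIC:
        return 'iso'
    head = data[:4096].lower()
    if b'<html' in head or b'<script' in head or b'<!doctype' in head:
        return 'html'
    return 'unknown'


def triage(user_agent: str, data: bytes) -> dict:
    # If the UA used for acquisition would have failed the guardrail and the
    # blob is a PDF, the fetch was filtered: the real payload is still unseen
    # and must be re-acquired from a Windows browser profile.
    kind = classify_blob(data)
    passed = passes_ua_guardrail(user_agent)
    return {'kind': kind,
            'guardrail_pass': passed,
            'likely_filtered_decoy': (not passed) and kind == 'pdf'}


# Constructed samples (not real ROOTSAW output) for a stand-alone run.
BROWSER_UA = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/111.0 Safari/537.36'
DOTNET_UA = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; .NET CLR 3.5.30729)'
CURL_UA = 'curl/8.0.1'
SAMPLE_PDF = b'%PDF-1.7 (constructed decoy body)'
SAMPLE_ISO = bytes(0x8001) + ISO_MAGIC + bytes(16)

if __name__ == '__main__':
    for ua in (BROWSER_UA, DOTNET_UA, CURL_UA):
        print(ua[:40], '->', rootsaw_decision(ua))
    print(triage(CURL_UA, SAMPLE_PDF))
    print(triage(BROWSER_UA, SAMPLE_ISO))
```

The later variants described below move the same decision server side and withhold the decryption key, so only the response classification half of this applies to them: a corrupt or empty body from a hunting fetch is the filtered case, not a broken sample.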
This filtering tactic is likely used to\r\nidentify automated downloaders and non-compatible victim devices, further reducing the odds of exposing malware\r\nin non-compromise contexts. Each payload within the new ROOTSAW variant is obfuscated using a unique key,\r\nalthough the deobfuscation routine remains the same.\r\nFigure 3: ROOTSAW user-agent and operating system check to determine which file to deploy\r\nMarch 2023: European Diplomatic-Focused Phishing Campaigns\r\nIn an additional phishing campaign in March 2023, APT29 targeted various diplomatic missions in Europe. Notably,\r\nin the two weeks that elapsed since the Türkiye campaign, further changes were identified, resulting in two new\r\nvariants of ROOTSAW that shifted the newly added anti-analysis guardrails server side.\r\nIn the first wave, emails contained a PDF attachment (MD5: 1485b591e654327c1d032a901940b149) inviting\r\nvictims to a drinks reception following an event on the “Future of International Economic Relations” from the\r\nEmbassy of Spain. The PDF contains a link to an actor-hosted ROOTSAW variant hosted at\r\n“https://parquesanrafael[.]cl/note.html”, ultimately leading to the deployment of MUSKYBEAT (also known\r\npublicly as QUARTERRIG).\r\nThis version of ROOTSAW sends the victim’s user-agent to the compromised server using an HTTP\r\nGET request “https://parquesanrafael[.]cl/note.php?ua=”. 
The server then performs filtering based on\r\nan actor-defined denylist, finally returning a decryption key for the payload if the tests are successfully\r\npassed.\r\nIf these tests fail, the key is withheld and ROOTSAW drops a corrupt file, rather than exposing the embedded decoy file as in\r\nprevious versions.\r\nIn the second wave, APT29 delivered an additional new variant of ROOTSAW (MD5:\r\n0d5b12c50173a176b0a8ba5a97a831d8), containing both user-agent and IP filtering, but ultimately leading to\r\nthe same MUSKYBEAT downloader.\r\nThis version conducts an additional check by obtaining the victim’s IP address through a request to a\r\npublic API service “https://api.ipify[.]org/?format=json”.\r\nFigure 4: ROOTSAW payload decryption routine\r\nApril 2023: Old Wine in a New Bottle\r\nIn April 2023, APT29 continued to modify its standard malware delivery chain, introducing a new technique for\r\nmalware delivery. In this operation, APT29 re-used one of its frequent diplomatic event-themed lure documents,\r\nspoofing the Embassy of Czechia (the Czech Republic), that invited targets to a wine tasting\r\nevent on April 13, 2023. The document contained a link to the phishing website “https://sylvio[.]com[.]br/form.php”,\r\nwhich delivered either an ISO or a ZIP archive to the victim.\r\nRather than using ROOTSAW, victims were delivered a malicious ISO or ZIP file directly from the\r\ncompromised web server if they successfully passed the server-side filtering checks.\r\nThe decision to remove the HTML smuggling stage of the infection chain was likely intended to further\r\nreduce the number of forensic artifacts left on the host that are prone to detection or later analysis.\r\nMay 2023: Ukraine Foreign Embassy-Focused Campaigns\r\nIn May, in the lead up to Ukraine’s counteroffensive, APT29 conducted two distinct phishing waves targeting a wide\r\nrange of diplomatic representations in Kyiv, including those of Moscow’s partners. 
Each campaign adopted separate\r\nintrusion chains similar to those seen in March and April 2023.\r\nIn the first wave in early May, a repurposed advert for a BMW sale in Kyiv was circulated, directing victims\r\nto an actor-controlled server at “https://resetlocations[.]com/bmw.htm”, which delivered a weaponized ISO\r\nfile, \"bmw.iso\" (MD5: e306333093eaf198f4d416d25a40784a).\r\nThe version of ROOTSAW used in this campaign shares similarities to variants used in March against\r\nTürkiye. Depending on user-agent filtering, either the ISO or a decoy image of the BMW would be delivered.\r\nIn the second wave mid-May, an invite for a charity concert in Kyiv with a mistyped filename\r\n“Invintation.zip” (MD5: 38719acc6254b7ff70dc8a7723bd8e92) was sent to targets, likely also using a copy of\r\na legitimate document.\r\nSimilar to the April wine-themed campaign, payloads were hosted directly on actor-controlled\r\ninfrastructure that used user-agent filtering to deliver either a ZIP file with decoy PDF documents\r\n(MD5: 38719acc6254b7ff70dc8a7723bd8e92), or a ZIP file containing second-stage payloads\r\n(MD5: 1aee5bf23edb7732fd0e6b2c61a959ce) to victims.\r\nFigure 5: Likely repurposed legitimate invite to a charity concert in Ukraine\r\nJune 2023: Split ROOTSAW Campaign\r\nIn late June, Mandiant identified an additional APT29 phishing campaign with a new variant of ROOTSAW to target\r\na European government. Phishing emails were sent from a compromised North American government email address\r\nand crafted to appear as an invitation to a public holiday celebration from Norwegian embassy personnel. 
Two\r\ndifferent delivery mechanisms were used in this campaign: a PDF (MD5: b4141aa8d234137f0b9549a448158a95)\r\ncontaining a link to an actor-hosted ROOTSAW variant, and emails with an attached Scalable Vector Graphic (SVG)\r\nfile (MD5: 295527e2e38da97167979ade004de880) rather than the typical HTML payload.\r\nNotably, although APT29 used a compromised WordPress server to host the ROOTSAW payload, non-valid\r\ntargets received a generic HTTP 404 error rather than the traditional WordPress 404.\r\nMandiant has identified that once APT29 removes the server side functionality, the compromised WordPress\r\nsite will start displaying the correct WordPress 404 error indicating that the file was not found. We therefore\r\nsuspect that organisations compromised by APT29 to deliver malware will likely not find logs for this activity\r\nwithin WordPress, although they may exist within other services such as the underlying web server.\r\nThe ROOTSAW variant contained in the SVG file is similar to those first identified in 2021, indicating that\r\nthe threat actor may have only recently adopted SVG files for its HTML smuggling technique. Consistent with\r\nother cases where APT29 has introduced new delivery methods for ROOTSAW, the group reverted to a\r\nprimitive ROOTSAW payload without anti-analysis techniques or other forms of hardening.\r\nFigure 6: Traditional 404 error from compromised APT29 infrastructure\r\nFigure 7: 404 error from IP filtered by APT29\r\nJuly 2023: ICEBEAT Campaign\r\nIn July, APT29 continued to experiment with new ROOTSAW delivery mechanisms and victim filtering capabilities\r\nin an operation deploying a new downloader ICEBEAT to target European diplomatic entities. 
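An added example (editor's code, not Mandiant's tooling and not APT29's) of the 404 comparison implied by the June observation above: fetch the suspected staging path and an arbitrary control path on the same WordPress host, and flag the case where the control path gets the theme-rendered 404 while the staging path gets a bare one. That pattern means a server-side filter, not WordPress, is answering the staging path, which is also why WordPress logs will not show those requests. The two HTML bodies are constructed for the example, and the marker list is an assumption about what a theme-rendered WordPress 404 typically contains.

```python
# Added example: distinguish a WordPress-rendered 404 from a bare 404 produced
# by actor-added server-side filtering. Editor's code, not from the post.

# Assumed markers of a theme-rendered WordPress 404 (asset paths, body class).
WP_MARKERS = (b'wp-content', b'wp-includes', b'wp-json', b'<body class=')


def looks_like_wordpress_404(body: bytes) -> bool:
    # A real WordPress 404 goes through the theme and references theme or
    # plugin assets; a bare 404 from a PHP script or the web server does not.
    # Require two markers so a single stray string does not count.
    low = body.lower()
    return sum(1 for m in WP_MARKERS if m in low) >= 2


def selective_404(target_body: bytes, control_body: bytes) -> dict:
    # target_body:  404 body from the suspected staging path (e.g. /note.html)
    # control_body: 404 body from a random path on the same host
    target_wp = looks_like_wordpress_404(target_body)
    control_wp = looks_like_wordpress_404(control_body)
    # Only suspicious when the host demonstrably serves WordPress 404s but the
    # staging path gets something else. Two bare 404s prove nothing.
    return {'target_is_wp_404': target_wp,
            'control_is_wp_404': control_wp,
            'selective_filtering': control_wp and not target_wp}


# Constructed responses (not captured from any real site).
WP_404 = (b'<!DOCTYPE html><html><head><link rel=stylesheet '
          b'href=https://example.invalid/wp-content/themes/t/style.css>'
          b'<script src=https://example.invalid/wp-includes/js/jquery.js></script>'
          b'</head><body class=error404>Page not found</body></html>')
BARE_404 = (b'<html><head><title>404 Not Found</title></head>'
            b'<body>File not found.</body></html>')

if __name__ == '__main__':
    print(selective_404(BARE_404, WP_404))   # filter still in place
    print(selective_404(WP_404, WP_404))     # filter removed, WordPress answers
```

When the staging path already returns the WordPress 404, the actor may simply have removed the server-side component, as the text notes; in that case the web server access log, not WordPress, is where the earlier filtered requests would still be recorded.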
Emails were sent\r\npurporting to be an invite from a non-specified German embassy for an Ambassador’s farewell reception. Of note,\r\nICEBEAT’s use of the open source Zulip messaging platform for command and control (C2) follows a pattern of past\r\nAPT29 downloaders using legitimate services for command and control including Dropbox, Firebase, OneDrive and\r\nTrello.\r\nFor the first time in this campaign, ROOTSAW was contained within a PDF document. When opened, the\r\nPDF document writes an HTML file to disk, that when launched, writes a follow-on ZIP file to disk and\r\nbeacons to an actor controlled domain “https://sgrfh[.]org.pk/wp-content/idx.php?n=ks\u0026q=” to profile victim\r\ninformation.\r\nVictims who met filtering requirements were delivered a “Save the date” decoy PDF document (MD5:\r\n50f57a4a4bf2c4b504954a36d48c99e7) together with the next-stage downloader ICEBEAT, which is responsible\r\nfor downloading follow-on capabilities from the Zulip messaging service.\r\nIn instances where the victim did not meet filtering requirements, a separate benign decoy document\r\nreferencing German Unity Day (MD5: ffce57940b0257a72db4969565cbcebc) was delivered in place of\r\nICEBEAT.\r\nFigure 8: Decoy lure used by APT29 for filtered victims\r\nFigure 9: PDF decoy document used during successful malware delivery\r\nMalware Choices Possibly Reflect Distinct APT29 Subteams\r\nBeyond the continued adaptation of APT29’s malware delivery chain, Mandiant has also observed dedicated efforts\r\nto update and evolve the group’s later-stage malware into multiple variations, increasing the quantity and quality of\r\ntooling used across its campaigns. At least six distinct downloaders have been identified during the first half of 2023:\r\nBURNTBATTER is an in-memory loader responsible for decrypting and executing a payload from disk into a\r\nrunning process. 
BURNTBATTER has been witnessed loading the SPICYBEAT downloader via a position-independent shellcode dropper called DONUT.\r\nDONUT is a publicly available tool that creates position-independent shellcode that loads .NET assemblies,\r\nPE files, and other Windows payloads from memory and runs them with parameters.\r\nSPICYBEAT is a downloader written in C++ responsible for downloading a next-stage payload from either\r\nDropbox or Microsoft's OneDrive.\r\nMUSKYBEAT is an in-memory dropper that decodes the next-stage payload and strings using RC4 and\r\nexecutes in the current process.\r\nSTATICNOISE is a downloader written in C responsible for downloading and executing the final-stage\r\npayload in memory.\r\nDAVESHELL is shellcode that functions as an in-memory dropper relying on reflective injection. Its embedded\r\npayload is mapped into memory and executed. DAVESHELL is based on a publicly available repository.\r\nFigure 10: APT29’s Second-Stage Downloaders Used in 2023\r\nAs noted in the June 2023 campaign, we have also witnessed APT29 operating various infection chains\r\nsimultaneously within a single campaign, suggesting that distinct initial access operators or subteams may be\r\noperating in parallel to service different regional targets or espionage objectives. 
Although we have been unable to\r\nascertain the specific logic behind decisions about which malware delivery approach to use or when to introduce new\r\nlater-stage malware variants, we judge with low confidence that they are likely driven by mission-specific parameters\r\nsuch as targets or operational objectives.\r\nThe first use of new capabilities is typically reserved for targets inside Ukraine or diplomatic entities\r\nassociated with North Atlantic Treaty Organization (NATO) or European Union (EU) member states, areas of\r\nlikely heightened strategic importance given Moscow’s need to understand political and military dynamics\r\nsurrounding its war in Ukraine.\r\nUpon first use of new tactics or tools in higher risk environments, we have observed APT29 incorporate these\r\nnew tools into its broader operations with minimal changes, pointing to the group’s possible changing risk\r\ncalculus after first exposure.\r\nPatterns of controlled first-use possibly extend back to the emergence of APT29’s diplomatic-focused\r\nphishing cluster in 2021. 
In May 2021, during Russia’s initial troop build-up around Ukraine, Mandiant\r\nidentified an APT29 operation using ICEBREAKER, a modified variant of BOOMMIC (also known as\r\nVaporRage) embedded in software mimicking an installer for a legitimate Ukrainian government application.\r\nAs detailed by SentinelOne, multiple aspects of the malware delivery chain were likely tailored for a highly-targeted operation against Ukrainian government entities.\r\nConclusions\r\nThe increased scope and frequency of APT29's diplomatic-focused spear phishing campaigns in the first half of 2023\r\nhave compelled the initial access team to make repeated modifications to its long-standing malware delivery chain.\r\nEfforts to move capabilities server side, introduce anti-analysis components, and deliver decoy documents in non-compromise contexts have likely helped the group extend the shelf-life of its ROOTSAW-centred concept of\r\noperations. Even with this unprecedented pace of change, the group has remained highly operational security\r\nconscious, and has taken repeated steps to circumvent the methods that security researchers use to track and respond\r\nto its activity.\r\nAPT29's increased operational tempo has also exposed patterns of operations that likely reflect different initial access\r\noperators or subteams supported by a centralized development team. More generally, these patterns likely reflect a\r\ngrowing mission and pool of resources dedicated to collecting political intelligence, and the group will almost\r\ncertainly continue to pose a high severity threat to governments and diplomatic entities globally.\r\nProtecting The Community\r\nAs part of our efforts to combat serious threat actors, TAG uses the results of our research to improve the safety and\r\nsecurity of Google’s products. 
Upon discovery, all identified websites and domains are added to Safe Browsing to\r\nprotect users from further exploitation. TAG also sends all targeted Gmail and Workspace users government-backed\r\nattacker alerts notifying them of the activity and encourages potential targets to enable Enhanced Safe Browsing for\r\nChrome and ensure that all devices are updated. Where possible, Mandiant sends victim notifications via the Victim\r\nNotification Program. We are committed to sharing our findings with the security community to raise awareness, and\r\nwith companies and individuals that might have been targeted by these activities. We hope that improved\r\nunderstanding of tactics and techniques will enhance threat hunting capabilities and lead to stronger user protections\r\nacross the industry.\r\nAppendix\r\nATT\u0026CK Matrix\r\nATT\u0026CK Tactic Category Techniques\r\nResource Development\r\nAcquire Infrastructure (T1583)\r\nVirtual Private Server (T1583.003)\r\nCompromise Infrastructure (T1584)\r\nStage Capabilities (T1608)\r\nLink Target (T1608.005)\r\nObtain Capabilities (T1588)\r\nDigital Certificates (T1588.004)\r\nInitial Access\r\nPhishing (T1566)\r\nSpearphishing Attachment (T1566.001)\r\nSpearphishing Link (T1566.002)\r\nExternal Remote Services (T1133)\r\nExecution\r\nUser Execution (T1204)\r\nMalicious Link (T1204.001)\r\nMalicious File (T1204.002)\r\nCommand and Scripting Interpreter (T1059)\r\nPowerShell (T1059.001)\r\nWindows Command Shell (T1059.003)\r\nJavaScript (T1059.007)\r\nScheduled Task/Job (T1053)\r\nScheduled task (T1053.005)\r\nPersistence\r\nScheduled Task/Job (T1053)\r\nScheduled task (T1053.005)\r\nPrivilege Escalation\r\nProcess Injection (T1055)\r\nScheduled Task (T1053)\r\nScheduled task (T1053.005)\r\nDefence Evasion\r\nProcess Injection (T1055)\r\nObfuscated Files or information (T1027)\r\nIndicator Removal from Tools 
(T1027.005)\r\nHTML Smuggling (T1027.006)\r\nEmbedded Payloads (T1027.009)\r\nVirtualization/Sandbox Evasion (T1497)\r\nSystem Checks (T1497.004)\r\nModify Registry (T1112)\r\nDeobfuscate/Decode Files or Information (T1140)\r\nReflective Code Loading (T1620)\r\nIndicator Removal (T1070)\r\nFile deletion (T1070.004)\r\nTimestomp (T1070.006)\r\nMasquerading (T1036)\r\nDiscovery\r\nProcess Discovery (T1057)\r\nSoftware Discovery (T1518)\r\nQuery Registry (T1012)\r\nAccount Discovery (T1087)\r\nLocal Account (T1087.001)\r\nDomain Account (T1087.002)\r\nSystem Information Discovery (T1082)\r\nFile and Directory Discovery (T1083)\r\nCommand and Control\r\nWeb Service (T1102)\r\nApplication Layer Protocol (T1071)\r\nWeb Protocols (T1071.001)\r\nDNS (T1071.004)\r\nEncrypted Channel (T1573)\r\nAsymmetric Cryptography (T1573.002)\r\nNon-Application layer Protocol (T1095)\r\nNon-Standard Port (T1571)\r\nIngress Tool Transfer (T1105)\r\nExfiltration\r\nData Transfer Size Limits (T1030)\r\nDetection Rules\r\nrule M_Dropper_BURNTBATTER_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2023/04/26\"\r\n description = \"Searches for the custom chaskey implementation\"\r\n version = \"1\"\r\n weight = \"100\"\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n strings:\r\n $chaskey_imp = {41 81 C8 20 20 20 20 41 81 F8 6B 65 72 6E}\r\n condition:\r\n any of them\r\n}\r\nrule M_Dropper_Donut_1\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2023-04-12\"\r\n description = \"Detects the structure of the Donut loader\"\r\n version = \"1\"\r\n weight = \"100\"\r\n condition:\r\n uint8(0) == 0xE8 and uint32(1) == uint32(5) and uint8(uint32(1)+5) == 0x59\r\n}\r\nrule M_Downloader_STATICNOISE_1\r\n{\r\n meta:\r\n author = 
\"Mandiant\"\r\n date_created = \"2023-04-14\"\r\n description = \"Detects the deobfuscation algorithm and rc4 from STATICNOISE\"\r\n version = \"1\"\r\n weight = \"100\"\r\n strings:\r\n $ = {41 8A C8 48 B8 [8] 80 E1 07 C0 E1 03 48 D3 E8 41 30 04 10 49 FF C0}\r\n $ = {80 E1 07 C0 E1 03 48 b8 [8] 48 D3 E8 30 04 17 48 FF C7 48 83 FF}\r\n $ = {40 88 2C 3A 49 8B 02 88 0C 06 45 89 0B 44 89 03 4D 8B 0A}\r\n $ = {4D 8B 0A 46 0F BE 04 0A 44 03 C1 41 81 E0 FF 00 00 80}\r\n condition:\r\n all of them\r\n}\r\nrule M_Dropper_MUSKYBEAT_1 {\r\n meta:\r\n author = \"Mandiant\"\r\n date_created = \"2023-04-06\"\r\n description = \"Detects the RC4 encryption algorithm used in MUSKYBEAT\"\r\n version = \"1\"\r\n weight = \"100\"\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n strings:\r\n $ = {42 8A 14 04 48 8D ?? ?? ?? ?? ?? 8A C2 41 02 04 08 44 02 D0 41 0F B6 CA}\r\n $ = {41 B9 04 00 00 00 41 B8 00 30 00 00 48 8B D3 33 C9}\r\n condition:\r\n all of them\r\n}\r\nrule M_Hunting_DaveShell_Dropper_1_2\r\n{\r\n meta:\r\n author = \"Mandiant\"\r\n description = \"Detects Shellcode RDI projects from https://github.com/monoxgas/sRDI/blob/master/ShellcodeR\r\n disclaimer = \"This rule is meant for hunting and is not tested to run in a production environment.\"\r\n strings:\r\n $ep = {E8 00 00 00 00 59 49 89 C8 BA [4] 49 81 c0 [4] 41 b9 [4] 56 48 89 e6 48 83 ?? f0 48 83 ec 30 48 89 4\r\n condition:\r\n $ep at 0\r\n}\r\nMandiant Security Validation Actions\r\nMandiant Advantage Security Validation can automate the following process to give you real data on how your\r\nsecurity controls are performing against these threats.\r\nThe following table is a subset of MSV actions for one of the malware variants. 
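The M_Dropper_Donut_1 rule in the Detection Rules appendix above keys on the layout of the Donut loader stub: a CALL whose rel32 displacement equals the length field that begins the embedded instance, so that the call lands on the POP that recovers the instance address. As an added example, not from the post, here is that condition re-implemented in Python and run over a constructed blob with the same layout, so each of the three terms can be stepped through. The blob is synthetic, not a Donut sample, and the function names are the editor's.

```python
# Added example: the M_Dropper_Donut_1 condition from the appendix,
# re-implemented to show what each term tests. Editor's code, not Mandiant's.
#
#   uint8(0) == 0xE8              first byte is CALL rel32
#   uint32(1) == uint32(5)        the rel32 equals the dword right after the
#                                 CALL, which in Donut is the instance length
#                                 field that opens the embedded instance
#   uint8(uint32(1)+5) == 0x59    the CALL target is POP rcx/ecx, which leaves
#                                 the instance address in the first argument


def u32(data: bytes, off: int) -> int:
    # little-endian uint32 at off, matching YARA's uint32(off)
    return int.from_bytes(data[off:off + 4], 'little')


def matches_donut_rule(data: bytes) -> bool:
    if len(data) < 9 or data[0] != 0xE8:
        return False
    rel32 = u32(data, 1)
    if rel32 != u32(data, 5):
        return False
    target = rel32 + 5   # CALL displacement is relative to the next instruction
    return len(data) > target and data[target] == 0x59


def build_synthetic_stub(instance_len: int) -> bytes:
    # Constructed blob with the Donut-like layout:
    #   E8 <rel32 = instance_len> | instance (len field first) | 59 C3
    # Not a real Donut sample; only the layout the rule inspects is present.
    length = instance_len.to_bytes(4, 'little')
    instance = length + bytes(instance_len - 4)
    return bytes([0xE8]) + length + instance + bytes([0x59, 0xC3])


def scan(blobs: dict) -> dict:
    # Run the rule over named blobs, like a small hunting pass.
    return {name: matches_donut_rule(blob) for name, blob in blobs.items()}


# Constructed inputs: one Donut-shaped stub, one PE header, and one ordinary
# call-over-data stub whose data does not start with its own length, which
# is exactly the case the second term of the rule rejects.
SAMPLES = {
    'synthetic_donut': build_synthetic_stub(0x40),
    'mz_header': bytes([0x4D, 0x5A]) + bytes(64),
    'call_without_len_field': bytes([0xE8, 0x10, 0, 0, 0]) + bytes(0x10) + bytes([0x59]),
}

if __name__ == '__main__':
    for name, hit in scan(SAMPLES).items():
        print(name, '->', hit)
```

The middle term is what keeps the rule from matching every call-over-data trampoline: it requires the embedded data to announce its own size as the first dword, which is the Donut instance header and not a property of generic shellcode.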
Find out more about Mandiant\r\nSecurity Validation.\r\nVID: Name\r\nS100-192: Malicious Activity Scenario - APT29 Continues to Leverage Meeting Agenda Themes, ROOTSAW, SALTSHAKER to Target European Diplomatic Entities\r\nS100-199: Malicious Activity Scenario - APT29 Uses BEATDROP and BOOMMIC to Deploy BEACON\r\nS100-262: Malicious Activity Scenario - APT29 Targets with ROOTSAW, FANCYBEAT Downloaders, Variant #1\r\nA106-551: Phishing Email - Malicious Link, APT29, MUSKYBEAT, Variant #1\r\nA106-542: Command and Control - APT29, MUSKYBEAT, DNS Query\r\nA106-544: Malicious File Transfer - APT29, MUSKYBEAT Dropper, Download, Variant #1\r\nA106-545: Malicious File Transfer - APT29, MUSKYBEAT, Download, Variant #1\r\nIndicators of Compromise\r\nMarch 2023: Earthquake-Themed Türkiye Campaign\r\ne-yazi.htm (MD5: a3067a0262e651e94329869f43a51722)\r\nROOTSAW dropper\r\nRedirected from https://tinyurl[.]com/mrxcjsbs\r\nDownloaded from https://www.willyminiatures[.]com/e-yazi.htm/?v=bc78a8d162c6\r\nDrops eeded26943a7b2fdef7608fb21bbfd66\r\nDrops 4a13138e1f38b2817a63417d67038429\r\ne-yazi.pdf (MD5: 4a13138e1f38b2817a63417d67038429)\r\nDecoy PDF\r\ne-yazi.iso (MD5: eeded26943a7b2fdef7608fb21bbfd66)\r\nISO file containing next stages\r\nDrops 4b0921979d3054d9f0dad48e9560b9ca (BURNTBATTER)\r\nDrops 84b078d4a9e6e2a03e8ae1eca072dc83 (DONUT)\r\ne-yazi.html (MD5: b051e8efb40c2c435d77f3be77c59488)\r\nROOTSAW dropper\r\nDownloaded from https://simplesalsamix[.]com/e-yazi.html\r\nDrops 854e5c592e93b69b8ab08dbc8a0b673f\r\nDrops f4ef5672af889429d95f111ea65ff490\r\ne-yazi.pdf (MD5: f4ef5672af889429d95f111ea65ff490)\r\nDecoy PDF\r\nDropped by 854e5c592e93b69b8ab08dbc8a0b673f\r\nDropped by b051e8efb40c2c435d77f3be77c59488 (ROOTSAW)\r\ne-yazi.zip (MD5: 854e5c592e93b69b8ab08dbc8a0b673f)\r\nZip file containing next stages\r\nDropped by 
b051e8efb40c2c435d77f3be77c59488 (ROOTSAW)\r\nDrops 129da1e7c8613fd8c2843d9ec191e30e (BURNTBATTER)\r\nDrops aec65c1e6a6f9b3782174c192780f5b4 (DONUT)\r\nMarch 2023: European Diplomatic-Focused Phishing Campaigns\r\nNote.pdf (MD5: 1485b591e654327c1d032a901940b149)\r\nLure PDF\r\nContains link to https://parquesanrafael[.]cl/note.html\r\nnote.html (MD5: 0d5b12c50173a176b0a8ba5a97a831d8)\r\nROOTSAW dropper\r\nDownloaded from https://inovaoftalmologia[.]com[.]br/note.php?ip=\u003cIP\u003e\u0026ua=\u003cUA\u003e\r\nDrops 22adbffd1dbf3e13d036f936049a2e98\r\nnote.html (MD5: 9e42b22d66f0fe0fae24af219773ac87)\r\nROOTSAW dropper\r\nDownloaded from https://parquesanrafael[.]cl/note.html\r\nDrops 22adbffd1dbf3e13d036f936049a2e98\r\nNote.iso (MD5: 22adbffd1dbf3e13d036f936049a2e98)\r\nMalicious ISO\r\nDropped by 0d5b12c50173a176b0a8ba5a97a831d8 (ROOTSAW)\r\nDropped by 9e42b22d66f0fe0fae24af219773ac87 (ROOTSAW)\r\nDrops db2d9d2704d320ecbd606a8720c22559 (MUSKYBEAT encrypted payload)\r\nDrops 166f7269c2a69d8d1294a753f9e53214 (MUSKYBEAT)\r\nApril 2023: Old Wine in a New Bottle\r\nwine event.pdf (MD5: 62b2031f8988105efdf473bdfedd07f5)\r\nMalicious lure PDF file\r\nDownloads from https://sylvio[.]com[.]br/form.php\r\nnote.zip (MD5: efe86302838ad2ab091540f4e0f7b75a)\r\nZip file containing next stages\r\nNOTE____.EXE (MD5: b1820abc3a1ce2d32af04c18f9d2bfc3)\r\nLegitimate Microsoft Word binary used for DLL side-loading\r\nOriginal name: winword.exe\r\nCompiled on: 2022/12/22 19:27:25\r\nnote/appvisvsubsystems64.dll (MD5: 9159d3c58c5d970ed25c2db9c9487d7a)\r\nMUSKYBEAT dropper\r\nOriginal name: hijacker.dll\r\nCompiled on: 2023/04/06 08:49:45\r\nDropped by efe86302838ad2ab091540f4e0f7b75a\r\nDrops bc4b0bd5da76b683cc28849b1eed504d (MUSKYBEAT)\r\nnote/bdcmetadataresource.xsd (MD5: bc4b0bd5da76b683cc28849b1eed504d)\r\nEncrypted next stage\r\nDropped by efe86302838ad2ab091540f4e0f7b75a\r\nDropped by 
9159d3c58c5d970ed25c2db9c9487d7a (MUSKYBEAT)\r\nDrops 0065cffe5a1c6a33900b781835aa9693 (DAVESHELL)\r\nUnknown (MD5: 0065cffe5a1c6a33900b781835aa9693)\r\nDAVESHELL dropper\r\nDropped by bc4b0bd5da76b683cc28849b1eed504d (MUSKYBEAT)\r\nDrops 16d489cc5a91e7dbe74d1c9399534eac (MUSKYBEAT)\r\nrunner.dll (MD5: 16d489cc5a91e7dbe74d1c9399534eac)\r\nMUSKYBEAT dropper\r\nOriginal name: runner.dll\r\nCompiled on: 2023/04/06 08:50:03\r\nDropped by 0065cffe5a1c6a33900b781835aa9693 (DAVESHELL)\r\nDrops c60aa80e0e58c2758f0bac037ec16dca (DONUT)\r\nUnknown (MD5: c60aa80e0e58c2758f0bac037ec16dca)\r\nDONUT in-memory dropper\r\nDropped by 16d489cc5a91e7dbe74d1c9399534eac (MUSKYBEAT)\r\nLoads 1f21f9948b412f0198f928ed3266786b (STATICNOISE)\r\nUnknown (MD5: 1f21f9948b412f0198f928ed3266786b)\r\nSTATICNOISE downloader\r\nCompiled on: 2023/04/04 12:04:49\r\nDropped by c60aa80e0e58c2758f0bac037ec16dca\r\nCommunicates with https://sharpledge[.]com/login.php\r\nMay 2023: Ukraine Foreign Embassy-Focused Campaigns\r\nBMW 5 for sale in Kyiv - 2023.docx (MD5: 556857ccb27b527e05415eb6d443aee1)\r\nHyperlink: https://t[.]ly/1IFg\r\nRedirects to: https://resetlocations[.]com/bmw.htm\r\nUnknown Document\r\nHyperlink: https://tinyurl[.]com/ysvxa66c\r\nRedirects to: https://resetlocations[.]com/bmw.htm\r\nbmw.htm (MD5: 880120da2f075155524430ceab7c058e)\r\nROOTSAW dropper\r\nDrops e306333093eaf198f4d416d25a40784a\r\nbmw.iso (MD5: e306333093eaf198f4d416d25a40784a)\r\nMalicious ISO containing next stage payloads\r\nDropped by 880120da2f075155524430ceab7c058e (ROOTSAW)\r\nDrops 0032b8eabdc41e01923fabca5fe8a06b (DONUT)\r\nbmw1.png (MD5: 4355851b6fcf2d44e3fd47f47a5e9502)\r\nDecoy image\r\nbmw2.png (MD5: 5ff4831ee70c07e33c1bbe091840d5ee)\r\nDecoy image\r\nbmw3.png (MD5: 1ec49b2cb9d4ba265678359e117809b8)\r\nDecoy image\r\nbmw4.png (MD5: 
f089fd7204552aec41f64b1eb6b03eda)\r\nDecoy image\r\nbmw5.png (MD5: 0b0707ce90548f0c8b952138fff62742)\r\nDecoy image\r\nbmw6.png (MD5: 33312f16fd5b88470a0e7560954ae459)\r\nDecoy image\r\nbmw7.png (MD5: b382d0f8b130cd1804782d400a4d4f55)\r\nDecoy image\r\nbmw8.png (MD5: fc47284181f2bb6785e91c9b92710d78)\r\nDecoy image\r\nbmw9.png (MD5: b12a4b8ec485ad9f9c4cae1e25a35db8)\r\nDecoy image\r\nbmw1.png.lnk (MD5: 4c00d883444c78f19c3a1af191614491)\r\nMalicious LNK used to trigger next stage and load image\r\nbmw2.png.lnk (MD5: 68cc826c2c58cb74abe3e5ef2123102c)\r\nMalicious LNK used to trigger next stage and load image\r\nbmw3.png.lnk (MD5: 9685dae9ed8d2bf13b66593c1d7cd2eb)\r\nMalicious LNK used to trigger next stage and load image\r\nbmw4.png.lnk (MD5: dd2e5debb0ae8b8bccac5c1fbef6bb5a)\r\nMalicious LNK used to trigger next stage and load image\r\nbmw5.png.lnk (MD5: 5bcf04c0fb0f62fc5f4b83789477a699)\r\nMalicious LNK used to trigger next stage and load image\r\nbmw6.png.lnk (MD5: 3f57258dce31ba0c80002130b8657b2b)\r\nMalicious LNK used to trigger next stage and load image\r\nbmw7.png.lnk (MD5: eccf100bc3d6e901f17a0eced5752ca7)\r\nMalicious LNK used to trigger next stage and load image\r\nbmw8.png.lnk (MD5: dbc9223af733d0140be136cf32a990d9)\r\nMalicious LNK used to trigger next stage and load image\r\nbmw9.png.lnk (MD5: ac78497929569682133e02dec9b67870)\r\nMalicious LNK used to trigger next stage and load image\r\nNOTE____.EXE (MD5: b1820abc3a1ce2d32af04c18f9d2bfc3)\r\nLegitimate Word application used for DLL side loading\r\nOriginal name: winword.exe\r\nCompiled on: 2022/12/22 19:27:25\r\nDropped by e306333093eaf198f4d416d25a40784a\r\nPDB path: D:\\dbs\\el\\na1\\Target\\x64\\ship\\postc2r\\x-none\\winword.pdb\r\nAppvIsvSubsystems64.dll (MD5: 53270b3968004cb48dac1a1b239ed23d)\r\nBURNTBATTER in-memory dropper\r\nCompiled on: 2023/05/03 13:27:37\r\nDropped by 
e306333093eaf198f4d416d25a40784a\r\nLoads 0032b8eabdc41e01923fabca5fe8a06b (DONUT)\r\nojg2.px (MD5: 0032b8eabdc41e01923fabca5fe8a06b)\r\nEncrypted DONUT payload\r\nLoaded by 53270b3968004cb48dac1a1b239ed23d (BURNTBATTER)\r\nDropped by e306333093eaf198f4d416d25a40784a\r\nDrops 6b41c60c24916e3c32acd90bbd7b92f9 (DONUT)\r\nUnknown (MD5: 6b41c60c24916e3c32acd90bbd7b92f9)\r\nDONUT dropper\r\nDropped by 0032b8eabdc41e01923fabca5fe8a06b (DONUT)\r\nDrops 036ab9f19b63d44aaccf0f965df9434c (SPICYBEAT)\r\nUnknown (MD5: 036ab9f19b63d44aaccf0f965df9434c)\r\nSPICYBEAT downloader\r\nClient_id: 840aae0d-cd89-4869-bce1-94222c33035e\r\nApplication Name: Teams_test\r\nAuthentication URL: https://graph.microsoft[.]com/v1.0/me/drive/root:/Apps/Teams_test\r\nInvintation.zip (MD5: 1aee5bf23edb7732fd0e6b2c61a959ce)\r\nMalicious ZIP containing next stage\r\nDownloaded from https://gavice[.]ng/event_program.php\r\nDrops 2d794d1544f933aacbd8da2dad78b381\r\nDrops 5569fb4e9140974a80b4b7587b026913 (BURNTBATTER)\r\nDrops 1c0059d976795ceded7c1dd706e74bd1\r\nDrops 595d8ea258ef8d8ec70b0e8a740e903c (DONUT)\r\ninvitation_letter_and_programme_17.05.2023_en.pdf[spaces].exe / invitation_letter_and_programme_17.05.2023_ua.pdf[spaces].exe (MD5: 2d794d1544f933aacbd8da2dad78b381)\r\nLegitimate Adobe plugin\r\nCompiled on: 2022/04/07 05:19:03\r\nDropped by 1aee5bf23edb7732fd0e6b2c61a959ce\r\nDrops 1ed822cc08ba08413c4a60023e0d590c\r\nicucnv22.dll (MD5: 5569fb4e9140974a80b4b7587b026913)\r\nBURNTBATTER dropper\r\nCompiled on: 2023/05/13 10:04:14\r\nDropped by 1aee5bf23edb7732fd0e6b2c61a959ce\r\nDrops 595d8ea258ef8d8ec70b0e8a740e903c (DONUT)\r\nly.ed (MD5: 595d8ea258ef8d8ec70b0e8a740e903c)\r\nEncrypted DONUT\r\nDropped by 5569fb4e9140974a80b4b7587b026913 (BURNTBATTER)\r\nDropped by 1aee5bf23edb7732fd0e6b2c61a959ce\r\nDrops 1d54c487e6c8a08517fdb8efedfcd459 (DONUT)\r\nlu.ed.bin 
(MD5: 1d54c487e6c8a08517fdb8efedfcd459)\r\nDONUT dropper\r\nDropped by 595d8ea258ef8d8ec70b0e8a740e903c (DONUT)\r\nDrops 7a5988423f731d8b36d01926e715dd11 (SPICYBEAT)\r\nUnknown (MD5: 7a5988423f731d8b36d01926e715dd11)\r\nSPICYBEAT downloader\r\nCompiled on: 2023/05/11 14:51:55\r\nDropped by 1d54c487e6c8a08517fdb8efedfcd459 (DONUT)\r\nConnects to https://graph.microsoft[.]com/v1.0/me/drives/442834D38635845C/root:/Apps/legron_application:/children\r\nDrops 41944bb155ecf70193245d8c3485dd2e (BEACON)\r\nClient_id: 5470384d-91c9-40f3-8891-8fb375c7df62\r\nApplication Name: legron_application\r\nAuthentication URL: https://graph.microsoft[.]com/v1.0/me/drive/root:/Apps/legron_application\r\nUnknown (MD5: 41944bb155ecf70193245d8c3485dd2e)\r\nBEACON backdoor\r\nDownloaded from OneDrive\r\nDropped by 7a5988423f731d8b36d01926e715dd11 (SPICYBEAT)\r\nResolves zone kitaeri[.]com\r\nConnects to https://kitaeri[.]com/images\r\nConnects to https://kitaeri[.]com/gen_204\r\nJune 2023: Split ROOTSAW Campaign\r\ninvitation.svg (MD5: 295527e2e38da97167979ade004de880)\r\nROOTSAW dropper\r\nAttached to emails referencing “santa lucia celebration”\r\nDrops 800f766f728a4418b0c682a867673341\r\ninvitation.iso (MD5: 800f766f728a4418b0c682a867673341)\r\nISO containing next stages\r\nDropped by 295527e2e38da97167979ade004de880\r\nDrops 5e1389b494edc86e17ff1783ed6b9d37 (STATICNOISE)\r\nDrops 9e51506816ad620c9e6474c52a9004a6\r\nDrops 301a7273418bceaa3fb15b15f69dd32a\r\nDrops b48a16fdf890283cac7484ef0911a1f2\r\nCCLEANER.dll (MD5: 5e1389b494edc86e17ff1783ed6b9d37)\r\nSTATICNOISE downloader\r\nSide loaded by 301a7273418bceaa3fb15b15f69dd32a\r\nDownloads from https://kegas[.]id/search/s=1\u0026id=APOX8NWOV4\u003cuserid\u003e\r\nINVITATI.LNK (MD5: 9e51506816ad620c9e6474c52a9004a6)\r\nLNK launcher\r\nCopies content of ISO to c:\\Windows\\Tasks and executes 
CCleanerReactivator.EXE (301a7273418bceaa3fb15b15f69dd32a)\r\nCCleanerReactivator.EXE (MD5: 301a7273418bceaa3fb15b15f69dd32a)\r\nLegitimate CCleaner executable\r\nSide loads 5e1389b494edc86e17ff1783ed6b9d37 (STATICNOISE)\r\nJuly 2023: ICEBEAT Campaign\r\nInvitation_Farewell_DE_EMB.pdf (MD5: fc53c75289309ffb7f65a3513e7519eb)\r\nMalicious PDF document\r\nDrops 78062da99751c0a520ca4ac9fa59af73 (ROOTSAW)\r\nInvitation_Farewell_DE_EMB.html (MD5: 78062da99751c0a520ca4ac9fa59af73)\r\nROOTSAW dropper\r\nDropped by fc53c75289309ffb7f65a3513e7519eb (ROOTSAW)\r\nConnects to https://sgrhf[.]org.pk/wp-content/idx.php?n=ks\u0026q=\r\nDrops d6986d991c41afcc2e71fc30bde851d1\r\ninvitation_farewell_de_emb.zip (MD5: d6986d991c41afcc2e71fc30bde851d1)\r\nMalicious ZIP containing HTA smuggler\r\nDropped by 78062da99751c0a520ca4ac9fa59af73 (ROOTSAW)\r\nDrops d67f83dcda6d01bedf08a51df7415d14\r\ninvitation_farewell_de_emb.hta (MD5: d67f83dcda6d01bedf08a51df7415d14)\r\nMalicious HTML smuggler\r\nDropped by d6986d991c41afcc2e71fc30bde851d1\r\nDrops 0be11b4f34ede748892ea49e473d82db (ICEBEAT)\r\nDrops dfbdd308e22898f680b6c2c8eb052fb5\r\nDrops 4f744666d2a2dc95419208c61e42f163\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing\r\nFigure 5: Likely repurposed legitimate invite to a charity concert in Ukraine\r\nJune 2023: Split ROOTSAW Campaign\r\nIn late June, Mandiant identified an additional APT29 phishing campaign with a new variant of ROOTSAW to target a European government. Phishing emails were sent from a compromised North American government email address and crafted to appear as an invitation to a public holiday celebration from Norwegian embassy personnel. Two other cases where APT29 has introduced new anti-analysis techniques for ROOTSAW, or other forms of hardening, the group reverted to a primitive ROOTSAW payload without delivery methods.\r\nFigure 6: Traditional 404 error from compromised APT29 infrastructure\r\nFigure 7: 404 error from IP filtered by APT29",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/apt29-evolving-diplomatic-phishing"
	],
	"report_names": [
		"apt29-evolving-diplomatic-phishing"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434697,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74d4aaea89a9fbd57c821aed396ac83a7218cba4.pdf",
		"text": "https://archive.orkl.eu/74d4aaea89a9fbd57c821aed396ac83a7218cba4.txt",
		"img": "https://archive.orkl.eu/74d4aaea89a9fbd57c821aed396ac83a7218cba4.jpg"
	}
}