© 2026 DFIR Lab. All rights reserved.

APT29

Also known as: Cozy Bear, The Dukes, Nobelium, Midnight Blizzard, YTTRIUM, UNC2452, Dark Halo, Iron Hemlock, Cloaked Ursa, BlueBravo, UNC6293, CozyLarch, ICECAP, StellarParticle, UAC-0029

Status: Active | Type: Nation-State | Origin: Russia | MITRE ATT&CK group: G0016
Campaigns: 0 | Techniques: 30 | IOCs: 17 | Tools: 23 | Matches: 0 | Infrastructure: 8

Overview

APT29 (Midnight Blizzard) is a Russian Foreign Intelligence Service (SVR) threat actor active since 2008, conducting sophisticated cyber espionage primarily against government, diplomatic, and technology sectors. The group has significantly evolved toward cloud-native tradecraft, leveraging identity abuse, OAuth exploitation, residential proxy networks, and advanced social engineering. Recent operations demonstrate patience and operational discipline with multi-month rapport-building campaigns, alongside large-scale attacks targeting hundreds of organizations simultaneously.

Motivations

Espionage, Intelligence Collection, Strategic Advantage

Target Sectors

Government, Diplomatic Entities, Technology, Healthcare, Think Tanks, Defense, Energy, Telecommunications, Financial Services, Education, NGOs

Activity Timeline

First Seen: Jan 2008
Last Seen: Jan 2024

Quick Facts

Origin: Russia
Sophistication: Nation-state
Status: Active
MITRE Group: G0016

MITRE ATT&CK Techniques (30)

Other

T1195.002 Compromise Software Supply Chain
T1078.004 Cloud Accounts
T1550.001 Application Access Token
T1556 Modify Authentication Process
T1027.013 Encrypted/Encoded File
T1071.001 Web Protocols
T1568.002 Domain Generation Algorithms
T1098.003 Additional Cloud Roles
T1114.002 Remote Email Collection
T1199 Trusted Relationship
T1621 Multi-Factor Authentication Request Generation
T1528 Steal Application Access Token
T1656 Impersonation
T1550 Use Alternate Authentication Material
T1091 Replication Through Removable Media
T1534 Internal Spearphishing
T1213 Data from Information Repositories
T1606 Forge Web Credentials
T1213.002 Sharepoint
T1087.004 Cloud Account
T1110.001 Password Guessing
T1213.003 Code Repositories

Execution

T1059.001 PowerShell
Use PowerShell commands and scripts for execution and automation.

Exfiltration

T1048 Exfiltration Over Alternative Protocol
Exfiltrate data using a different protocol than the primary C2 channel.

T1041 Exfiltration Over C2 Channel
Exfiltrate stolen data over the existing command and control channel.

Credential Access

T1003 OS Credential Dumping
Dump credentials from the operating system or security software.

T1110 Brute Force
Systematically guess passwords or credentials to gain access.

Initial Access

T1566.002 Spearphishing Link
Send targeted emails with malicious links to credential harvesting or exploit pages.

T1133 External Remote Services
Abuse remote services like VPNs or RDP to gain access to the network.

Discovery

T1087 Account Discovery
Enumerate local, domain, or cloud accounts on a system or environment.

Tools & Malware (23)

SUNBURST (malware, malicious)
Sophisticated backdoor inserted into SolarWinds Orion software updates (supply chain attack). Used passive DNS-based C2 and multiple evasion techniques to remain undetected for months.

TEARDROP (malware, malicious)
Memory-only dropper deployed via SUNBURST to load Cobalt Strike beacons. Never touched disk, making forensic recovery extremely difficult.

FoggyWeb (malware, malicious)
Post-compromise backdoor targeting AD FS servers. Extracts configuration databases and intercepts/modifies SAML tokens for persistent access to cloud resources.

MagicWeb (malware, malicious)
Evolved version of FoggyWeb that manipulates AD FS authentication claims, allowing the actor to authenticate as any user without their credentials.

EnvyScout (malware, malicious)
HTML smuggling tool delivered via spear-phishing emails. Deobfuscates and drops ISO/IMG files containing malicious payloads, bypassing email security gateways.

WellMess (malware, malicious)
Cross-platform backdoor (Go/.NET) used to target COVID-19 vaccine research organizations. Supports encrypted C2 communication via HTTP/TLS.

GoldMax (malware, malicious)
Go-based C2 backdoor deployed as second stage after SUNBURST. Uses decoy traffic generators and time-based execution guards to evade sandbox analysis.

GraphicalNeutrino (malware, malicious)
Backdoor that uses the Microsoft Notion API as C2 channel, blending command traffic with legitimate cloud service usage.

Cobalt Strike (framework, legitimate)
Primary post-exploitation framework used after initial access. Memory-resident beacons provide persistent C2, lateral movement, and credential harvesting capabilities.

Mimikatz (framework, legitimate)
Deployed for credential extraction from LSASS memory, Kerberos ticket manipulation (Golden/Silver Tickets), and DCSync attacks for domain-wide compromise.

Brute Ratel (framework, legitimate)
Commercial red team C2 framework used as an alternative to Cobalt Strike. Designed to evade EDR/AV detection with features like syscall manipulation.

AnyDesk (legitimate tool, legitimate)
Legitimate remote desktop tool deployed post-compromise for persistent remote access. Harder for defenders to flag as malicious due to legitimate business use.

PowerShell (OS utility, legitimate)
Used for fileless payload execution, token manipulation, and accessing Microsoft Graph API for cloud environment reconnaissance.

AADInternals (framework, legitimate)
PowerShell module for Azure AD manipulation. Used to extract tokens, modify tenant configurations, and maintain persistent access to Microsoft 365 environments.

RAINDROP (malware, malicious)
Loader malware used in the SolarWinds campaign to deploy Cobalt Strike. Used a modified Lempel-Ziv-Markov chain algorithm for steganographic payload hiding.

Sliver (framework, legitimate)
Open-source C2 framework used as an alternative to Cobalt Strike. Supports mTLS, WireGuard, DNS, and HTTP C2 channels with cross-platform implants.

BURNTBATTER (loader, malicious)
Malicious ISO-based loader used to deploy additional payloads.

BEATDROP (backdoor, malicious)
Custom backdoor delivered via ISO files in phishing campaigns.

WINELOADER (backdoor, malicious)
Modular backdoor targeting diplomatic entities.

ROOTSAW (backdoor, malicious)
Python-based backdoor with web shell capabilities.

BOOMMIC (backdoor, malicious)
Shellcode-based backdoor deployed in recent campaigns.

BOOMBOX (loader, malicious)
Downloader used to fetch and execute additional payloads.

GraphicalProton (other, malicious)
Custom malicious OAuth application for email access.

Indicators of Compromise (17)

IOC values are defanged for safety.

Type   | Value                                                            | Notes
domain | avsvmcloud[.]com                                                 | SUNBURST C2 domain (SolarWinds attack)
domain | freescanonline[.]com                                             | C2 infrastructure for SUNBURST second-stage
domain | theyardservice[.]com                                             | Nobelium phishing infrastructure (2021)
ip     | 13[.]59[.]205[.]66                                               | SolarWinds SUNBURST C2 infrastructure
ip     | 54[.]193[.]127[.]66                                              | C2 node used in government targeting
hash   | b91ce2fa41029f6955bff20079468448                                 | SUNBURST backdoor (MD5)
domain | bakenhof[.]com                                                   | GRAPELOADER phishing campaign, January 2025 (wine-tasting lure)
domain | silry[.]com                                                      | GRAPELOADER phishing campaign, January 2025 (wine-tasting lure)
domain | bravecup[.]com                                                   | WINELOADER C2 server, 2025 campaign
hash   | 653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358 | GRAPELOADER malware sample (SHA-256)
hash   | 78a810e47e288a6aff7ffbaf1f20144d2b317a1618bba840d42405cddc4cff41 | GRAPELOADER malware sample (SHA-256)
hash   | d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164 | GRAPELOADER malware sample (SHA-256)
domain | dataplane[.]theyardservice[.]com                                 | C2 domain used in 2023 campaigns
domain | msedgepackageinfo[.]com                                          | Malicious domain mimicking Microsoft services
domain | cdn[.]msstatic[.]com                                             | Typosquatted domain for payload delivery
hash   | fc2c3d3d2b0f9a6e5c8f5e4d3c2b1a0987654321fedcba0987654321fedcba09 | WINELOADER sample (SHA-256)
domain | dataplane[.]cakewalkcompany[.]com                                | C2 infrastructure associated with recent operations

Infrastructure (8)

Domain values are defanged for safety.

Domain / Host        | Type   | Status        | Last Checked | Notes
avsvmcloud[.]com     | c2     | ip_changed    | Apr 2, 2026  | SUNBURST C2 domain (SolarWinds attack)
freescanonline[.]com | c2     | whois_changed | Apr 2, 2026  | C2 infrastructure for SUNBURST second-stage
theyardservice[.]com | domain | active        | Apr 2, 2026  | Nobelium phishing infrastructure (2021)
13[.]59[.]205[.]66   | ip     | offline       | Apr 2, 2026  | SolarWinds SUNBURST C2 infrastructure
54[.]193[.]127[.]66  | ip     | offline       | Apr 2, 2026  | C2 node used in government targeting
bakenhof[.]com       | domain | whois_changed | Apr 2, 2026  |
silry[.]com          | domain | active        | Apr 2, 2026  |
bravecup[.]com       | domain | whois_changed | Apr 2, 2026  |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (13)

MITRE ATT&CK: APT29
https://attack.mitre.org/groups/G0016/

Microsoft: Midnight Blizzard (Nobelium)
https://www.microsoft.com/en-us/security/blog/threat-intelligence/midnight-blizzard-nobelium/

CISA: SolarWinds Supply Chain Compromise
https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a

Check Point: Renewed APT29 Phishing Campaign Against European Diplomats
https://research.checkpoint.com/2025/apt29-phishing-campaign/

Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files
https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/

Google: What's in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia
https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia

Citizen Lab: Russian Government-Linked Social Engineering Targets App-Specific Passwords
https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/

Picus: Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign
https://www.picussecurity.com/resource/blog/understanding-and-mitigating-midnight-blizzards-rdp-based-spearphishing-campaign

Microsoft: Midnight Blizzard: Guidance for responders on nation-state attack
https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

Mandiant: Suspected APT29 Operation Launches Election Fraud-Themed Phishing Campaigns
https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties

CISA: Russian Foreign Intelligence Service SVR Exploiting JetBrains TeamCity CVE Globally
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

Volexity: Ongoing Investigation into CVE-2023-42793 Exploitation by APT29
https://www.volexity.com/blog/2023/10/13/cve-2023-42793-quick-assessment-guide/

Unit 42: NOBELIUM Targets Government Agencies with HTML Smuggling
https://unit42.paloaltonetworks.com/nobelium-targets-government-html-smuggling/