DFIRLab

Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.

APT29

Also known as: Cozy Bear, The Dukes, Nobelium, Midnight Blizzard, YTTRIUM, UNC2452, Dark Halo, Iron Hemlock, Cloaked Ursa, BlueBravo, UNC6293, CozyLarch, ICECAP, StellarParticle, UAC-0029, APT-C-50, Earth Koshchei, NobleBaron, Blue Kitsune, IRON RITUAL

Status: Active | Nation-State | Origin: Russia | MITRE G0016
Campaigns: 0 | Techniques: 74 | IOCs: 53 | Tools: 67 | Matches: 0 | Infrastructure: 11
Overview

APT29 (Midnight Blizzard) is a Russian Foreign Intelligence Service (SVR) threat actor active since 2008, conducting sophisticated cyber espionage primarily against government, diplomatic, and technology sectors. The group has significantly evolved toward cloud-native tradecraft, leveraging identity abuse, OAuth exploitation, residential proxy networks, and advanced social engineering. Recent operations demonstrate patience and operational discipline with multi-month rapport-building campaigns, alongside large-scale attacks targeting hundreds of organizations simultaneously.

Motivations

Espionage, Intelligence Collection, Strategic Advantage

Target Sectors

Government, Diplomatic Entities, Technology, Healthcare, Think Tanks, Defense, Energy, Telecommunications, Financial Services, Education, NGOs, Political Parties, Non-Governmental Organizations, Pharmaceutical, Diplomatic Missions, Defense Industrial Base, Aerospace, Media, Discrete Manufacturing, Academia, Cloud Service Providers, Aviation, Higher Education, Legal

Activity Timeline

First Seen: Jan 2008
Last Seen: Jan 2024

Quick Facts

Origin: Russia
Sophistication: nation-state
Status: Active
MITRE Group: G0016

MITRE ATT&CK Techniques (74)

Other

T1195.002, T1078.004, T1550.001, T1556, T1027.013, T1071.001, T1568.002, T1098.003, T1114.002, T1199, T1621, T1528, T1656, T1550, T1091, T1534, T1213, T1606, T1213.002, T1087.004, T1110.001, T1213.003, T1586.003, T1583.006, T1584.001, T1071.004, T1566.003, T1539, T1567.002, T1649, T1558.003, T1136.003, T1606.002, T1550.004, T1111, T1552.001, T1552.004, T1585.001, T1585.002, T1586.002, T1583.001, T1583.003, T1550.002, T1484.002, T1136.001, T1098.001, T1098.002, T1589.002, T1589.003, T1598.003, T1598.001, T1590.002, T1204.001, T1204.003, T1505.003, T1134, T1543.003, T1012, T1007, T1070.004, T1055.003, T1090.002

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

Exfiltration

T1048

Exfiltration Over Alternative Protocol

Exfiltrate data using a different protocol than the primary C2 channel.

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Credential Access

T1003

OS Credential Dumping

Dump credentials from the operating system or security software.

T1110

Brute Force

Systematically guess passwords or credentials to gain access.

T1555

Credentials from Password Stores

Extract credentials from password managers, browsers, or keychains.

Initial Access

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

Discovery

T1087

Account Discovery

Enumerate local, domain, or cloud accounts on a system or environment.

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

Tools & Malware (67)

SUNBURST

malware (Malicious)

Sophisticated backdoor inserted into SolarWinds Orion software updates (supply chain attack). Used passive DNS-based C2 and multiple evasion techniques to remain undetected for months.

TEARDROP

malware (Malicious)

Memory-only dropper deployed via SUNBURST to load Cobalt Strike beacons. Never touched disk, making forensic recovery extremely difficult.

FoggyWeb

malware (Malicious)

Post-compromise backdoor targeting AD FS servers. Extracts configuration databases and intercepts/modifies SAML tokens for persistent access to cloud resources.

MagicWeb

malware (Malicious)

Evolved version of FoggyWeb that manipulates AD FS authentication claims, allowing the actor to authenticate as any user without their credentials.

EnvyScout

malware (Malicious)

HTML smuggling tool delivered via spear-phishing emails. Deobfuscates and drops ISO/IMG files containing malicious payloads, bypassing email security gateways.

WellMess

malware (Malicious)

Cross-platform backdoor (Go/.NET) used to target COVID-19 vaccine research organizations. Supports encrypted C2 communication via HTTP/TLS.

GoldMax

malware (Malicious)

Go-based C2 backdoor deployed as second-stage after SUNBURST. Uses decoy traffic generators and time-based execution guards to evade sandbox analysis.

GraphicalNeutrino

malware (Malicious)

Backdoor that uses the Microsoft Notion API as C2 channel, blending command traffic with legitimate cloud service usage.

Cobalt Strike

framework (Legitimate)

Primary post-exploitation framework used after initial access. Memory-resident beacons provide persistent C2, lateral movement, and credential harvesting capabilities.

Mimikatz

framework (Legitimate)

Deployed for credential extraction from LSASS memory, Kerberos ticket manipulation (Golden/Silver Tickets), and DCSync attacks for domain-wide compromise.

Brute Ratel

framework (Legitimate)

Commercial red team C2 framework used as an alternative to Cobalt Strike. Designed to evade EDR/AV detection with features like syscall manipulation.

AnyDesk

legitimate tool (Legitimate)

Legitimate remote desktop tool deployed post-compromise for persistent remote access. Harder for defenders to flag as malicious due to legitimate business use.

PowerShell

os utility (Legitimate)

Used for fileless payload execution, token manipulation, and accessing Microsoft Graph API for cloud environment reconnaissance.

AADInternals

framework (Legitimate)

PowerShell module for Azure AD manipulation. Used to extract tokens, modify tenant configurations, and maintain persistent access to Microsoft 365 environments.

RAINDROP

malware (Malicious)

Loader malware used in SolarWinds campaign to deploy Cobalt Strike. Used a modified Lempel-Ziv-Markov chain algorithm for steganographic payload hiding.

Sliver

framework (Legitimate)

Open-source C2 framework used as an alternative to Cobalt Strike. Supports mTLS, WireGuard, DNS, and HTTP C2 channels with cross-platform implants.

BURNTBATTER

Loader (Malicious)

Malicious ISO-based loader used to deploy additional payloads.

BEATDROP

Backdoor (Malicious)

Custom backdoor delivered via ISO files in phishing campaigns.

WINELOADER

Backdoor (Malicious)

Modular backdoor targeting diplomatic entities.

ROOTSAW

Backdoor (Malicious)

Python-based backdoor with web shell capabilities.

BOOMMIC

Backdoor (Malicious)

Shellcode-based backdoor deployed in recent campaigns.

BOOMBOX

Loader (Malicious)

Downloader used to fetch and execute additional payloads.

GraphicalProton

Other (Malicious)

Custom malicious OAuth application for email access.

GIFKID

Backdoor (Malicious)

Backdoor utilizing GIF image steganography for C2 communications.

TAVDIG

Backdoor (Malicious)

HTTP-based backdoor with modular capabilities for espionage operations.

Rclone

Other (Legitimate)

Legitimate cloud storage sync tool abused for data exfiltration operations.

SMOKEDHAM

Loader (Malicious)

Loader used to deliver second-stage payloads in targeted operations.

SNOWYAMBER

Backdoor (Malicious)

Backdoor implant with persistence and data exfiltration capabilities.

TAXIDOOR

Backdoor (Malicious)

Backdoor malware used for persistent access and command execution.

Ngrok

Other (Legitimate)

Legitimate tunneling tool abused for establishing covert command and control channels.

GRAPELOADER

Loader (Malicious)

Loader component used in multi-stage infection chains.

ROOTSAWCER

Backdoor (Malicious)

Cloud-focused backdoor using Microsoft Graph API for C2 communications.

BROKEYOLK

Loader (Malicious)

Loader component used in 2024 campaigns to deploy additional payloads.

QUARTERRIG

Backdoor (Malicious)

Backdoor utilizing legitimate cloud services for command and control.

ROOTSAWYER

Backdoor (Malicious)

Cloud-aware backdoor utilizing Microsoft Graph API for C2 communications, deployed in Microsoft 365 environments.

STEELHOOK

Loader (Malicious)

Loader component used in conjunction with WINELOADER to facilitate multi-stage malware deployment.

SWIMLANE

Backdoor (Malicious)

Backdoor component observed in 2024 campaigns targeting diplomatic entities.

WINESERVER

Backdoor (Malicious)

Companion backdoor to WINELOADER used in European diplomatic targeting operations.

BIRDDOG

Backdoor (Malicious)

Lightweight implant used for initial reconnaissance and command execution.

GRAPHITE

Loader (Malicious)

Custom loader used to deploy additional malware payloads in targeted intrusions.

MUSKYBEAT

Backdoor (Malicious)

Persistent backdoor used in conjunction with BURNTBATTER.

FROZENLAKE

Backdoor (Malicious)

Modular backdoor framework with capabilities for reconnaissance and lateral movement.

ROOTSAWDUST

Backdoor (Malicious)

Backdoor used in residential proxy infrastructure operations.

GLOWPLUG

Backdoor (Malicious)

Stealthy backdoor with multiple communication protocols.

POOLRAT

Backdoor (Malicious)

Python-based backdoor using Windows Background Intelligent Transfer Service for C2.

ICECAP

Backdoor (Malicious)

GraphicalNeutrino variant backdoor used in targeted operations.

WINEKEY

Backdoor (Malicious)

Backdoor component used for command execution and data exfiltration in diplomatic targeting campaigns.

Brute Ratel C4

Other (Legitimate)

Commercial red team framework leveraged for adversary simulation and command and control.

ROOTSAWDROP

Dropper (Malicious)

Dropper used to deploy the ROOTSAW backdoor.

GraphRunner

Other (Legitimate)

Post-exploitation toolset for interacting with Microsoft Graph API.

IRONPEAK

Backdoor (Malicious)

Backdoor variant used in recent campaigns for persistent access and command execution.

IKIRU

Backdoor (Malicious)

Golang-based backdoor with networking capabilities and command execution functionality.

HALFRIG

Backdoor (Malicious)

Backdoor used in credential theft operations.

ROADTools

Other (Legitimate)

Azure AD reconnaissance framework used for cloud environment enumeration.

ICYRIVER

Exploit (Malicious)

Exploitation framework used in identity infrastructure attacks.

DAVESHELL

Backdoor (Malicious)

WebDAV-based backdoor for maintaining persistence and conducting reconnaissance in compromised environments.

CHAMPLOADER

Loader (Malicious)

Loader used to deploy additional payloads in multi-stage infection chains.

OCEANMAP

Backdoor (Malicious)

Backdoor deployed in campaigns targeting diplomatic entities.

GraphicalNeutron

Backdoor (Malicious)

Lightweight backdoor variant using OneDrive for C2, related to GraphicalProton.

GoldFinder

Other (Malicious)

HTTP tracer tool used for reconnaissance and command execution.

Sibot

Backdoor (Malicious)

Dual-use tool for VPN, email access, and browser credential harvesting.

PHANTOMSTAR

Backdoor (Malicious)

Modular implant utilizing encrypted C2 communications and lateral movement capabilities.

BIRDYLOADER

Loader (Malicious)

Loader component used to deploy additional payloads in diplomatic sector targeting.

HAMMERTOSS

Backdoor (Malicious)

Sophisticated backdoor using Twitter, GitHub, and cloud storage for C2 communications with steganography.

COZYCAR

Backdoor (Malicious)

Modular backdoor, also known as CozyDuke, with extensive reconnaissance and data collection capabilities.

SeaDuke

Backdoor (Malicious)

Python-based backdoor utilizing legitimate cloud services for C2 infrastructure.

VaporRage

Backdoor (Malicious)

Shellcode loader and backdoor using cloud services for C2 communications.

Indicators of Compromise (53)

IOC values are defanged for safety.

Infrastructure (11)

Domain values are defanged for safety.

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.
