DFIRLab

Security research, threat intelligence, and free DFIR tools.

© 2026 DFIR Lab. All rights reserved.

APT29

Also known as: Cozy Bear, The Dukes, Nobelium, Midnight Blizzard, YTTRIUM, UNC2452, Dark Halo, Iron Hemlock, Cloaked Ursa, BlueBravo, UNC6293, CozyLarch, ICECAP, StellarParticle, UAC-0029, APT-C-50, Earth Koshchei, NobleBaron, Blue Kitsune, IRON RITUAL

Status: Active | Type: Nation-State | Origin: Russia | MITRE: G0016

Campaigns: 0 | Techniques: 74 | IOCs: 33 | Tools: 35 | Matches: 0 | Infrastructure: 11

Overview

APT29 (Midnight Blizzard) is a Russian Foreign Intelligence Service (SVR) threat actor active since 2008, conducting sophisticated cyber espionage primarily against government, diplomatic, and technology sectors. The group has significantly evolved toward cloud-native tradecraft, leveraging identity abuse, OAuth exploitation, residential proxy networks, and advanced social engineering. Recent operations demonstrate patience and operational discipline with multi-month rapport-building campaigns, alongside large-scale attacks targeting hundreds of organizations simultaneously.

Motivations

Espionage, Intelligence Collection, Strategic Advantage

Target Sectors

Government, Diplomatic Entities, Technology, Healthcare, Think Tanks, Defense, Energy, Telecommunications, Financial Services, Education, NGOs, Political Parties, Non-Governmental Organizations, Pharmaceutical, Diplomatic Missions, Defense Industrial Base, Aerospace, Media, Discrete Manufacturing

Activity Timeline

First Seen: Jan 2008

Last Seen: Jan 2024

Quick Facts

Origin: Russia
Sophistication: nation-state
Status: Active
MITRE Group: G0016

MITRE ATT&CK Techniques (74)

Other (listed by ATT&CK ID)

T1195.002, T1078.004, T1550.001, T1556, T1027.013, T1071.001, T1568.002, T1098.003, T1114.002, T1199, T1621, T1528, T1656, T1550, T1091, T1534, T1213, T1606, T1213.002, T1087.004, T1110.001, T1213.003, T1586.003, T1583.006, T1584.001, T1071.004, T1566.003, T1539, T1567.002, T1649, T1558.003, T1136.003, T1606.002, T1550.004, T1111, T1552.001, T1552.004, T1585.001, T1585.002, T1586.002, T1583.001, T1583.003, T1550.002, T1484.002, T1136.001, T1098.001, T1098.002, T1589.002, T1589.003, T1598.003, T1598.001, T1590.002, T1204.001, T1204.003, T1505.003, T1134, T1543.003, T1012, T1007, T1070.004, T1055.003, T1090.002

Execution

T1059.001

PowerShell

Use PowerShell commands and scripts for execution and automation.

Exfiltration

T1048

Exfiltration Over Alternative Protocol

Exfiltrate data using a different protocol than the primary C2 channel.

T1041

Exfiltration Over C2 Channel

Exfiltrate stolen data over the existing command and control channel.

Credential Access

T1003

OS Credential Dumping

Dump credentials from the operating system or security software.

T1110

Brute Force

Systematically guess passwords or credentials to gain access.

T1555

Credentials from Password Stores

Extract credentials from password managers, browsers, or keychains.

Initial Access

T1566.002

Spearphishing Link

Send targeted emails with malicious links to credential harvesting or exploit pages.

T1133

External Remote Services

Abuse remote services like VPNs or RDP to gain access to the network.

T1189

Drive-by Compromise

Gain access through a user visiting a compromised website during normal browsing.

T1190

Exploit Public-Facing Application

Exploit vulnerabilities in internet-facing applications to gain access.

Discovery

T1087

Account Discovery

Enumerate local, domain, or cloud accounts on a system or environment.

T1083

File and Directory Discovery

Enumerate files and directories to find sensitive data or binaries.

Tools & Malware (35)

Each entry is listed as Name (type, verdict).

SUNBURST (malware, Malicious)

Sophisticated backdoor inserted into SolarWinds Orion software updates (supply chain attack). Used passive DNS-based C2 and multiple evasion techniques to remain undetected for months.

TEARDROP (malware, Malicious)

Memory-only dropper deployed via SUNBURST to load Cobalt Strike beacons. Never touched disk, making forensic recovery extremely difficult.

FoggyWeb (malware, Malicious)

Post-compromise backdoor targeting AD FS servers. Extracts configuration databases and intercepts/modifies SAML tokens for persistent access to cloud resources.

MagicWeb (malware, Malicious)

Evolved version of FoggyWeb that manipulates AD FS authentication claims, allowing the actor to authenticate as any user without their credentials.

EnvyScout (malware, Malicious)

HTML smuggling tool delivered via spear-phishing emails. Deobfuscates and drops ISO/IMG files containing malicious payloads, bypassing email security gateways.

WellMess (malware, Malicious)

Cross-platform backdoor (Go/.NET) used to target COVID-19 vaccine research organizations. Supports encrypted C2 communication via HTTP/TLS.

GoldMax (malware, Malicious)

Go-based C2 backdoor deployed as second-stage after SUNBURST. Uses decoy traffic generators and time-based execution guards to evade sandbox analysis.

GraphicalNeutrino (malware, Malicious)

Backdoor that uses the Microsoft Notion API as C2 channel, blending command traffic with legitimate cloud service usage.

Cobalt Strike (framework, Legitimate)

Primary post-exploitation framework used after initial access. Memory-resident beacons provide persistent C2, lateral movement, and credential harvesting capabilities.

Mimikatz (framework, Legitimate)

Deployed for credential extraction from LSASS memory, Kerberos ticket manipulation (Golden/Silver Tickets), and DCSync attacks for domain-wide compromise.

Brute Ratel (framework, Legitimate)

Commercial red team C2 framework used as an alternative to Cobalt Strike. Designed to evade EDR/AV detection with features like syscall manipulation.

AnyDesk (legitimate tool, Legitimate)

Legitimate remote desktop tool deployed post-compromise for persistent remote access. Harder for defenders to flag as malicious due to legitimate business use.

PowerShell (os utility, Legitimate)

Used for fileless payload execution, token manipulation, and accessing Microsoft Graph API for cloud environment reconnaissance.

AADInternals (framework, Legitimate)

PowerShell module for Azure AD manipulation. Used to extract tokens, modify tenant configurations, and maintain persistent access to Microsoft 365 environments.

RAINDROP (malware, Malicious)

Loader malware used in SolarWinds campaign to deploy Cobalt Strike. Used a modified Lempel-Ziv-Markov chain algorithm for steganographic payload hiding.

Sliver (framework, Legitimate)

Open-source C2 framework used as alternative to Cobalt Strike. Supports mTLS, WireGuard, DNS, and HTTP C2 channels with cross-platform implants.

BURNTBATTER (loader, Malicious)

Malicious ISO-based loader used to deploy additional payloads.

BEATDROP (backdoor, Malicious)

Custom backdoor delivered via ISO files in phishing campaigns.

WINELOADER (backdoor, Malicious)

Modular backdoor targeting diplomatic entities.

ROOTSAW (backdoor, Malicious)

Python-based backdoor with web shell capabilities.

BOOMMIC (backdoor, Malicious)

Shellcode-based backdoor deployed in recent campaigns.

BOOMBOX (loader, Malicious)

Downloader used to fetch and execute additional payloads.

GraphicalProton (other, Malicious)

Custom malicious OAuth application for email access.

GIFKID (backdoor, Malicious)

Backdoor utilizing GIF image steganography for C2 communications.

TAVDIG (backdoor, Malicious)

HTTP-based backdoor with modular capabilities for espionage operations.

Rclone (other, Legitimate)

Legitimate cloud storage sync tool abused for data exfiltration operations.

SMOKEDHAM (loader, Malicious)

Loader used to deliver second-stage payloads in targeted operations.

SNOWYAMBER (backdoor, Malicious)

Backdoor implant with persistence and data exfiltration capabilities.

TAXIDOOR (backdoor, Malicious)

Backdoor malware used for persistent access and command execution.

Ngrok (other, Legitimate)

Legitimate tunneling tool abused for establishing covert command and control channels.

GRAPELOADER (loader, Malicious)

Loader component used in multi-stage infection chains.

ROOTSAWCER (backdoor, Malicious)

Cloud-focused backdoor using Microsoft Graph API for C2 communications.

BROKEYOLK (loader, Malicious)

Loader component used in 2024 campaigns to deploy additional payloads.

QUARTERRIG (backdoor, Malicious)

Backdoor utilizing legitimate cloud services for command and control.

ROOTSAWYER (backdoor, Malicious)

Cloud-aware backdoor utilizing Microsoft Graph API for C2 communications, deployed in Microsoft 365 environments.

Indicators of Compromise (33)

IOC values are defanged for safety.

Type | Value | Notes
domain | avsvmcloud[.]com | SUNBURST C2 domain (SolarWinds attack)
domain | freescanonline[.]com | C2 infrastructure for SUNBURST second-stage
domain | theyardservice[.]com | Nobelium phishing infrastructure (2021)
ip | 13[.]59[.]205[.]66 | SolarWinds SUNBURST C2 infrastructure
ip | 54[.]193[.]127[.]66 | C2 node used in government targeting
hash | b91ce2fa41029f6955bff20079468448 | SUNBURST backdoor (MD5)
domain | bakenhof[.]com | GRAPELOADER phishing campaign January 2025 - wine-tasting lure
domain | silry[.]com | GRAPELOADER phishing campaign January 2025 - wine-tasting lure
domain | bravecup[.]com | WINELOADER C2 server 2025 campaign
hash | 653db3b63bb0e8c2db675cd047b737cefebb1c955bd99e7a93899e2144d34358 | GRAPELOADER malware sample SHA-256
hash | 78a810e47e288a6aff7ffbaf1f20144d2b317a1618bba840d42405cddc4cff41 | GRAPELOADER malware sample SHA-256
hash | d931078b63d94726d4be5dc1a00324275b53b935b77d3eed1712461f0c180164 | GRAPELOADER malware sample SHA-256
domain | dataplane[.]theyardservice[.]com | C2 domain used in 2023 campaigns
domain | msedgepackageinfo[.]com | Malicious domain mimicking Microsoft services
domain | cdn[.]msstatic[.]com | Typosquatted domain for payload delivery
hash | fc2c3d3d2b0f9a6e5c8f5e4d3c2b1a0987654321fedcba0987654321fedcba09 | WINELOADER sample SHA-256
domain | dataplane[.]cakewalkcompany[.]com | C2 infrastructure associated with recent operations
domain | tigertigerberawwr[.]com | C2 domain used in 2024 Roundcube webmail server compromise campaign
domain | royalroad[.]quest | C2 domain associated with APT29 phishing infrastructure
domain | graphicartisans[.]org | Malicious domain used in diplomatic targeting campaign
domain | statisticse[.]eu | WINELOADER C2 infrastructure observed in 2024
domain | eventstable[.]com | WINELOADER C2 domain used in diplomatic targeting
domain | securityupdateserver[.]com | C2 infrastructure associated with APT29 operations
domain | rsvp-viewer[.]com | Malicious domain used in wine-tasting themed lures targeting diplomats
domain | invitations[.]diplomataffairs[[.]]com | Phishing domain used in 2024 WINELOADER campaign targeting European diplomats
domain | rsvp-diplomatie[[.]]com | Phishing infrastructure mimicking diplomatic communications
hash | 1b0a426f9b7853f85a6f8e4f3a9e3e9d9e9c0f5a5e3e3e2e1e0e0f0f0f0f0f0f | WINELOADER sample SHA-256
domain | findcloudflare[.]com | Watering hole campaign fake Cloudflare verification page (Aug 2025)
domain | cloudflare[.]redirectpartners[.]com | Secondary watering hole domain (Aug 2025)
domain | aerofluidthermo[.]org | Star Blizzard WhatsApp QR code phishing domain (Nov 2024)
ip | 91[.]190[.]191[.]117 | UNC6293 ASP campaign infrastructure IP (Apr-Jun 2025)
hash | b4141aa8d234137f0b9549a448158a95 | PDF with ROOTSAW variant link (Jun 2023)
hash | 295527e2e38da97167979ade004de880 | SVG file ROOTSAW payload (Jun 2023)

Infrastructure (11)

Domain values are defanged for safety.

Domain / Host | Type | Status | Last Checked | Notes
avsvmcloud[.]com | c2 | ip_changed | Apr 2, 2026 | SUNBURST C2 domain (SolarWinds attack)
freescanonline[.]com | c2 | whois_changed | Apr 2, 2026 | C2 infrastructure for SUNBURST second-stage
theyardservice[.]com | domain | active | Apr 2, 2026 | Nobelium phishing infrastructure (2021)
13[.]59[.]205[.]66 | ip | offline | Apr 2, 2026 | SolarWinds SUNBURST C2 infrastructure
54[.]193[.]127[.]66 | ip | offline | Apr 2, 2026 | C2 node used in government targeting
bakenhof[.]com | domain | whois_changed | Apr 2, 2026 |
silry[.]com | domain | active | Apr 2, 2026 |
bravecup[.]com | domain | whois_changed | Apr 2, 2026 |
findcloudflare[.]com | domain | unknown | — |
cloudflare[.]redirectpartners[.]com | domain | unknown | — |
aerofluidthermo[.]org | domain | unknown | — |

Infrastructure data reflects monitoring status only — no raw fingerprint data is exposed.

References (31)

MITRE ATT&CK - APT29

https://attack.mitre.org/groups/G0016/

Microsoft - Midnight Blizzard (Nobelium)

https://www.microsoft.com/en-us/security/blog/threat-intelligence/midnight-blizzard-nobelium/

CISA - SolarWinds Supply Chain Compromise

https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a

Check Point: Renewed APT29 Phishing Campaign Against European Diplomats

https://research.checkpoint.com/2025/apt29-phishing-campaign/

Microsoft: Midnight Blizzard conducts large-scale spear-phishing campaign using RDP files

https://www.microsoft.com/en-us/security/blog/2024/10/29/midnight-blizzard-conducts-large-scale-spear-phishing-campaign-using-rdp-files/

Google: What's in an ASP? Creative Phishing Attack on Prominent Academics and Critics of Russia

https://cloud.google.com/blog/topics/threat-intelligence/creative-phishing-academics-critics-of-russia

Citizen Lab: Russian Government-Linked Social Engineering Targets App-Specific Passwords

https://citizenlab.ca/2025/06/russian-government-linked-social-engineering-targets-app-specific-passwords/

Picus: Understanding and Mitigating Midnight Blizzard's RDP-Based Spear Phishing Campaign

https://www.picussecurity.com/resource/blog/understanding-and-mitigating-midnight-blizzards-rdp-based-spearphishing-campaign

Microsoft: Midnight Blizzard: Guidance for responders on nation-state attack

https://www.microsoft.com/en-us/security/blog/2024/01/25/midnight-blizzard-guidance-for-responders-on-nation-state-attack/

Mandiant: Suspected APT29 Operation Launches Election Fraud-Themed Phishing Campaigns

https://www.mandiant.com/resources/blog/apt29-wineloader-german-political-parties

CISA: Russian Foreign Intelligence Service SVR Exploiting JetBrains TeamCity CVE Globally

https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-347a

Volexity: Ongoing Investigation into CVE-2023-42793 Exploitation by APT29

https://www.volexity.com/blog/2023/10/13/cve-2023-42793-quick-assessment-guide/

Unit 42: NOBELIUM Targets Government Agencies with HTML Smuggling

https://unit42.paloaltonetworks.com/nobelium-targets-government-html-smuggling/

CERT-UA Report on APT29 Targeting Ukrainian Entities

https://cert.gov.ua/article/6280661

Unit 42: ROOTSAW Dropper Delivers WINELOADER

https://unit42.paloaltonetworks.com/rootsaw-wineloader-malware/

NCSC and partners issue advisory on APT29 targeting of cloud services

https://www.ncsc.gov.uk/news/uk-allies-issue-advisory-apt29-targeting-cloud-services

CISA APT29 SVR Cyber Operations Advisory

https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-116a

Microsoft: Midnight Blizzard conducts targeted social engineering over Microsoft Teams

https://www.microsoft.com/en-us/security/blog/2023/08/02/midnight-blizzard-conducts-targeted-social-engineering-over-microsoft-teams/

CERT-EU: APT29 Deploys WINELOADER in Diplomatic-Themed Phishing Campaign

https://cert.europa.eu/publications/threat-intelligence/2024/ti-2024-001/

NCSC: APT29 Targeting UK Political and Diplomatic Entities

https://www.ncsc.gov.uk/news/advisory-apt29-targets-cloud-services

Google Threat Intelligence: APT29 WINELOADER Targeting German Political Parties

https://cloud.google.com/blog/topics/threat-intelligence/apt29-wineloader-german-political-parties

Google Threat Intelligence: Russian APT29 Exploits Gmail App Passwords

https://cloud.google.com/blog/topics/threat-intelligence/tracking-apt29-phishing-campaigns

AWS Security Blog: Amazon Disrupts Watering Hole Campaign by Russia's APT29

https://aws.amazon.com/blogs/security/amazon-disrupts-watering-hole-campaign-by-russias-apt29/

Microsoft Security Blog: New Star Blizzard Spear-Phishing Campaign Targets WhatsApp Accounts

https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/

Mandiant: Backchannel Diplomacy - APT29's Rapidly Evolving Diplomatic Phishing Operations

https://cloud.google.com/blog/topics/threat-intelligence/apt29-evolving-diplomatic-phishing

TeamViewer Security Bulletin TV-2024-1005

https://www.teamviewer.com/en-us/resources/trust-center/security-bulletins/tv-2024-1005/

NCSC advisory: SVR cyber actors adapt tactics for initial cloud access

https://www.ncsc.gov.uk/news/svr-actors-adapt-tactics-for-initial-cloud-access

Mandiant: Cutting Edge Part 4 - Navigating North Korean Threat Data Landscapes

https://cloud.google.com/blog/topics/threat-intelligence/navigating-north-korean-threat-data-landscapes

NCSC: APT29 targets air-gapped systems

https://www.ncsc.gov.uk/news/russian-state-actors-target-air-gapped-systems

Mandiant: Cutting Edge Part 3 - BOOMMIC

https://cloud.google.com/blog/topics/threat-intelligence/cutting-edge-part-3-boommic

Volexity: Dark Halo Leverages SolarWinds Compromise to Breach Organizations

https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/