POSHSPY

Malware Profile Updated 2 months ago
POSHSPY is a backdoor used by APT29, a Russia-linked intrusion set known for deploying stealthy, long-lived implants. It is built almost entirely from native Windows components: PowerShell supplies the backdoor logic, and Windows Management Instrumentation (WMI) stores that code and keeps it running, so no conventional executable has to be written to disk. Because the persistence lives in the WMI repository, it is easy to overlook for defenders who do not routinely inspect WMI, and it survives the removal of more obvious artifacts. Once running, POSHSPY can download and execute additional PowerShell code and Windows binaries, which lets its operators stage follow-on tooling at will.

Mandiant first identified an early variant of POSHSPY during an incident response engagement in 2015, where it had been deployed as a set of PowerShell scripts that blended into normal administrative activity. In the following years Mandiant found POSHSPY in several other environments compromised by APT29, confirming that it was in regular use rather than a one-off.

APT29 typically deployed POSHSPY as a secondary or failover backdoor: if the primary implants were detected and removed, POSHSPY preserved the operators' access to the compromised systems. Its small footprint, reliance on built-in tooling, and WMI-based persistence make it a representative example of the group's tradecraft.
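The check a defender wants for this class of implant is an inventory of WMI permanent event subscriptions. The script below is an added example, not code from the original page or from the Mandiant write-up; it assumes the WMI persistence described above takes the standard form of an __EventFilter bound to an event consumer in the root\subscription namespace, enumerates every binding, joins it to its filter and consumer, decodes any -EncodedCommand payload, and flags consumers that launch PowerShell or contain download-and-execute patterns. The regex of suspicious tokens and the known-good consumer name are the author's choices for illustration.

```powershell
# Added hunting script for WMI permanent event subscriptions (not from the
# original page). Assumes the persistence is an __EventFilter bound to a
# consumer in root\subscription. Run as Administrator; it only reads WMI.

$ns = 'root\subscription'

# Pull every filter, consumer and binding once so we can join them in memory.
$filters    = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$cmdCons    = @(Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer -ErrorAction SilentlyContinue)
$scriptCons = @(Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
$bindings   = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)

# Binding.Filter / Binding.Consumer are references; depending on the cmdlet and
# provider they surface as CimInstance objects or as strings like
# __EventFilter.Name="x". Handle both.
function Get-ReferenceName {
    param($Ref)
    if ($null -eq $Ref) { return $null }
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

# Decode a -EncodedCommand payload (base64 of UTF-16LE) so it can be read.
function Expand-EncodedCommand {
    param([string]$CommandLine)
    if ([string]::IsNullOrEmpty($CommandLine)) { return $null }
    if ($CommandLine -match '(?i)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})') {
        try { return [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[1])) }
        catch { return $null }
    }
    return $null
}

# Tokens typical of PowerShell stagers in a consumer's command line or script
# text (illustrative list, extend to taste).
$suspiciousPattern = '(?i)powershell|pwsh|-(e|ec|enc|encodedcommand)\b|hidden|downloadstring|downloadfile|invoke-expression|\biex\b|frombase64string'

# Consumer that ships with Windows and is bound by default; everything else
# deserves a look.
$knownGood = @('SCM Event Log Consumer')

$results = foreach ($b in $bindings) {
    $filterName   = Get-ReferenceName $b.Filter
    $consumerName = Get-ReferenceName $b.Consumer
    $filter = $filters    | Where-Object Name -eq $filterName   | Select-Object -First 1
    $cmdCon = $cmdCons    | Where-Object Name -eq $consumerName | Select-Object -First 1
    $scrCon = $scriptCons | Where-Object Name -eq $consumerName | Select-Object -First 1

    if ($cmdCon)     { $type = 'CommandLine';  $payload = $cmdCon.CommandLineTemplate }
    elseif ($scrCon) { $type = 'ActiveScript'; $payload = $scrCon.ScriptText }
    else             { $type = 'Other';        $payload = $null }
    $decoded = Expand-EncodedCommand $payload

    $flag = ($consumerName -notin $knownGood) -and
            (($payload -match $suspiciousPattern) -or ($decoded -match $suspiciousPattern))

    [pscustomobject]@{
        Filter     = $filterName
        Query      = $filter.Query      # the WQL trigger, e.g. a timer or logon event
        Consumer   = $consumerName
        Type       = $type
        Payload    = $payload
        Decoded    = $decoded
        Suspicious = $flag
    }
}

$results | Sort-Object Suspicious -Descending | Format-List
```

Read the Query column as carefully as the payload: a consumer that fires on a time-of-day or uptime timer, or on process-start events, with no business justification is the pattern to chase even when the command line looks innocuous. For continuous coverage rather than a point-in-time sweep, Sysmon event IDs 19, 20 and 21 record the creation of WMI event filters, consumers and bindings respectively, and the Microsoft-Windows-WMI-Activity/Operational log records new permanent subscriptions as event ID 5861 on current Windows versions.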
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Backdoor
Windows
PowerShell
Associated Malware
No associations to display
Associated Threat Actors
ID     Type         Votes  Profile Description
APT29  Unspecified  2      APT29, also known as Cozy Bear, Nobelium, The Dukes, Midnight Blizzard, SVR group, and BlueBravo, is a notable threat actor linked to Russia. This group has gained notoriety over the years for its sophisticated cyberattacks against various targets. Recently, APT29 exploited a zero-day vulnerability
Associated Vulnerabilities
ID     Type         Votes  Profile Description
Apt29  Unspecified  1      None
Source Document References
Information about the POSHSPY malware was read from the documents in the corpus below.
Source   Created At     Title
CERT-EU  9 months ago   Advanced Threat Techniques: Living off the Land
MITRE    a year ago     Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY) | Mandiant