POSHSPY

Malware updated 6 months ago (2024-05-05T07:17:34.403Z)
POSHSPY is a backdoor used by APT29, a Russia-linked espionage group known for stealthy, long-lived implants. It is built almost entirely from components already present on Windows: PowerShell supplies the execution logic, and Windows Management Instrumentation (WMI) supplies both the storage for the backdoor code and the persistence mechanism that runs it. Because the persistence lives in the WMI repository rather than in the autostart locations most responders check first, the backdoor is close to invisible to anyone not familiar with the internals of WMI. Once running, POSHSPY can download and execute additional PowerShell code and Windows binaries, which gives its operators a path to full tooling on the host.

Mandiant first identified an early variant of POSHSPY during an incident response engagement in 2015; at that stage it was deployed as PowerShell scripts. Over the following years Mandiant found POSHSPY in several other environments compromised by APT29.

In APT29 operations POSHSPY was typically deployed as a secondary, or failover, backdoor: if the primary backdoors were detected and removed, POSHSPY preserved the attackers' access to the compromised systems. Its reliance on built-in components, together with its resilient persistence, makes it a representative example of the group's tradecraft.
Description last updated: 2024-05-05T06:37:00.373Z
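As an added hunting example (not POSHSPY code, and not Mandiant's), the following PowerShell enumerates the WMI permanent event subscriptions that a backdoor of this type relies on for persistence: the __EventFilter, __EventConsumer and __FilterToConsumerBinding instances in root\subscription. It joins each binding to its filter and consumer and flags consumers whose command line or script text contains PowerShell-style strings. The keyword list and the Get-RefName helper are assumptions of this example, not indicators published for POSHSPY.

```powershell
# Added hunting example, not POSHSPY code and not Mandiant's. Enumerates WMI
# permanent event subscriptions (filter -> consumer bindings) in
# root\subscription and flags consumers that look like they launch PowerShell.
# Reading root\subscription requires an elevated (administrator) prompt.

$ns = 'root\subscription'

# Assumed generic heuristic (not a POSHSPY indicator): substrings that commonly
# appear when WMI is used to launch PowerShell covertly or to fetch and run code.
$keywords = @('powershell', '-enc', '-encodedcommand', '-w hidden', '-nop',
              'bypass', 'downloadstring', 'iex', 'invoke-expression',
              'frombase64string', 'wmiobject', 'ciminstance')

function Get-RefName {
    # A binding's Filter/Consumer property is a CIM reference. Get-CimInstance
    # normally resolves it to a CimInstance whose key (Name) is populated; some
    # paths return an object-path string such as __EventFilter.Name="X".
    param($Ref)
    if ($Ref -is [Microsoft.Management.Infrastructure.CimInstance]) { return $Ref.Name }
    return [regex]::Match([string]$Ref, 'Name="([^"]*)"').Groups[1].Value
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns derived classes too
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$results = foreach ($b in $bindings) {
    $fName = Get-RefName $b.Filter
    $cName = Get-RefName $b.Consumer
    $f = $filters   | Where-Object Name -eq $fName
    $c = $consumers | Where-Object Name -eq $cName

    # CommandLineEventConsumer carries a command line; ActiveScriptEventConsumer
    # carries inline script or a script path. Other consumer types (event log,
    # SMTP, log file) have no executable payload and yield an empty string.
    $payload = switch ($c.CimClass.CimClassName) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
        'ActiveScriptEventConsumer' { if ($c.ScriptText) { $c.ScriptText } else { $c.ScriptFileName } }
        default                     { '' }
    }

    # -match is case-insensitive in PowerShell; escape so keywords are literal.
    $hits = $keywords | Where-Object { $payload -match [regex]::Escape($_) }

    [pscustomobject]@{
        Filter       = $fName
        Query        = $f.Query            # WQL trigger; time-based triggers show up here
        Consumer     = $cName
        ConsumerType = $c.CimClass.CimClassName
        Payload      = $payload
        Suspicious   = [bool]$hits
        Hits         = ($hits -join ',')
    }
}

# Suspicious bindings first; review Query and Payload by hand for each.
$results | Sort-Object Suspicious -Descending | Format-List
```

Most Windows installations carry at least one legitimate binding (the SCM Event Log Filter paired with an NTEventLogEventConsumer), so compare the output against a known-good baseline rather than treating any result as malicious. The description above also notes that POSHSPY stores its code in WMI; this enumeration covers only the subscriptions, so a clean result does not by itself rule out a payload parked in a custom WMI class.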
Aliases: none currently tracked

Miscellaneous Associations (other elements of context that could aid in identifying relevance): Backdoor, Windows
Associated Threat Actors

Alias: APT29
Description: The APT29 Threat Actor is associated with POSHSPY. APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, is a Russia-linked threat actor associated with the SVR. This group is notorious for its sophisticated cyber espionage tactics, techniques, and procedures. APT29 often uses The Onion Router (TOR) network, leased and compromised
Association Type: Unspecified
Votes: 2