🇷🇺APT29
🇷🇺 APT29 is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: State. We map 26 detection use cases to this actor across 88 MITRE ATT&CK techniques, with 5 threat-intel articles citing them. Active in our corpus from 2026-02-08 to 2026-06-08.
crit 2high 1med 1low 1
26Use cases
5Articles
88Techniques
6IOCs
Known aliases
APT29Cozy BearNobeliumMidnight BlizzardThe DukesYTTRIUMSVRIRON RITUALIRON HEMLOCKNobleBaronDark HaloNOBELIUMUNC2452CozyDukeSolarStormBlue KitsuneUNC3524
Top techniques
All other tracked techniques
T1003.002 · Security Account ManagerT1003.004 · LSA SecretsT1005 · Data from Local SystemT1016.001 · Internet Connection DiscoveryT1021.002 · SMB/Windows Admin SharesT1021.007 · Cloud ServicesT1027 · Obfuscated Files or InformationT1027.001 · Binary PaddingT1027.002 · Software PackingT1027.006 · HTML SmugglingT1036.005 · Match Legitimate Resource Name or LocationT1037 · Boot or Logon Initialization ScriptsT1037.004 · RC ScriptsT1047 · Windows Management InstrumentationT1053.005 · Scheduled TaskT1059.001 · PowerShellT1059.005 · Visual BasicT1059.006 · PythonT1059.009 · Cloud APIT1068 · Exploitation for Privilege EscalationT1070.004 · File DeletionT1070.006 · TimestompT1071 · Application Layer ProtocolT1071.001 · Web ProtocolsT1078 · Valid AccountsT1078.003 · Local AccountsT1078.004 · Cloud AccountsT1087 · Account DiscoveryT1087.004 · Cloud AccountT1090.002 · External ProxyT1090.003 · Multi-hop ProxyT1090.004 · Domain FrontingT1098.001 · Additional Cloud CredentialsT1098.002 · Additional Email Delegate PermissionsT1098.005 · Device RegistrationT1105 · Ingress Tool TransferT1110.001 · Password GuessingT1110.003 · Password SprayingT1114.002 · Remote Email CollectionT1127.001 · MSBuildT1133 · External Remote ServicesT1136.003 · Cloud AccountT1195.002 · Compromise Software Supply ChainT1199 · Trusted RelationshipT1203 · Exploitation for Client ExecutionT1204.001 · Malicious LinkT1204.002 · Malicious FileT1204.004 · Malicious Copy and PasteT1218 · System Binary Proxy ExecutionT1218.005 · MshtaT1219 · Remote Access ToolsT1505.003 · Web ShellT1528 · Steal Application Access TokenT1546.003 · Windows Management Instrumentation Event SubscriptionT1546.008 · Accessibility FeaturesT1547.001 · Registry Run Keys / Startup FolderT1548.002 · Bypass User Account ControlT1550 · Use Alternate Authentication MaterialT1550.001 · Application Access TokenT1550.003 · Pass the TicketT1553.005 · Mark-of-the-Web BypassT1556.007 · Hybrid IdentityT1566.001 · Spearphishing AttachmentT1566.003 · Spearphishing via ServiceT1566.004 · Spearphishing VoiceT1568 · Dynamic ResolutionT1569.002 · Service ExecutionT1573 · Encrypted ChannelT1573.002 · Asymmetric CryptographyT1574.002 · T1574.002T1583.001 · DomainsT1583.006 · Web ServicesT1586.002 · Email AccountsT1586.003 · Cloud AccountsT1587.001 · MalwareT1587.003 · Digital CertificatesT1588.002 · ToolT1595.002 · Vulnerability ScanningT1606.002 · SAML TokensT1621 · Multi-Factor Authentication Request GenerationT1649 · Steal or Forge Authentication CertificatesT1651 · Cloud Administration CommandT1656 · T1656T1665 · Hide InfrastructureT1685.002 · Disable or Modify Cloud Log
Detection use cases (26)
APT29 / Midnight Blizzard service principal credential addition followed by app-only Exchange Online access APT29 / Midnight Blizzard residential-proxy password spray landing on legacy-auth account External MS Teams chat invite from IT-impersonating unmanaged or federated tenant MFA approval within minutes of inbound external Microsoft Teams chat Activity involving ommicrosoft.com Cloaked-Ursa Teams typosquat Phishing-link click correlated to endpoint execution Email attachment opened from external sender Office app spawning script/LOLBin child process Microsoft Teams external-tenant chat from unverified IT-helpdesk impersonator RMM tool installed by non-IT user — remote-access utility for hands-on-keyboard Fake CAPTCHA / clipboard-injected PowerShell (ClickFix / FakeCaptcha) Network connections to article IPs / domains Curious Serpens / APT29 ROADtools-pattern: device registration immediately following non-interactive token acquisition UTA0355 device-code phishing: deviceCode auth flow with cross-IP token redemption 1Password activity from Tor exit node 1Password impossible-travel sign-in Auth-Bypass on Public-Facing Service → Post-Exploit Action on Same Host (≤10 min) Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload) Developer package install spawning script-host with non-registry C2 within 5 minutes Edge-service post-exploitation chain: internet-facing daemon → child shell or token redemption within 10 min of external request Install-Triggered Registry Publish or Git Push (Supply-Chain Worm Self-Propagation) Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit) Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution Language-runtime server (node/python/java) spawns OS shell shortly after inbound request — eval / sandbox-escape exploitation chain Linux LPE chain — anomalous algif_aead/esp4/esp6/rxrpc kernel-module load followed by same-user root transitionThreat-intel articles (5)
crit PlugX Meeting Invitation via MSBuild and GDATA · 2026-02-26
med The GRU illegals · 2026-02-08
Tracked indicators
Domains (6)
decoorat.net decoraat.net gesecole.net ommicrosoft.com onedow.gesecole.net onedown.gesecole.net