TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[1]
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
TrailBlazer has used HTTP requests for C2.[1] |
Enterprise | T1001 | Data Obfuscation |
TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests.[1] |
|
.001 | Junk Data |
TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.[1] |
||
Enterprise | T1546 | .003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription |
TrailBlazer has the ability to use WMI for persistence.[1] |
Enterprise | T1036 | Masquerading |
TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection.[1] |
ID | Name | References |
---|---|---|
G0016 | APT29 |