This week's kill chain focused on the staging process of APT29's malware (the family collectively referred to as the Dukes). The malware used in this operation consisted of four stages. Steganography was used in the first two stages to hide payloads, and commands from the C2, inside image files that otherwise look benign. We emulated this staging process by encoding Schism (a fully modular, Python-based HTTP agent) into a PNG file, running a decoder to recover its contents from the image, and then executing Schism. We hope this kill chain demonstrates how adversaries use these defense evasion techniques and what defenders should look for.
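The following is an added example written for this description, not the Dukes' encoder and not Prelude's own Schism tooling. It shows the two halves of the staging step above with nothing but the Python standard library: a payload is hidden in the least-significant bit of each RGB channel byte of a carrier image, the carrier is written out as a valid PNG, and a decoder parses the PNG back and rebuilds the payload. The carrier pixels, image size, and the stand-in "agent" script are all constructed for the example; a real operator would use a benign-looking photo and the decoded script would then be executed, which this example deliberately does not do.

```python
import struct
import zlib

WIDTH, HEIGHT = 64, 64          # carrier size (hypothetical, constructed)
CHANNELS = 3                    # 8-bit RGB
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _chunk(tag: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(tag + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)


def carrier_pixels() -> bytearray:
    """Deterministic pseudo-noise carrier standing in for a real photo."""
    return bytearray(((i * 7919 + 13) & 0xFF) for i in range(WIDTH * HEIGHT * CHANNELS))


def embed(payload: bytes, pixels: bytes) -> bytearray:
    """Hide a 4-byte length prefix + payload, one bit per channel byte (LSB)."""
    framed = struct.pack(">I", len(payload)) + payload
    if len(framed) * 8 > len(pixels):
        raise ValueError("payload exceeds carrier capacity")
    out = bytearray(pixels)
    for bit_index in range(len(framed) * 8):
        bit = (framed[bit_index >> 3] >> (7 - (bit_index & 7))) & 1
        out[bit_index] = (out[bit_index] & 0xFE) | bit   # replace the LSB only
    return out


def write_png(pixels: bytes) -> bytes:
    """Wrap raw RGB scanlines in a valid PNG (filter byte 0 on every row)."""
    stride = WIDTH * CHANNELS
    raw = b"".join(b"\x00" + bytes(pixels[y * stride:(y + 1) * stride])
                   for y in range(HEIGHT))
    # width, height, bit depth 8, colour type 2 (RGB), compression/filter/interlace 0
    ihdr = struct.pack(">IIBBBBB", WIDTH, HEIGHT, 8, 2, 0, 0, 0)
    return (PNG_MAGIC + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw)) + _chunk(b"IEND", b""))


def read_png(png: bytes) -> bytearray:
    """Decoder stage, part 1: parse chunks, verify CRCs, inflate the pixel data."""
    if png[:8] != PNG_MAGIC:
        raise ValueError("not a PNG")
    pos, idat = 8, b""
    while pos < len(png):
        length, = struct.unpack(">I", png[pos:pos + 4])
        tag = png[pos + 4:pos + 8]
        data = png[pos + 8:pos + 8 + length]
        crc, = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if crc != zlib.crc32(tag + data) & 0xFFFFFFFF:
            raise ValueError("CRC mismatch in chunk %r" % tag)
        if tag == b"IDAT":
            idat += data
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = WIDTH * CHANNELS + 1          # +1 for the per-row filter byte
    pixels = bytearray()
    for y in range(HEIGHT):
        row = raw[y * stride:(y + 1) * stride]
        if row[0] != 0:
            raise ValueError("only filter type 0 is handled in this example")
        pixels += row[1:]
    return pixels


def extract(pixels: bytes) -> bytes:
    """Decoder stage, part 2: rebuild the framed payload from channel LSBs."""
    def read_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for i in range(count):
            b = 0
            for j in range(8):
                b = (b << 1) | (pixels[start_bit + i * 8 + j] & 1)
            out.append(b)
        return bytes(out)
    length, = struct.unpack(">I", read_bytes(0, 4))
    return read_bytes(32, length)


def roundtrip(payload: bytes) -> bytes:
    """embed -> PNG bytes -> parse -> extract; returns the recovered payload."""
    return extract(read_png(write_png(embed(payload, carrier_pixels()))))


# Constructed stand-in for the agent script that would be staged (not Schism).
SAMPLE_PAYLOAD = b"import http.client\n# hypothetical agent body\nprint('beacon')\n"

if __name__ == "__main__":
    print(roundtrip(SAMPLE_PAYLOAD) == SAMPLE_PAYLOAD)   # True
    # A real final stage would exec() the recovered script; omitted on purpose.
```

Two points for defenders follow directly from the code: the carrier stays a byte-for-byte valid PNG (magic, CRCs, and zlib stream all check out), so file-type and integrity checks alone will not flag it, and the only on-disk artifact of the staging is an image plus whatever tiny decoder the adversary ships, which is why the kill chain focuses on the decoder's behaviour (an image being read and then a script interpreter spawned) rather than on the image itself.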
Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
GET OUR PRODUCTS
----------------
Download Prelude Operator: www.prelude.org/download/current
See the latest kill chain and TTP Releases: chains.prelude.org/
See our open-source repositories: github.com/preludeorg
JOIN OUR COMMUNITY
------------------
Discord: discord.gg/gzUv4XNquu
Reddit: www.reddit.com/r/preludeorg/
Twitter: twitter.com/preludeorg
READ, WATCH, AND LISTEN
-----------------------
Listen to our Podcast: anchor.fm/preludeorg
Read our blog: feed.prelude.org/
Watch our live streams: www.twitch.tv/preludeorg
Watch our pre-recorded content: youtube.com/c/preludeorg
FOLLOW OUR TEAM
---------------
David: twitter.com/privateducky
Alex: twitter.com/khyberspache
Kris: twitter.com/Xanthonus
Octavia: twitter.com/VV_X_7
Sam: twitter.com/wasupwithuman