1. Home
  2. Software
  3. TrailBlazer

TrailBlazer

TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[1]

ID: S0682
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 08 February 2022
Last Modified: 27 March 2023
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1546 .003 事件触发执行: Windows Management Instrumentation Event Subscription

TrailBlazer has the ability to use WMI for persistence.[1]
Enterprise T1036 伪装

TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection.[1]
Enterprise T1071 .001 应用层协议: Web Protocols

TrailBlazer has used HTTP requests for C2.[1]
Enterprise T1001 数据混淆

TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests.[1]
.001 Junk Data

TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3][4]

Campaigns

ID Name Description
C0024 SolarWinds Compromise

[1]

References

  1. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  2. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  1. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  2. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.