StellarParticle Campaign – New Undetected Malware Revealed After Two Years



Researchers discovered that the threat actor behind the SolarWinds supply-chain breach used two additional sophisticated malware implants in its campaigns, and that these had been installed on victims' systems much earlier.

What are the new threats that have been discovered?

One of the newly identified dangerous implants, according to CrowdStrike, is a variant of the GoldMax backdoor for Linux computers, and another is a new malware family known as TrailBlazer.

Since mid-2019, StellarParticle campaigns (linked to the APT29 hacking group) have used GoldMax and TrailBlazer. They were only identified two years later, during incident response investigations.

Researchers analysed the User Access Logging (UAL) database during their incident response efforts to uncover earlier malicious account activity, and in doing so discovered the TrailBlazer malware and GoldMax for Linux.

Although GoldMax for Linux is nearly identical in functionality and implementation to the Windows counterpart identified in May 2020, TrailBlazer is an entirely new malware family.

Taking a closer look at the new TrailBlazer implant

TrailBlazer establishes persistence through Windows Management Instrumentation (WMI) Event Subscriptions while masquerading under a legitimate file name, a technique discovered in 2019.
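Because the implant persists through WMI permanent event subscriptions, a defender's first check on a suspect host is to enumerate those subscriptions and review every consumer that can run code. The PowerShell below is an added example, not code from this page or from CrowdStrike; it assumes an elevated shell on Windows 8 / Server 2012 or later (for `Get-CimInstance` and the WMI-Activity operational log).

```powershell
# Added example (not from the CrowdStrike report): enumerate WMI permanent event
# subscriptions and flag consumers that execute commands or scripts. Run elevated.
$ns = 'root\subscription'
$filters   = @{}
$consumers = @{}
Get-CimInstance -Namespace $ns -ClassName __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
Get-CimInstance -Namespace $ns -ClassName __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

# Consumer classes that run arbitrary code when their filter fires.
$codeRunning = @('CommandLineEventConsumer', 'ActiveScriptEventConsumer')

# Binding references arrive as CimInstance objects (Get-CimInstance) or as object
# paths such as __EventFilter.Name="x" (Get-WmiObject); handle both forms.
function Get-RefName($ref) {
    if ($ref -is [string]) {
        if ($ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $ref
    }
    return "$($ref.Name)"
}

$findings = foreach ($b in Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding) {
    $f = $filters[(Get-RefName $b.Filter)]
    $c = $consumers[(Get-RefName $b.Consumer)]
    $class = $c.CimClass.CimClassName
    # The payload is the command line or the script body, depending on the class.
    $payload = if ($class -eq 'CommandLineEventConsumer') { $c.CommandLineTemplate }
               elseif ($class -eq 'ActiveScriptEventConsumer') { $c.ScriptText }
               else { $null }
    [pscustomobject]@{
        Filter        = $f.Name
        Query         = $f.Query
        ConsumerClass = $class
        Consumer      = $c.Name
        Payload       = $payload
        # A legitimate-looking name proves nothing (see the masquerading above);
        # review the query and payload of every code-running consumer.
        ReviewNeeded  = $codeRunning -contains $class
    }
}
$findings | Format-List

# The WMI-Activity operational log records permanent consumer registration as
# event ID 5861; correlate recent entries with the bindings listed above.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```

Baseline the output on a known-clean build of the same image; on most workstations the only expected entries are vendor management agents, so anything with `ReviewNeeded` set and an unfamiliar payload warrants a closer look.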

TrailBlazer communicates with the C2 server by masquerading HTTP requests as legitimate Google Notifications.

It shares similarities with other malware families used by the same threat actor, such as GoldMax and Sunburst, and has modular functionality and a low prevalence.

Tactics, techniques, and procedures

Researchers have provided detailed information about the TTPs observed in cyberattacks in the report.

Credential hopping, hijacking Office 365 Service Principals and Applications, bypassing MFA by stealing browser cookies, and harvesting credentials with Get-ADReplAccount were all employed by the group.

The report details the measures followed by the APT29 group to gain persistence, which allowed them to view any hacked organization’s email and OneDrive/SharePoint files.


The recent discovery of two new harmful implants demonstrates APT29's capability and sophistication. The group has a broad understanding of Linux, Windows, Microsoft Azure, Office 365, and Active Directory. As a result, enterprises should create a multi-layered defence strategy to stay safe.

