Thursday, May 23, 2024
HomeCyber CrimeStellarParticle Campaign - New Undetected Malware Revealed After Two Years

StellarParticle Campaign – New Undetected Malware Revealed After Two Years


Researchers discovered that the hackers behind the SolarWinds supply-chain breach used two additional sophisticated viruses in their campaigns, which were installed on the victims’ systems much earlier.

What are the new threats that have been discovered?

One of the newly identified dangerous implants, according to CrowdStrike, is a variant of the GoldMax backdoor for Linux computers, and another is a new malware family known as TrailBlazer.

Since mid-2019, StellarParticle campaigns (linked to the APT29 hacking group) have used GoldMax and TrailBlazer. They were only identified two years later, during incident response investigations.

Researchers analysed the User Access Logging (UAL) database during their incident response efforts to uncover previous fraudulent account activities and discovered TrailBlazer malware and GoldMax for Linux.

Although GoldMax for Linux is nearly identical in functionality and implementation to the previously identified Windows counterpart in May 2020, TrailBlazer is a whole new malware family.

Taking a closer look at the new TrailBlazer implant

TrailBlazer uses the Windows Management Instrumentation (WMI) Event Subscriptions to establish persistence while masquerading as a legitimate file name, a technique discovered in 2019.

TrailBlazer communicates with the C2 server by masquerading HTTP requests as legitimate Google Notifications.

It shares similarities with other malware families used by the same threat actor, such as GoldMax and Sunburst, and has modular functionality and a low prevalence.

Procedures, tactics, and techniques

Researchers have provided detailed information about the TTPs observed in cyberattacks in the report.

Credential hopping, hijacking Office 365 Service Principal and Application, bypassing MFA by collecting browser cookies, and stealing credentials with Get-ADReplAccount were all employed by the organisation.

The report details the measures followed by the APT29 group to gain persistence, which allowed them to view any hacked organization’s email and OneDrive/SharePoint files.


The recent discovery of two new harmful implants demonstrates APT29’s capability and sophistication. The team has a broad understanding of Linux, Windows, Microsoft Azure, Office 365, and Active Directory. As a result, enterprises should create a multi-layered defence strategy to stay safe.



Please enter your comment!
Please enter your name here

Most Popular

Recent Comments

Izzi Казино онлайн казино казино x мобильді нұсқасы on Instagram and Facebook Video Download Made Easy with
Temporada 2022-2023 on CamPhish
2017 Grammy Outfits on Meesho Supplier Panel: Register Now!
React JS Training in Bangalore on Best Online Learning Platforms in India
DigiSec Technologies | Digital Marketing agency in Melbourne on Buy your favourite Mobile on EMI
亚洲A∨精品无码一区二区观看 on Restaurant Scheduling 101 For Better Business Performance

Write For Us