OLDBAIT is a credential harvester used by APT28. [1] [2]

ID: S0138
Associated Software: Sasfis
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1003 Credential Dumping

OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, Eudora, and several email clients.[1]

Enterprise T1036 Masquerading

OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter "o."[1]

Enterprise T1027 Obfuscated Files or Information

OLDBAIT obfuscates internal strings and unpacks them at startup.[1]

Enterprise T1071 Standard Application Layer Protocol

OLDBAIT can use HTTP or SMTP for C2.[1]

Groups That Use This Software

ID Name References
G0007 APT28 [1]