1. Home
  2. Software
  3. TrailBlazer

TrailBlazer

TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[1]

ID: S0682
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 08 February 2022
Last Modified: 27 March 2023
Version Permalink
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TrailBlazer has used HTTP requests for C2.[1]
Enterprise T1001 Data Obfuscation

TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests.[1]
.001 Junk Data

TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.[1]
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

TrailBlazer has the ability to use WMI for persistence.[1]
Enterprise T1036 Masquerading

TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3][4]

Campaigns

ID Name Description
C0024 SolarWinds Compromise

[1]

References

  1. CrowdStrike. (2022, January 27). Early Bird Catches the Wormhole: Observations from the StellarParticle Campaign. Retrieved February 7, 2022.
  2. NSA, FBI, DHS. (2021, April 15). Russian SVR Targets U.S. and Allied Networks. Retrieved April 16, 2021.
  1. UK NCSC. (2021, April 15). UK and US call out Russia for SolarWinds compromise. Retrieved April 16, 2021.
  2. Mandiant. (2020, April 27). Assembling the Russian Nesting Doll: UNC2452 Merged into APT29. Retrieved March 26, 2023.