TrailBlazer

TrailBlazer is a modular malware that has been used by APT29 since at least 2019.[1]

ID: S0682
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 08 February 2022
Last Modified: 27 March 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

TrailBlazer has used HTTP requests for C2.[1]

Enterprise T1001 Data Obfuscation

TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests.[1]

.001 Junk Data

TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.[1]

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

TrailBlazer has the ability to use WMI for persistence.[1]

Enterprise T1036 Masquerading

TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection.[1]

Groups That Use This Software

ID Name References
G0016 APT29

[1][2][3][4]

Campaigns

ID Name Description
C0024 SolarWinds Compromise

[1]

References