APT29 is a new threat actor that operates during UTC+3 work hours. APT29 targets government organizations in an attempt to collect geopolitical data that could be of interest to Russia. APT29 (names associated APT29, Cozybear, Cozyduke, Hammertoss, Hammerduke) might be a state sponsored threat group; however, the group is too new to exhibit definitive signs of state sponsorship.

APT29 employs anti-forensic techniques, they monitor analysis and remediation efforts, and they rely upon compromised C2C infrastructure. APT28 embeds the Hammertoss commands into images using steganography. APT29 programs Hammertoss to operate to blend into normal target network traffic and normal target network traffic patterns. The group preconfigures Hammertoss to activate after a predetermined date and only communicates during specified hours.

There are two variants of Hammertoss, Uploader and Discoverer. Both variants receive their instructions from an embedded image. Uploader goes to a hard-coded C2C server address and downloads an image of a specific file size. tDiscoverer generates and visits a new Twitter handle every day from a preconfigured algorithm. It attempts to visit that page. If the actor has registered the handle, then it visits the page and looks for a tweet with a URL that indicates the location of its instructions and a hashtag that specifies the minimum size of the image file. After the number of bytes, the hashtag may also contain a string that the malware adds to its encryption key so that it can decrypt the data. If the actor has not registered the handle, then the malware waits until the next day and repeats the process with the next handle generated by the algorithm. The malware fetches the image from the URL. Uploader or tDiscoverer, decrypts the data hidden in the image, and processes the attackers’ command. Commands include conducting reconnaissance on the victim system, executing commands via PowerShell, or uploading stolen data to a cloud storage service.

Type: Nation-State Sponsored

Status: Active

Other Names: CozyBear/ CozyDuke/ Hammertoss/ Group 100 / Minidionis/ CozyCar/ CozyBear/ Office Monkeys/ Cozer/ EuroAPT

Active Since/Discovered: July 2014/ 2015

Last Report:

Targets: USA, Germany, Uzbekistan, South Korea

Target Sectors: Government and Commercial entities


  • Hammertoss/ HammerDuke/ NetDuke – backdoor (2015)
    • controlled via commands that are appended to image files
    • “tDiscoverer” variant establishes a C2 channel by downloading resources from Web services like Twitter and GitHub
    • commands are encrypted with a key composed of both a hard-coded value and a string contained on that day’s tweet
    • “Uploader” variant visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands
    • exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later
  • CozyDuke/ CozyCar/ CozyBear/ Cozer/ EuroAPT- modular malware platform and backdoor
    • Strong similarity to MiniDuke toolset.
    • Command execution module for executing arbitrary Windows Command Prompt commands
    • Password stealer module
    • NT LAN Manager (NTLM) hash stealer module
    • System information gathering module
    • Screenshot module
    • Dropper
    • Modular backdoor
    • Multiple persistence components
    • Information gathering module
    • Screenshot module
    • Password hash stealing module
    • Security software discovery
    • Payload encrypted with simple XOR with a rotating key
    • Configuration file encrypted with RC4 keys
  • OnionDuke – used 2013-2015 – credential stealer
    • Uses twitter as a backup method
    • HTTP(s) for C2
  • CosmicDuke/ TinyBaron/ BotgenStudios/ NemesisGemina – File/ Information harvester
  • MiniDuke – toolset consisting of multiple downloader and backdoor components
  • SeaDuke/ SeaDaddy/ SeaDesk – Used 2014-2015- secondary backdoor
  • Mimikatz- credential dumper
  • Python implants compiled with py2exe
  • AdobeARM
  • ATI-Agent
  • MiniDionis/ CloudDuke / CloudLook – data exfiltration via Microsoft OneDrive account
  • PSExec – free Microsoft tool that can be used to execute a program on another computer

Preferred Attack Vector:  

  • Social engineering
  • Watering hole attacks


  • Cyberespionage
  • Cryptographic and obfuscation techniques
    • Uses steganography to deliver commands via Twitter images
    • Malware scans for Kaspersky Lab, Sophos, DrWeb, Avira, Crystal and Comodo Dragon security products in order to attempt to evade them


  • High profile victims include White House and State Department
Privacy Settings
We use cookies to enhance your experience while using our website. If you are using our Services via a browser you can restrict, block or remove cookies through your web browser settings. We also use content and scripts from third parties that may use tracking technologies. You can selectively provide your consent below to allow such third party embeds. For complete information about the cookies we use, data we collect and how we process them, please check our Privacy Policy
Consent to display content from Youtube
Consent to display content from Vimeo
Google Maps
Consent to display content from Google