APT29 COVID-19 Vaccine Data

Stage a disarmed APT29 WellMess malware sample and use gost (Go Simple Tunnel) to create a SOCKS5 proxy server and client.

TTP Tuesday: APT29 - COVID-19 Vaccine Data

Execute a disarmed WellMess malware sample

Theme Overview

Our last release looked at Operation Ghost and the use of steganography to encode malware in a PNG file.

For this week’s TTP Tuesday we are releasing a new APT29 themed chain based on WellMess malware used to target COVID-19 vaccine manufacturers. Both NCSC and CISA released multiple advisories on APT29 targeting vaccine development in early 2020. More information, including YARA rules, can be found in the original reports here and here.


WellMess has a small set of features such as file upload and download, command execution via CMD or execve, and encrypted C2 traffic. Notably, WellMess uses gost (Go Simple Tunnel) for lateral movement. Gost can be used for multi-hop socks5 proxies as well as several other routing and proxy capabilities discussed further on the project page.

This week, our primary chain stages and executes a disarmed WellMess malware sample. We’ve included two additional chains to both set up a gost server and a gost client so you can start routing network traffic through a socks5 proxy. To get started, configure your range with the required gost facts such as server IP and proxy port.

Watch a demonstration: APT29 COVID Vaccine Data

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator


Disarmed WellMess malware