Skip to content


HAMMERTOSS is a backdoor that was used by APT29 in 2015. 1 2

Item Value
ID S0037
Associated Names
Version 1.2
Created 31 May 2017
Last Modified 09 February 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols The “Uploader” variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell HAMMERTOSS is known to use PowerShell.1
enterprise T1001 Data Obfuscation -
enterprise T1001.002 Steganography HAMMERTOSS is controlled via commands that are appended to image files.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day’s tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day’s tweet, and the image file containing the command.1
enterprise T1567 Exfiltration Over Web Service -
enterprise T1567.002 Exfiltration to Cloud Storage HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.1
enterprise T1564 Hide Artifacts -
enterprise T1564.003 Hidden Window HAMMERTOSS has used -WindowStyle hidden to conceal PowerShell windows.1
enterprise T1102 Web Service -
enterprise T1102.003 One-Way Communication The “tDiscoverer” variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day.1

Groups That Use This Software

ID Name References
G0016 APT29 23


Back to top