Skip to content


OLDBAIT is a credential harvester used by APT28. 1 2

Item Value
ID S0138
Associated Names
Version 1.1
Created 31 May 2017
Last Modified 19 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols OLDBAIT can use HTTP for C2.1
enterprise T1071.003 Mail Protocols OLDBAIT can use SMTP for C2.1
enterprise T1555 Credentials from Password Stores OLDBAIT collects credentials from several email clients.1
enterprise T1555.003 Credentials from Web Browsers OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location OLDBAIT installs itself in %ALLUSERPROFILE%\Application Data\Microsoft\MediaPlayer\updatewindws.exe; the directory name is missing a space and the file name is missing the letter “o.”1
enterprise T1027 Obfuscated Files or Information OLDBAIT obfuscates internal strings and unpacks them at startup.1

Groups That Use This Software

ID Name References
G0007 APT28 1


Back to top