Skip to content


POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to be used as a secondary backdoor used if the actors lost access to their primary backdoors. 1

Item Value
ID S0150
Associated Names
Version 1.2
Created 14 December 2017
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell POSHSPY uses PowerShell to execute various commands, one to execute its payload.1
enterprise T1030 Data Transfer Size Limits POSHSPY uploads data in 2048-byte chunks.1
enterprise T1568 Dynamic Resolution -
enterprise T1568.002 Domain Generation Algorithms POSHSPY uses a DGA to derive command and control URLs from a word list.1
enterprise T1573 Encrypted Channel -
enterprise T1573.002 Asymmetric Cryptography POSHSPY encrypts C2 traffic with AES and RSA.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription POSHSPY uses a WMI event subscription to establish persistence.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.006 Timestomp POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.1
enterprise T1105 Ingress Tool Transfer POSHSPY downloads and executes additional PowerShell code and Windows binaries.1
enterprise T1027 Obfuscated Files or Information POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.1

Groups That Use This Software

ID Name References
G0016 APT29 1


Back to top