S0636 VaporRage

VaporRage is a shellcode downloader that has been used by APT29 since at least 2021.[1]

| Item | Value |
|---|---|
| ID | S0636 |
| Associated Names | |
| Version | 1.0 |
| Created | 04 August 2021 |
| Last Modified | 04 August 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | VaporRage can use HTTP to download shellcode from compromised websites.[1] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | VaporRage can deobfuscate XOR-encoded shellcode prior to execution.[1] |
| enterprise | T1480 | Execution Guardrails | VaporRage has the ability to check for the presence of a specific DLL and terminate if it is not found.[1] |
| enterprise | T1105 | Ingress Tool Transfer | VaporRage has the ability to download malicious shellcode to compromised systems.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1] |