Skip to content

S0682 TrailBlazer

TrailBlazer is a modular malware that has been used by APT29 since at least 2019.1

Item Value
ID S0682
Associated Names
Version 1.1
Created 08 February 2022
Last Modified 27 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols TrailBlazer has used HTTP requests for C2.1
enterprise T1001 Data Obfuscation TrailBlazer can masquerade its C2 traffic as legitimate Google Notifications HTTP requests.1
enterprise T1001.001 Junk Data TrailBlazer has used random identifier strings to obscure its C2 operations and result codes.1
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription TrailBlazer has the ability to use WMI for persistence.1
enterprise T1036 Masquerading TrailBlazer has used filenames that match the name of the compromised system in attempt to avoid detection.1

Groups That Use This Software

ID Name References
G0016 APT29 1342