C0021
C0021 was a spearphishing campaign conducted in November 2018 that targeted public sector institutions, non-governmental organizations (NGOs), educational institutions, and private-sector corporations in the oil and gas, chemical, and hospitality industries. The majority of targets were located in the US, particularly in and around Washington D.C., with other targets located in Europe, Hong Kong, India, and Canada. C0021's technical artifacts, tactics, techniques, and procedures (TTPs), and targeting overlap with previous suspected APT29 activity.[1][2]
Analyst context for executives and security teams
C0021 matters because it shows how a targeted spearphishing-link campaign can combine social engineering, staged infrastructure, obfuscated payloads, PowerShell, legitimate execution utilities, and Cobalt Strike-style post-exploitation tooling. For leaders, the practical issue is not the 2018 date alone; it is whether the organization can prove that email, identity, endpoint, and network teams would see and contain this chain before it becomes a broader intrusion.
Executive priority
Prioritize this as a resilience and evidence problem: can the business demonstrate controls against targeted phishing links, payload download, command execution, and command-and-control traffic? The campaign targeted public sector, NGOs, education, and several private-sector industries including oil and gas, chemical, and hospitality, so risk owners in similar environments should use it to test phishing readiness, incident response handoffs, and audit evidence for email security, endpoint logging, and network monitoring. Treat the reported overlap with suspected APT29 activity as context, not as a definitive attribution claim.
Technical view
SOC and IR teams should validate visibility across the relationship chain: spearphishing links and user click activity; execution via PowerShell and rundll32; embedded or obfuscated payloads and later deobfuscation/decoding; ingress tool transfer; C2 over web protocols, non-application-layer protocols, and encrypted/asymmetric channels; and use of Cobalt Strike. Because ATT&CK provides no official detection text for this campaign, detection engineering should map controls to the related techniques rather than relying on campaign-level indicators.
Likely telemetry
- Email security logs for inbound messages, URLs, sender metadata, and user click events
- Identity provider and Office Suite logs related to link access and authentication context
- Endpoint process creation telemetry, especially PowerShell and rundll32 command lines
- Script block, command-line, and file creation telemetry where available
- Web proxy, DNS, firewall, and network flow logs for outbound web and non-application-layer communications
Detection direction
- Test whether phishing-link detections preserve enough context to connect email delivery, URL click, payload retrieval, and endpoint execution.
- Tune PowerShell and rundll32 analytics for suspicious parent-child process chains, unusual command-line structure, and encoded or obfuscated content while accounting for legitimate administrative use.
- Validate detections for payload staging and tool transfer from external infrastructure, especially where web traffic may appear routine.
- Look for Cobalt Strike-related behavior through behavioral analytics rather than assuming tool-name signatures are sufficient.
- Correlate host and network telemetry because web protocols, encrypted communications, and non-application-layer protocols can reduce visibility if monitored in isolation.
Mitigation priorities
- Strengthen phishing-link defenses first: email filtering, URL inspection, user reporting workflows, and rapid takedown/blocking processes.
- Harden identity and Office Suite access paths with conditional access, strong authentication, and monitoring of suspicious link-driven sessions where applicable.
- Constrain and monitor scripting and living-off-the-land execution, especially PowerShell and rundll32 on Windows endpoints.
- Ensure endpoint controls can inspect downloaded files, embedded payloads, obfuscated content, and decoding activity.
- Restrict unnecessary outbound traffic and maintain proxy, DNS, firewall, and network telemetry for investigation.
Analyst notes and limits
The official campaign description states that C0021 was a November 2018 spearphishing campaign targeting public sector institutions, NGOs, educational institutions, and private-sector corporations in oil and gas, chemical, and hospitality, with most targets in the US and others in Europe, Hong Kong, India, and Canada. It also states technical artifacts, TTPs, and targeting overlapped with previous suspected APT29 activity. This take uses that as contextual intelligence only and focuses on defensive validation against the related ATT&CK techniques and Cobalt Strike relationship.
ATT&CK supplies no official detection text, no campaign-level platforms or tactics, and no local indicators in the provided object. Any statement about current exposure, active exploitation, attribution, or coverage requires environment-specific telemetry and intelligence beyond the supplied fields.
C0021
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1583.001 | Acquire Infrastructure: Domains | For C0021, the threat actors registered domains for use in C2.[2] |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | During C0021, the threat actors used `rundll32.exe` to execute the Cobalt Strike Beacon loader DLL.[2] |
| Enterprise | T1027.010 | Obfuscated Files and Information: Command Obfuscation | During C0021, the threat actors used encoded PowerShell commands.[2][1] |
| Enterprise | T1584.001 | Compromise Infrastructure: Domains | For C0021, the threat actors used legitimate but compromised domains to host malicious payloads.[1] |
| Enterprise | T1204.001 | User Execution: Malicious Link | During C0021, the threat actors lured users into clicking a malicious link which led to the download of a ZIP archive containing a malicious .LNK file.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | During C0021, the threat actors used TCP for some C2 communications.[2] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | For C0021, the threat actors used Cobalt Strike configured with a modified variation of the publicly available Pandora Malleable C2 Profile.[2][1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | During C0021, the threat actors used HTTP for some of their C2 communications.[2] |
| Enterprise | T1608.001 | Stage Capabilities: Upload Malware | For C0021, the threat actors uploaded malware to websites under their control.[2][1] |
| Enterprise | T1105 | Ingress Tool Transfer | During C0021, the threat actors downloaded additional tools and files onto victim machines.[1][2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During C0021, the threat actors deobfuscated encoded PowerShell commands, including use of the specific string `'FromBase'+0x40+'String'` in place of `FromBase64String`, which is normally used to decode base64.[2][1] |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | During C0021, the threat actors sent phishing emails with unique malicious links, likely for tracking victim clicks.[2][1] |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | During C0021, the threat actors used SSL via TCP port 443 for C2 communications.[2] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | During C0021, the threat actors used obfuscated PowerShell to extract an encoded payload from within an .LNK file.[2][1] |
| Enterprise | T1027.009 | Obfuscated Files and Information: Embedded Payloads | For C0021, the threat actors embedded a base64-encoded payload within a LNK file.[1] |
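A detection-side illustration of the PowerShell rows above (T1027.010, T1140, T1059.001) and of the "encoded or obfuscated content" tuning point under Detection direction; this is an added example written for this page, not code from the page, ATT&CK, or the cited reports. It decodes a `-EncodedCommand` argument from a process command line and flags both the plain `FromBase64String` call and the runtime-concatenated `'FromBase'+0x40+'String'` form; the sample command lines are constructed, and the finding names and the 16-character base64 threshold are assumptions.

```python
import base64
import re

# Switches that carry a base64 (UTF-16LE) script: -e, -ec, -enc, -EncodedCommand
ENC_FLAG = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Method name rebuilt at runtime, e.g. 'FromBase'+0x40+'String' (0x40 == 64)
SPLIT_FROMBASE64 = re.compile(r"['\"]FromBase['\"]\s*\+\s*[^'\"]+?\+\s*['\"]String['\"]", re.I)
PLAIN_FROMBASE64 = re.compile(r"FromBase64String", re.I)

def decode_encoded_command(cmdline):
    """Return the script hidden behind -EncodedCommand, or None if absent/undecodable."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze_powershell(cmdline):
    """Flag C0021-style PowerShell obfuscation in one process command line."""
    findings = set()
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        findings.add("encoded_command")
    # Check the raw line and the decoded script: the concatenation trick is usually only visible after decoding.
    for text in (cmdline, decoded or ""):
        if SPLIT_FROMBASE64.search(text):
            findings.add("split_frombase64string")
        elif PLAIN_FROMBASE64.search(text):
            findings.add("frombase64string")
    return {"findings": sorted(findings), "decoded": decoded}

def scan(cmdlines):
    """Return (cmdline, findings) for each line that triggers at least one finding."""
    hits = [(c, analyze_powershell(c)["findings"]) for c in cmdlines]
    return [(c, f) for c, f in hits if f]

def encode_for_powershell(script):
    """Build an -EncodedCommand argument (UTF-16LE, base64); used only to build a sample."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed sample process command lines (not taken from the page or the campaign).
SAMPLE_CMDLINES = [
    "powershell.exe -NoProfile -Command Get-Service",
    "powershell.exe -c \"[Convert]::FromBase64String('aGVsbG8=')\"",
    "powershell.exe -nop -w hidden -c \"$d=[Convert]::('FromBase'+0x40+'String')($x)\"",
    "powershell.exe -enc " + encode_for_powershell("$d=[Convert]::('FromBase'+0x40+'String')($p)"),
]
```

Feed `scan` the command-line field of Windows 4688 or Sysmon event 1 records; plain `frombase64string` hits need allow-listing for legitimate administrative scripts, while the split form rarely has a benign explanation.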
Groups, software, and campaigns
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 11fb25f7b47f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft Unidentified Dec 2018: Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019.
[2] FireEye APT29 Nov 2018: Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
[3] mitre-attack C0021.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.