MITRE ATT&CK® Campaign

C0023: Operation Ghost

Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]

Enterprise · C0023 · Campaign · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Operation Ghost is a historical APT29-attributed campaign that matters because it combined custom malware, victim-specific command-and-control infrastructure, web services, steganography, domain-account abuse, and WMI-based persistence. For leaders, the decision value is not that this exact campaign is current, but that the behaviors map to hard-to-see intrusions where legitimate services, credentials, and administrative tooling can blend into normal operations.

Executive priority

Prioritize validation of identity controls, endpoint visibility, web-service egress monitoring, and incident response readiness for stealthy, long-running intrusions. The campaign’s relationships highlight risks that affect business continuity and audit confidence: domain account misuse, persistence through Windows Management Instrumentation, use of legitimate tools such as PsExec, and C2 that may hide in web services or steganographic content. Executives should ask whether the organization can prove who used privileged/domain accounts, where remote execution occurred, and whether unusual outbound web-service activity would be investigated quickly.

Technical view

SOC and IR teams should treat this campaign as a coverage validation case across the related ATT&CK behaviors: Domain Accounts (T1078.002), WMI Event Subscription persistence (T1546.003), Bidirectional Communication over web services (T1102.002), steganography for C2 or concealment (T1001.002, T1027.003), acquired domains and social media accounts for resource development (T1583.001, T1585.001), malware development (T1587.001), and software linked to the campaign including PsExec, MiniDuke, RegDuke, FatDuke, and PolyglotDuke. Because MITRE provides no campaign-specific detection text, teams should validate telemetry and analytics against the related techniques rather than assuming campaign-level detection coverage.

Likely telemetry

  • Authentication and domain account logon events, especially privileged, service, and unusual cross-host usage
  • Endpoint process creation, command-line, parent-child process, and remote execution evidence, including PsExec-like activity
  • Windows Management Instrumentation repository, event filter, consumer, and binding creation or modification events
  • Network proxy, DNS, firewall, and TLS metadata for unusual outbound web-service or victim-specific domain activity
  • Web download/upload metadata and file-transfer records involving images, documents, or other media that could carry hidden content

Detection direction

  • Map current detections to the related techniques rather than to the campaign name alone; campaign-level detection guidance is not provided by MITRE.
  • Validate that domain-account monitoring can distinguish normal administration from unusual account use across hosts, services, and privilege boundaries.
  • Tune PsExec and remote administration detections carefully because PsExec is also used legitimately by IT administrators; require context such as source host, account, timing, target set, and command executed.
  • Hunt for WMI event subscription persistence on Windows systems, especially new or unusual filters, consumers, and bindings.
  • Review egress visibility for legitimate web services used bidirectionally, since allowlisted services can create blind spots for C2 monitoring.

Mitigation priorities

  • Strengthen identity hygiene first: least privilege, privileged account monitoring, service account review, and rapid credential reset procedures for suspected domain account abuse.
  • Restrict and monitor remote administration paths, including legitimate tools such as PsExec, with clear administrative baselines and approval processes.
  • Harden Windows persistence surfaces by auditing WMI event subscriptions and limiting who can create or modify them.
  • Improve outbound network control by monitoring DNS, proxy, and web-service traffic patterns, especially to newly observed or unusual domains.
  • Ensure endpoint detection and response coverage captures process, persistence, and file activity needed to investigate downloader/backdoor behavior.
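
One way to run the WMI event subscription hunt called for under Detection direction and Mitigation priorities, as an added PowerShell example that is not part of this page, of MITRE's guidance, or of ESET's report; the known-good consumer name is an assumed baseline, and the script expects to run elevated on the host being reviewed:

```powershell
# Added example: enumerate permanent WMI event subscriptions in root\subscription
# and flag filter/consumer/binding triples whose consumer runs a command or script,
# which is the T1546.003 persistence pattern. Baseline list is an ASSUMPTION.

$ns = 'root\subscription'
$knownGood = @('SCM Event Log Consumer')   # assumed baseline; tune per environment

function Get-RefName($ref) {
    # Binding properties are references: handle both the string form
    # '__EventFilter.Name="X"' and the CimInstance form returned by Get-CimInstance.
    if ($ref -is [string]) { return ($ref -split '"')[1] }
    return $ref.Name
}

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

$findings = foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
    $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }
    $class = $c.CimClass.CimClassName
    # Only command-line and script consumers execute attacker-supplied content.
    $payload = switch ($class) {
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)".Trim() }
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)" }
        default                     { $null }
    }
    [pscustomobject]@{
        Filter     = $f.Name
        Query      = $f.Query          # the WQL trigger, e.g. a timer or logon event
        Consumer   = $c.Name
        Class      = $class
        Payload    = $payload
        Suspicious = ($null -ne $payload) -and ($c.Name -notin $knownGood)
    }
}

$findings | Sort-Object Suspicious -Descending | Format-List

# Corroborate with the WMI-Activity log: Event ID 5861 records each new permanent
# event consumer binding, so recent entries date when the persistence was created.
# (If Sysmon is deployed, its Event IDs 19/20/21 cover filter, consumer and binding creation.)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-WMI-Activity/Operational'; Id = 5861 } `
    -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Details'; e = { $_.Message -replace '\s+', ' ' } }
```

Review every row marked Suspicious against the administrative baseline before acting, since legitimate management software also registers command-line consumers.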

Analyst notes and limits

This take is based only on the supplied ATT&CK campaign object, external reference to ESET’s Operation Ghost report, and listed relationships. The campaign is attributed in ATT&CK to APT29 and is described as starting in 2013 against foreign affairs ministries in Europe and a Washington, D.C. embassy of a European Union country. Related software indicates Windows relevance for several tools, while related techniques include Windows, Linux, macOS, ESXi, and PRE platforms; the campaign object itself does not specify platforms or tactics.

MITRE does not provide official detection text for this campaign, and the supplied campaign object does not specify platforms or tactics directly. The relationship descriptions are partially truncated in places, so conclusions should remain technique-based and validated against local telemetry. This summary does not assert current activity, customer exposure, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Operation Ghost

Operation Ghost was an APT29 campaign starting in 2013 that included operations against ministries of foreign affairs in Europe and the Washington, D.C. embassy of a European Union country. During Operation Ghost, APT29 used new families of malware and leveraged web services, steganography, and unique C2 infrastructure for each victim.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

8 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1078.002 | Domain Accounts (Sub-technique)
For Operation Ghost, APT29 used stolen administrator credentials for lateral movement on compromised networks. (Citation: ESET Dukes October 2019)

Enterprise | T1102.002 | Bidirectional Communication (Sub-technique)
For Operation Ghost, APT29 used social media platforms to hide communications to C2 servers. (Citation: ESET Dukes October 2019)

Enterprise | T1001.002 | Steganography (Sub-technique)
During Operation Ghost, APT29 used steganography to hide the communications between the implants and their C&C servers. (Citation: ESET Dukes October 2019)

Enterprise | T1583.001 | Domains (Sub-technique)
For Operation Ghost, APT29 registered domains for use in C2, including some crafted to appear as existing legitimate domains. (Citation: ESET Dukes October 2019)

Enterprise | T1587.001 | Malware (Sub-technique)
For Operation Ghost, APT29 used new strains of malware including FatDuke, MiniDuke, RegDuke, and PolyglotDuke. (Citation: ESET Dukes October 2019)

Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription (Sub-technique)
During Operation Ghost, APT29 used WMI event subscriptions to establish persistence for malware. (Citation: ESET Dukes October 2019)

Enterprise | T1585.001 | Social Media Accounts (Sub-technique)
For Operation Ghost, APT29 registered Twitter accounts to host C2 nodes. (Citation: ESET Dukes October 2019)

Enterprise | T1027.003 | Steganography (Sub-technique)
During Operation Ghost, APT29 used steganography to hide payloads inside valid images. (Citation: ESET Dukes October 2019)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0016: APT29

APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]

In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]

Malware Enterprise

S0511: RegDuke

RegDuke is a first stage implant written in .NET and used by APT29 since at least 2017. RegDuke has been used to control a compromised machine when control of other implants on the machine was lost.[1]

Platforms: Windows

Tool Enterprise

S0029: PsExec

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.[1][2]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b310629009076013...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b31062900907…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. ESET Dukes October 2019: Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  2. mitre-attack C0023: MITRE ATT&CK campaign object C0023.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.