S0037: HAMMERTOSS
HAMMERTOSS is a backdoor that was used by APT29 in 2015. [1] [2]
Analyst context for executives and security teams
HAMMERTOSS is a Windows backdoor documented by ATT&CK as used by APT29 in 2015. Its practical significance is not the age of the malware name, but the defensive pattern it represents: PowerShell execution, hidden user-facing activity, command-and-control blended into web traffic and legitimate web services, steganography, encryption, and possible cloud-storage exfiltration. For leaders, this is a useful test case for whether the organization can see quiet, low-volume activity that hides inside normal web and cloud usage.
Executive priority
Prioritize this as a control-validation scenario for resilience against stealthy backdoor operations, not as proof of current exposure. Executives should ask whether Windows endpoint telemetry, PowerShell visibility, web egress monitoring, and cloud-storage governance can support incident decisions and audit evidence when activity blends with legitimate services. The relationship to APT29 raises the business relevance for organizations with government, research, policy, or sensitive intellectual-property exposure, but local risk depends on environment, targeting, and telemetry coverage.
Technical view
ATT&CK lists HAMMERTOSS as Windows malware with no official detection text, but relationships show use of PowerShell, hidden windows, web protocols, one-way communication through legitimate external web services, steganography, symmetric cryptography, and exfiltration to cloud storage. SOC and IR teams should validate visibility across Windows process execution, PowerShell command/script activity, parent-child process behavior, network web sessions, external web-service access, cloud-storage transfers, and anomalous encrypted or embedded content patterns. Detection should focus on correlated behavior rather than a single indicator or malware name.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell execution logs and script block/module logging where enabled
- Endpoint visibility into hidden or non-interactive window execution patterns
- Proxy, firewall, DNS, and web gateway logs for outbound HTTP/S and external web-service access
- Cloud storage access logs and upload/download activity where available
Detection direction
- Build detections around combinations: PowerShell execution plus unusual web egress, hidden execution behavior, or cloud-storage interaction.
- Baseline legitimate use of external web services and cloud storage before alerting aggressively; these techniques intentionally overlap with normal business traffic.
- Review whether web traffic inspection, DNS logging, and proxy retention are sufficient to reconstruct one-way or indirect command retrieval patterns.
- Tune PowerShell analytics for suspicious invocation patterns while accounting for administrative automation to reduce false positives.
- Hunt for Windows hosts accessing unusual external services shortly after script execution or process chains that do not match user activity.
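The correlation these bullets describe can be expressed as a small hunting routine. The following is an added example written for this page, not code from MITRE, Glexia, or any HAMMERTOSS report: it joins constructed endpoint process-creation events with constructed proxy log lines, keeps only PowerShell launches that are followed within a short window by egress to a destination outside a baseline of known-good external services, and raises the severity when the launch also used hidden-window or encoded-command flags. The host names, destinations, the five-minute window and the baseline set are all assumptions chosen for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample endpoint telemetry (timestamp, host, parent image, image, command line).
# These are illustrative records, not data from any real incident.
PROCESS_EVENTS = [
    ("2024-03-01T09:00:05", "WS-017", "explorer.exe", "powershell.exe",
     "powershell.exe -NoProfile -WindowStyle Hidden -File C:\\Users\\Public\\update.ps1"),
    ("2024-03-01T09:30:00", "WS-042", "svchost.exe", "powershell.exe",
     "powershell.exe -File C:\\Scripts\\inventory.ps1"),
    ("2024-03-01T10:15:00", "WS-017", "outlook.exe", "winword.exe", "winword.exe /n"),
]

# Constructed sample proxy log lines (timestamp, host, destination, bytes out).
PROXY_LOGS = [
    ("2024-03-01T09:00:40", "WS-017", "api.twitter.com", 512),
    ("2024-03-01T09:01:10", "WS-017", "raw.githubusercontent.com", 2048),
    ("2024-03-01T09:31:00", "WS-042", "intranet.corp.example", 1024),
    ("2024-03-01T09:45:00", "WS-042", "onedrive.live.com", 5_000_000),
    ("2024-03-01T10:16:00", "WS-017", "login.microsoftonline.com", 300),
]

# Assumed baseline of external services the organization already uses legitimately.
# In practice this comes from a period of observation, as the bullet above recommends.
BASELINE_EXTERNAL = {"login.microsoftonline.com", "intranet.corp.example", "onedrive.live.com"}

# Command-line fragments that indicate non-interactive or obfuscated PowerShell use.
HIDDEN_FLAGS = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc ")

# Assumed correlation window: egress this soon after a PowerShell launch is linked to it.
WINDOW = timedelta(minutes=5)


def parse_ts(value):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.fromisoformat(value)


def powershell_executions(events):
    """Yield PowerShell launches, tagging those that used hidden or encoded flags."""
    for ts, host, parent, image, cmd in events:
        if image.lower() != "powershell.exe":
            continue
        lowered = cmd.lower()
        yield {
            "ts": parse_ts(ts),
            "host": host,
            "parent": parent,
            "cmd": cmd,
            "hidden": any(flag in lowered for flag in HIDDEN_FLAGS),
        }


def correlate(events, proxy, baseline, window=WINDOW):
    """Return one finding per (PowerShell launch, off-baseline egress) pair within the window."""
    findings = []
    for ps in powershell_executions(events):
        for ts, host, dest, out_bytes in proxy:
            if host != ps["host"]:
                continue
            delta = parse_ts(ts) - ps["ts"]
            if not (timedelta(0) <= delta <= window):
                continue  # egress must follow the launch, and follow it soon
            if dest in baseline:
                continue  # known-good service; do not alert on it alone
            findings.append({
                "host": host,
                "dest": dest,
                "bytes_out": out_bytes,
                "seconds_after_launch": int(delta.total_seconds()),
                "parent": ps["parent"],
                "cmd": ps["cmd"],
                # Hidden/encoded PowerShell plus unknown egress is the combination worth escalating.
                "severity": "high" if ps["hidden"] else "medium",
            })
    return findings


def summarize(findings):
    """Group off-baseline destinations by host to give a hunter a per-host view."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], []).append(f["dest"])
    return {host: sorted(dests) for host, dests in by_host.items()}


if __name__ == "__main__":
    for f in correlate(PROCESS_EVENTS, PROXY_LOGS, BASELINE_EXTERNAL):
        print(f"{f['severity']:6} {f['host']} -> {f['dest']} "
              f"{f['seconds_after_launch']}s after: {f['cmd']}")
    print(summarize(correlate(PROCESS_EVENTS, PROXY_LOGS, BASELINE_EXTERNAL)))
```

Run against the constructed data, only the first host produces findings: its hidden-window PowerShell launch is followed within a minute by egress to two services outside the baseline, so both pairs are reported at high severity. The second host's script is followed only by baseline destinations inside the window, which is the false-positive class the baselining bullet is meant to suppress. In a real deployment the same join would run over EDR and proxy exports, with the baseline built from observed traffic rather than hard-coded.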
Mitigation priorities
- Ensure PowerShell governance is in place, including logging, constrained use where appropriate, and review of administrative script activity.
- Limit and monitor outbound web access based on business need, with special attention to unmanaged external web services.
- Apply cloud-storage governance: approved services, access controls, logging, and alerting on unusual transfer behavior.
- Maintain Windows endpoint detection coverage for process lineage, command lines, and suspicious non-interactive execution.
- Retain proxy, DNS, endpoint, and cloud logs long enough to support incident response reconstruction.
Analyst notes and limits
The supplied ATT&CK object is sparse: HAMMERTOSS is identified as a backdoor used by APT29 in 2015, and the most useful defensive detail comes from its relationships to ATT&CK techniques. This assessment therefore emphasizes behavior-based validation across Windows endpoint, web egress, and cloud-storage telemetry rather than malware-specific claims.
No official ATT&CK detection text, aliases, labels, or tactics are provided for the malware object itself. The assessment cannot confirm current exploitation, customer exposure, exact infrastructure, indicators, or detection coverage. Local environment evidence is required to determine relevance and priority.
HAMMERTOSS
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later. [1] |
| Enterprise | T1001.002 | Steganography | HAMMERTOSS is controlled via commands that are appended to image files. [1] |
| Enterprise | T1564.003 | Hidden Window | HAMMERTOSS has used |
| Enterprise | T1573.001 | Symmetric Cryptography | Before being appended to image files, HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command. [1] |
| Enterprise | T1071.001 | Web Protocols | The "Uploader" variant of HAMMERTOSS visits a hard-coded server over HTTP/S to download the images HAMMERTOSS uses to receive commands. [1] |
| Enterprise | T1059.001 | PowerShell | HAMMERTOSS is known to use PowerShell. [1] |
| Enterprise | T1102.003 | One-Way Communication | The "tDiscoverer" variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day. [1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | ad3a95cd67b0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT29. FireEye Labs. (2015, July). HAMMERTOSS: Stealthy Tactics Define a Russian Cyber Threat Group. Retrieved November 17, 2024.
[2] F-Secure The Dukes. F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
[3] mitre-attack S0037. MITRE ATT&CK source object for HAMMERTOSS.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.