S0045: ADVSTORESHELL
ADVSTORESHELL is a spying backdoor that has been used by APT28 from at least 2012 to 2016. It is generally used for long-term espionage and is deployed on targets deemed interesting after a reconnaissance phase. [1] [2]
Analyst context for executives and security teams
ADVSTORESHELL is a Windows spying backdoor documented by ATT&CK as used by APT28 between at least 2012 and 2016 for long-term espionage after reconnaissance identifies targets of interest. Its value to defenders is not a single malware signature; it is the pattern of durable access, host discovery, credential collection via keylogging, local staging, encrypted or encoded command-and-control, and scheduled exfiltration.
Executive priority
Treat this as an espionage-oriented backdoor case study for resilience planning: can the organization prove it would notice a Windows host quietly persisting, surveying the environment, collecting credentials/data, and exfiltrating over web-like C2? Priority should go to evidence quality across endpoint, registry, process execution, and network egress—not just malware blocking—because the ATT&CK relationships emphasize stealth, persistence, collection, and exfiltration behaviors.
Technical view
ATT&CK provides no official detection text for ADVSTORESHELL, so SOC validation should be behavior-led from the relationships: Windows Registry query/modification, Run Key/Startup Folder and COM hijacking persistence, rundll32 proxy execution, command shell activity, process/system/file/peripheral discovery, keylogging indicators, local data staging, archive/custom archive behavior, file deletion, scheduled transfer, and C2 over web protocols with standard encoding and symmetric/asymmetric cryptography. IR teams should preserve host artifacts and network records before containment where feasible, because file deletion and obfuscation are part of the mapped behavior set.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and rundll32.exe activity
- Windows Registry auditing or EDR visibility for queried/modified keys, Run Keys, Startup Folder references, and COM-related registry changes
- File system telemetry for staging directories, archive creation, custom-looking compressed/encrypted files, and suspicious deletion activity
- Network proxy, firewall, DNS, TLS, and web request logs for unusual outbound C2-like communications and scheduled transfer patterns
- Endpoint security alerts or behavioral telemetry related to keylogging, input capture, or suspicious API use
Detection direction
- Build detections around chained behavior rather than a single indicator: persistence plus discovery plus staging/exfiltration is more meaningful than any one event alone.
- Tune rundll32, command shell, Registry, and COM hijacking analytics against known administrative and software-management activity to reduce false positives.
- Review whether web egress monitoring can detect unusual encoded or encrypted payload patterns without relying on decrypting all traffic.
- Validate that scheduled or periodic outbound transfers from endpoints are visible in proxy/firewall telemetry and can be correlated to host process context.
- Use the APT28 relationship as threat-intelligence context for historical tradecraft, not as proof of current activity or attribution in a local incident.
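One way to turn the chained-behaviour idea above into testable logic, as an added example that is not part of the ATT&CK entry or the mirrored page: it scores constructed endpoint events for the four stages the techniques table describes (Run-key persistence through rundll32, cmd.exe-driven discovery, a .dat staging file in %TEMP%, and HTTP POSTs at a fixed 10-minute cadence). The event field names and every sample value are assumptions modelled on typical EDR/Sysmon exports.

```python
"""Chained-behaviour scoring for an ADVSTORESHELL-like workflow (added example, not
code from ATT&CK or the mirrored page). The event schema is an assumption modelled on
typical EDR/Sysmon exports; every event below is constructed sample data."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed telemetry for one host: Run-key persistence via rundll32, discovery through
# cmd.exe, a .dat staging file in %TEMP%, then HTTP POSTs to port 80 every 10 minutes.
EVENTS = [
    {"ts": "2016-03-01T09:00:05", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"rundll32.exe C:\Users\u\AppData\Roaming\sv.dll,Init"},
    {"ts": "2016-03-01T09:00:09", "type": "process", "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2016-03-01T09:00:12", "type": "file_create", "path": r"C:\Users\u\AppData\Local\Temp\out.dat"},
] + [{"ts": f"2016-03-01T09:{m}:00", "type": "net", "method": "POST",
      "dst": "203.0.113.7", "dport": 80} for m in ("10", "20", "30", "40")]

def is_runkey_rundll32(ev):  # T1547.001 persisted through T1218.011
    return (ev["type"] == "registry_set" and ev["key"].lower().endswith("\\run")
            and "rundll32" in ev["value"].lower())

def is_cmd_discovery(ev):  # T1059.003 driving T1082 / T1057 / T1083
    return (ev["type"] == "process" and ev["image"].lower() == "cmd.exe"
            and any(w in ev["cmdline"].lower() for w in ("systeminfo", "tasklist", " dir")))

def is_temp_dat_staging(ev):  # T1074.001: command output staged as %TEMP%\*.dat
    p = ev.get("path", "").lower()
    return ev["type"] == "file_create" and "\\temp\\" in p and p.endswith(".dat")

def periodic_posts(events, min_count=4, max_jitter_s=30):
    """T1029: {(dst, dport): mean gap in s} for destinations POSTed to at near-constant spacing."""
    by_dst = defaultdict(list)
    for ev in events:
        if ev["type"] == "net" and ev.get("method") == "POST":
            by_dst[(ev["dst"], ev["dport"])].append(datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S"))
    hits = {}
    for dst, times in by_dst.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # min_count >= 2 guarantees gaps is non-empty before pstdev runs
        if len(times) >= max(min_count, 2) and pstdev(gaps) <= max_jitter_s:
            hits[dst] = round(mean(gaps))
    return hits

def score_host(events):
    # Count distinct workflow stages seen on one host; alert on the chain, not on one event.
    stages = {"persistence_runkey_rundll32": any(map(is_runkey_rundll32, events)),
              "discovery_via_cmd": any(map(is_cmd_discovery, events)),
              "staging_temp_dat": any(map(is_temp_dat_staging, events)),
              "scheduled_post_beacon": bool(periodic_posts(events))}
    return stages, sum(stages.values())
```

A host scoring 3 or more stages is a far stronger candidate for triage than any single Run-key write or rundll32 launch, which is the tuning point the list above makes.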
Mitigation priorities
- Prioritize hardening and monitoring of Windows persistence surfaces: Registry Run Keys, Startup folders, and COM object references.
- Limit unnecessary command shell and rundll32 abuse opportunities through least privilege, application control, and monitored administrative workflows where appropriate.
- Improve egress governance so endpoints cannot freely communicate to unapproved external web destinations without logging and review.
- Protect credentials by reducing exposure on workstations, monitoring for keylogging-like behavior, and accelerating credential reset decisions during confirmed compromise.
- Ensure incident response playbooks include preservation of registry hives, process history, staged files, deleted-file evidence where available, and network logs.
Analyst notes and limits
The strongest decision value is coverage assessment: ADVSTORESHELL maps to a broad espionage workflow across discovery, persistence, credential access, collection, command-and-control, stealth, and exfiltration. Because no official detection guidance is supplied, defenders should translate the related ATT&CK techniques into local data-source requirements and testable analytic hypotheses.
This take is limited to the supplied ATT&CK fields, references, and relationships. ATT&CK lists Windows as the malware platform and provides historical use by APT28 from at least 2012 to 2016, but does not provide current exploitation claims, indicators, detailed procedures, or official detections for this object. Local telemetry, asset criticality, and incident evidence are required to assess exposure or activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1546.015 | Component Object Model Hijacking | Some variants of ADVSTORESHELL achieve persistence by registering the payload as a Shell Icon Overlay handler COM object. (Citation: ESET Sednit Part 2) |
| Enterprise | T1082 | System Information Discovery | ADVSTORESHELL can run Systeminfo to gather information about the victim. (Citation: ESET Sednit Part 2; Bitdefender APT28 Dec 2015) |
| Enterprise | T1056.001 | Keylogging | ADVSTORESHELL can perform keylogging. (Citation: ESET Sednit Part 2; Bitdefender APT28 Dec 2015) |
| Enterprise | T1132.001 | Standard Encoding | C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding. (Citation: Kaspersky Sofacy) |
| Enterprise | T1218.011 | Rundll32 | ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence. (Citation: Bitdefender APT28 Dec 2015) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | ADVSTORESHELL achieves persistence by adding itself to the |
| Enterprise | T1560 | Archive Collected Data | ADVSTORESHELL encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration. (Citation: ESET Sednit Part 2) |
| Enterprise | T1070.004 | File Deletion | ADVSTORESHELL can delete files and directories. (Citation: ESET Sednit Part 2) |
| Enterprise | T1074.001 | Local Data Staging | ADVSTORESHELL stores output from command execution in a .dat file in the %TEMP% directory. (Citation: ESET Sednit Part 2) |
| Enterprise | T1029 | Scheduled Transfer | ADVSTORESHELL collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes. (Citation: ESET Sednit Part 2) |
| Enterprise | T1057 | Process Discovery | ADVSTORESHELL can list running processes. (Citation: ESET Sednit Part 2) |
| Enterprise | T1059.003 | Windows Command Shell | ADVSTORESHELL can create a remote shell and run a given command. (Citation: ESET Sednit Part 2; Bitdefender APT28 Dec 2015) |
| Enterprise | T1083 | File and Directory Discovery | ADVSTORESHELL can list files and directories. (Citation: ESET Sednit Part 2; Bitdefender APT28 Dec 2015) |
| Enterprise | T1573.001 | Symmetric Cryptography | A variant of ADVSTORESHELL encrypts some C2 with 3DES. (Citation: Bitdefender APT28 Dec 2015) |
| Enterprise | T1071.001 | Web Protocols | ADVSTORESHELL connects to port 80 of a C2 server using the Wininet API. Data is exchanged via HTTP POSTs. (Citation: Kaspersky Sofacy) |
| Enterprise | T1012 | Query Registry | ADVSTORESHELL can enumerate registry keys. (Citation: ESET Sednit Part 2; Bitdefender APT28 Dec 2015) |
| Enterprise | T1120 | Peripheral Device Discovery | ADVSTORESHELL can list connected devices. (Citation: ESET Sednit Part 2) |
| Enterprise | T1112 | Modify Registry | ADVSTORESHELL is capable of setting and deleting Registry values. (Citation: Bitdefender APT28 Dec 2015) |
| Enterprise | T1027 | Obfuscated Files or Information | Most of the strings in ADVSTORESHELL are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory. (Citation: Kaspersky Sofacy; Bitdefender APT28 Dec 2015) |
| Enterprise | T1560.003 | Archive via Custom Method | ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm. (Citation: ESET Sednit Part 2) |
| Enterprise | T1106 | Native API | ADVSTORESHELL is capable of starting a process using CreateProcess. (Citation: Bitdefender APT28 Dec 2015) |
| Enterprise | T1573.002 | Asymmetric Cryptography | A variant of ADVSTORESHELL encrypts some C2 with RSA. (Citation: Bitdefender APT28 Dec 2015) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | ADVSTORESHELL exfiltrates data over the same channel used for C2. (Citation: ESET Sednit Part 2) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 075eb3f8c565… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky Sofacy: Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015.
[2] ESET Sednit Part 2: ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016.
[3] mitre-attack S0045
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.