S0046: CozyCar
Analyst context for executives and security teams
CozyCar matters because MITRE describes it as a Windows modular malware platform with a backdoor able to download and execute additional modules. Even though the reported use is historical, the behavior set is still operationally relevant: credential theft from LSASS and SAM, persistence through scheduled tasks, services, and Run keys, command execution, discovery, evasion, and web-based command and control are all controls that determine whether an organization can contain a Windows intrusion before it becomes broader compromise.
Executive priority
Treat CozyCar as a coverage validation case for Windows intrusion resilience rather than as a current threat claim. Leaders should ask whether endpoint, identity, and network teams can prove visibility into credential access, persistence creation, suspicious command execution, and outbound web-based C2. The business priority is protecting domain credentials, reducing dwell time, and ensuring incident responders have evidence to scope affected hosts and accounts.
Technical view
For SOC and IR teams, validate detections and investigation playbooks around the related ATT&CK behaviors: LSASS and SAM credential access, encrypted or encoded files, renamed legitimate utilities, scheduled tasks, Windows command shell, web protocol C2, bidirectional web-service communication, system and security software discovery, rundll32 proxy execution, sandbox evasion, Windows service persistence, and Registry Run key or Startup Folder persistence. Because MITRE provides no official detection text for CozyCar, coverage should be technique-driven and tested against local Windows telemetry rather than based on a single malware signature.
Likely telemetry
- Windows process creation events with command-line arguments, parent-child process context, and executable paths
- Endpoint telemetry for access to LSASS memory and SAM/Registry credential material
- Registry monitoring for Run keys, Startup Folder references, service configuration changes, and persistence-related values
- Windows Task Scheduler and service creation/modification logs
- File telemetry for encoded or encrypted payload artifacts and renamed legitimate utilities
Detection direction
- Build coverage from the related techniques, since the ATT&CK object does not provide CozyCar-specific detection guidance.
- Prioritize high-risk correlations: credential-access behavior followed by persistence creation, command shell execution, rundll32 use, or outbound web communications.
- Tune renamed-utility and rundll32 detections carefully because legitimate administrative activity can create false positives; use path, signer, parent process, user context, and timing to improve fidelity.
- Validate that scheduled task, Windows service, and Run key monitoring captures both creation and modification events, not only execution.
- Confirm that credential-access detections cover both LSASS memory access and SAM/Registry access, and that alerts include the responsible process and account context.
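The correlation the list above asks for, as an added example that is not code from the original page, from MITRE or from Glexia: each constructed Sysmon-style event is mapped to a technique from the CozyCar relationship table (renamed rundll32, LSASS memory access, Run key, scheduled task, service), signed system-directory agents reading LSASS are excluded as the list recommends, and credential access followed within a window by persistence or execution on the same host is raised as a chain. Hosts, paths, the `svchelper.exe` name and the access-mask threshold are assumptions for illustration.

```python
"""Technique-driven correlation over constructed Windows endpoint events.

Added example, not from the original page or from MITRE/Glexia: the events below
are constructed to resemble Sysmon-style telemetry (process creation, LSASS access,
Run-key writes, task and service creation). Field names, hosts and paths are
assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Directories where an unrenamed rundll32.exe legitimately lives.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# PROCESS_VM_READ access bit; assumed threshold for "reads LSASS memory".
PROCESS_VM_READ = 0x0010
# Autorun locations from the Registry Run Keys / Startup Folder sub-technique.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
PERSISTENCE = {"T1547.001", "T1053.005", "T1543.003"}
EXECUTION = {"T1059.003", "T1218.011", "T1036.003"}

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                 # process | lsass_access | registry | task | service
    image: str = ""           # acting process executable path
    original_name: str = ""   # PE OriginalFileName from process creation
    parent: str = ""
    cmdline: str = ""
    target_image: str = ""    # lsass_access: process whose memory was opened
    granted_access: int = 0   # lsass_access: requested access mask
    target_object: str = ""   # registry: key/value path written
    signed: bool = False      # acting image carries a valid signature

@dataclass
class Finding:
    host: str
    technique: str
    summary: str
    ts: datetime

def classify(ev):
    """Map one event to an ATT&CK technique from the CozyCar table, or None."""
    img = ev.image.lower()
    if ev.kind == "process":
        if ev.original_name.lower() == "rundll32.exe":
            # T1036.003: rundll32 running under another name or outside System32.
            if not img.endswith("\\rundll32.exe") or not img.startswith(SYSTEM_DIRS):
                return Finding(ev.host, "T1036.003", f"rundll32 masquerading as {ev.image}", ev.ts)
            # T1218.011: genuine rundll32 loading a DLL from a user profile path;
            # shell32/Control Panel invocations are routine and are not flagged.
            if ".dll" in ev.cmdline.lower() and "\\users\\" in ev.cmdline.lower():
                return Finding(ev.host, "T1218.011", f"rundll32 loading user-path DLL: {ev.cmdline}", ev.ts)
        if img.endswith("\\cmd.exe") and ev.parent.lower().endswith("\\rundll32.exe"):
            return Finding(ev.host, "T1059.003", f"cmd.exe spawned by rundll32: {ev.cmdline}", ev.ts)
    elif ev.kind == "lsass_access":
        if ev.target_image.lower().endswith("\\lsass.exe") and ev.granted_access & PROCESS_VM_READ:
            # Signed agents in system directories (EDR, AV) read LSASS routinely; exclude them.
            if not (ev.signed and img.startswith(SYSTEM_DIRS)):
                return Finding(ev.host, "T1003.001", f"LSASS memory read by {ev.image}", ev.ts)
    elif ev.kind == "registry":
        if any(m in ev.target_object.lower() for m in RUN_KEY_MARKERS):
            return Finding(ev.host, "T1547.001", f"Run key written: {ev.target_object}", ev.ts)
    elif ev.kind == "task":
        return Finding(ev.host, "T1053.005", f"scheduled task created by {ev.image}", ev.ts)
    elif ev.kind == "service":
        return Finding(ev.host, "T1543.003", f"service installed by {ev.image}", ev.ts)
    return None

def correlate(events, window=timedelta(minutes=30)):
    """Per-event findings plus high-risk chains: credential access followed on the
    same host, within `window`, by persistence creation or shell/proxy execution."""
    findings = [f for f in map(classify, sorted(events, key=lambda e: e.ts)) if f]
    chains = []
    for cred in (f for f in findings if f.technique in ("T1003.001", "T1003.002")):
        later = sorted({f.technique for f in findings
                        if f.host == cred.host and f.technique in PERSISTENCE | EXECUTION
                        and cred.ts <= f.ts <= cred.ts + window})
        if later:
            chains.append(Finding(cred.host, "chain", f"credential access then {later}", cred.ts))
    return findings, chains

# Constructed sample: benign activity on ws01/ws02, a suspicious chain on ws03.
T0 = datetime(2024, 1, 1, 9, 0)
APPDATA = r"C:\Users\alice\AppData\Roaming\svchelper.exe"
SAMPLE_EVENTS = [
    Event(T0, "ws01", "process", image=r"C:\Windows\System32\rundll32.exe", original_name="RUNDLL32.EXE",
          parent=r"C:\Windows\explorer.exe", cmdline="rundll32.exe shell32.dll,Control_RunDLL", signed=True),
    Event(T0, "ws02", "lsass_access", image=r"C:\Windows\System32\edragent.exe",
          target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1010, signed=True),
    Event(T0 + timedelta(minutes=1), "ws03", "process", image=APPDATA, original_name="RUNDLL32.EXE",
          parent=r"C:\Users\alice\Downloads\setup.exe", cmdline="svchelper.exe"),
    Event(T0 + timedelta(minutes=2), "ws03", "lsass_access", image=APPDATA,
          target_image=r"C:\Windows\System32\lsass.exe", granted_access=0x1010),
    Event(T0 + timedelta(minutes=3), "ws03", "registry", image=APPDATA,
          target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svchelper"),
    Event(T0 + timedelta(minutes=4), "ws03", "task", image=APPDATA),
]

def run_demo(events=SAMPLE_EVENTS):
    findings, chains = correlate(events)
    return {f"{f.host}:{f.technique}" for f in findings}, chains

if __name__ == "__main__":
    findings, chains = correlate(SAMPLE_EVENTS)
    for f in findings + chains:
        print(f.ts.time(), f.host, f.technique, f.summary)
```

The per-event checks are deliberately narrow (OriginalFileName mismatch, user-profile DLL path, unsigned LSASS reader) so that the chain logic, not any single signature, carries the alert; in production the signer and path exclusions would come from an inventory of approved agents rather than a hard-coded tuple, and `window` should be tuned to the environment's observed dwell between credential theft and persistence.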
Mitigation priorities
- Harden Windows credential exposure first: restrict administrative privileges, protect LSASS where feasible, and monitor access to credential stores.
- Reduce persistence opportunities by controlling who can create services, scheduled tasks, and autorun Registry entries, and by auditing changes to those locations.
- Improve application control and execution policy coverage for command shell abuse, rundll32 proxy execution, renamed utilities, and unexpected module execution.
- Strengthen outbound web monitoring and egress controls so unusual endpoint-to-web-service communication can be investigated quickly.
- Ensure endpoint logging, EDR collection, and retention are sufficient for incident scoping across process, registry, service, task, file, and network activity.
Analyst notes and limits
MITRE identifies CozyCar as malware used by APT29 from 2010 to 2015 and describes it as a modular platform with a backdoor capable of downloading and executing additional modules. The most useful defensive value comes from the mapped behaviors, especially Windows credential access, persistence, execution, discovery, evasion, and command-and-control techniques.
The supplied ATT&CK object has no official detection text, no aliases or labels, and no tactics specified on the malware object itself. Relationship descriptions are sufficient to guide defensive validation but do not prove current activity, local exposure, or attribution in any environment. Local telemetry, asset criticality, and incident evidence are required for risk decisions.
CozyCar
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | A module in CozyCar allows arbitrary commands to be executed by invoking |
| Enterprise | T1082 | System Information Discovery | A system info module in CozyCar gathers information on the victim host's configuration. (Citation: F-Secure CozyDuke) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS. (Citation: F-Secure CozyDuke) |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file. (Citation: F-Secure CozyDuke) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | The main CozyCar dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit. (Citation: F-Secure CozyDuke) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Some versions of CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit. (Citation: F-Secure CozyDuke) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | Password stealer and NTLM stealer modules in CozyCar harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication. (Citation: F-Secure CozyDuke) |
| Enterprise | T1036.003 | Rename Legitimate Utilities Sub-technique | The CozyCar dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file. (Citation: F-Secure CozyDuke) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | One persistence mechanism used by CozyCar is to register itself as a scheduled task. (Citation: F-Secure CozyDuke) |
| Enterprise | T1543.003 | Windows Service Sub-technique | One persistence mechanism used by CozyCar is to register itself as a Windows service. (Citation: F-Secure CozyDuke) |
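The outbound web monitoring called for under mitigation priorities, applied to the T1071.001 and T1102.002 rows of the table above, as an added example that is not code from the original page, from MITRE or from Glexia: constructed connection records in the shape of Sysmon network-connection or proxy fields are reviewed per process, so that a non-browser process reaching a public web service (Twitter is the relay the relationship text names) or a web client launched from a user-writable path is surfaced with the process context an investigator needs. The baseline sets, hostnames and paths are assumptions, not vendor or threat-intelligence lists.

```python
"""Outbound web-service egress review over constructed connection records.

Added example, not part of the original page or of MITRE/Glexia material. Records
mimic Sysmon network-connection / proxy fields (host, process image, destination
host, port). The baseline sets, hostnames and paths are assumptions for illustration,
not vendor or threat-intel lists.
"""
from collections import defaultdict

# Processes expected to reach arbitrary web destinations (assumed per-site baseline).
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Public services an implant can use as a bidirectional relay (T1102.002). The
# relationship text names Twitter as CozyCar's backup channel; "paste.example" is an
# assumed stand-in for the same service class.
WEB_SERVICE_HOSTS = {"twitter.com", "api.twitter.com", "paste.example"}
# Locations a user can write to; a web client launched from here is worth a look.
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")
WEB_PORTS = {80, 443}

def review_egress(records):
    """Return (findings, destinations): findings is a list of (host, technique, detail);
    destinations maps (host, exe) -> set of web hosts that process reached."""
    findings, destinations = [], defaultdict(set)
    for r in records:
        if r["dest_port"] not in WEB_PORTS:
            continue  # outside web-protocol C2 scope for this check
        image = r["image"].lower()
        exe = image.rsplit("\\", 1)[-1]
        dest = r["dest_host"].lower()
        destinations[(r["host"], exe)].add(dest)
        if exe in BROWSER_LIKE:
            continue  # browsers legitimately reach social and paste sites
        if dest in WEB_SERVICE_HOSTS:
            findings.append((r["host"], "T1102.002", f"{exe} -> {dest}"))
        elif image.startswith(USER_WRITABLE):
            findings.append((r["host"], "T1071.001", f"{exe} launched from user-writable path -> {dest}"))
    return findings, destinations

# Constructed sample records: routine traffic on ws01, a suspicious client on ws03.
SAMPLE_RECORDS = [
    {"host": "ws01", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "twitter.com", "dest_port": 443},
    {"host": "ws01", "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "updates.corp.example", "dest_port": 443},
    {"host": "ws03", "image": r"C:\Users\alice\AppData\Roaming\svchelper.exe",
     "dest_host": "api.twitter.com", "dest_port": 443},
    {"host": "ws03", "image": r"C:\Users\alice\AppData\Roaming\svchelper.exe",
     "dest_host": "cdn-static.example.net", "dest_port": 80},
    {"host": "ws03", "image": r"C:\Users\alice\AppData\Roaming\svchelper.exe",
     "dest_host": "fileserver.corp.example", "dest_port": 445},
]

def run_demo(records=SAMPLE_RECORDS):
    findings, destinations = review_egress(records)
    return findings, {k: sorted(v) for k, v in destinations.items()}

if __name__ == "__main__":
    for host, technique, detail in run_demo()[0]:
        print(host, technique, detail)
```

The `destinations` map is returned alongside the findings because the scoping question during an incident is rarely "did this process hit Twitter" but "what else did it talk to, and from which hosts"; in practice the browser and service-host sets would be derived from a few weeks of the organization's own proxy data rather than typed in.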
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 55a792f95e7a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] F-Secure The Dukes: F-Secure Labs. (2015, September 17). The Dukes: 7 years of Russian cyberespionage. Retrieved December 10, 2015.
- [2] mitre-attack S0046
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.