S0138: OLDBAIT
Analyst context for executives and security teams
OLDBAIT is a Windows credential-harvesting malware family documented in ATT&CK as used by APT28. Its business significance is identity risk: stolen browser or password-store credentials can turn one compromised endpoint into broader account misuse, lateral movement opportunity, and incident-response complexity. Because ATT&CK provides no dedicated detection guidance for OLDBAIT, defenders should validate coverage through the behaviors it is linked to rather than relying on a malware name alone.
Executive priority
Prioritize OLDBAIT as an identity and endpoint resilience concern. Leadership should ask whether Windows endpoint telemetry, credential-store protections, browser credential policies, and outbound web/mail monitoring are sufficient to prove or disprove credential theft during an incident. This object also supports audit and readiness conversations: can the organization show evidence that credential access, suspicious outbound communications, obfuscated files, and masqueraded resources are monitored and investigated?
Technical view
For SOC, detection engineering, and IR teams, treat OLDBAIT coverage as behavior-led validation across its ATT&CK relationships: credential access from password stores and web browsers, obfuscated files or information, legitimate-looking names or locations, and command-and-control over web or mail protocols. Confirm visibility on Windows hosts first, since Windows is the supplied platform for the malware. Hunt and detection logic should correlate suspicious credential-store or browser data access with unusual process lineage, file naming/location anomalies, and outbound HTTP/S or mail-protocol activity. The lack of official detection text means local baselining and incident evidence are essential.
Likely telemetry
- Windows endpoint process execution and parent/child process context
- File creation, modification, and location metadata for suspicious or masqueraded executables/files
- Browser profile and credential-store access indicators where legally and operationally appropriate
- Endpoint security alerts for obfuscation, packed content, or suspicious file characteristics
- Network proxy, firewall, DNS, and HTTP/S telemetry for outbound web-protocol communications
Detection direction
- Validate detections against the related techniques T1555 and T1555.003 for access to password stores and browser credential material on Windows endpoints.
- Correlate credential-access signals with T1027-style obfuscation and T1036.005-style legitimate-looking file names or locations to reduce reliance on static malware naming.
- Review outbound web and mail protocol activity associated with suspicious endpoint processes, aligned to T1071.001 and T1071.003.
- Tune for false positives from legitimate browser, password manager, backup, EDR, and administrative tools that may access credential-related files or use common web/mail protocols.
- Identify blind spots where endpoint logging, proxy visibility, DNS logging, or mail-protocol inspection is absent or not retained long enough for incident response.
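The correlation described in the technical view and detection direction above, as an added example that is not MITRE's or Glexia's code: it joins credential-store reads (T1555/T1555.003), a masqueraded image location (T1036.005) and outbound web/mail connections (T1071.001/.003) on one process, and suppresses expected readers such as the browser itself. Event records are simplified Sysmon-like dicts constructed here; the paths, ports, allowlist and 300-second window are assumptions to tune locally.

```python
"""Correlate credential-store access, masqueraded location and outbound
web/mail traffic per process. Added example, not MITRE or Glexia code;
events, paths, ports and the window are constructed assumptions."""
from collections import defaultdict

CRED_STORE_HINTS = ("logins.json", "key4.db", "signons.sqlite",
                    "\\microsoft\\credentials\\", "\\eudora\\")
MASQ_DIRS = ("\\appdata\\", "\\programdata\\", "\\application data\\")
WEB_MAIL_PORTS = {25, 80, 443, 465, 587}
# Images expected to read their own stores; extend with password managers, backup, EDR.
EXPECTED_READERS = ("\\program files\\mozilla firefox\\firefox.exe",
                    "\\program files\\internet explorer\\iexplore.exe")

def classify(ev):
    """Map one event to a behaviour label, or None if it is unremarkable."""
    img = ev["image"].lower()
    if ev["type"] == "process_create" and any(d in img for d in MASQ_DIRS):
        return "masqueraded_location"
    if (ev["type"] == "file_read" and not img.endswith(EXPECTED_READERS)
            and any(h in ev["target"].lower() for h in CRED_STORE_HINTS)):
        return "credential_store_access"
    if ev["type"] == "net_connect" and ev["dport"] in WEB_MAIL_PORTS:
        return "outbound_web_or_mail"
    return None

def correlate(events, window=300):
    """Return {pid: sorted labels} for processes showing at least two distinct
    behaviours within `window` seconds of their first flagged event."""
    seen = defaultdict(lambda: {"first": None, "labels": set()})
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = classify(ev)
        if label is None:
            continue
        rec = seen[ev["pid"]]
        if rec["first"] is None:
            rec["first"] = ev["ts"]
        if ev["ts"] - rec["first"] <= window:
            rec["labels"].add(label)
    return {pid: sorted(r["labels"]) for pid, r in seen.items() if len(r["labels"]) >= 2}

# Constructed sample: one stealer-like process and one legitimate browser.
STEALER = r"C:\ProgramData\Updater\updater.exe"
BROWSER = r"C:\Program Files\Mozilla Firefox\firefox.exe"
LOGINS = r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\a1.default\logins.json"
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4242, "type": "process_create", "image": STEALER},
    {"ts": 130, "pid": 4242, "type": "file_read", "image": STEALER, "target": LOGINS},
    {"ts": 140, "pid": 4242, "type": "net_connect", "image": STEALER, "dport": 25},
    {"ts": 200, "pid": 5150, "type": "process_create", "image": BROWSER},
    {"ts": 210, "pid": 5150, "type": "file_read", "image": BROWSER, "target": LOGINS},
    {"ts": 220, "pid": 5150, "type": "net_connect", "image": BROWSER, "dport": 443},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))  # only pid 4242 is reported
```

Only the process under ProgramData is reported; the browser's own read of logins.json plus its HTTPS connection is suppressed by the allowlist, which is the false-positive tuning the bullets above call for.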
Mitigation priorities
- Reduce credential exposure on Windows endpoints by reviewing browser password-saving policy and password-store governance.
- Strengthen identity controls so harvested credentials are less useful, including least privilege and strong authentication where applicable.
- Harden endpoint controls to flag or block suspicious obfuscated files and masqueraded resource names or locations.
- Ensure egress monitoring covers common web and mail protocols used for command-and-control blending.
- Prepare incident-response playbooks for rapid credential revocation, session invalidation, and scope assessment when credential harvesting is suspected.
Analyst notes and limits
ATT&CK identifies OLDBAIT as a credential harvester used by APT28 and links it to credential access, stealth, and command-and-control behaviors. The most useful defensive approach is to map controls and telemetry to those behaviors rather than expecting a single OLDBAIT-specific signature to be sufficient.
Official ATT&CK detection guidance is not provided, tactics are not specified on the malware object, and the supplied platform for OLDBAIT is limited to Windows. Relationship technique platform lists include other platforms, but those should not be treated as OLDBAIT platform evidence without local or additional source validation.
OLDBAIT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | OLDBAIT installs itself in |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora. [1] |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | OLDBAIT can use SMTP for C2. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | OLDBAIT obfuscates internal strings and unpacks them at startup. [1] |
| Enterprise | T1555 | Credentials from Password Stores | OLDBAIT collects credentials from several email clients. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | OLDBAIT can use HTTP for C2. [1] |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0df00fa64572… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT28: FireEye. (2015). APT28: A WINDOW INTO RUSSIA'S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
- [2] FireEye APT28 January 2017: FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.
- [3] mitre-attack S0138
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.