S0514: WellMess
Analyst context for executives and security teams
WellMess matters because it represents a lightweight Windows malware family associated in ATT&CK with APT29 and behaviors that support discovery, command execution, command-and-control, local data collection, and tool transfer. For leaders, the practical question is not only “can we find WellMess,” but whether the organization can see the common Windows, DNS, web, and identity-enumeration activity that would make similar intrusions diagnosable during an incident.
Executive priority
Prioritize this as a readiness and evidence problem: confirm that SOC, incident response, identity, and network teams can reconstruct suspicious Windows command execution, domain group discovery, local data access, and outbound web/DNS communications. Because ATT&CK provides no official detection text for this object, leadership should ask for demonstrable telemetry coverage and tested investigation workflows rather than relying on malware-name detections alone.
Technical view
ATT&CK lists WellMess as Windows malware with .NET and Golang variants and relationships to techniques including PowerShell, Windows Command Shell, system/user/network/domain discovery, local data collection, ingress tool transfer, and C2 over web and DNS with encoding, junk data, and cryptography. SOC teams should validate detections around suspicious PowerShell/cmd execution followed by discovery commands, domain group queries, local file access, outbound HTTP/S or DNS activity, and external file transfer. IR teams should be prepared for encrypted or encoded C2 content where metadata, timing, destination reputation, process lineage, and host context may be more useful than payload inspection.
Likely telemetry
- Windows process creation events with full command line and parent/child process relationships
- PowerShell execution and script logging where available
- Windows command shell execution telemetry
- Endpoint file access, file creation, and binary execution evidence for local collection and tool transfer
- User, host, network configuration, and domain group enumeration evidence
Detection direction
- Do not depend solely on a WellMess signature; validate behavioral coverage for the related ATT&CK techniques.
- Correlate Windows shell or PowerShell execution with discovery activity such as system information, user, network configuration, and domain group enumeration.
- Look for unusual outbound web or DNS communications from processes that recently performed discovery or local data access.
- Account for C2 blind spots: junk data, standard encoding, and cryptography may reduce payload-level visibility, so metadata and endpoint context are important.
- Tune carefully for administrative false positives, especially legitimate PowerShell, cmd, domain administration, inventory, and monitoring tools.
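As an added example (not code from ATT&CK, Glexia, or the cited reports), the correlation rule above can be prototyped over process-creation events: flag a host only when cmd.exe or PowerShell launches several distinct discovery techniques within one short window, which suppresses the lone administrative `whoami` that the tuning note warns about. Event format, sample lines, command patterns and the technique mapping are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Discovery command patterns mapped to the techniques in this page's table.
# The command names and mapping are assumptions for illustration.
DISCOVERY = {
    r"\bwhoami\b": "T1033 System Owner/User Discovery",
    r"\bsysteminfo\b|\bhostname\b": "T1082 System Information Discovery",
    r"\bipconfig\b": "T1016 System Network Configuration Discovery",
    r"\bnet\s+group\b.*/domain\b": "T1069.002 Domain Groups",
}
SHELLS = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003"}
# Constructed process-creation events: timestamp|host|parent|image|command line
SAMPLE_EVENTS = [
    "2020-07-16T10:00:01Z|WS01|explorer.exe|cmd.exe|cmd.exe /c dir",
    "2020-07-16T10:01:10Z|WS01|svc.exe|powershell.exe|powershell -nop -c whoami",
    "2020-07-16T10:01:20Z|WS01|svc.exe|cmd.exe|cmd.exe /c net group /domain",
    "2020-07-16T10:01:40Z|WS01|svc.exe|cmd.exe|cmd.exe /c ipconfig /all",
    "2020-07-16T11:30:00Z|WS02|explorer.exe|cmd.exe|cmd.exe /c whoami",
]

def parse(line):
    ts, host, parent, image, cmd = line.split("|", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "parent": parent, "image": image.lower(), "cmd": cmd}

def classify(event):
    """Return the discovery technique a command line indicates, else None."""
    for pattern, technique in DISCOVERY.items():
        if re.search(pattern, event["cmd"], re.IGNORECASE):
            return technique
    return None

def correlate(lines, window=timedelta(minutes=5), min_techniques=2):
    """Flag hosts where shell-launched discovery spans >= min_techniques in one window."""
    by_host = defaultdict(list)
    for ev in map(parse, lines):
        tech = classify(ev)
        if ev["image"] in SHELLS and tech:       # only cmd/PowerShell-spawned discovery
            by_host[ev["host"]].append((ev["ts"], tech))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):       # slide a window from each hit
            techs = {t for ts, t in hits[i:] if ts - t0 <= window}
            if len(techs) >= min_techniques:
                alerts[host] = sorted(techs)
                break
    return alerts
```

With the sample data, WS01 is flagged for three techniques inside 30 seconds while WS02's single `whoami` is not; shrinking the window or raising `min_techniques` is the tuning knob for noisy administrative hosts.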
Mitigation priorities
- Establish reliable endpoint, PowerShell, command-line, DNS, and proxy logging before relying on detection claims.
- Apply least privilege and monitor access to privileged domain groups so discovery of high-value accounts is visible and actionable.
- Restrict and monitor script and command interpreter use on Windows systems where business operations allow.
- Use egress controls, DNS controls, and proxy inspection policies to reduce unmanaged outbound C2 paths while preserving auditable logs.
- Maintain application control or allowlisting strategies for unapproved binaries and transferred tools where feasible.
Analyst notes and limits
This take is based on the supplied ATT&CK S0514 WellMess object, its external references from CISA, NCSC, PwC, and MITRE, and the listed relationships to APT29 and ATT&CK techniques. The malware object itself has no specified tactics and no official detection text, so defensive guidance is derived from the related techniques and the Windows platform listed for the malware.
The supplied fields do not provide indicators, hashes, C2 infrastructure, specific commands, mitigations, or official analytics. Local validation is required to determine whether an environment has relevant telemetry, whether behaviors are anomalous, and whether any observed activity should be attributed to WellMess or APT29.
WellMess
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | WellMess can collect the username on the victim machine to send to C2. (Citation: CISA WellMess July 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | WellMess can execute PowerShell scripts received from C2. (Citation: PWC WellMess July 2020) (Citation: CISA WellMess July 2020) |
| Enterprise | T1005 | Data from Local System | WellMess can send files from the victim machine to C2. (Citation: PWC WellMess July 2020) (Citation: CISA WellMess July 2020) |
| Enterprise | T1071.004 | DNS Sub-technique | WellMess has the ability to use DNS tunneling for C2 communications. (Citation: PWC WellMess July 2020) (Citation: NCSC APT29 July 2020) |
| Enterprise | T1082 | System Information Discovery | WellMess can identify the computer name of a compromised host. (Citation: PWC WellMess July 2020) (Citation: CISA WellMess July 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | WellMess can write files to a compromised host. (Citation: PWC WellMess July 2020) (Citation: CISA WellMess July 2020) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates. (Citation: PWC WellMess July 2020) (Citation: PWC WellMess C2 August 2020) (Citation: CISA WellMess July 2020) (Citation: NCSC APT29 July 2020) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | WellMess has used Base64 encoding to uniquely identify communication to and from the C2. (Citation: CISA WellMess July 2020) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard-coded RSA public key. (Citation: PWC WellMess July 2020) (Citation: PWC WellMess C2 August 2020) (Citation: CISA WellMess July 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | WellMess can execute command line scripts received from C2. (Citation: PWC WellMess July 2020) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | WellMess can identify domain group membership for the current user. (Citation: CISA WellMess July 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | WellMess can identify the IP address and user domain on the target machine. (Citation: PWC WellMess July 2020) (Citation: CISA WellMess July 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | WellMess can decode and decrypt data received from C2. (Citation: PWC WellMess July 2020) (Citation: PWC WellMess C2 August 2020) (Citation: CISA WellMess July 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | WellMess can use HTTP and HTTPS in C2 communications. (Citation: PWC WellMess July 2020) (Citation: PWC WellMess C2 August 2020) (Citation: CISA WellMess July 2020) (Citation: NCSC APT29 July 2020) |
| Enterprise | T1001.001 | Junk Data Sub-technique | WellMess can use junk data in the Base64 string for additional obfuscation. (Citation: CISA WellMess July 2020) |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 029d3c7d4871… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CISA WellMess July 2020: CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020.
- [2] PWC WellMess July 2020: PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020.
- [3] NCSC APT29 July 2020: National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
- [4] mitre-attack S0514
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.