S0515: WellMail
Analyst context for executives and security teams
WellMail matters because it represents a lightweight Windows malware capability associated in ATT&CK with APT29 and linked to collection, discovery, tool transfer, and encrypted or non-standard command-and-control behaviors. For leaders, the practical question is not whether the name is recognized, but whether the organization can see suspicious host discovery, local data staging, archive creation, inbound tool transfer, and unusual outbound communications before they become an incident response problem.
Executive priority
Prioritize this as a readiness and resilience validation item for Windows endpoint visibility, egress control, and incident response. The ATT&CK record does not provide detection guidance, so executives should ask whether SOC coverage is based on observable behaviors rather than malware naming alone, whether sensitive local data stores are monitored, and whether audit evidence exists for outbound network restrictions, endpoint logging, and response procedures tied to suspected command-and-control and collection activity.
Technical view
ATT&CK lists WellMail as Windows malware written in Golang and used by APT29. The relationship set maps it to Data from Local System, System Network Configuration Discovery, System Owner/User Discovery, Non-Application Layer Protocol, Ingress Tool Transfer, Deobfuscate/Decode Files or Information, Archive Collected Data, Non-Standard Port, and Asymmetric Cryptography. SOC and IR teams should validate behavior-based detections across Windows process execution, file access and archive activity, user and network discovery commands, suspicious file downloads or transfers, and outbound traffic that uses unusual protocol/port pairings or encrypted C2 patterns. Because no official detection text is supplied, detection engineering should treat this as a coverage-mapping exercise against the related techniques rather than a signature-only malware rule.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- File creation, modification, archive, and staging activity on local systems
- Windows user/session and account discovery evidence
- Host network configuration discovery evidence
- Endpoint network connection logs showing destination, protocol, and port
Detection direction
- Map existing detections to the related ATT&CK techniques rather than relying on the WellMail name alone.
- Tune for combinations of discovery, local data access, archive creation, and outbound communication from the same Windows host.
- Review egress monitoring for non-standard port use and protocol/port mismatches; account for legitimate administrative tools and business applications to reduce false positives.
- Validate whether encrypted or asymmetric C2-like traffic would still produce usable metadata even when payload inspection is unavailable.
- Look for ingress tool transfer followed by execution or discovery activity, especially where endpoint and network events can be correlated.
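As an added illustration of the second and third points above (not code from the ATT&CK record or any WellMail report), the following correlates constructed endpoint telemetry: it flags a host whose outbound TCP/25 flow opens with a TLS record header rather than SMTP text, and that also ran user or network-configuration discovery commands. Field names and the sample records are assumptions, not a real log schema.

```python
# Added example: correlate non-SMTP traffic on port 25 with host discovery
# activity. Sample records below are constructed; the schema is assumed.
from collections import defaultdict

# First client payload bytes as a hex string, as a network sensor might record.
NET_EVENTS = [
    {"host": "ws01", "dst_port": 25, "proto": "tcp", "first_bytes": "16 03 01"},   # TLS record header
    {"host": "ws02", "dst_port": 25, "proto": "tcp", "first_bytes": "45 48 4c 4f"},  # "EHLO" (real SMTP)
    {"host": "ws03", "dst_port": 443, "proto": "tcp", "first_bytes": "16 03 01"},  # TLS on its usual port
]
PROC_EVENTS = [
    {"host": "ws01", "cmdline": "whoami"},
    {"host": "ws01", "cmdline": "ipconfig /all"},
    {"host": "ws03", "cmdline": "notepad.exe"},
]
# Commands commonly seen for T1033 / T1016-style discovery (illustrative set).
DISCOVERY_CMDS = {"whoami", "ipconfig", "hostname"}


def is_tls_on_smtp_port(evt):
    """True when a TCP/25 flow starts with a TLS handshake (0x16 0x03 ...)
    instead of SMTP text, i.e. a protocol/port mismatch per T1571."""
    return (evt["proto"] == "tcp" and evt["dst_port"] == 25
            and evt["first_bytes"].startswith("16 03"))


def discovery_hosts(proc_events):
    """Map host -> set of discovery commands observed in process telemetry."""
    hosts = defaultdict(set)
    for e in proc_events:
        cmd = e["cmdline"].split()[0].lower().removesuffix(".exe")
        if cmd in DISCOVERY_CMDS:
            hosts[e["host"]].add(cmd)
    return hosts


def correlate(net_events, proc_events):
    """Return {host: [discovery cmds]} for hosts that show BOTH behaviors.
    Requiring both reduces noise from legitimate mail relays or admin tooling."""
    disc = discovery_hosts(proc_events)
    flagged = {}
    for n in net_events:
        if is_tls_on_smtp_port(n) and n["host"] in disc:
            flagged[n["host"]] = sorted(disc[n["host"]])
    return flagged


if __name__ == "__main__":
    print(correlate(NET_EVENTS, PROC_EVENTS))  # {'ws01': ['ipconfig', 'whoami']}
```

A host that legitimately relays mail (ws02) or uses TLS on its normal port (ws03) is not flagged; only the combination on ws01 is.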
Mitigation priorities
- Start with visibility: ensure Windows endpoint logging, process telemetry, file activity, and network connection metadata are collected and retained.
- Restrict and monitor outbound connectivity, especially unusual ports and protocol/port combinations, using allowlisting where operationally feasible.
- Apply least-privilege access to sensitive local data and monitor access to high-value directories and files.
- Harden controls around file transfer into the environment and investigate unexpected tools or binaries appearing on endpoints.
- Prepare IR playbooks for suspected collection and C2 activity, including host isolation, evidence preservation, and scoping across related discovery and transfer behaviors.
Analyst notes and limits
The strongest decision value is in validating behavioral coverage for the ATT&CK relationships: discovery, collection, archive staging, tool transfer, and C2 over non-standard or encrypted channels. The APT29 relationship raises the importance of disciplined evidence handling and executive escalation, but the supplied object does not justify assumptions about current targeting or exposure in any specific environment.
Official ATT&CK detection guidance is not provided for this object. Tactics are not specified on the malware object itself, so defensive guidance is derived from the supplied relationship context. Local prevalence, exploit path, initial access method, indicators, and confirmed detection efficacy require environment-specific evidence and the cited external reports.
WellMail
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | WellMail can receive data and executable scripts from C2. [1] |
| Enterprise | T1571 | Non-Standard Port | WellMail has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications. [1][2] |
| Enterprise | T1560 | Archive Collected Data | WellMail can archive files on the compromised host. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | WellMail can use TCP for C2 communications. [1] |
| Enterprise | T1033 | System Owner/User Discovery | WellMail can identify the current username on the victim system. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | WellMail can identify the IP address of the victim system. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | WellMail can decompress scripts received from C2. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS. [1][2] |
| Enterprise | T1005 | Data from Local System | WellMail can exfiltrate files from the victim machine. [1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ec437100d55a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CISA WellMail July 2020: CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020.
- [2] NCSC APT29 July 2020: National Cyber Security Centre. (2020, July 16). Advisory: APT29 targets COVID-19 vaccine development. Retrieved September 29, 2020.
- [3] mitre-attack: S0515
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.