S0634: EnvyScout
Analyst context for executives and security teams
EnvyScout matters because MITRE describes it as a Windows dropper associated with APT29 use since at least 2021, with relationships to phishing attachments, HTML smuggling, script execution, obfuscation, discovery, credential-access, and stealth behaviors. For leaders, the practical issue is not only the malware name; it is whether email, endpoint, identity, and SOC processes can connect an apparently benign attachment or HTML file to follow-on Windows execution and credential-risk signals.
Executive priority
Treat this as a readiness test for early-stage intrusion handling on Windows endpoints. Priority questions include: can the organization preserve and correlate email attachment evidence, browser/download activity, script and command-shell execution, rundll32 activity, hidden files, and forced-authentication indicators; and can incident responders quickly determine whether a dropper led to local data discovery or credential exposure. This supports budget and control decisions around phishing resilience, endpoint logging, managed detection quality, and incident evidence retention.
Technical view
ATT&CK provides no dedicated detection text for EnvyScout, so defenders should validate coverage through the related techniques: Spearphishing Attachment, Malicious File, HTML Smuggling, JavaScript, Windows Command Shell, Rundll32, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Masquerading, Hidden Files and Directories, Execution Guardrails, System Information Discovery, Data from Local System, and Forced Authentication. On Windows, the SOC should test whether alerts and investigations can link the delivery artifact to child processes, file writes, decoding or deobfuscation behavior, suspicious rundll32 or cmd usage, local discovery, and SMB or other forced-authentication attempts.
Likely telemetry
- Email security logs and message metadata for attachments and delivered HTML files
- Endpoint process creation telemetry, including parent-child relationships for browsers, script interpreters, cmd.exe, and rundll32.exe
- File creation, modification, hidden attribute, and download-zone evidence on Windows endpoints
- Browser and web proxy telemetry for HTML downloads and embedded or generated file download behavior
- Script execution telemetry for JavaScript/JScript where available
Detection direction
- Because MITRE provides no official detection guidance for this malware object, detection engineering should be behavior-led rather than name-only.
- Correlate suspicious attachment or HTML delivery with local file creation and subsequent Windows script, cmd.exe, or rundll32.exe execution.
- Tune for masquerading and hidden-file behavior in user-writable locations, while accounting for legitimate software installers and administrative scripts.
- Review false positives around rundll32.exe and command shell use by enterprise management tools before promoting high-severity alerts.
- Validate whether encoded or encrypted file staging and later decode/deobfuscation are visible in endpoint telemetry.
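The correlation described in the bullets above, as an added worked example that is not part of the original page or the ATT&CK object: it runs over a few constructed, Sysmon-style telemetry events (field names and process names are assumptions) and links a browser or mail-client write of an HTML/ISO file to a later rundll32.exe, cmd.exe or script-host launch by the same user on the same host, while skipping launches whose parent is an allowlisted management tool.

```python
from datetime import datetime, timedelta

# Assumed process names; adjust to the environment's actual inventory.
DELIVERY_APPS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}
DELIVERY_EXT = (".html", ".htm", ".iso", ".img")
FOLLOW_ON = {"rundll32.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Parents treated as routine (enterprise management tooling); constructed names.
ALLOWLISTED_PARENTS = {"ccmexec.exe"}
WINDOW = timedelta(minutes=10)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_delivery_to_execution(events):
    """Return (host, user, delivered_file, follow_on_image) for each suspicious chain.

    A chain is a delivery-app write of an HTML/ISO file followed, within WINDOW,
    by a follow-on binary launched by the same user on the same host, unless the
    launch's parent is allowlisted. The most recent matching delivery is reported.
    """
    deliveries, findings = [], []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if (e["type"] == "file_write" and basename(e["image"]) in DELIVERY_APPS
                and e["target"].lower().endswith(DELIVERY_EXT)):
            deliveries.append((ts, e["host"], e["user"], e["target"]))
        elif e["type"] == "process_create" and basename(e["image"]) in FOLLOW_ON:
            if basename(e.get("parent", "")) in ALLOWLISTED_PARENTS:
                continue
            for dts, host, user, target in reversed(deliveries):
                if host == e["host"] and user == e["user"] and timedelta(0) <= ts - dts <= WINDOW:
                    findings.append((host, user, target, basename(e["image"])))
                    break
    return findings


# Constructed sample telemetry (not real logs): one suspicious chain on WS01,
# one allowlisted cmd.exe on WS02, and one cmd.exe with no prior delivery on WS03.
SAMPLE_EVENTS = [
    {"ts": "2021-05-28T10:00:00", "type": "file_write", "host": "WS01", "user": "alice",
     "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "target": "C:\\Users\\alice\\Downloads\\invite.html"},
    {"ts": "2021-05-28T10:00:30", "type": "file_write", "host": "WS01", "user": "alice",
     "image": "C:\\Program Files\\Google\\Chrome\\chrome.exe", "target": "C:\\Users\\alice\\Downloads\\invite.iso"},
    {"ts": "2021-05-28T10:01:10", "type": "process_create", "host": "WS01", "user": "alice",
     "image": "C:\\Windows\\System32\\rundll32.exe", "parent": "C:\\Windows\\explorer.exe"},
    {"ts": "2021-05-28T10:03:00", "type": "file_write", "host": "WS02", "user": "bob",
     "image": "C:\\Program Files\\Microsoft Office\\outlook.exe", "target": "C:\\Users\\bob\\Downloads\\report.html"},
    {"ts": "2021-05-28T10:05:00", "type": "process_create", "host": "WS02", "user": "bob",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\CCM\\ccmexec.exe"},
    {"ts": "2021-05-28T10:30:00", "type": "process_create", "host": "WS03", "user": "carol",
     "image": "C:\\Windows\\System32\\cmd.exe", "parent": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for finding in find_delivery_to_execution(SAMPLE_EVENTS):
        print("delivery-to-execution chain:", finding)
```

Only the WS01 chain is reported; widening the window or the delivery extension list trades recall against the false-positive review noted above.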
Mitigation priorities
- Prioritize phishing attachment controls, user-reporting workflows, and rapid message recall or containment processes.
- Harden Windows endpoint visibility for process creation, command line, script execution, file attributes, and rundll32 usage.
- Restrict or monitor script and living-off-the-land execution paths where operationally feasible.
- Reduce credential exposure from forced authentication by reviewing SMB authentication behavior and related identity controls.
- Ensure incident response playbooks preserve email artifacts, endpoint files, process telemetry, and authentication logs before cleanup.
Analyst notes and limits
The supplied ATT&CK object identifies EnvyScout as a dropper used by APT29 since at least 2021 and provides technique relationships that describe likely defensive focus areas. Glexia's strongest contribution is to use this object as a control-validation scenario across email, endpoint, identity, and incident response rather than relying on static malware naming.
Official ATT&CK detection text is not provided, the malware object has no object-level tactics listed, and the relationship descriptions are summarized. Local conclusions require environment-specific telemetry, file samples, email evidence, and authentication logs. This take does not assert active exploitation, customer exposure, or guaranteed detection coverage.
EnvyScout
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | EnvyScout can determine whether the ISO payload was received by a Windows or iOS device. [1] |
| Enterprise | T1480 | Execution Guardrails | EnvyScout can call |
| Enterprise | T1204.002 | Malicious File (sub-technique) | EnvyScout has been executed through malicious files attached to e-mails. [1] |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | EnvyScout has the ability to proxy execution of malicious files with Rundll32. [1] |
| Enterprise | T1005 | Data from Local System | EnvyScout can collect sensitive NTLM material from a compromised host. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | EnvyScout has been distributed via spearphishing as an email attachment. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | EnvyScout can deobfuscate and write malicious ISO files to disk. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | EnvyScout can Base64 encode payloads. [1] |
| Enterprise | T1059.007 | JavaScript (sub-technique) | EnvyScout can write files to disk with JavaScript using a modified version of the open-source tool FileSaver. [1] |
| Enterprise | T1564.001 | Hidden Files and Directories (sub-technique) | EnvyScout can use hidden directories and files to hide malicious executables. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | EnvyScout can use cmd.exe to execute malicious files on compromised hosts. [1] |
| Enterprise | T1027.006 | HTML Smuggling (sub-technique) | EnvyScout contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk. [1] |
| Enterprise | T1187 | Forced Authentication | EnvyScout can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure. [1] |
| Enterprise | T1036 | Masquerading | EnvyScout has used folder icons for malicious files to lure victims into opening them. [1] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | f523b50456ab… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MSTIC Nobelium Toolset May 2021. MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
[2] mitre-attack S0634.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.