S0635: BoomBox
Analyst context for executives and security teams
BoomBox matters because ATT&CK describes it as a Windows downloader used to execute next-stage components. For leaders, the practical risk is not the downloader alone, but what it enables: follow-on tooling, discovery, persistence, command-and-control, and possible cloud-storage exfiltration behaviors represented by its ATT&CK relationships.
Executive priority
Treat BoomBox as a readiness test for early-stage intrusion response. Executives should ask whether the organization can prove visibility into Windows execution, suspicious download/tool-transfer activity, web-based command-and-control, registry run-key persistence, and account/email discovery. Because the object is associated with APT29 in ATT&CK, risk owners in government, research, think-tank, and similarly sensitive environments may want to prioritize validation, while avoiding assumptions of current exposure without local evidence.
Technical view
ATT&CK provides no dedicated detection text for BoomBox, so SOC and IR teams should pivot from the malware relationship set. Validate detections around rundll32 proxy execution, malicious-file execution, payloads that are AES-encrypted in transit and decoded on the host, registry run keys/startup folders, system/user/domain/email account discovery (LDAP-based in the mirrored procedures), file and directory enumeration, ingress tool transfer, web protocols, web services, execution guardrails, and exfiltration to cloud storage. Because the object platform is Windows, prioritize Windows endpoint and network evidence first.
Likely telemetry
- Windows process creation and command-line telemetry
- DLL execution and rundll32 activity
- File creation, download, archive, decode, and payload staging events
- Registry run key and startup folder modifications
- LDAP query telemetry and user, domain account, and email account enumeration logs (the mirrored discovery procedures are LDAP queries)
- Network connections to LDAP ports and to cloud storage services from processes that do not normally make them
Detection direction
- Do not rely on a BoomBox-specific signature; ATT&CK supplies no official detection guidance.
- Correlate suspicious Windows execution with subsequent discovery, tool transfer, persistence, and outbound web traffic.
- Tune rundll32 detections for unusual parent processes, command lines, DLL paths, and network activity while accounting for legitimate administrative and software behavior.
- Look for discovery bursts involving local user, domain account, email account, system information, and file listings after suspicious file execution.
- Review whether allowed web services and cloud storage destinations create blind spots for command-and-control or exfiltration-style behavior.
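The behavior-chain correlation the bullets above describe, as an added example that is not part of the original page or of any ATT&CK or vendor tooling. Event records are constructed and loosely follow Sysmon process-create, registry-set and network-connect fields; the field names, path lists, port lists, 30-minute window and three-stage threshold are all assumptions to baseline against your own telemetry.

```python
"""Behaviour-chain correlation for downloader-style activity.

Added example, not ATT&CK or vendor code. Event records are constructed
and loosely follow Sysmon fields (process create, registry set, network
connect); field names, thresholds and path lists are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed indicators; baseline these against your own environment.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\", "\\users\\public\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
CLOUD_STORAGE = ("dropbox.com", "dropboxapi.com")
LDAP_PORTS = (389, 636, 3268, 3269)


def is_proxy_execution(e):
    """T1218.011: rundll32 loading a DLL from a user-writable path."""
    if e["kind"] != "process" or not e["image"].lower().endswith("\\rundll32.exe"):
        return False
    return any(p in e["cmdline"].lower() for p in USER_WRITABLE)


def is_run_key_persistence(e):
    """T1547.001: value written under a Run/RunOnce key."""
    return e["kind"] == "registry" and any(k in e["target"].lower() for k in RUN_KEYS)


def is_ldap_discovery(e):
    """T1087.002/.003: LDAP traffic from a process that is not the OS itself."""
    return (e["kind"] == "network" and e["dport"] in LDAP_PORTS
            and not e["image"].lower().endswith(("\\lsass.exe", "\\svchost.exe")))


def is_cloud_storage_egress(e):
    """T1102/T1567.002: HTTPS to cloud storage from something other than its own client."""
    return (e["kind"] == "network" and e["dport"] == 443
            and e["dest_host"].lower().endswith(CLOUD_STORAGE)
            and not e["image"].lower().endswith("\\dropbox.exe"))


# Stages in the order the page's downloader chain describes them.
STAGES = [
    ("proxy_execution", is_proxy_execution),
    ("run_key_persistence", is_run_key_persistence),
    ("ldap_discovery", is_ldap_discovery),
    ("cloud_storage_egress", is_cloud_storage_egress),
]


def correlate(events, window=timedelta(minutes=30), min_stages=3):
    """Return {host: [(stage, ts), ...]} for hosts where at least
    min_stages stages occur in order within `window` of the first one."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host[e["host"]].append(e)

    alerts = {}
    for host, evs in by_host.items():
        matched, next_idx, start = [], 0, None
        for e in evs:
            # Stages may be skipped (missing telemetry) but never reordered.
            for i in range(next_idx, len(STAGES)):
                name, pred = STAGES[i]
                if pred(e):
                    start = start or e["ts"]
                    if e["ts"] - start <= window:
                        matched.append((name, e["ts"]))
                        next_idx = i + 1
                    break
        if len(matched) >= min_stages:
            alerts[host] = matched
    return alerts


T0 = datetime(2021, 5, 28, 9, 0, 0)
RUNDLL = "C:\\Windows\\System32\\rundll32.exe"
EVENTS = [  # constructed sample telemetry; SID and hostnames are made up
    {"ts": T0, "host": "WS01", "kind": "process", "image": RUNDLL,
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "rundll32.exe C:\\Users\\alice\\AppData\\Local\\Temp\\update.dll,Run"},
    {"ts": T0 + timedelta(minutes=2), "host": "WS01", "kind": "registry", "image": RUNDLL,
     "target": "HKU\\S-1-5-21-1111\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"ts": T0 + timedelta(minutes=5), "host": "WS01", "kind": "network", "image": RUNDLL,
     "dport": 389, "dest_host": "dc01.corp.example"},
    {"ts": T0 + timedelta(minutes=7), "host": "WS01", "kind": "network", "image": RUNDLL,
     "dport": 443, "dest_host": "api.dropboxapi.com"},
    # WS02: a legitimate admin rundll32 call and the real Dropbox client; must not alert.
    {"ts": T0, "host": "WS02", "kind": "process", "image": RUNDLL,
     "parent_image": "C:\\Windows\\explorer.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"ts": T0 + timedelta(minutes=1), "host": "WS02", "kind": "network",
     "image": "C:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe",
     "dport": 443, "dest_host": "api.dropboxapi.com"},
]

if __name__ == "__main__":
    for host, chain in correlate(EVENTS).items():
        print(host, "->", ", ".join(f"{s}@{t:%H:%M}" for s, t in chain))
```

The stage predicates are deliberately loose on their own (rundll32 from Temp, a Run-key write, LDAP from a non-system process, HTTPS to Dropbox) and only become an alert in combination and in order on one host; that is the point of chain validation over single-indicator matching, and it is why WS02's legitimate rundll32 and Dropbox client traffic stay quiet.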
Mitigation priorities
- Prioritize endpoint visibility and logging for Windows execution, registry persistence, and file staging.
- Harden controls around user-opened files, including attachment handling, execution policy, and user awareness where appropriate.
- Restrict and monitor unnecessary use of living-off-the-land execution paths such as rundll32 without breaking legitimate operations.
- Apply egress governance for web protocols, web services, and cloud storage based on business need.
- Maintain incident response playbooks for downloader activity that assume follow-on payloads may already be present.
Analyst notes and limits
BoomBox is described as a downloader and is linked by ATT&CK to APT29 and multiple techniques spanning execution, stealth, discovery, persistence, command-and-control, ingress transfer, and exfiltration. The most useful defensive approach is behavior-chain validation rather than single-indicator matching.
The supplied ATT&CK object has no official detection text, no aliases, and no object-level tactics. Technique relationships provide behavioral context but not environment-specific indicators, prevalence, or guaranteed detection logic. Local telemetry, baselines, and incident evidence are required before making exposure, attribution, or impact claims.
BoomBox
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | BoomBox can use RunDLL32 for execution. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | BoomBox has the ability to download next stage malware components to a compromised system. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BoomBox can decrypt AES-encrypted files downloaded from C2. [1] |
| Enterprise | T1102 | Web Service | BoomBox can download files from Dropbox using a hardcoded access token. [1] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | BoomBox has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users. [1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BoomBox has used HTTP POST requests for C2. [1] |
| Enterprise | T1204.002 | User Execution: Malicious File | BoomBox has gained execution through user interaction with a malicious file. [1] |
| Enterprise | T1082 | System Information Discovery | BoomBox can enumerate the hostname, domain, and IP of a compromised host. [1] |
| Enterprise | T1083 | File and Directory Discovery | BoomBox can search for specific files and directories on a machine. [1] |
| Enterprise | T1036 | Masquerading | BoomBox has the ability to mask malicious data strings as PDF files. [1] |
| Enterprise | T1480 | Execution Guardrails | BoomBox can check its current working directory and for the presence of a specific file and terminate if specific values are not found. [1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BoomBox can establish persistence by writing the Registry value |
| Enterprise | T1033 | System Owner/User Discovery | BoomBox can enumerate the username on a compromised host. [1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | BoomBox can upload data to dedicated per-victim folders in Dropbox. [1] |
| Enterprise | T1087.003 | Account Discovery: Email Account | BoomBox can execute an LDAP query to discover e-mail accounts for domain users. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | BoomBox can encrypt data using AES prior to exfiltration. [1] |
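A triage helper for the T1218.011 and T1036 rows above and for the rundll32 tuning point in the detection direction: it parses a rundll32 command line into DLL, entry point and arguments, then flags a DLL outside program directories, a DLL whose extension is not .dll (a payload masquerading as a document), an export called by ordinal, and a relative DLL path resolved through the search path, while marking a few well-known administrative pairs. This is an added example, not code from the page, ATT&CK or any vendor; the path list, the known-admin allowlist and the sample command lines are assumptions, and the parser splits the DLL specification at the first comma, which is a simplification of rundll32's own parsing.

```python
"""Parse rundll32 command lines and flag the traits worth a second look.

Added example, not ATT&CK or vendor code. USER_WRITABLE, KNOWN_ADMIN and
SAMPLES are assumptions; the comma split is a simplification of rundll32.
"""
import re

USER_WRITABLE = ("\\users\\", "\\temp\\", "\\programdata\\")
# Common legitimate (dll, entry point) pairs; extend from your own baseline.
KNOWN_ADMIN = {("shell32.dll", "control_rundll"), ("shell32.dll", "shellexec_rundll"),
               ("printui.dll", "printuientry")}


def _next_token(s):
    """Return (token, remainder); a leading double-quoted token keeps its spaces."""
    s = s.lstrip()
    if not s:
        return "", ""
    if s[0] == '"':
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:])
    m = re.match(r"\S+", s)
    return m.group(0), s[m.end():]


def parse_rundll32(cmdline):
    """Return {'dll', 'entry', 'args'} or None if this is not a rundll32 command line."""
    exe, rest = _next_token(cmdline)
    if exe.lower().rsplit("\\", 1)[-1] not in ("rundll32", "rundll32.exe"):
        return None
    dll, rest = _next_token(rest)
    entry = ""
    if "," in dll:                      # unquoted form: path.dll,Entry
        dll, entry = dll.split(",", 1)
    elif rest.startswith(","):          # quoted form: "path with spaces.dll",Entry
        m = re.match(r",(\S*)", rest)
        entry, rest = m.group(1), rest[m.end():]
    return {"dll": dll, "entry": entry, "args": rest.strip()}


def assess_rundll32(cmdline):
    """Parse and attach the flags a triage analyst would want to see."""
    p = parse_rundll32(cmdline)
    if p is None:
        return None
    dll_l = p["dll"].lower()
    base = dll_l.rsplit("\\", 1)[-1]
    flags = []
    if any(d in dll_l for d in USER_WRITABLE):
        flags.append("dll_in_user_writable_path")
    if not base.endswith(".dll"):       # T1036: payload masquerading under another extension
        flags.append("non_dll_extension")
    if p["entry"].startswith("#"):      # export by ordinal hides the function name
        flags.append("ordinal_entry_point")
    if not (re.match(r"[a-z]:\\", dll_l) or dll_l.startswith("\\\\")):
        flags.append("relative_dll_path")  # resolved through the DLL search path
    p["flags"] = flags
    p["known_admin"] = (base, p["entry"].lower()) in KNOWN_ADMIN
    return p


SAMPLES = [  # constructed command lines, not observed BoomBox artifacts
    r"rundll32.exe C:\Users\alice\AppData\Local\Temp\invoice.pdf,#1",
    r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Vendor\tool.dll",Update /silent',
    r"rundll32 shell32.dll,Control_RunDLL desk.cpl",
    r"notepad.exe notes.txt",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(assess_rundll32(s))
```

Feed it the command-line field of process-creation events and route on the combination of flags and `known_admin`: a user-writable path plus a non-.dll extension plus an ordinal export is the shape worth an immediate look, while a known administrative pair with only `relative_dll_path` is the kind of result to suppress after baselining rather than alert on.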
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5e36fde1d2de… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MSTIC Nobelium Toolset May 2021: MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
[2] mitre-attack S0635: MITRE ATT&CK. S0635: BoomBox.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.