S0661: FoggyWeb
Analyst context for executives and security teams
FoggyWeb matters because it is described as a passive, highly targeted backdoor on a compromised AD FS server, with the capability to remotely exfiltrate sensitive information. For leaders, the key issue is not just malware removal: AD FS is identity infrastructure, so evidence of this behavior should trigger questions about certificate/private key exposure, alternate authentication material, persistence, and whether identity trust needs to be revalidated.
Executive priority
Prioritize this as an identity-infrastructure resilience scenario. Executives should ask whether AD FS servers are treated as tier-critical assets, whether security teams collect enough host and network evidence to investigate stealthy DLL/module-based activity, and whether incident response plans include decisions for key/certificate protection, authentication material compromise, and controlled restoration of identity services. This object also supports audit and compliance conversations around privileged system monitoring, change control, and evidence retention for identity platforms.
Technical view
The supplied ATT&CK relationships place FoggyWeb across collection, credential access, discovery, execution, command and control, exfiltration, lateral movement, and stealth behaviors. SOC and IR teams should validate coverage on Windows AD FS servers for suspicious DLL/shared module loading, reflective or memory-resident execution, Native API-heavy behavior, compile-after-delivery artifacts, encoded/encrypted files, masqueraded resource names or locations, process/file discovery, private key access, archive creation, web-protocol C2, symmetric encrypted communications, ingress tool transfer, and exfiltration over a C2 channel. Because the malware object itself has no official ATT&CK detection text, detection engineering should be built from the related techniques and local AD FS baselines rather than assumed signatures.
Likely telemetry
- Windows process creation and parent-child process activity on AD FS servers
- DLL load, shared module load, and suspicious module path/name telemetry
- File system events for AD FS-related directories, certificate/private key locations, archives, encoded or encrypted artifacts, and newly delivered tools
- Compiler or build utility execution evidence where compile-after-delivery is plausible
- Memory or EDR telemetry for reflective code loading and anomalous in-process execution
Detection direction
- Start with a tight baseline of normal AD FS server behavior; alerting without baselines may generate noise because web protocols, DLLs, and legitimate modules are common.
- Correlate stealth indicators together: masqueraded names or locations, unexpected DLL/module loads, encoded files, deobfuscation, reflective loading, and Native API-heavy execution are more meaningful in combination.
- Treat access to private keys, certificates, token-related material, or AD FS-sensitive files as high-value investigative leads, especially when paired with archive creation or outbound web traffic.
- Review egress from AD FS servers for unusual destinations, timing, volume, or protocol use; T1071.001, T1041, and T1573.001 imply that normal-looking or encrypted web traffic can hide activity.
- Validate whether host telemetry can see memory-resident or module-based execution; file-only controls may miss reflective code loading and passive backdoor behavior.
Mitigation priorities
- Classify AD FS servers as critical identity assets and enforce stronger monitoring, change control, and administrative access restrictions around them.
- Protect private keys and certificates with strict access control, inventory, rotation procedures, and incident playbooks for suspected exposure.
- Limit and monitor outbound network paths from AD FS servers so unusual web-protocol communications and exfiltration paths are visible and reviewable.
- Maintain reliable host logging and EDR-style visibility for process, module, DLL, file, memory, and network activity on Windows identity servers.
- Harden file and module loading paths, review trusted locations, and monitor for resource-name masquerading or unexpected shared modules.
Analyst notes and limits
The strongest decision value is the identity angle: a backdoor on AD FS can affect trust, authentication material, and sensitive identity data. The ATT&CK relationships also indicate stealth and C2 behaviors that are likely to challenge simple perimeter or signature-only monitoring. Use the APT29 relationship as threat-intelligence context supported by MITRE, but do not assume current activity or local exposure without environment evidence.
The supplied object provides no official detection guidance, no aliases, no malware tactics, and no indicators of compromise. Several related technique platform lists are broader than the malware platform; for this analysis, Windows and AD FS should be treated as the supported focus. Local architecture, logging depth, certificate handling, and AD FS configuration are required to determine actual risk and detection coverage.
FoggyWeb
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | FoggyWeb can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using a XOR key. [1] |
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | FoggyWeb can remotely exfiltrate sensitive information from a compromised AD FS server. [1] |
| Enterprise | T1027.004 | Compile After Delivery Sub-technique | FoggyWeb can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST. [1] |
| Enterprise | T1005 | Data from Local System | FoggyWeb can retrieve configuration data from a compromised AD FS server. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | FoggyWeb has been XOR-encoded. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | FoggyWeb has the ability to communicate with C2 servers over HTTP GET/POST requests. [1] |
| Enterprise | T1552.004 | Private Keys Sub-technique | FoggyWeb can retrieve token signing certificates and token decryption certificates from a compromised AD FS server. [1] |
| Enterprise | T1036 | Masquerading | FoggyWeb can masquerade the output of C2 commands as a fake, but legitimately formatted WebP file. [1] |
| Enterprise | T1057 | Process Discovery | FoggyWeb's loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server's |
| Enterprise | T1550 | Use Alternate Authentication Material | FoggyWeb can allow abuse of a compromised AD FS server's SAML token. [1] |
| Enterprise | T1106 | Native API | |
| Enterprise | T1129 | Shared Modules | |
| Enterprise | T1040 | Network Sniffing | FoggyWeb can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor. [1] |
| Enterprise | T1560.002 | Archive via Library Sub-technique | FoggyWeb can invoke the `Common.Compress` method to compress data with the C# GZipStream compression class. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | FoggyWeb can receive additional malicious components from an actor-controlled C2 server and execute them on a compromised AD FS server. [1] |
| Enterprise | T1574.001 | DLL Sub-technique | FoggyWeb's loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1620 | Reflective Code Loading | FoggyWeb's loader has reflectively loaded .NET-based assembly/payloads into memory. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | FoggyWeb has used a dynamic XOR key and custom XOR methodology for C2 communications. [1] |
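The "Detection direction" guidance above says stealth indicators are more meaningful in combination, and the T1574.001, T1552.004 and T1071.001 rows name the concrete behaviours (a sideloaded `version.dll` in `Microsoft.IdentityServer.ServiceHost.exe`, token certificate access, HTTP C2). The following added example, which is not code from the page, MITRE or Glexia, correlates constructed Sysmon-style event records from an AD FS host around those three behaviours; the AD FS install path, the certificate file name and the destination address are assumed placeholders.

```python
from datetime import datetime, timedelta
# Assumed AD FS service host name and install path (not taken from the page).
ADFS_PROCESS = "\\microsoft.identityserver.servicehost.exe"
ADFS_EXE = "C:\\Windows\\ADFS\\Microsoft.IdentityServer.ServiceHost.exe"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# Page-sourced behaviours: version.dll sideloaded into the service host (T1574.001),
# token certificate access (T1552.004), then web-protocol egress (T1071.001).
HIJACK_DLL = "\\version.dll"
KEY_MATERIAL_HINTS = ("token signing", "token decrypt", ".pfx", "\\certificates\\")

def from_adfs_host(e):
    return e["Image"].lower().endswith(ADFS_PROCESS)

def find_dll_hijack(events):
    """Flag version.dll loaded by the AD FS host from outside the system directories."""
    hits = []
    for e in events:
        if e["EventType"] != "ImageLoad" or not from_adfs_host(e):
            continue
        loaded = e["ImageLoaded"].lower()
        if loaded.endswith(HIJACK_DLL) and not loaded.startswith(SYSTEM_DIRS):
            hits.append(e["ImageLoaded"])
    return hits

def find_key_access_then_egress(events, window_minutes=10):
    """Pair key/certificate file access by the AD FS host with outbound HTTP(S)
    from the same process inside the window; either alone stays a weak signal."""
    ts = lambda e: datetime.strptime(e["UtcTime"], "%Y-%m-%d %H:%M:%S")
    access, egress = [], []
    for e in filter(from_adfs_host, events):
        if e["EventType"] == "FileAccess" and any(h in e["TargetFilename"].lower() for h in KEY_MATERIAL_HINTS):
            access.append(e)
        elif e["EventType"] == "NetworkConnect" and e.get("DestinationPort") in (80, 443):
            egress.append(e)
    pairs = []
    for a in access:
        for n in egress:
            if timedelta(0) <= ts(n) - ts(a) <= timedelta(minutes=window_minutes):
                pairs.append((a["TargetFilename"], n["DestinationIp"]))
    return pairs

def ev(kind, when, **fields):  # constructed sample events, not real telemetry
    return {"EventType": kind, "UtcTime": when, "Image": ADFS_EXE, **fields}

SAMPLE_EVENTS = [
    ev("ImageLoad", "2021-09-27 10:00:00", ImageLoaded="C:\\Windows\\ADFS\\version.dll"),
    ev("ImageLoad", "2021-09-27 10:00:01", ImageLoaded="C:\\Windows\\System32\\version.dll"),
    ev("FileAccess", "2021-09-27 10:05:00", TargetFilename="C:\\placeholder\\token signing.pfx"),
    ev("NetworkConnect", "2021-09-27 10:07:30", DestinationIp="203.0.113.10", DestinationPort=443),
]
```

Only the `version.dll` load from the AD FS directory and the certificate-read-then-egress pair are reported; the System32 load and either half of the pair on its own are not, which is the baseline-first, correlate-then-alert approach the page recommends.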
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 229ccb18cb17… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MSTIC FoggyWeb September 2021: Ramin Nafisi. (2021, September 27). FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021.
[2] mitre-attack S0661
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.