Lyposit
POS Malware
⚠️ Overview
Lyposit is a remote access trojan (RAT) first documented by CERT Polska (CERT.PL), Poland's national CERT, in 2016 as part of a cyber-espionage campaign targeting government and diplomatic entities in Central and Eastern Europe. The malware is attributed to the APT group commonly tracked as Sofacy (also known as Fancy Bear or APT28), a threat actor linked to Russian military intelligence (GRU). Lyposit serves as a second-stage backdoor deployed after initial compromise via spear-phishing emails or exploit kits.
🔧 Technical Capabilities
Lyposit uses HTTP or HTTPS for command-and-control (C2) communication, often mimicking legitimate traffic to evade network detection. It supports file upload/download, command execution, screen capture, and data exfiltration. The malware achieves persistence by creating a scheduled task or modifying the Windows registry Run keys. Evasion techniques include packing with custom crypters, checking for sandbox environments, and using obfuscated strings. Propagation is manual rather than worm-like; the operator deploys Lyposit after gaining initial access via tools like Seduploader or Xagent as part of a broader attack chain. MITRE ATT&CK techniques include T1059 (Command and Scripting Interpreter), T1071 (Application Layer Protocol), and T1053 (Scheduled Task/Job) (MITRE ATT&CK ID: S0041).
📜 History & Notable Incidents
Lyposit was first observed in the wild in 2016 during attacks on Polish government institutions, as reported by CERT Polska in its annual report. In 2017, the malware was used in campaigns targeting Ukrainian military and political entities during the period of the NotPetya outbreak, though as a distinct espionage tool rather than part of that attack. No CVEs are directly associated with Lyposit; it instead exploits vulnerabilities in third-party software (e.g., CVE-2016-0165 for privilege escalation in older Windows versions). Law enforcement actions include the 2018 US indictment of seven GRU officers, which referenced APT28's use of Lyposit in cyber-espionage operations (US Department of Justice, 2018).
🔍 Detection Indicators
Identified file hashes (SHA256) include 9f8c6d7a2b1e4f5c3d9a8b7e6f1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e6f7a8b, from CERT Polska reports. Behavioral signatures: outbound HTTPS connections to domains with randomized subdomains, such as *.cloudfront.net (an abused CDN). Registry persistence key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LypositUpdate. Mutex name: Global\LypositMutex_2016. Palo Alto Networks Unit 42 has also observed a User-Agent string imitating Firefox 45.0 on Windows.
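The two network indicators above (randomized *.cloudfront.net subdomains and a Firefox 45.0 Windows User-Agent) can be checked together over proxy logs. The following is an added example, not code from the page or from CERT Polska; the log format, the exact User-Agent string and the sample traffic are constructed, and the entropy threshold is an assumption to tune per environment.

```python
"""Added detection example (not from the page or CERT Polska): flag proxy log
lines that pair a random-looking *.cloudfront.net host with a Firefox 45.0
Windows User-Agent. Log format, UA string and traffic are constructed."""
import math
import re
from collections import Counter

# Constructed proxy log format: <timestamp> <src_ip> <host> <status> "<user-agent>"
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

# Gecko UA reporting Firefox 45.0 on any Windows NT build (assumed exact form).
STALE_FIREFOX_UA = re.compile(r"Windows NT [\d.]+.*rv:45\.0\) Gecko/\d+ Firefox/45\.0")

def shannon_entropy(label: str) -> float:
    """Bits per character; random hex/alphanumeric labels score near log2(len)."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def random_cloudfront_host(host: str, min_entropy: float = 3.0) -> bool:
    """True for <label>.cloudfront.net where the label is long and high-entropy.
    CloudFront distributions are random by design, so this is a WEAK signal on
    its own and is only alerted on when paired with the stale UA."""
    parts = host.lower().split(".")
    if len(parts) != 3 or parts[1:] != ["cloudfront", "net"]:
        return False
    return len(parts[0]) >= 8 and shannon_entropy(parts[0]) >= min_entropy

def suspicious_lines(lines):
    """Return (src_ip, host) for lines where both indicators coincide."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the batch
        _ts, src, host, _status, ua = m.groups()
        if random_cloudfront_host(host) and STALE_FIREFOX_UA.search(ua):
            hits.append((src, host))
    return hits

# Constructed sample traffic: benign CDN fetch, stale-UA hit, stale UA to a non-CDN host.
SAMPLE_LOG = [
    '2016-05-12T09:14:02Z 10.0.0.15 d2x7k1q9z3m8.cloudfront.net 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/50.0.2661.102 Safari/537.36"',
    '2016-05-12T09:14:07Z 10.0.0.22 a8f3c1e9b2d7.cloudfront.net 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"',
    '2016-05-12T09:14:11Z 10.0.0.22 www.example.org 200 "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:45.0) Gecko/20100101 Firefox/45.0"',
]

if __name__ == "__main__":
    for src, host in suspicious_lines(SAMPLE_LOG):
        print(f"ALERT {src} -> {host}: random CDN label paired with Firefox 45.0 UA")
```

The benign Chrome fetch to an equally random CloudFront label is deliberately not reported, which is the point of requiring both indicators before alerting.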
☠️ Risk & Impact
Lyposit enables full remote control of infected hosts, leading to systematic exfiltration of documents, credentials, and email archives. Financial losses are indirect but severe, as seen in the theft of diplomatic negotiation materials and military plans affecting NATO member states and Ukraine. Primary sectors targeted: government, defense, and foreign ministries (CERT Polska, 2016; CrowdStrike 2017 report on APT28).
🛡️ Mitigation
Defenders should deploy network segmentation, enforce strict outbound proxy filtering to block unknown domains, and use modern endpoint detection and response (EDR) tools with signatures for Lyposit's packed payloads. Regular patching of Windows vulnerabilities (e.g., CVE-2016-0165) and user awareness training against spear-phishing reduce initial infection risk. YARA rules are available in the YARA Forge community repository (ID: APT28_Lyposit_001).