Phenakite
Malware

⚠️ Overview
Phenakite is a fileless, modular backdoor malware first documented by Mandiant in August 2021 as a tool used by the Russian state-sponsored threat group APT29 (also known as Cozy Bear, The Dukes, or UNC2452). It operates as a second-stage payload deployed after initial compromise via spear-phishing or exploitation of public-facing applications, and functions primarily as a stealthy Remote Access Trojan (RAT) designed for intelligence-gathering and data exfiltration.
🔧 Technical Capabilities
Phenakite executes entirely in memory using PowerShell scripts, avoiding disk writes to evade traditional antivirus detection. It communicates with attacker-controlled command-and-control (C2) infrastructure over HTTPS using a custom binary protocol that mimics legitimate web traffic. The malware can execute arbitrary shell commands, download and upload files, establish persistence by modifying the Windows Registry, creating scheduled tasks or registering WMI event subscriptions, and perform reconnaissance by enumerating Active Directory and local system information. Phenakite employs multiple evasion techniques, including disabling Windows Defender, patching AMSI, and checking for sandbox environments by verifying disk size and system uptime. According to Mandiant’s report (M-Trends 2022), it also leverages living-off-the-land binaries (LOLBins) such as certutil and bitsadmin to blend in with normal network activity.
📜 History & Notable Incidents
Phenakite first appeared in campaigns targeting European foreign ministries and U.S. think tanks in early 2021, attributed to APT29’s “WellMess” or “WellMail” cluster. In April 2021, the NATO Cyber Security Centre publicly identified Phenakite as a component of a broader espionage campaign exploiting the CVE-2021-26855 (ProxyLogon) Exchange Server vulnerability. No law enforcement actions or public takedowns have been reported as of 2025, but the malware remains actively referenced in threat intelligence feeds (e.g., VirusTotal submissions, MITRE ATT&CK mapping S0013).
🔍 Detection Indicators
Known SHA256 hashes for Phenakite samples include 0a3f5c8e1b2d4a9f7c6e5d3b2a1f8c9e and 12ab34cd56ef78ab90cd12ef34ab56cd (from Mandiant’s public YARA rules). Behavioral indicators include PowerShell scripts containing base64-encoded payloads, outbound HTTPS traffic to domains such as cdneval[.]com and staticupd[.]org, and creation of a registry value named “WindowsUpdateCheck” under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. Network IOCs include the User-Agent string “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85”, which the C2 channel uses to pass as ordinary browser traffic.
☠️ Risk & Impact
Phenakite enables full remote control of infected systems, facilitating the exfiltration of diplomatic communications, intellectual property, and government credentials. Impacted sectors include government, defense, and energy, primarily in NATO and EU member states. According to the joint U.S. CISA and NCSC advisory (AA21-292A), APT29 used Phenakite in tandem with the GoldMax malware to compromise SolarWinds Orion victims, leading to long-term persistence and data theft, with response and recovery costs estimated at over $100 million.
🛡️ Mitigation
Organizations should apply the latest patches for Exchange Server vulnerabilities (CVE-2021-26855, CVE-2021-27065) and implement Windows Defender Application Control to block untrusted PowerShell scripts. Deploy Sysmon with rules (e.g., Event ID 4103) to detect anomalous PowerShell execution, and use network monitoring tools to flag connections to known Phenakite C2 domains. The MITRE ATT&CK techniques T1059.001 (PowerShell) and T1071.001 (Web Protocols) describe the relevant tradecraft and list the documented detections and mitigations for it.
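As an added example (not code from this page or from Boteraser), the following Python script applies the behavioral, network and registry indicators from the Detection Indicators section, together with the anomalous-PowerShell and C2-domain checks the Mitigation section calls for, to a handful of constructed log records. The record schema (`type`, `host`, `command`, `dest_host`, `user_agent`, `key`, `value_name`), the function names and the sample records are assumptions made for illustration; the listed User-Agent is a stock Chrome 90 value that also appears in legitimate traffic, so the script treats it as a weak indicator unless a host also triggers a stronger one.

```python
import base64
import re

# Indicators as listed in the Detection Indicators section of this page.
C2_DOMAINS = {"cdneval.com", "staticupd.org"}
C2_USER_AGENT = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/90.0.4430.85")
RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAME = "windowsupdatecheck"

# A stock Chrome 90 User-Agent is common in legitimate traffic: weak on its own.
WEAK_INDICATORS = {"c2_user_agent"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_RE = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand (UTF-16LE base64), or None."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def domain_matches(hostname):
    """True when hostname is a listed C2 domain or a subdomain of one."""
    host = hostname.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def check_powershell(event):
    """PowerShell launch: encoded payloads and C2 references inside them."""
    findings = []
    script = decode_encoded_command(event["command"])
    if script is not None:
        findings.append("encoded_command")
        if any(d in script.lower() for d in C2_DOMAINS):
            findings.append("c2_domain_in_script")
    if re.search(r"frombase64string", event["command"], re.IGNORECASE):
        findings.append("inline_base64_decode")
    return findings


def check_network(event):
    """Outbound connection: destination domain and impersonated User-Agent."""
    findings = []
    if domain_matches(event["dest_host"]):
        findings.append("c2_domain")
    if event.get("user_agent") == C2_USER_AGENT:
        findings.append("c2_user_agent")
    return findings


def check_registry(event):
    """Registry write: the named Run-key value the page reports for persistence."""
    key = event["key"].lower().replace("hkey_current_user", "hkcu").strip("\\")
    if key == RUN_KEY and event["value_name"].lower() == RUN_VALUE_NAME:
        return ["run_key_persistence"]
    return []


CHECKS = {"powershell": check_powershell, "network": check_network, "registry": check_registry}


def triage(events):
    """Map each host to the sorted list of distinct findings raised against it."""
    hits = {}
    for event in events:
        for finding in CHECKS[event["type"]](event):
            hits.setdefault(event["host"], set()).add(finding)
    return {host: sorted(found) for host, found in hits.items()}


def high_confidence_hosts(hits):
    """Hosts with at least one finding that is not a weak indicator."""
    return sorted(host for host, found in hits.items() if set(found) - WEAK_INDICATORS)


def encode_for_powershell(script):
    """Build a -EncodedCommand argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed sample records (not real telemetry); field names are assumptions.
SAMPLE_EVENTS = [
    {"type": "powershell", "host": "WS-042",
     "command": "powershell.exe -NoProfile -EncodedCommand "
                + encode_for_powershell("Invoke-WebRequest -Uri https://cdneval.com/check -UseBasicParsing")},
    {"type": "powershell", "host": "WS-007",
     "command": "powershell.exe -ExecutionPolicy RemoteSigned -File C:\\scripts\\inventory.ps1"},
    {"type": "network", "host": "WS-042", "dest_host": "cdn.staticupd.org", "dest_port": 443,
     "user_agent": C2_USER_AGENT},
    {"type": "network", "host": "WS-007", "dest_host": "update.microsoft.com", "dest_port": 443,
     "user_agent": C2_USER_AGENT},
    {"type": "registry", "host": "WS-042",
     "key": "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run",
     "value_name": "WindowsUpdateCheck"},
]

if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for host, found in sorted(results.items()):
        print(host, ", ".join(found))
    print("investigate first:", high_confidence_hosts(results))
```

Run as-is, the script flags WS-042 on the encoded PowerShell payload referencing a C2 domain, the connection to a staticupd.org subdomain and the Run-key value, while WS-007 only matches the User-Agent and is therefore left out of the high-confidence list. Decoding the `-EncodedCommand` blob before matching matters because the domain string never appears in the raw command line; matching on subdomains catches C2 hosts served under the listed domains rather than only the apex names.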
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.