Skip to main content
Mallory
Back to threat actors
11 malware familiesExploits CVEs in the wild

Blue Mockingbird

Also known asBlue Mockingbird

Blue Mockingbird is a threat actor associated in the provided content with exploitation of public-facing applications, including activity tied to Telerik UI for ASP.NET AJAX/CVE-2019-18935 guidance. The actor is described using batch scripts to automate payload execution and deployment, PowerShell reverse TCP shells for interactive command execution, and Remote Desktop to log on to servers interactively and manually copy files to remote hosts. Blue Mockingbird has used Windows Scheduled Tasks for persistence on local and remote hosts and modified the Windows Registry to specify a DLL payload. The actor has obtained and used tools such as Mimikatz, collected victim hardware details including CPU and memory information, and used obfuscation and masquerading to hinder detection, including obfuscating a wallet address in a payload binary and naming an XMRIG payload wercplsupporte.dll to resemble the legitimate wercplsupport.dll. ATT&CK techniques explicitly referenced in the content include Exploit Public-Facing Application (T1190), IIS Components (T1505.004), Web Shell (T1505.003), Command and Scripting Interpreter (T1059), Proxy (T1090), Regsvr32 (T1218.010), Modify Registry (T1112), Downgrade Attack (T1689), Upload Malware (T1608.001), and Upload Tool (T1608.002). No additional aliases or sub-groups beyond "blue_mockingbird" are provided in the content.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

39 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics63 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0042
Resource Development
2 techniques
T1588
Obtain Capabilities
T1588.002×2
Tool
T1608×2
Stage Capabilities
T1608.001
Upload Malware
T1608.002
Upload Tool
TA0001
Initial Access
1 technique
T1190×13
Exploit Public-Facing Application
TA0002
Execution
6 techniques
T1047
Windows Management Instrumentation
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1059
Command and Scripting Interpreter
T1059.001×9
PowerShell
T1059.003×3
Windows Command Shell
T1129
Shared Modules
T1569
System Services
T1569.002
Service Execution
T1574
Hijack Execution Flow
TA0003
Persistence
6 techniques
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1112×14
Modify Registry
T1137
Office Application Startup
T1505
Server Software Component
T1505.003×2
Web Shell
T1505.004
IIS Components
T1543
Create or Modify System Process
T1543.003×2
Windows Service
T1546
Event Triggered Execution
T1546.003
Windows Management Instrumentation Event Subscription
TA0004
Privilege Escalation
4 techniques
T1053
Scheduled Task/Job
T1053.005×4
Scheduled Task
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
T1543
Create or Modify System Process
T1543.003×2
Windows Service
T1546
Event Triggered Execution
T1546.003
Windows Management Instrumentation Event Subscription
TA0005
Stealth
4 techniques
T1027×3
Obfuscated Files or Information
T1036
Masquerading
T1218
System Binary Proxy Execution
T1218.010
Regsvr32
T1218.011×4
Rundll32
T1574
Hijack Execution Flow
TA0112
Defense Impairment
2 techniques
T1112×14
Modify Registry
T1484
Domain or Tenant Policy Modification
T1484.001
Group Policy Modification
TA0006
Credential Access
3 techniques
T1003×3
OS Credential Dumping
T1003.001
LSASS Memory
T1187
Forced Authentication
T1557
Adversary-in-the-Middle
T1557.001
Name Resolution Poisoning and SMB Relay
TA0007
Discovery
4 techniques
T1012
Query Registry
T1018
Remote System Discovery
T1082×5
System Information Discovery
T1518
Software Discovery
TA0008
Lateral Movement
1 technique
T1021
Remote Services
T1021.001×4
Remote Desktop Protocol
T1021.002×2
SMB/Windows Admin Shares
TA0009
Collection
1 technique
T1557
Adversary-in-the-Middle
T1557.001
Name Resolution Poisoning and SMB Relay
TA0011
Command and Control
3 techniques
T1090×4
Proxy
T1090.001×2
Internal Proxy
T1090.004
Domain Fronting
T1102
Web Service
T1105
Ingress Tool Transfer
ARSENAL

Associated malware families

11 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
FRPFRP can proxy communications through a server in public IP space to local servers located behind a NAT or firewall.4Mar 18, 2026
ImpacketThe following analytic detects the use of Impacket's wmiexec.py tool for lateral movement by identifying specific command-line parameters.2Mar 17, 2026
MimikatzAPT28 has obtained and used open-source tools like Koadic, Mimikatz, and Responder.2May 26, 2026
PsExecThe following analytic identifies instances where PsExec.exe has been renamed and executed on an endpoint. ... renaming PsExec.exe is a common tactic to evade detection. If confirmed malicious, this could allow an attacker to execute commands remotely, potentially leading to unauthorized access, lateral movement, or further compromise of the network.2Mar 17, 2026
ssfBlue Mockingbird has used frp, ssf, and Venom to establish SOCKS proxy connections.2Mar 18, 2026

6 additional families tracked in Mallory.

WEAPONIZED

Associated vulnerabilities

9 CVEs this actor has used in observed campaigns. 9 of them exploited in the wild.

CVE-2019-18935Insecure Deserialization RCE in Progress Telerik UI for ASP.NET AJAX RadAsyncUploadIn the wildEvidence2

Blue Mockingbird has gained initial access by exploiting CVE-2019-18935, a vulnerability within Telerik UI for ASP.NET AJAX.

CVE-2025-9491Microsoft Windows LNK File UI Misrepresentation Remote Code Execution VulnerabilityIn the wildEvidence2

This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.

CVE-2021-31207Post-auth arbitrary file write in Microsoft Exchange Server (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34473ProxyShell pre-auth SSRF/authentication bypass in Microsoft Exchange AutodiscoverIn the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

CVE-2021-34523Microsoft Exchange PowerShell Backend Elevation of Privilege (ProxyShell)In the wildEvidence1

This analytic identifies potential exploitation attempts of ProxyShell (CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) and ProxyNotShell (CVE-2022-41040, CVE-2022-41082) vulnerabilities in Microsoft Exchange Server.

4 more CVEs tied to this actor tracked in Mallory.

IOCS

Observables

6 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting. View more in app.

6 IOCsView more in app

IOC values are gated. View more in Mallory for domains, IPs, hashes, and other artifacts, or pipe them straight into your SIEM.

ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Apr 22, 2026
Detection: PowerShell PInvoke Process Injection API Chain | Splunk Security Content

Listed as a threat actor associated with the PowerShell P/Invoke process injection API chain detection and related ATT&CK techniques.

Read more
splunk researchNews
Apr 20, 2026
Detection: PowerShell Environment Variable Execution | Splunk Security Content

Listed as a threat actor associated with PowerShell execution behavior relevant to this detection analytic.

Read more
splunk researchNews
Apr 16, 2026
Detection: Windows Anomalous Registry Value Length in Environment Key | Splunk Security Content

Referenced as a threat actor associated with registry modification behavior (MITRE ATT&CK T1112: Modify Registry) in the context of this detection analytic.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows Downdate Registry Activity | Splunk Security Content

Listed as a threat actor associated with the detection annotations for registry modification and downgrade attack techniques.

Read more
+196 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping39

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal11

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs9

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables6

Domains, IPs, and hashes tied to this actor, refreshed continuously.