WellMess
WellMess is a lightweight backdoor malware family known in both .NET/Windows and Golang/ELF Linux variants. It enables a remote operator to establish encrypted command-and-control sessions, execute commands and scripts on infected systems, and transfer files. Reported capabilities include executing PowerShell and batch scripts, accepting and executing shell scripts from a remote operator, uploading and downloading files, collecting host and system information, identifying domain group membership for the current user, exfiltrating data, and in some reporting using DNS tunneling for C2 communications.
The malware uses encrypted and obfuscated communications. Reported tradecraft includes RC6-encrypted host state data, dynamically generated AES session keys exchanged with RSA, Base64 encoding in HTTP Cookie headers to uniquely identify communications, optional junk data inserted into Base64 strings for obfuscation, and mutual TLS in some variants where client and server validate certificates. CISA reporting on analyzed samples identified Windows and Linux variants communicating with C2 infrastructure including 85.93.2.116, 103.73.188.101, 141.98.212.55, 192.48.88.107, and 209.58.186.196 over ports including 80, 53, and 443. One Windows sample masqueraded as powercfg.exe and decrypted an embedded DLL; CISA also published a YARA rule, CISA_10296782_01, for detection.
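As an added defender-side illustration (not code from this page or from any of the reports it cites), the Python helper below normalizes the Cookie-header shape summarized above: Base64 with "=" padding trimmed and spaces inserted. The cookie value it inspects is constructed inline, and the "suspicious" heuristic (spaces present plus padding missing) is an assumption for triage, not a published signature.

```python
import base64
import binascii
import math
import re

# Constructed sample, not a real capture: Base64 of a short blob with the
# "=" padding trimmed and a space inserted every five characters, the
# Cookie-header shape summarized above.
SAMPLE_PLAINTEXT = b"host-state-blob:example-0001"
SAMPLE_COOKIE = "sid=" + " ".join(
    re.findall(".{1,5}", base64.b64encode(SAMPLE_PLAINTEXT).decode().rstrip("="))
)


def normalize_b64(fragment: str) -> str:
    """Drop inserted whitespace and restore trimmed '=' padding."""
    compact = re.sub(r"\s+", "", fragment)
    return compact + "=" * (-len(compact) % 4)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted blobs sit near 8, plain text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in (data.count(b) for b in set(data)))


def triage_cookie(header_value: str, min_len: int = 16) -> dict:
    """Inspect each cookie in a Cookie header. A value that decodes as Base64
    only after whitespace removal and padding repair, and shows both traits,
    is flagged (assumed triage heuristic, not a published rule)."""
    findings = {}
    for pair in header_value.split(";"):
        name, _, raw = pair.strip().partition("=")
        raw = raw.strip()
        if len(raw) < min_len:
            continue
        compact = re.sub(r"\s+", "", raw)
        had_spaces = " " in raw
        padding_missing = len(compact) % 4 != 0
        try:
            decoded = base64.b64decode(normalize_b64(raw), validate=True)
        except (binascii.Error, ValueError):
            continue  # not Base64 even after repair; ignore this cookie
        findings[name] = {
            "decoded": decoded,
            "had_spaces": had_spaces,
            "padding_missing": padding_missing,
            "entropy": round(shannon_entropy(decoded), 2),
            "suspicious": had_spaces and padding_missing,
        }
    return findings
```

Real WellMess traffic is encrypted before encoding, so a decoded blob with entropy near 8 bits per byte is the expected case; the constructed sample decodes to readable text only so the result can be checked.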
WellMess has been publicly associated with APT29/Cozy Bear/The Dukes, assessed as linked to Russia’s SVR. Multiple government and industry reports state APT29 used WellMess and the related WellMail malware in operations including targeting organizations involved in COVID-19 vaccine research and development in the US, UK, and Canada. Reported victim sectors for the broader APT29 activity tied to WellMess include government, diplomatic, think tank, healthcare, and energy organizations. Recorded Future also tracked related SVR-linked hosting and TLS certificate patterns under the designation GRAVITYWELL. Later reporting noted Russian state-sponsored actors incorporating Sliver into WellMess and WellMail campaigns.
Groups observed using it
3 distinct threat actors attributed by public researchers.
GRAVITYWELL, the Recorded Future designation for server technology and TLS certificate configuration commonly used to host the Russian Foreign Intelligence Service (SVR)-linked WellMess backdoor...
“…deployment of custom malware known as WellMess, WellMail, and Sorefang to target organizations involved in COVID-19 vaccine development.”
NCSC published an advisory describing malicious activity targeting institutions related to research to find a vaccine for COVID-19. In this case, the malware used in the attacks belongs to a family called WellMess...
Techniques & procedures
23 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The group then deployed publicly known exploits against the vulnerable systems it found, including popular Citrix, Pulse Secure, and Fortinet devices, among others.
Specifically, APT29 uses a variety of tools and techniques, including spear phishing and custom malware known as “WellMess” and “WellMail”, according to the NCSC.
Execution
3 techniques
The program is capable of encrypting, decrypting, uploading and downloading files. The malware can also execute commands and send and receive encrypted communications.
The content repeatedly describes threat actors and malware using PowerShell scripts/commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement, and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Stealth
3 techniques
Company Name: Microsoft Corporation
File Description: Power Settings Command-Line Tool
Internal Name: powercfg.exe
Original Filename: powercfg.exe
Based on our observations, Russian state-attributed actors often use better operational security for C2 infrastructure... We also observe that when their C2 infrastructure is publicly reported upon, it is often quickly dispensed with.
The encrypted data is then encoded using the Base64 encoding function. It trims Base64 "=" | "/" | ":" and adds spaces... The malware contains functions for encrypting, decrypting...
Credential Access
1 technique
These artifacts create detection opportunities for defenders, and include software versions deployed on the server, the login panel, TLS certificate patterns...
Discovery
5 techniques
The content repeatedly describes actors and malware using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, netsh interface show, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking admin status, and enumerating user sessions.
Both collect the state of system privileges (disabled or enabled) from the infected system
The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
The program is capable of encrypting, decrypting, uploading and downloading files... It performs functions based on the received commands: File upload File download
Lateral Movement
1 technique
"...accept and execute shell scripts from a remote operator."; "...receive scripts compressed (tar files)... decompress them before executing the embedded script."
Command and Control
7 techniques
Displayed below is sample communication traffic between this WellMess implant and its C2 server. —Begin Sample Network Traffic— POST / HTTP/1.1 ... Cookie: ...
These implants allow a remote operator to establish encrypted command and control (C2) sessions... The function appears to be the main export of the DLL, which initiates a C2 session with the implant's remote C2 server at the Internet Protocol (IP) address, 85.93.2.116.
The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.
When the file is executed, it attempts to create a C2 connection to one of the following IP addresses:
141.98.212.55 over Transmission Control Protocol (TCP) Port 53
209.58.186.196 over TCP Port 443
Both versions also allow an operator to pass AES encrypted executable scripts to infected systems... The malware can receive and parse messages from the remote operator.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
"communicate with C2 over mutual TLS"; "client and server mutually check certificates"; "can use mutual TLS and RSA cryptography to exchange a session key".
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
Exfiltration
1 technique
Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.
IOCs tracked for this family
47 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
26 sources tracked across advisories, community write-ups, and news.
Their toolkit includes ... TrailBlazer, WellMail, WellMess, WINELOADER and Living off the Land.
Custom malware attributed to SVR, historically used to target COVID-19 vaccine development organizations; authorities also state it was used against energy sector companies.
SVR-linked backdoor associated with transient GRAVITYWELL infrastructure that shifted after public reporting.
Backdoor malware attributed to APT29, with both Windows and Linux variants, used for espionage.