WellMail is a lightweight Golang malware implant associated with APT29, also known as Cozy Bear, and has been publicly linked to Russian state-sponsored cyberespionage activity. It was used alongside WellMess in operations targeting organizations involved in COVID-19 vaccine research and development, as well as other intelligence-focused intrusions. The malware has been observed on Linux systems as an ELF x86-64 implant and is structurally similar to WellMess.
WellMail provides encrypted command-and-control communications, including the use of mutual TLS with embedded client and certificate authority material, and has also been observed communicating over raw TCP. It supports remote operator tasking to execute commands and operational scripts on compromised hosts, including the ability to receive compressed script content, unpack it, and run it dynamically. Reported functionality includes identifying the current username, collecting basic host information, archiving files on the victim system, uploading and downloading files, and exfiltrating collected data to command-and-control infrastructure.
The malware’s tradecraft is consistent with espionage-oriented post-compromise tooling rather than broad self-propagating or destructive behavior. Public reporting has tied WellMail to APT29 campaigns against government, diplomatic, healthcare, energy, and research-related targets, with particular prominence in intrusions against entities connected to COVID-19 vaccine development. Later reporting also noted incorporation of Sliver into WellMail-related campaigns, indicating continued evolution of the surrounding intrusion toolkit.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
APT29 (Cozy Bear) атаковала организации, связанные с разработкой вакцины от COVID-19, через малварь WellMess и WellMail.
Their toolkit includes ... TEARDROP, TrailBlazer, WellMail, WellMess, WINELOADER...
“…deployment of custom malware known as WellMess, WellMail, and Sorefang…”
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Repeated examples across many families: e.g., “APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload.”; “Action RAT can use Base64 to decode actor-controlled C2 server communications.”; “Smoke Loader deobfuscates its code.”
The content repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo, and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains, and network adapter/interface details.
The content repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions, and gathering account details from compromised hosts.
Examples in the content include malware extracting or unpacking ZIP, RAR, CAB, tar.gz, and other archived content, such as 'Emotet has used a self-extracting RAR file to deliver modules to victims' and 'Rocke has extracted tar.gz files after downloading them from a C2 server.'
"...capable of ... sending and receiving files and messages."; "...receive scripts compressed (tar files). The malware will then decompress them before executing"
"...send the above data to its C2 server at the IP address, 119.81.184.11:25 over TCP port 25..."; "Note: TCP port 25 is commonly used for email (SMTP), however, the malware is only using the port for secure communications"
The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2"). | "communicate with C2 over mutual TLS"; "client and server mutually check certificates"; "can use mutual TLS and RSA cryptography to exchange a session key".
26 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
19 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
WellMail is cited alongside WellMess as malware used by APT29 in a certificate-based infrastructure tracking example.
Their toolkit includes ... TEARDROP, TrailBlazer, WellMail, WellMess, WINELOADER...
Custom malware attributed to SVR, referenced in the context of targeting COVID-19 vaccine development organizations; also stated to have been used against energy sector companies.
Custom malware used by APT29 in campaigns targeting organizations involved in COVID-19 vaccine research and development.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.