Mallory
Malware. Used by 2 actors. Exploits 2 CVEs.

MASEPIE

MASEPIE is a malware family used in Russian GRU Unit 26165 operations, commonly tracked as APT28/Fancy Bear/Forest Blizzard/BlueDelta. Public reporting describes it as a malicious Python script/backdoor used for persistence, data exfiltration, elementary remote command execution, and file exchange on infected Windows systems. It has been observed in espionage campaigns targeting Western logistics entities and technology companies involved in supporting aid delivery to Ukraine, as well as Ukrainian government organizations and other European victims including Poland; broader reporting also places it in APT28 activity affecting government, defense, logistics, aerospace, research, and related sectors.

Observed delivery methods include spearphishing emails, including messages sent from previously compromised accounts, and exploitation chains in which malicious landing pages invoke the Windows search: URI protocol handler and load remote WebDAV-hosted .search-ms files, exposing victims to LNK or ZIP payloads. In one documented chain, opening a malicious Windows shortcut downloaded a Python interpreter and executed the MASEPIE payload while displaying a decoy document. Joint government advisories also state that APT28 used spearphishing to deliver MASEPIE and leveraged vulnerabilities such as CVE-2023-38831 (WinRAR) in related logistics-sector campaigns.

Documented MASEPIE functionality includes arbitrary shell command execution via Python os.popen, file upload/download using commands such as send_file and get_file, and a check/check-ok command for operator control. Reported samples communicated with command-and-control over two raw TCP channels on high or non-standard ports such as 54763 and 55555. Traffic was encrypted with AES-128-CBC using a randomly generated 16-character ASCII key transmitted in cleartext at session start. Some samples also performed HTTP beaconing to oast[.]fun domains associated with Interactsh. A referenced sample was Client.py with SHA-256 18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6; another related sample had SHA-256 a333243927bb6956dc051ecea5f91b26a6c233b8164fafb9202e1f1e70ce045f. Additional campaign artifacts tied to delivery included a malicious LNK with SHA-256 19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc, .search-ms files such as mod.search-ms, calendar.search-ms, wody.search-ms, and pol.search-ms, and infrastructure including 194.126.178[.]8, 124.168.91[.]178, 159.196.128[.]120, and 172.114.170[.]18.

MASEPIE is also reported alongside other APT28 tooling including HEADLACE, STEELHOOK, and OCEANMAP. ANSSI reporting states OceanMap was reportedly deployed via SteelHook and MasePie, and multiple advisories explicitly identify MASEPIE as part of APT28/GRU campaigns against logistics and government-related targets.
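As an added illustration (not code from this page, from Mallory, or from any vendor), the following stdlib-only Python heuristic scores a captured client-to-server TCP stream against the C2 session shape reported above: a 16-character ASCII key sent in cleartext, followed by AES-128-CBC ciphertext, on a non-standard high port. The key alphabet, the entropy threshold and the port rule are assumptions of this example, and the two sample streams are constructed, not real captures.

```python
import hashlib
import math
import string
from collections import Counter

KEY_LEN = 16          # AES-128 key length; the page reports a 16-character ASCII key
BLOCK = 16            # AES block size; CBC output length is a multiple of this
KEY_CHARS = set(string.ascii_letters + string.digits)  # assumed key alphabet
ENTROPY_MIN = 6.5     # bits/byte; assumed threshold for "looks like ciphertext"

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def analyze_session(dst_port: int, payload: bytes) -> dict:
    """Score one client->server stream against the reported MASEPIE C2 shape."""
    key, body = payload[:KEY_LEN], payload[KEY_LEN:]
    findings = {
        # assumed heuristic: anything above the well-known range, minus common web alternates
        "high_port": dst_port >= 1024 and dst_port not in (8080, 8443),
        # first 16 bytes are a plausible cleartext ASCII key
        "ascii_key_prefix": len(key) == KEY_LEN and all(chr(b) in KEY_CHARS for b in key),
        # remainder is non-empty and a whole number of AES blocks, as CBC output would be
        "block_aligned_body": len(body) > 0 and len(body) % BLOCK == 0,
        # remainder is high-entropy, as ciphertext would be
        "high_entropy_body": shannon_entropy(body) >= ENTROPY_MIN,
    }
    findings["suspicious"] = all(findings.values())
    return findings

def _constructed_blob(seed: bytes, size: int) -> bytes:
    """Deterministic pseudo-random bytes standing in for ciphertext (constructed)."""
    out, cur = b"", seed
    while len(out) < size:
        cur = hashlib.sha256(cur).digest()
        out += cur
    return out[:size]

# Constructed sample streams, not real captures.
MASEPIE_LIKE = b"Qx7Lm2Pz9KbT4Wr0" + _constructed_blob(b"c2", 512)
HTTP_LIKE = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"

if __name__ == "__main__":
    print(analyze_session(54763, MASEPIE_LIKE))  # all indicators True
    print(analyze_session(80, HTTP_LIKE))         # suspicious: False
```

Because the key is reported to travel in cleartext at session start, a full capture of such a session contains what is needed to decrypt the rest of the stream for forensic review.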


EXPLOITED CVES

Vulnerabilities exploited

2 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

CVE-2023-23397: Microsoft Outlook Net-NTLMv2 Hash Leak via Reminder Sound UNC Path

The Russian GRU cyber campaign also involves malware such as HEADLACE and MASEPIE, which are used for persistence and data exfiltration.

via thecyberexpress.com

CVE-2023-38831: Arbitrary Code Execution in WinRAR Archive File Handling

The Russian GRU cyber campaign also involves malware such as HEADLACE and MASEPIE, which are used for persistence and data exfiltration.

via thecyberexpress.com

THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

APT28

The Russian GRU cyber campaign also involves malware such as HEADLACE and MASEPIE, which are used for persistence and data exfiltration.

via thecyberexpress.com
GRU Unit 26165

The Russian GRU cyber campaign also involves malware such as HEADLACE and MASEPIE, which are used for persistence and data exfiltration.

via thecyberexpress.com
MITRE ATT&CK

Techniques & procedures

17 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

5 techniques
T1133 External Remote Services (evidence: 1)

"those protocol handlers can be leveraged to trigger the display of remote files made available through a WebDAV server"

T1190 Exploit Public-Facing Application (evidence: 1)

A significant aspect of the campaign involves the exploitation of known vulnerabilities. The actors have weaponized multiple CVEs, including:
- CVE-2023-23397 in Microsoft Outlook to harvest credentials
- Roundcube vulnerabilities for email server access
- CVE-2023-38831 in WinRAR for remote code execution

T1566 Phishing (evidence: 1)

“At the beginning of the infection chain, operators of the APT28 intrusion set are conducting phishing campaigns…”

T1566.002 Spearphishing Link (evidence: 1)

"The phishing emails contained links to malicious webpages (e.g. e-wody.firstcloudit[.]com )"

T1566.003 Spearphishing via Service (evidence: 1)

"The threat actor sent phishing emails to targeted recipients using previously compromised email accounts."

Execution

6 techniques
T1059.001 PowerShell (evidence: 1)

"KFP.311.152.2023.pdf ... .lnk ... is aimed at running the following Powershell line"

T1059.006 Python (evidence: 1)

"a Python interpreter and a malicious payload script (MASEPIE) would be downloaded and executed"

T1203 Exploitation for Client Execution (evidence: 1)

The actors have weaponized multiple CVEs, including: CVE-2023-23397 in Microsoft Outlook to harvest credentials ... CVE-2023-38831 in WinRAR for remote code execution

T1204.001 Malicious Link (evidence: 1)

"following the click on a link in a phishing email and then on the landing page"

T1204.002 Malicious File (evidence: 1)

"Should the target open the displayed LNK..."

T1559.001 Component Object Model (evidence: 1)

"the JavaScript execution will ... [do] a page location redirection to a URI of type search:"

Persistence

1 technique
T1133 External Remote Services (evidence: 1)

"those protocol handlers can be leveraged to trigger the display of remote files made available through a WebDAV server"

Credential Access

1 technique
T1555.003 Credentials from Web Browsers (evidence: 1)

“…OceanMap stealer… relies on the IMAP protocol to exfiltrate the credentials stored on web browsers.”

Command and Control

5 techniques
T1071.001 Web Protocols (evidence: 1)

"trigger the display of remote files made available through a WebDAV server"

T1090 Proxy (evidence: 1)

"Ubiquiti networks devices are being used as malicious infrastructure to stage infection files, and as command and control servers or reverse-proxies."

T1095 Non-Application Layer Protocol (evidence: 1)

"MASEPIE uses two raw TCP connections to a command and control (C2) server on non-standard and high TCP ports"

T1105 Ingress Tool Transfer (evidence: 1)

"Should the target open the displayed LNK, a Python interpreter and a malicious payload script (MASEPIE) would be downloaded and executed"

T1573 Encrypted Channel (evidence: 1)

"Data over TCP connections is further encrypted (AES-128 with CBC mode)"
