XTunnel

They also send emails purportedly containing links to news items, but instead linking to malware drop sites that install toolkits onto the target's computer.

Among other things, it uses zero-day exploits, spear phishing and malware to compromise targets.

For example: in late March the attackers registered a domain with a typo—misdepatrment[.]com—to look suspiciously like the company hired by the DNC to manage its network, MIS Department.

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

The content repeatedly describes malware and threat actors using obfuscated code, encrypted strings, Base64/XOR/RC4/AES encoding, VMProtect/ConfuserEx/SmartAssembly, stack strings, control-flow flattening, opaque predicates, and hidden payloads to evade analysis and detection.

The Command and Control (C2) IPs were hardcoded into the provided sample which also matched the Netzpolotik reporting.

AADInternals can gather unsecured credentials for Azure AD services, such as Azure AD Connect, from a local machine. Agent Tesla has the ability to extract credentials from configuration or support files. APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.

The content repeatedly describes threat actors and malware performing network scanning, port scanning, service enumeration, OS fingerprinting, and identifying open ports/services across victim environments.

The C&C server can then order Xtunnel to open a tunnel with a designated machine, so that any data coming from the C&C server will be forwarded to this machine... any kind of TCP data can be sent through the tunnel... UDP traffic tunneling was introduced.

CrowdStrike had prepared a technical report to go online later that morning. The security firm carefully outlined some of the allegedly “superb” tradecraft of both intrusions: the Russian software implants were stealthy, they could sense locally-installed virus scanners and other defenses, the tools were customizable through encrypted configuration files, they were persistent, and the intruders used an elaborate command-and-control infrastructure.

The source code contains two different channel implementations, one over HTTP and one over email... HttpChannel::getRawPacket() method is implemented as a HTTP GET request... sendRawPacket() is an HTTP POST request.

The Sednit group developed a network proxy tool, named Xtunnel, to effectively transform a compromised computer into a network pivot, in order to contact machines that are normally unreachable from the Internet

Xtunnel is a network proxy tool that can relay any kind of network traffic between a C&C server on the Internet and an endpoint computer inside a local network... An Xtunnel infected machine serves as a network pivot

Xtunnel first tries to retrieve the Internet Explorer proxy configuration... Once a proxy IP address has been chosen, Xtunnel uses the HTTP CONNECT method to reach its C&C server.

The Sednit group developed a network proxy tool, named Xtunnel, to effectively transform a compromised computer into a network pivot, in order to contact machines that are normally unreachable from the Internet... An Xtunnel infected machine serves as a network pivot to contact machines that are normally unreachable from the Internet.

The attackers then upgraded valuable targets to the X-Agent backdoor, often pairing it with the Sedreco loader and the X-Tunnel network pivot.

Xtunnel proxies network traffic between a C&C server on the Internet and a target computer, hence creating a “tunnel” between the two... UDP traffic tunneling was introduced

The content repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL, and mutual TLS to protect command and control traffic.

Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2"). | Examples include: "encrypt C2 messages with AES-256-CBC sent underneath TLS", "encrypts C2 traffic with AES and RSA", "uses SSL/TLS and RC4", and "BlowFish algorithm".

X-Tunnel for exfiltration

On April 28, they used additional malware known as X-Tunnel to create an encrypted connection between the DCCC computers and GRU-controlled proxy computers for secure, large-scale data transfers, and then exfiltrated the over-70 Gigabytes of compressed data to a remote, GRU-controlled server.