GooseEgg
GooseEgg is a custom post-compromise privilege-escalation tool used by the Russia-linked threat actor Forest Blizzard, also tracked as APT28, Fancy Bear, Sofacy, Sednit, and STRONTIUM, and linked by US and UK authorities to GRU Unit 26165. Microsoft reported that Forest Blizzard has used GooseEgg since at least June 2020, and possibly as early as April 2019, against organizations in Ukraine, Western Europe, and North America, including government, non-governmental, education, and transportation targets.

GooseEgg exploits CVE-2022-38028 in the Windows Print Spooler service to obtain SYSTEM-level execution: it modifies a JavaScript constraints file and abuses a rogue protocol handler so that a malicious DLL is loaded in the Print Spooler's context. Microsoft described GooseEgg as a launcher application that can spawn command-line-specified applications with elevated permissions. Reported follow-on uses include credential and information theft, remote code execution, persistence, backdoor installation, and lateral movement.

Observed tradecraft included deployment via batch scripts such as execute.bat and doit.bat, creation of servtask.bat, persistence through a scheduled task, and use of executable names including justice.exe and DefragmentSrv.exe. Embedded DLL names commonly contained the string "wayzgoose", such as wayzgoose23.dll. Installation directories were created under C:\ProgramData using names such as Microsoft, Adobe, Comms, Intel, Kaspersky Lab, Bitdefender, ESET, NVIDIA, UbiSoft, and Steam, or version-like random directory names. Additional observed artifacts included copying driver store files from pnms003.inf_* and pnms009.inf_*, creation of registry keys for a custom protocol handler and a CLSID COM server, hijacking of the C: drive symbolic link in the object manager, and loading of a modified MPDW-constraints.js file during RpcEndDocPrinter execution. Microsoft Defender Antivirus detects this capability as HackTool:Win64/GooseEgg.
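The artifacts listed above translate directly into host-based hunting rules. The following script is an added example, not code from Microsoft, Mallory, or any GooseEgg sample: it runs a small set of rules over normalised endpoint events (a stand-in for Sysmon or EDR telemetry) and groups hits per host. The indicator names (wayzgoose DLLs, the batch script and executable names, the C:\ProgramData staging directories, pnms003.inf_*/pnms009.inf_* driver packages, MPDW-constraints.js) come from the page; the regex for "version-like" directory names, the assumed legitimate DriverStore location of the driver packages, the CLSID registry heuristic, and the sample events are my assumptions and are marked as such in the code.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Directory names Microsoft reported GooseEgg creating under C:\ProgramData.
STAGING_DIR_NAMES = {
    "microsoft", "adobe", "comms", "intel", "kaspersky lab", "bitdefender",
    "eset", "nvidia", "ubisoft", "steam",
}
# The report also mentions "version-like random directory names"; this
# pattern (e.g. 3.2.0 or v1.4) is my assumption of what that looks like.
VERSION_LIKE = re.compile(r"^v?\d+(\.\d+){1,3}$")
BATCH_NAMES = {"execute.bat", "doit.bat", "servtask.bat"}
EXE_NAMES = {"justice.exe", "defragmentsrv.exe"}
DRIVER_PKG_PREFIXES = ("pnms003.inf_", "pnms009.inf_")
# Assumed legitimate home of those driver packages; copies elsewhere are suspicious.
DRIVERSTORE = "c:\\windows\\system32\\driverstore\\"


@dataclass
class Event:
    """Minimal normalised endpoint event (a stand-in for Sysmon/EDR telemetry)."""
    host: str
    kind: str          # file_create | process_create | task_create | registry_set
    path: str = ""     # file path, process image, or registry key
    data: str = ""     # command line, task action, or registry value data


def _norm(p: str) -> str:
    return p.replace("/", "\\").lower()


def _basename(p: str) -> str:
    return _norm(p).rsplit("\\", 1)[-1]


def score_event(ev: Event) -> List[str]:
    """Return the names of every GooseEgg artifact rule this event matches."""
    hits: List[str] = []
    p, base = _norm(ev.path), _basename(ev.path)
    parts = p.split("\\")
    if ev.kind == "file_create":
        if base.endswith(".dll") and "wayzgoose" in base:
            hits.append("wayzgoose_dll_dropped")
        if base in BATCH_NAMES:
            hits.append("gooseegg_batch_script")
        # c:\programdata\<vendor-or-version>\<payload.dll|exe>
        if len(parts) >= 4 and parts[:2] == ["c:", "programdata"]:
            top = parts[2]
            if (top in STAGING_DIR_NAMES or VERSION_LIKE.match(top)) \
                    and base.endswith((".dll", ".exe")):
                hits.append("programdata_staging_dir")
        if any(seg.startswith(DRIVER_PKG_PREFIXES) for seg in parts) \
                and not p.startswith(DRIVERSTORE):
            hits.append("driver_package_copied_out_of_driverstore")
        if base == "mpdw-constraints.js" and not p.startswith(DRIVERSTORE):
            hits.append("mpdw_constraints_js_outside_driverstore")
    elif ev.kind == "process_create":
        if base in EXE_NAMES:
            hits.append("known_gooseegg_exe_name")
    elif ev.kind == "task_create":
        if "servtask.bat" in ev.data.lower():
            hits.append("scheduled_task_runs_servtask")
    elif ev.kind == "registry_set":
        # Microsoft notes a CLSID COM server key; a server path under
        # C:\ProgramData is my heuristic, not a documented indicator.
        if "\\clsid\\" in p and _norm(ev.data).startswith("c:\\programdata\\"):
            hits.append("com_server_registered_from_programdata")
    return hits


def hunt(events: List[Event]) -> Dict[str, List[Tuple[str, str]]]:
    """Group rule hits per host so a responder sees the whole chain at once."""
    findings: Dict[str, List[Tuple[str, str]]] = {}
    for ev in events:
        for rule in score_event(ev):
            findings.setdefault(ev.host, []).append((rule, ev.path or ev.data))
    return findings


# Constructed sample telemetry: ws01 shows the reported chain, ws02 is benign.
# The GUID and the "xxxxxxxx" driver-package suffix are placeholders.
SAMPLE_EVENTS = [
    Event("ws01", "file_create", r"C:\ProgramData\Intel\wayzgoose23.dll"),
    Event("ws01", "file_create", r"C:\ProgramData\Intel\servtask.bat"),
    Event("ws01", "file_create",
          r"C:\ProgramData\3.2.0\pnms009.inf_amd64_xxxxxxxx\MPDW-constraints.js"),
    Event("ws01", "process_create", r"C:\ProgramData\Intel\DefragmentSrv.exe"),
    Event("ws01", "task_create", data=r"cmd.exe /c C:\ProgramData\Intel\servtask.bat"),
    Event("ws01", "registry_set",
          r"HKCR\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32",
          data=r"C:\ProgramData\Intel\wayzgoose23.dll"),
    Event("ws02", "file_create",
          r"C:\Windows\System32\DriverStore\FileRepository\pnms009.inf_amd64_xxxxxxxx\MPDW-constraints.js"),
    Event("ws02", "process_create", r"C:\Windows\System32\notepad.exe"),
]

if __name__ == "__main__":
    for host, rows in hunt(SAMPLE_EVENTS).items():
        print(host)
        for rule, detail in rows:
            print(f"  {rule:45} {detail}")
```

Each rule is deliberately narrow so that a single hit is a lead rather than a verdict; the value is in the per-host grouping, which surfaces the whole reported chain (staged DLL, batch script, copied driver package with a modified MPDW-constraints.js, scheduled task) rather than one file name. The DriverStore exclusion keeps the legitimate driver package from firing the two driver-related rules.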
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
GooseEgg weaponises CVE-2022-38028 in the Windows Print Spooler service to obtain SYSTEM-level execution.
Groups observed using it
3 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Since at least June 2020 and possibly as early as April 2019, Forest Blizzard has used the tool, which we refer to as GooseEgg, to exploit the CVE-2022-38028 vulnerability in Windows Print Spooler service by modifying a JavaScript constraints file and executing it with SYSTEM-level permissions.
...APT28 (Forest Blizzard) using a previously unknown hacking tool called GooseEgg.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Execution (4 techniques)
This batch script writes the file servtask.bat... The batch script invokes the paired GooseEgg executable and sets up persistence as a scheduled task designed to run servtask.bat.
GooseEgg is typically deployed with a batch script, which we have observed using the name execute.bat and doit.bat. This batch script writes the file servtask.bat...
The malicious activity involves “modifying a JavaScript constraints file and executing it with SYSTEM-level permissions,” according to Microsoft researchers.
The exploit replaces the C: drive symbolic link in the object manager to point to the newly created directory. When the PrintSpooler attempts to load ... MPDW-Constraints.js, it instead is redirected to the actor-controlled directory containing the copied driver packages.
Persistence (2 techniques)
Privilege Escalation (2 techniques)
Stealth (1 technique)
Defense Impairment (1 technique)
Credential Access (1 technique)
Lateral Movement (2 techniques)
While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks.
wayzgoose.dll is a basic launcher application capable of spawning other applications specified at the command line with SYSTEM-level permissions, enabling threat actors to perform other malicious activities such as installing a backdoor, moving laterally through compromised networks, and remotely executing code.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
10 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
A custom Windows privilege-escalation utility used post-compromise to gain SYSTEM-level execution on victim hosts.
A custom-made tool used to exploit a Windows Print Spooler privilege escalation vulnerability, allowing attackers to escalate privileges, steal credentials, enable remote code execution, install backdoors, and move laterally through compromised networks.
A custom Forest Blizzard tool used post-compromise to exploit the Windows Print Spooler vulnerability CVE-2022-38028 for privilege escalation. It launches DLLs or executables with SYSTEM-level permissions, enabling credential theft, remote code execution, persistence, backdoor installation, and lateral movement.
Custom Forest Blizzard tool used post-compromise to exploit the Windows Print Spooler vulnerability CVE-2022-38028 for privilege escalation. It launches DLLs or executables with SYSTEM permissions, enabling credential theft, remote code execution, backdoor installation, and lateral movement.