MAPIGET
MAPIGET is a malware utility used by APT1 to steal email from Microsoft Exchange environments. The provided content states that APT1 uses two utilities, GETMAIL and MAPIGET, to steal email, and specifically that MAPIGET steals email still resident on Exchange servers that has not yet been archived. Its role is therefore distinct from GETMAIL, which is described separately as extracting emails from archived Outlook .pst files. High-confidence information in the content ties MAPIGET to email collection from Exchange servers and to APT1 operations; no additional infection vector, platform details beyond Exchange email theft, or specific indicators of compromise are provided in the source material.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
MAPIGET steals email still on Exchange servers that has not yet been archived.
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Utility used by APT1 to steal email (likely via MAPI-based collection).
Utility that steals email directly from Microsoft Exchange servers, including unarchived messages.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.