
Threat Profile (BLUEHEART)


This example can be used as a reference; a profile like this is produced as part of threat decomposition and threat profile design.


BLUEHEART was inspired by APT28 malware and is built with Cobalt Strike malleable C2 profiles, custom binary metadata, and matching TTPs.

Goal and Intent

Emulate the TTPs of a realistic adversary to exist on a target network and give a blue team the opportunity to exercise defensive TTPs.

Key IOCs

  • User-level C2 agent
  • Custom Cobalt Strike Malleable C2 profile to mimic CHOPSTICK IOCs
  • Persistence: COM object hijacking
  • File: C:\Users\Public\Libraries\apphelp.dll
  • HTTP Traffic to
  • Beacons every 60 seconds with 30% jitter
  • User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
  • Modified date/time stamp (using MetaTwin)
  • Custom binary metadata using a valid Microsoft signature
  • Modified Subject Interface Package (SIP) for signature verification bypass

Disk Indicators



File: C:\windows\system32\apphelp.dll
InternalName: Apphelp
OriginalFilename: Apphelp
FileVersion: 10.0.10586.0 (rs1_release.151029-
FileDescription: Application Compatibility Client Library
Product: Microsoft® Windows® Operating System
ProductVersion: 10.0.10586.0
Debug: False
Patched: False
PreRelease: False
PrivateBuild: False
SpecialBuild: False
Language: English (United States)

Digital Signature: Stolen from c:\windows\system32\taskhostw.exe

Time Stamp: 10/30/2015 02:17 AM

File Size: 427960

MD5 Hash: A31B0124152CBB60C68DCFEBC9C4909C

Registry Modifications

COM Object Hijack

Key: HKCU:\Software\Classes\CLSID\{2DEA658F-54C1-4227-AF9B-260AB5FC3543}\InProcServer32
Property: (Default)
Property: ThreadingModel

SIP Hijack

Key: HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType0\CryptSIPDllVerifyIndirectData\{C689AAB8-8E78-11D0-8C47-00C04FC295EE}

Network Indicators

HTTP Traffic C2 commands through

Sample HTTP GET Request

GET /index.html HTTP/1.1
Accept-Language: en-US,en;q=0.5
Proxy-Connection: Keep-Alive
Cookie: session=sE5QGSAMTumuA/3mNmqe5g==
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/html
Vary: Accept-Encoding
Server: IIS 5.0
Connection: close
Content-Length: 218

<html><head><meta http-equiv="refresh" content=0
url=""><title>Bad Guy Website</title></html>fylWlO

Sample HTTP POST Request

POST /contact HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Content-Type: application/x-www-form-urlencoded
Cookie: session=NzQ4NTU=
Content-Length: 41
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko

HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: application/octet-stream
Server: IIS 5.0
Connection: close
Content-Length: 40

C2 Overview

HTTP Traffic on TCP port 80 connecting to every 60 seconds.
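The beacon cadence above (60 seconds with 30% jitter, so check-ins land 42 to 78 seconds apart) is the most durable network indicator, because the User-Agent is a stock Internet Explorer 11 string that legitimate hosts also send. The hunt below, an added example that is not part of the original profile, filters proxy records on the profile's User-Agent, then looks for source/destination pairs whose request gaps cluster inside that jitter window. The pipe-delimited log format, the placeholder destination addresses (203.0.113.10 and 198.51.100.20, since the profile leaves the C2 host unnamed) and the thresholds `min_requests` and `min_fraction` are assumptions made for the example.

```python
"""Hunt for the BLUEHEART beacon in proxy logs: the profile's User-Agent plus a
60 s check-in with 30% jitter, i.e. request gaps of 42-78 s.
Added example, not part of the original profile; the log is constructed."""
from collections import defaultdict
from statistics import median

# User-Agent string from the profile's Key IOCs.
BLUEHEART_UA = "Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko"
SLEEP_S, JITTER = 60.0, 0.30
GAP_LOW, GAP_HIGH = SLEEP_S * (1 - JITTER), SLEEP_S * (1 + JITTER)  # 42 s .. 78 s

# Constructed proxy log, one record per line:
#   epoch_seconds|source|destination|request_line|user_agent
# 10.0.0.5 beacons to a placeholder C2 host; 10.0.0.7 is a person browsing
# with the same (genuine IE11) User-Agent, so the UA alone cannot separate them.
_BEACON = [(1700000000, "GET /index.html"), (1700000055, "GET /index.html"),
           (1700000126, "POST /contact"), (1700000174, "GET /index.html"),
           (1700000237, "GET /index.html"), (1700000281, "GET /index.html")]
_BROWSING = [(1700000000, "GET /news.html"), (1700000003, "GET /style.css"),
             (1700000123, "GET /story.html"), (1700000125, "GET /img.png"),
             (1700000525, "GET /about.html")]
SAMPLE_LOG = "\n".join(
    [f"{t}|10.0.0.5|203.0.113.10|{r}|{BLUEHEART_UA}" for t, r in _BEACON] +
    [f"{t}|10.0.0.7|198.51.100.20|{r}|{BLUEHEART_UA}" for t, r in _BROWSING])


def parse_log(text):
    """Turn the pipe-delimited log into (ts, src, dst, request, ua) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, request, ua = line.split("|", 4)
        records.append((int(ts), src, dst, request, ua))
    return records


def beacon_candidates(records, min_requests=5, min_fraction=0.8):
    """Return {(src, dst): stats} for pairs whose gaps fit the 60 s / 30% window.

    Only records carrying the BLUEHEART User-Agent are considered. A pair is
    reported when it has at least `min_requests` requests and at least
    `min_fraction` of the gaps between consecutive requests fall in
    [GAP_LOW, GAP_HIGH]. Irregular human browsing fails the fraction test.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, _request, ua in records:
        if ua == BLUEHEART_UA:
            by_pair[(src, dst)].append(ts)

    candidates = {}
    for pair, times in by_pair.items():
        if len(times) < min_requests:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        in_window = sum(GAP_LOW <= g <= GAP_HIGH for g in gaps)
        if in_window / len(gaps) >= min_fraction:
            candidates[pair] = {"requests": len(times),
                                "gaps_in_window": in_window,
                                "median_gap_s": median(gaps)}
    return candidates


if __name__ == "__main__":
    for (src, dst), stats in beacon_candidates(parse_log(SAMPLE_LOG)).items():
        print(f"possible BLUEHEART beacon {src} -> {dst}: {stats}")
```

Run against a real export, the same logic works on any timestamped request log once the parser is adjusted; lowering `min_fraction` trades false positives for tolerance of dropped or proxied-out requests.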

TTPs (Enumeration, Delivery, Lateral Movement, Privilege Escalation, etc.)

Post-exploitation via Cobalt Strike commands. Enumeration and lateral movement via Cobalt Strike and native Windows commands. Privilege escalation is limited and determined post-exploitation.


Nothing specific. The operator deploys after initial access.


User-level persistence: a hijacked COM object handler loads the DLL at user logon under taskhostw.exe.

# Friendly name of the hijacked COM class
$Description = "SystemSoundsService"
# CLSID whose per-user InProcServer32 key is overridden (see Registry Modifications)
$CLSID = '{2DEA658F-54C1-4227-AF9B-260AB5FC3543}'
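The two registry artifacts from the Registry Modifications section, the per-user InProcServer32 override that gives this persistence its logon trigger and the replaced SIP verification handler, can both be hunted from the registry alone. The script below is an added example, not the profile's or Cobalt Strike's own tooling: the comparison logic runs on plain dictionaries so it can be tested offline against constructed data, and `hunt_live_system` applies the same checks to a real Windows host through the standard `winreg` module (it returns nothing on other platforms). The placeholder machine-wide handler path in `SAMPLE_HKLM` is constructed; the expected stock SIP handler (`wintrust.dll` / `CryptSIPVerifyIndirectData`) is what a clean Windows install registers for PE images, and Windows spells the OID container `EncodingType 0` with a space.

```python
"""Hunt for the BLUEHEART registry persistence artifacts: a per-user COM
InProcServer32 override (COM object hijack) and a replaced PE Subject Interface
Package (SIP) verification handler.
Added example, not the profile's own tooling; sample data is constructed."""
import ntpath
import sys
from dataclasses import dataclass

# Values taken from the profile's Registry Modifications section.
BLUEHEART_CLSID = "{2DEA658F-54C1-4227-AF9B-260AB5FC3543}"
PE_SIP_GUID = "{C689AAB8-8E78-11D0-8C47-00C04FC295EE}"
# Windows names the OID container "EncodingType 0" (with a space).
SIP_VERIFY_SUBKEY = (r"SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0"
                     r"\CryptSIPDllVerifyIndirectData" + "\\" + PE_SIP_GUID)
# Stock handler for PE image signature verification on a clean system.
EXPECTED_SIP_DLL = "wintrust.dll"
EXPECTED_SIP_FUNC = "CryptSIPVerifyIndirectData"


@dataclass(frozen=True)
class Finding:
    kind: str       # "com-hijack" or "sip-hijack"
    severity: str   # "high" or "medium"
    location: str   # registry path the finding refers to
    detail: str


def _under_system32(dll_path):
    """True when the DLL lives in the protected System32 directory."""
    norm = ntpath.normpath(dll_path.strip('"')).lower()
    return norm.startswith(r"c:\windows\system32" + "\\")


def find_com_hijacks(hkcu_servers, hklm_servers):
    """Compare per-user and machine-wide InProcServer32 defaults.

    Both arguments map CLSID -> DLL path. COM consults HKCU\\Software\\Classes
    before HKLM, so a per-user entry silently replaces the machine handler.
    Every per-user entry is reported; one that shadows an existing HKLM class
    or points outside System32 matches the BLUEHEART pattern and is "high".
    """
    hklm_norm = {c.upper(): d for c, d in hklm_servers.items()}
    findings = []
    for clsid, dll in hkcu_servers.items():
        clsid_u = clsid.upper()
        machine_dll = hklm_norm.get(clsid_u)
        if machine_dll is None:
            detail = f"per-user class with no machine-wide counterpart -> {dll}"
        else:
            detail = f"shadows HKLM handler {machine_dll} with {dll}"
        suspicious = machine_dll is not None or not _under_system32(dll)
        location = r"HKCU\Software\Classes\CLSID" + "\\" + clsid_u + r"\InProcServer32"
        findings.append(Finding("com-hijack", "high" if suspicious else "medium",
                                location, detail))
    return findings


def check_sip_verify(dll_value, func_value):
    """Return a Finding when the PE SIP verify handler is not the stock one."""
    dll_ok = ntpath.basename(dll_value.strip('"')).lower() == EXPECTED_SIP_DLL
    if dll_ok and func_value == EXPECTED_SIP_FUNC:
        return None
    return Finding("sip-hijack", "high", "HKLM\\" + SIP_VERIFY_SUBKEY,
                   f"Dll={dll_value!r} FuncName={func_value!r}")


def collect_inproc_servers(root, winreg):
    """Read CLSID -> InProcServer32 default below root\\Software\\Classes\\CLSID."""
    servers = {}
    with winreg.OpenKey(root, r"Software\Classes\CLSID") as clsid_key:
        for i in range(winreg.QueryInfoKey(clsid_key)[0]):
            clsid = winreg.EnumKey(clsid_key, i)
            try:
                servers[clsid] = winreg.QueryValue(clsid_key, clsid + r"\InProcServer32")
            except OSError:
                continue  # class has no in-process server
    return servers


def hunt_live_system():
    """Run both checks against the local registry; returns [] off Windows."""
    if sys.platform != "win32":
        return []
    import winreg
    findings = find_com_hijacks(
        collect_inproc_servers(winreg.HKEY_CURRENT_USER, winreg),
        collect_inproc_servers(winreg.HKEY_LOCAL_MACHINE, winreg))
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, SIP_VERIFY_SUBKEY) as sip:
        sip_finding = check_sip_verify(winreg.QueryValueEx(sip, "Dll")[0],
                                       winreg.QueryValueEx(sip, "FuncName")[0])
    return findings + ([sip_finding] if sip_finding else [])


# Constructed sample: the hijacked CLSID plus a placeholder machine-wide handler.
SAMPLE_HKCU = {BLUEHEART_CLSID: r"C:\Users\Public\Libraries\apphelp.dll"}
SAMPLE_HKLM = {BLUEHEART_CLSID: r"C:\Windows\System32\legit-handler.dll"}  # placeholder

if __name__ == "__main__":
    for f in find_com_hijacks(SAMPLE_HKCU, SAMPLE_HKLM) + hunt_live_system():
        print(f"[{f.severity}] {f.kind}: {f.location}\n    {f.detail}")
```

On a real host, every HKCU InProcServer32 entry the script reports should be reconciled against software the user actually installed per-user; the SIP check needs no such reconciliation, since anything other than the stock `wintrust.dll` handler means signature verification of PE files is no longer trustworthy on that machine.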