2 August 2021

APT29 still actively serving WellMess malware used in cyberespionage campaign targeting COVID-19 vaccine research

Despite the WellMess malware being exposed by Western governments and cybersecurity firms, the cyberespionage group APT29 is still actively using it, researchers at RiskIQ found. They said they discovered more than 30 command-and-control (C2) servers under the control of APT29 that were delivering WellMess (aka WellMail).

APT29, which is also tracked as Cozy Bear, Yttrium, and The Dukes, is believed to be an extension of the Russian intelligence services (SVR). It is also believed to have orchestrated a series of cyberattacks, including the breach of the IT management company SolarWinds last year.

WellMess was first spotted in attacks against Linux and Windows servers in 2018, although at the time the malware was not attributed to any specific hacker group. However, in 2020 the malware was linked to APT29 in a joint report released by security agencies from the US, the UK and Canada describing a cyberespionage campaign targeting organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom.

“Because APT29 uses WellMess in a highly targeted fashion, signs of the malware and its command-and-control servers are relatively rare,” RiskIQ said.

The researchers noted that while much of the discovered APT29 command-and-control infrastructure is still in active use, they do not have enough information to determine how it is being used or whom it has been used to target.

“RiskIQ’s Team Atlas assesses with high confidence that these IP addresses and certificates are in active use by APT29 at the time of this writeup. We were unable to locate any malware which communicated with this infrastructure, but we suspect it is likely similar to previously identified samples,” the researchers said.

Their report also provides indicators of compromise (IoCs) associated with APT29 activity.
