Mallory
Malware. Used by 2 actors. Exploits 1 CVE.

GraphicalProton

GraphicalProton is a loader/backdoor malware associated with APT29 (also tracked as Cozy Bear and Midnight Blizzard) and attributed to Russia's Foreign Intelligence Service (SVR). It is also referred to as GraphDrop and SPICYBEAT. The malware has been described both as a loader capable of delivering second-stage malware and as a simplistic backdoor used by SVR operators for follow-on access. Reported command-and-control behavior includes abuse of legitimate cloud services, primarily Microsoft OneDrive and also Dropbox, to exchange data with operators; data transiting these services was obfuscated inside randomly generated BMP files using compression, encryption, and pixel-bit encoding. An HTTPS C2 variant has also been reported, including the URL hxxps://matclick[.]com/wp-query[.]php observed in December 2023.

In TeamCity-related intrusions exploiting CVE-2023-42793, GraphicalProton was reportedly wrapped in multiple layers of encryption, obfuscation, encoders, and stagers, and variants were observed using DLL hijacking via the open-source monitoring tool Zabbix or hiding activity within the vcperf build analysis tool. The malware was deployed after SVR exploitation of unpatched, internet-reachable JetBrains TeamCity servers beginning in late September 2023, where the actors used their access for privilege escalation, lateral movement, persistence, credential theft, Active Directory enumeration, disabling antivirus/EDR, and planting additional backdoors. This activity is tied to opportunistic compromise of organizations across the United States, Europe, Asia, and Australia, including software, IT, hosting, medical device, financial management, marketing, sales, video game, and energy-related entities.

EXPLOITED CVES

Vulnerabilities exploited

1 CVE correlated with this family across public research and vendor advisories.

CVE-2023-42793: JetBrains TeamCity Authentication Bypass RCE

hxxps://matclick[.]com/wp-query[.]php: GraphicalProton HTTPS C2 URL (C&C), reported December 2023

via cyber.nj.gov
THREAT ACTORS

Groups observed using it

2 distinct threat actors attributed by public researchers.

APT29

Their toolkit includes ... GraphicalNeutrino, GraphicalProton, HammerDuke...

via cyble.com
SVR

“GraphicalProton is a simplistic backdoor that uses OneDrive, Dropbox, and randomly generated BMPs … to exchange data with the SVR operator.”

via cisa.gov
MITRE ATT&CK

Techniques & procedures

6 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique

T1574.001 DLL (Evidence: 1)

Windows Known GraphicalProton Loaded Modules ... DLL ... Windows Masquerading Explorer As Child Process ... DLL

Stealth

2 techniques

T1027 Obfuscated Files or Information (Evidence: 1)

MITRE ATT&CK Mappings: APT29 Defense Evasion T1027: Obfuscated Files or Information; .001: Binary Padding; .002: Software Packing; .003: Steganography; .005: Indicator Removal from Tools; .006: HTML Smuggling

T1574.001 DLL (Evidence: 1)

Windows Known GraphicalProton Loaded Modules ... DLL ... Windows Masquerading Explorer As Child Process ... DLL

T1071.001 Web Protocols (Evidence: 1)

MITRE ATT&CK Table... Command and control, Application Layer Protocol: Web Protocols. Used HTTPS to communicate with C2 infrastructure, often over port 443 to blend with normal traffic.

T1102 Web Service (Evidence: 1)

Known Malware: APT29 GraphicalNeutrino, a backdoor used to target Windows devices that uses Notion databases as a C2... ICEBEAT, a downloader malware that uses the open-source Zulip messaging platform for C2.

Exfiltration

2 techniques

T1041 Exfiltration Over C2 Channel (Evidence: 1)

MITRE ATT&CK Table... Exfiltration, Exfiltration over C2 channel... Data was exfiltrated over the same encrypted channel used for C2 to avoid detection.

T1567 Exfiltration Over Web Service (Evidence: 1)

MITRE ATT&CK Mappings: APT29 Exfiltration T1567: Exfiltration Over Web Service; .001: Exfiltration to Code Repository; .002: Exfiltration to Cloud Storage

INDICATORS OF COMPROMISE

IOCs tracked for this family

25 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.

Network: 4 tracked

IPs, domains, and DNS infrastructure linked to this family.

Hashes: 20 tracked

File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 1 tracked

Other indicator types observed in public reporting.
