Analysis of the MITRE ATT&CK Evaluations APT29 dataset found an intrusion chain centered on the DMEVALS\pbeesly account, where cod.3aka3.scr executed from C:\ProgramData\victim and quickly spawned cmd.exe and powershell.exe, indicating automated malware launch. Investigators traced PowerShell loading monkey.png, extracting hidden payload data from image pixels, and compiling it in memory through Microsoft-signed binaries csc.exe and cvtres.exe, while the broader telemetry showed far heavier memory-access and registry activity than process-creation events, consistent with an effort to minimize obvious execution artifacts.
A second pivot from a timestomped .tmp file exposed a dense burst of implant behavior tied to a PowerShell-related ProcessGuid, including DLL loads, registry changes, named pipe creation, and rapid file creation and deletion. The same activity chain included an unsigned .pyd module loaded from a Temp directory, creation of rar.exe and sdelete.exe, and hundreds of outbound network connections; Sysmon Event ID 10 then showed PowerShell requesting full access (0x1fffff) to lsass.exe, a strong sign of credential theft, followed roughly 12 minutes later by PsExec connections to a second internal host, indicating lateral movement with stolen credentials.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
4 events from the most recent confirmed update back to the earliest known activity.
About 12 minutes after the LSASS access, PsExec activity connected to a second internal machine, suggesting the operators used stolen credentials for lateral movement. This indicates the intrusion progressed beyond the initial host into another system in the DMEVALS environment.
Review of Sysmon Event ID 10 showed PowerShell requesting full access (0x1fffff) to lsass.exe, indicating credentials were likely harvested directly from memory. This represented a clear escalation from initial execution to credential theft on the compromised host.
A timestomped .tmp file tied to a PowerShell-related ProcessGuid led to a burst of activity consistent with implant setup, including DLL loads, registry changes, named pipe creation, and rapid file creation and deletion. The same process chain also involved an unsigned .pyd module from a Temp directory and spawned cmd.exe, powershell.exe, rar.exe, and sdelete.exe while generating heavy outbound network traffic.
In the MITRE ATT&CK Evaluations APT29 Day 1 dataset, the account DMEVALS\pbeesly appears to be the initial victim as cod.3aka3.scr executes from C:\ProgramData\victim and quickly spawns cmd.exe and powershell.exe. PowerShell then loads monkey.png, extracts hidden payload data from image pixels, and uses Microsoft-signed binaries csc.exe and cvtres.exe to compile and run the payload in memory.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
osintteam.blog
Open sourceosintteam.blog
Open sourceosintteam.blog
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.