Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY)

Threat Research Blog | FireEye Inc

Written by: Matthew Dunwoody

Mandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the tools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). In the investigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary b