WellMess
WellMess is a lightweight backdoor malware family written in .NET and Golang, with both Windows and Linux/ELF variants observed. It lets a remote operator establish encrypted command-and-control (C2) sessions and pass scripts or commands to infected systems for execution. Reported capabilities include running PowerShell, batch or shell scripts received from C2, uploading and downloading files, executing commands, exfiltrating data, collecting host and system information and the current username, identifying the current user's domain group membership, and generating a unique victim identifier from host metadata.

On the wire, WellMess has used Base64 encoding with additional junk data mixed in, both to uniquely identify each communication and to carry victim metadata in the HTTP Cookie header. Reported protections for C2 traffic include RC6-encrypted state data, dynamically generated AES session keys exchanged under RSA, and in some cases mutual TLS in which client and server validate each other's certificates; DNS tunneling for C2 is also reported. High-confidence C2 IPs from CISA's analysis of sampled variants are 85.93.2.116, 103.73.188.101, 141.98.212.55, 192.48.88.107 and 209.58.186.196.

WellMess has been publicly associated with APT29/Cozy Bear, assessed as linked to Russia's SVR, including operations targeting organizations involved in COVID-19 vaccine research and development in the US, UK and Canada. Recorded Future also tracked related SVR-linked hosting patterns under the designation GRAVITYWELL.
Groups observed using it
3 distinct threat actors attributed by public researchers.
GRAVITYWELL, the Recorded Future designation for server technology and TLS certificate configuration commonly used to host the Russian Foreign Intelligence Service (SVR)-linked WellMess backdoor...
“…deployment of custom malware known as WellMess, WellMail, and Sorefang to target organizations involved in COVID-19 vaccine development.”
NCSC published an advisory describing malicious activity targeting institutions related to research to find a vaccine for COVID-19. In this case, the malware used in the attacks belongs to a family called WellMess...
Techniques & procedures
22 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (2 techniques)
Execution (3 techniques)
The program is capable of encrypting, decrypting, uploading and downloading files. The malware can also execute commands and send and receive encrypted communications.
PowerShell: public reporting repeatedly describes threat actors and malware using PowerShell scripts and commands for execution, download, staging, reconnaissance, persistence, credential access, lateral movement and defense evasion; e.g., "Sandworm Team used PowerShell scripts to run a credential harvesting tool in memory to evade defenses."
Command shell: during the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, the Windows command shell or other command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup and ransomware actions.
Stealth (3 techniques)
PE version information carried by a sampled binary (listed under Stealth because the file claims to be Microsoft's powercfg.exe):
Company Name: Microsoft Corporation
File Description: Power Settings Command-Line Tool
Internal Name: powercfg.exe
Original Filename: powercfg.exe
Credential Access (1 technique)
Discovery (5 techniques)
Network configuration: public reporting repeatedly describes malware and threat actors using commands and APIs such as ipconfig /all, ifconfig, arp -a, route print, nbtstat, netsh, GetAdaptersInfo and GetIpNetTable to gather IP addresses, MAC addresses, DNS, DHCP, gateways, routing tables, ARP cache, proxy settings, domains and network adapter/interface details.
Account discovery: public reporting repeatedly describes malware and threat actors collecting usernames, identifying logged-in users, running whoami/query user/quser, checking whether the current user is an administrator, enumerating user sessions and gathering account details from compromised hosts.
Both analyzed variants collect the state of system privileges (enabled or disabled) from the infected system.
System information: public reporting repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."
Command and Control (7 techniques)
Displayed below is sample communication traffic between this WellMess implant and its C2 server. —Begin Sample Network Traffic— POST / HTTP/1.1 ... Cookie: ...
These implants allow a remote operator to establish encrypted command and control (C2) sessions... The function appears to be the main export of the DLL, which initiates a C2 session with the implant's remote C2 server at the Internet Protocol (IP) address 85.93.2.116.
HTTP/HTTPS C2: public reporting repeatedly describes threat actors and malware using HTTP and HTTPS for command and control, such as: "Sandworm Team used BlackEnergy to communicate between compromised hosts and their command-and-control servers via HTTP post requests."
When the file is executed, it attempts to create a C2 connection to one of the following IP addresses:
141.98.212.55 over Transmission Control Protocol (TCP) port 53
209.58.186.196 over TCP port 443
Both versions also allow an operator to pass AES encrypted executable scripts to infected systems... The malware can receive and parse messages from the remote operator.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
Encrypted channel: public reporting repeatedly describes malware and threat actors using SSL, TLS, HTTPS, RSA, AES, Blowfish, RC4, ECIES, Diffie-Hellman, OpenSSL, WolfSSL and mutual TLS to protect command and control traffic.
"communicate with C2 over mutual TLS"; "client and server mutually check certificates"; "can use mutual TLS and RSA cryptography to exchange a session key".
Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").
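Added example, not code from this page or from any of the reports it cites: a small Python scanner that matches constructed HTTP proxy records against the C2 IPs and ports listed above and flags Cookie values that decode as Base64 once interleaved junk characters are removed, the pattern the overview describes for victim metadata in the Cookie header. The record layout, the cookie name "cid", the junk characters, the stand-in metadata string and the two thresholds are assumptions chosen for illustration; the implant's real cookie format is not shown on this page and is not reproduced here.

```python
"""Added example (not code from this page or the cited reports): match
constructed proxy records against the WellMess C2 IPs/ports listed above and
flag Cookie values that decode as Base64 once interleaved junk is removed.
Record layout, cookie name, junk characters and thresholds are assumptions."""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# C2 IPs from the CISA analysis cited on this page, plus the two TCP ports the
# page reports the sampled variant connecting to.
WELLMESS_C2_IPS = frozenset({
    "85.93.2.116", "103.73.188.101", "141.98.212.55",
    "192.48.88.107", "209.58.186.196",
})
WELLMESS_C2_PORTS = frozenset({53, 443})

NOT_B64 = re.compile(r"[^A-Za-z0-9+/=]")  # anything outside the Base64 alphabet
MIN_DECODED_BYTES = 16  # assumed threshold: ignore short blobs
MIN_JUNK_CHARS = 4      # assumed threshold: junk must actually be interleaved


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    reasons: List[str] = field(default_factory=list)
    decoded_cookie: Optional[bytes] = None


def add_junk(b64: str, every: int = 5, junk: str = "~!*$") -> str:
    """Constructed obfuscation, used only to build the sample input:
    insert one junk character after every `every` Base64 characters."""
    out = []
    for i, ch in enumerate(b64):
        out.append(ch)
        if (i + 1) % every == 0:
            out.append(junk[i % len(junk)])
    return "".join(out)


def recover_base64(value: str) -> Optional[bytes]:
    """Strip everything outside the Base64 alphabet and strictly decode the
    residue. Fires only if at least MIN_JUNK_CHARS were removed and the result
    is at least MIN_DECODED_BYTES, so a plain hex or Base64 session token
    (nothing to strip) does not trigger."""
    junk_removed = len(NOT_B64.findall(value))
    cleaned = NOT_B64.sub("", value)
    if junk_removed < MIN_JUNK_CHARS or len(cleaned) % 4:
        return None
    try:
        decoded = base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        return None
    return decoded if len(decoded) >= MIN_DECODED_BYTES else None


def cookie_values(header: str):
    """Yield (name, value) pairs from a Cookie header value."""
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        yield (name, value) if sep else ("", name)


def analyze_record(record: str) -> Optional[Finding]:
    """Assumed record layout: '<src> <dst>:<port> <method> <path> <Cookie|->'."""
    parts = record.split(maxsplit=4)
    if len(parts) != 5:
        return None
    src, dst_port, _method, _path, cookie = parts
    dst, _, port_s = dst_port.rpartition(":")
    finding = Finding(src=src, dst=dst, port=int(port_s))
    if dst in WELLMESS_C2_IPS:
        finding.reasons.append(f"destination {dst} is a reported WellMess C2")
        if finding.port in WELLMESS_C2_PORTS:
            finding.reasons.append(f"tcp/{finding.port} matches a reported C2 port")
    if cookie != "-":
        for name, value in cookie_values(cookie):
            decoded = recover_base64(value)
            if decoded is not None:
                finding.reasons.append(f"cookie {name!r} is Base64 under interleaved junk")
                finding.decoded_cookie = decoded
                break
    return finding if finding.reasons else None


def scan(records: List[str]) -> List[Finding]:
    return [f for f in map(analyze_record, records) if f is not None]


# Constructed sample input: the metadata string is a stand-in, not WellMess's
# real victim-identifier layout. Line 2 is benign traffic with a hex token.
VICTIM_METADATA = b"host=WS01;user=alice;id=0123"
OBFUSCATED = add_junk(base64.b64encode(VICTIM_METADATA).decode())
SAMPLE_RECORDS = [
    f"10.0.0.5 85.93.2.116:443 POST / cid={OBFUSCATED}",
    "10.0.0.7 93.184.216.34:443 GET /index.html sid=5f4dcc3b5aa765d61d8327deb882cf99",
    "10.0.0.9 141.98.212.55:53 POST / -",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"{f.src} -> {f.dst}:{f.port}: " + "; ".join(f.reasons))
        if f.decoded_cookie is not None:
            print("  recovered cookie plaintext:", f.decoded_cookie)
```

The IP match is the high-confidence signal; the cookie heuristic is there to catch the same channel once infrastructure rotates, which the GRAVITYWELL reporting below notes it did. Tune MIN_JUNK_CHARS against your own cookie population before deploying anything like it, since the junk-removal step is what keeps ordinary long session tokens from matching.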
IOCs tracked for this family
47 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
27 sources tracked across advisories, community write-ups, and news.
Their toolkit includes ... TrailBlazer, WellMail, WellMess, WINELOADER and Living off the Land.
Custom malware attributed to SVR, historically used to target COVID-19 vaccine development organizations; authorities also state it was used against energy sector companies.
SVR-linked backdoor associated with transient GRAVITYWELL infrastructure that shifted after public reporting.
Backdoor malware attributed to APT29, with both Windows and Linux variants, used for espionage.