The Russian cyberespionage group known as APT29 and Cozy Bear is still actively delivering a piece of malware named WellMess, also known as WellMail. WellMess is a lightweight backdoor that enables its operators to execute shell commands and to upload and download files on the compromised system.
WellMess was attributed to Russia’s APT29 in 2020, when the United States, the United Kingdom and Canada said it had been used by Russian hackers in attacks aimed at academic and pharmaceutical research institutions involved in COVID-19 vaccine development.
The malware was again mentioned this year, when agencies in the US and UK published a report describing the activities of APT29, which is also believed to be behind the attack on IT management company SolarWinds.
WellMess was mentioned in the report because, apparently in response to the exposure of their operation targeting vaccine makers, the hackers started using an open-source adversary simulation framework named Sliver to maintain access to existing WellMess victims.
While the company is confident that the servers belong to APT29 and are still actively used to deliver the malware, it does not have enough information to determine how the infrastructure is being used or whom it has been used to target.