win.beatdrop

BEATDROP

Actor(s): APT29


According to Mandiant, BEATDROP is a downloader written in C that uses Atlassian's project management service Trello for C&C. BEATDROP uses Trello to store victim information and retrieve AES-encrypted shellcode payloads to be executed. BEATDROP then injects and executes downloaded payloads into a suspended process. Upon execution, BEATDROP maps a copy of ntdll.dll into memory to execute shellcode in its own process. The sample then creates a suspended thread with RtlCreateUserThread; the thread's start address points to NtCreateFile. The sample changes execution to the shellcode and resumes the thread. The shellcode payload is retrieved from Trello and is targeted per victim. Once the payload has been retrieved, it is deleted from Trello.

References
2023-07-26 — Weixin — Anheng Threat Intelligence Center
APT29 recently faked the German embassy and issued a malicious PDF file
BEATDROP Unidentified 107 (APT29)
2023-03-10 — Mrtiepolo — Gianluca Tiepolo
Sophisticated APT29 Campaign Abuses Notion API to Target the European Commission
BEATDROP EnvyScout GraphicalNeutrino tDiscoverer VaporRage
2022-09-06 — INCIBE-CERT — INCIBE
Estudio del análisis de Nobelium
BEATDROP BOOMBOX Cobalt Strike EnvyScout Unidentified 099 (APT29 Dropbox Loader) VaporRage
2022-07-19 — R136a1 — Dominik Reichel
A look into APT29's new early-stage Google Drive downloader
BEATDROP BOOMBOX Gdrive Unidentified 098 (APT29 Slack Downloader)
2022-04-29 — Mandiant — Anders Vejlby, John Wolfram, Nick Simonian, Sarah Hawley, Tyler McLellan
Trello From the Other Side: Tracking APT29 Phishing Campaigns
BEATDROP VaporRage
Yara Rules
[TLP:WHITE] win_beatdrop_auto (20260504 | Detects win.beatdrop.)
rule win_beatdrop_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2026-05-04"
        version = "1"
        description = "Detects win.beatdrop."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.beatdrop"
        malpedia_rule_date = "20260422"
        malpedia_hash = "a182e35da64e6d71cb55f125c4d4225196523f14"
        malpedia_version = "20260504"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    /* NOTE(review): the per-instruction annotations printed under each
     * $sequence_N do not correspond to the hex bytes they sit next to
     * (e.g. 0fb6c9 is `movzx ecx, cl` and 890c24 is `mov [rsp], ecx`, not
     * the listed `and` / `inc`). YARA matches on the hex only, so the
     * annotations have no effect on detection; treat them as unreliable when
     * reading the rule. The REX prefixes (41/44/45/47/48) suggest the
     * sequences were lifted from x64 code — confirm against the sample
     * before relying on that for triage. Because the strings are opcode
     * sequences from an unpacked/in-memory image, expect the rule to be
     * weaker against packed on-disk samples.
     */

    strings:
        $sequence_0 = { 41c1e910 0fb6c9 890c24 4489f9 }
            // n = 4, score = 400
            //   41c1e910             | mov                 esi, dword ptr [esp + 0x1c]
            //   0fb6c9               | and                 ecx, 0xff0000
            //   890c24               | inc                 ecx
            //   4489f9               | mov                 edx, dword ptr [esp + edx*4 + 0xc00]

        $sequence_1 = { 413384bd000c0000 4489cf 334538 41c1eb18 c1ef10 4133949d00040000 478b5c9d00 }
            // n = 7, score = 400
            //   413384bd000c0000     | mov                 eax, 1
            //   4489cf               | xor                 edx, edx
            //   334538               | dec                 eax
            //   41c1eb18             | mov                 dword ptr [esp + 0x30], eax
            //   c1ef10               | dec                 eax
            //   4133949d00040000     | lea                 eax, [ebp - 0x18]
            //   478b5c9d00           | dec                 eax

        $sequence_2 = { 334650 450fb6d2 4333849400040000 440fb6d1 4133849c00080000 438b1c9c 43339c94000c0000 }
            // n = 7, score = 400
            //   334650               | dec                 ecx
            //   450fb6d2             | mov                 esp, ecx
            //   4333849400040000     | dec                 eax
            //   440fb6d1             | mov                 ecx, dword ptr [ecx + 8]
            //   4133849c00080000     | dec                 eax
            //   438b1c9c             | sub                 esp, 0x30
            //   43339c94000c0000     | dec                 eax

        $sequence_3 = { 453384ac00080000 41c1e918 0fb6ec c1e810 450fb6d2 478b0c8c }
            // n = 6, score = 400
            //   453384ac00080000     | lea                 edx, [0xd9af]
            //   41c1e918             | dec                 esp
            //   0fb6ec               | mov                 ecx, esi
            //   c1e810               | dec                 esp
            //   450fb6d2             | lea                 edi, [esp + 0x50]
            //   478b0c8c             | dec                 ecx

        $sequence_4 = { c1e810 418b549500 0fb6c0 413394b5000c0000 c1eb18 }
            // n = 5, score = 400
            //   c1e810               | mov                 edx, esi
            //   418b549500           | dec                 esp
            //   0fb6c0               | mov                 ecx, edi
            //   413394b5000c0000     | dec                 eax
            //   c1eb18               | mov                 edx, eax

        $sequence_5 = { 4189cf 3396b0000000 41c1ef18 440fb6d3 4133948400040000 4489c0 0fb6c4 }
            // n = 7, score = 400
            //   4189cf               | lea                 edx, [0x2f0d2]
            //   3396b0000000         | dec                 eax
            //   41c1ef18             | mov                 ecx, eax
            //   440fb6d3             | dec                 ecx
            //   4133948400040000     | mov                 edi, eax
            //   4489c0               | dec                 eax
            //   0fb6c4               | mov                 ecx, edi

        $sequence_6 = { 440fb6da 458b3484 4489c0 4733b494000c0000 440fb6d1 }
            // n = 5, score = 400
            //   440fb6da             | jl                  0x12f6
            //   458b3484             | dec                 eax
            //   4489c0               | lea                 eax, [0x11113]
            //   4733b494000c0000     | jg                  0x12fe
            //   440fb6d1             | inc                 eax

        $sequence_7 = { 418b549500 0fb6c0 413394b5000c0000 c1eb18 33552c }
            // n = 5, score = 400
            //   418b549500           | dec                 ebp
            //   0fb6c0               | mov                 eax, ebp
            //   413394b5000c0000     | dec                 eax
            //   c1eb18               | lea                 edx, [0xced1]
            //   33552c               | dec                 eax

        $sequence_8 = { 4883ec28 448b4204 442b02 4989d3 4183f8ff }
            // n = 5, score = 400
            //   4883ec28             | mov                 eax, ebx
            //   448b4204             | dec                 eax
            //   442b02               | lea                 edx, [0xdd64]
            //   4989d3               | dec                 esp
            //   4183f8ff             | mov                 ecx, esi

        $sequence_9 = { 895481fc 483de3000000 75bf 448b0481 48ffc0 8b1481 }
            // n = 6, score = 400
            //   895481fc             | jne                 0x1e82
            //   483de3000000         | inc                 ecx
            //   75bf                 | mov                 eax, 0x184d
            //   448b0481             | dec                 eax
            //   48ffc0               | lea                 edx, [0x11f05]
            //   8b1481               | dec                 eax

    condition:
        // Fire when at least 7 of the 10 byte sequences are present and the
        // scanned object is smaller than 584704 bytes (571 KiB); larger files
        // never match regardless of how many sequences are found.
        7 of them and filesize < 584704
}