APT28 GooseEgg: NTLM Relay and the NATO Targeting Campaign
Forest Blizzard weaponized a Windows Print Spooler flaw to deploy GooseEgg, enabling NTLM relay attacks against NATO government networks throughout 2023 and into 2024.
By Arjun Raghavan, Security & Systems Lead, BIPI · September 17, 2024 · 10 min read
APT28, tracked by Microsoft as Forest Blizzard and widely attributed to Russia's GRU Unit 26165, has operated for over two decades against Western military and government targets. In early 2024, Microsoft Threat Intelligence published details on a previously undocumented post-exploitation tool, GooseEgg, that the group had been deploying since at least June 2020 to facilitate NTLM credential relay and privilege escalation inside NATO-affiliated networks.
The GooseEgg Exploit Chain
GooseEgg is a launcher application that exploits CVE-2022-38028, a Windows Print Spooler privilege escalation vulnerability. When executed, it modifies a JavaScript constraints file and executes it with SYSTEM privileges, allowing APT28 to establish a backdoor, harvest credentials, and move laterally without triggering standard EDR behavioral rules tied to known tooling like Mimikatz.
- CVE-2022-38028: Windows Print Spooler privilege escalation (CVSS 7.8), patched October 2022 but exploited by APT28 for months before disclosure
- GooseEgg drops a DLL launcher that spawns a child process with SYSTEM token, bypassing UAC entirely
- Credential material harvested via NTLM relay is forwarded to GRU-controlled infrastructure over encrypted channels
- The tool was observed alongside OwlProxy and CozyCar implants in at least three NATO member government networks
NTLM Relay as a Long-Game Technique
NTLM relay (MITRE ATT&CK T1557.001) remains one of the most durable Active Directory attack techniques precisely because it exploits protocol design rather than a patchable memory corruption flaw. APT28 has combined NTLM relay with Responder-style poisoning across multiple campaigns, including the well-documented targeting of Norwegian, Lithuanian, and Polish government ministries observed between 2022 and 2024.
GooseEgg had been operating silently inside some target environments for nearly four years before Microsoft published indicators. Patch lag at the network perimeter is not a theoretical risk: it is the attack surface.
Attribution Evidence
- Infrastructure overlaps with X-Agent and Sofacy C2 domains, including shared TLS certificate fingerprints
- Code artifacts in GooseEgg contain Cyrillic error strings consistent with prior APT28 tooling
- Victimology aligns precisely with GRU Unit 26165 targeting mandates: defense ministries, transportation logistics, energy infrastructure in NATO member states
- Timing of operations correlates with Russian military operational cycles, particularly around Ukrainian front-line activity
MITRE ATT&CK Mapping
- T1547.001: Boot or Logon Autostart Execution via registry run key persistence
- T1557.001: LLMNR/NBT-NS Poisoning and SMB Relay for credential capture
- T1068: Exploitation for Privilege Escalation (CVE-2022-38028)
- T1003.001: OS Credential Dumping via LSASS Memory after SYSTEM escalation
- T1071.001: Application Layer Protocol using HTTPS for C2 beaconing
Detection and Hunting Queries
Defenders hunting for GooseEgg activity should focus on anomalous Print Spooler child processes, unexpected JavaScript file modifications in system directories, and NTLM authentication events originating from non-standard hosts.
- Alert on Print Spooler spawning cmd.exe, powershell.exe, or wscript.exe as direct children
- Monitor for modifications to C:\Windows\System32\spool\PRINTERS\*.js
- Correlate NTLM relay events (Event ID 4624, LogonType 3) with subsequent privileged logons to domain controllers
- Baseline and alert on new scheduled tasks created by SYSTEM accounts outside patch windows
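The first and third hunting items above, as an added example that is not from the original post or from Microsoft's report: it runs two checks over constructed, SIEM-normalised event records (field names such as `ParentImage`, `AuthPackage` and `TargetUser` are assumptions about the normalisation, and "privileged logon" is approximated by a network logon to a host in an assumed domain-controller list).

```python
"""Hunting checks for two of the GooseEgg indicators listed above, run over
constructed sample events; field names mirror Sysmon Event ID 1 and Security 4624."""
from datetime import datetime, timedelta

SPOOLER = "spoolsv.exe"
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "wscript.exe"}
DOMAIN_CONTROLLERS = {"DC01"}  # assumption: would come from the asset inventory

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def spooler_child_alerts(events):
    """Sysmon EID 1: Print Spooler directly spawning a shell or script host."""
    return [e for e in events if e["EventID"] == 1
            and _basename(e["ParentImage"]) == SPOOLER
            and _basename(e["Image"]) in SUSPICIOUS_CHILDREN]

def ntlm_relay_alerts(events, window=timedelta(minutes=10)):
    """Security EID 4624, LogonType 3, NTLM on a non-DC host, followed within
    `window` by a network logon of the same account on a domain controller."""
    logons = sorted((e for e in events if e["EventID"] == 4624 and e["LogonType"] == 3),
                    key=lambda e: e["Time"])
    alerts = []
    for i, first in enumerate(logons):
        if first["AuthPackage"] != "NTLM" or first["Computer"] in DOMAIN_CONTROLLERS:
            continue
        for later in logons[i + 1:]:
            if later["Time"] - first["Time"] > window:
                break  # time-ordered list: nothing further can be inside the window
            if later["Computer"] in DOMAIN_CONTROLLERS and later["TargetUser"] == first["TargetUser"]:
                alerts.append((first["TargetUser"], first["Computer"], later["Computer"]))
                break
    return alerts

T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"EventID": 1, "Time": T0, "ParentImage": r"C:\Windows\System32\spoolsv.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # should alert
    {"EventID": 1, "Time": T0, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe"},                       # benign parent
    {"EventID": 4624, "Time": T0 + timedelta(minutes=1), "LogonType": 3,
     "AuthPackage": "NTLM", "Computer": "FILESRV02", "TargetUser": "svc_backup"},
    {"EventID": 4624, "Time": T0 + timedelta(minutes=3), "LogonType": 3,
     "AuthPackage": "NTLM", "Computer": "DC01", "TargetUser": "svc_backup"},  # same account hits DC
    {"EventID": 4624, "Time": T0 + timedelta(minutes=5), "LogonType": 3,
     "AuthPackage": "Kerberos", "Computer": "DC01", "TargetUser": "jdoe"},   # Kerberos: ignored
]

if __name__ == "__main__":
    print(spooler_child_alerts(SAMPLE_EVENTS))
    print(ntlm_relay_alerts(SAMPLE_EVENTS))
```

The correlation window and the DC list are tuning knobs; in production both would be fed from the directory and the SIEM rather than hard-coded.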
Recommended Mitigations
GooseEgg's longevity underscores a consistent APT28 tradecraft principle: prioritize durable, low-noise persistence over flashy zero-days. The group's patience and operational discipline make them one of the highest-fidelity nation-state threats targeting Western critical infrastructure today.