During 2019, as part of the results of S2 Grupo’s incident management service, LAB52 gained access to a set of artifacts—and a large amount of evidence collected during the incident—which made it possible to conduct an exhaustive investigation linking the highly sophisticated campaign to APT29.

Starting in November 2025, the information about these artifacts was finally declassified, and the results were compiled into a detailed report that can be downloaded below.

Even today, the campaign still provides very interesting insights into malware deployment in targeted attacks, which we hope will contribute to the community.

Download the full report from here.

Intelligence Availability Notice

This article presents selected insights derived from our broader threat intelligence operations and coverage. Additional details related to this campaign, as well as other investigations and ongoing intelligence activities, are enriched and available through our private intelligence feed.