When State Actors Go Mobile: APT29's Use of Commodity Malware

As part of Meta's ongoing work to track and disrupt cyber espionage campaigns by APT groups, we detected attempts by the Russian cyber threat actor Midnight Blizzard (APT29) to deploy Android malware. The sample was a variant of the Octo2 family, which is traditionally associated with financially motivated actors but was here repurposed by an APT actor.

Technical analysis of the malware revealed advanced capabilities, such as full device takeover through abuse of Android accessibility services, and showed an APT known for cyber espionage using commodity malware typically seen in cybercriminal activity. This TTP offers new insight into APT29's evolving tradecraft and into the broader threat landscape.
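Because the takeover capability described above depends on the malware registering itself as an accessibility service, one cheap triage check for defenders is to enumerate which services are enabled on a device. The following is an added example, not code from the talk or from Meta: it parses the value of the Android secure setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`) and flags services from packages outside an allowlist. The sample value and the package `com.example.updater` are constructed for illustration, and the allowlist is an assumption standing in for a fleet baseline.

```python
"""Triage helper: flag unexpected Android accessibility services.

Added example, not from the talk or from Meta. Input is the value of the
Android secure setting `enabled_accessibility_services`: a colon-separated
list of ComponentName strings of the form `package/service`, where the
service may be written in the short form `.Service` relative to the package.
`settings get secure` returns the literal string "null" when the setting is unset.
"""
from typing import List, Tuple

# Packages whose accessibility services are expected. Assumption: this
# allowlist is illustrative; a real one would come from the fleet's MDM baseline.
EXPECTED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def parse_services(setting_value: str) -> List[Tuple[str, str]]:
    """Split the setting value into (package, fully qualified service) pairs."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    pairs = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        # Expand the short form "pkg/.Svc" to "pkg/pkg.Svc".
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def flag_unexpected(setting_value: str, expected=EXPECTED_PACKAGES) -> List[Tuple[str, str]]:
    """Return every enabled accessibility service whose package is not allowlisted."""
    return [(pkg, svc) for pkg, svc in parse_services(setting_value) if pkg not in expected]


# Constructed sample, shaped like the output of `settings get secure ...`.
# "com.example.updater" is a made-up package standing in for a suspicious app.
SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/.AccessibilityService"
)

if __name__ == "__main__":
    for pkg, svc in flag_unexpected(SAMPLE):
        print(f"UNEXPECTED accessibility service: {pkg} -> {svc}")
```

In practice the setting value is pulled per device (for example via MDM or `adb`) and the hits are cross-checked against the installer source and signing certificate of the flagged package; an accessibility service from a sideloaded app is the signal worth escalating.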

This talk will present an in-depth analysis of the malware and key lessons for defenders. It will also explore the implications of advanced persistent threats adopting commodity malware.