“While a simple launcher application, GooseEgg is capable of spawning other applications specified at the command line with elevated permissions, allowing threat actors to support any follow-on objectives such as remote code execution, installing a backdoor, and moving laterally through compromised networks,” the company said.

Forest Blizzard has used GooseEgg as part of post-compromise activities against targets including Ukrainian, Western European, and North American governments, non-governmental, education, and transportation sector organizations, according to the report.

Exploits as early as April 2019

Forest Blizzard, also tracked as Fancy Bear, GRU Unit 26165, APT28, Sednit, Sofacy, and STROTIUM, is reportedly active since 2010, collecting intelligence in support of Russian government foreign policy initiatives. The threat actor has been linked to GRU Military Unit 26165, with global targets but a predominant focus on entities in the US and Europe.

“Forest Blizzard primarily focuses on strategic intelligence targets and differs from other GRU-affiliated and sponsored groups, which Microsoft has tied to destructive attacks, such as Seashell Blizzard (IRIDIUM) and Cadet Blizzard (DEV-0586),” the company said.

Microsoft Threat Intelligence assessed Forest Blizzard’s objective in deploying GooseEgg is to gain access to target systems and steal information, since at least June 2020 and possibly as early as April 2019.

Apart from the October 2022 patches, Microsoft has recommended that users disable Windows Print Spooler service for domain controller operations, run endpoint detection and response (EDR) in block mode, fully automate investigation and remediation mode on Microsoft Defender, and turn on cloud-delivered protection on the Defender Antivirus.