Cozy Bear is a Cybercriminal organization suspected to be linked to one or more Russian intelligence services. It is classified as an advanced persistent threat APT29 by the US federal government. CozyCar, CozyDuke, Dark Halo, The Dukes, NOBELIUM, Office Monkeys, StellarParticle, UNC2452, and YTTRIUM are some of the nicknames given to the group by different cybersecurity organizations.
It’s intended to assist attackers in remotely exfiltrating sensitive data from compromised AD FS servers by installing HTTP listeners for actor-defined URIs to intercept GET/POST requests delivered to the AD FS server matching the custom URI patterns.
token-signing certificatetoken-decryption certificate, as well as to download and execute additional components. It can also receive additional malicious components from a command-and-control (C2) server and execute them on the compromised server.