MITRE ATT&CK® Campaign

C0005: Operation Spalax

Operation Spalax was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The Operation Spalax threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to APT-C-36; however, they identified enough differences to report this as separate, unattributed activity.[1]

Domain: Enterprise | ID: C0005 | Type: Campaign | Object version: 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Operation Spalax matters because it shows how a campaign can use ordinary phishing themes and commodity remote access tooling to create targeted business risk, especially for Colombian government entities and private organizations in energy and metallurgical sectors. For leaders, the value is not attribution; MITRE lists it as separate, unattributed activity. The value is validating whether email security, endpoint visibility, DNS/web monitoring, and incident response playbooks can handle common malware delivered through believable lures and obfuscated payloads.

Executive priority

Prioritize this as a resilience and readiness check for organizations with Colombian exposure, public-sector dependencies, or energy/metallurgical operations. Ask whether the organization can prove coverage for phishing attachments and links, Windows RAT activity such as Remcos and njRAT where applicable, suspicious command/script execution, rundll32 proxy execution, obfuscated or packed files, and command-and-control over web services or dynamically resolved infrastructure. This is also useful audit evidence: controls should demonstrate not just user training, but telemetry retention, triage workflow, and containment capability for commodity-malware intrusions.

Technical view

MITRE does not provide a campaign-specific detection section or campaign platform list, so defenders should pivot from the relationships. Validate controls across initial access via spearphishing attachments and links, user execution of malicious files or links, execution through command/script interpreters, rundll32 abuse on Windows, obfuscation including packing, steganography, encrypted/encoded files, deobfuscation behavior, sandbox/virtualization evasion, and C2 via web services and dynamic resolution. Relationship context also includes resource-development behaviors such as acquiring domains, malware, tools, and uploading malware, which should inform threat-intelligence monitoring and pre-delivery blocking rather than endpoint-only detection.

Likely telemetry

  • Email gateway and mail security logs for attachments, links, sender infrastructure, and phishing themes
  • Endpoint process creation telemetry, especially script interpreters and rundll32.exe activity
  • Endpoint file telemetry for downloaded attachments, executables, DLLs, packed files, encoded/encrypted content, and unusual media files used as carriers
  • EDR or antivirus alerts related to Remcos, njRAT, commodity RAT behavior, or suspicious remote-control tooling
  • DNS logs, passive DNS, and domain registration/intelligence data for dynamic or newly observed infrastructure

Detection direction

  • Tune detections around the full chain: phishing delivery, user execution, payload staging, obfuscated file handling, process execution, and outbound C2, rather than relying only on known indicators.
  • For Windows environments, validate monitoring for rundll32.exe executing unusual DLL paths or command lines and for RAT-like child processes or network connections.
  • Review false positives carefully for command/script interpreters and web-service traffic, because both can be common in normal operations; prioritize correlation with recent email delivery, file download, or new external destinations.
  • Do not assume sandbox verdicts are complete; the related virtualization/sandbox evasion technique means static, behavioral, and post-delivery telemetry should be compared.
  • Use the resource-development relationships to inform domain and malware intelligence workflows, but treat infrastructure overlaps cautiously because MITRE notes overlaps with other campaigns while reporting this as separate unattributed activity.
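The chain-correlation idea in the bullets above (mail delivery, then suspicious rundll32 execution, then a lookup of dynamically resolved infrastructure on the same host) can be expressed as a small triage script. The following is an added example and is not code from the Glexia page, from MITRE, or from ESET. All hostnames, users, paths, subjects, timestamps and query names are constructed sample telemetry, not campaign indicators; the only real value is the Duck DNS zone duckdns.org, which the page names, and the suffix list is an assumption to be extended from your own intelligence feeds.

```python
"""Correlate phishing delivery, rundll32 proxy execution and dynamic-DNS lookups.

Added example, not from the original page. Events are constructed and already
normalized into dicts; in practice they would come from a mail gateway, an EDR
process-creation feed and DNS logs.
"""
from datetime import datetime, timedelta

# --- constructed sample telemetry (placeholders, not real indicators) -------
EMAIL_EVENTS = [
    {"ts": "2024-03-04T09:00:00", "host": "ws-17", "user": "amartinez",
     "subject": "Citacion judicial", "attachment": "documento.pdf"},
    {"ts": "2024-03-04T09:05:00", "host": "ws-22", "user": "jlopez",
     "subject": "Factura marzo", "attachment": "factura.pdf"},
]
PROCESS_EVENTS = [
    # module loaded from a user-writable path with a non-.dll extension
    {"ts": "2024-03-04T09:12:30", "host": "ws-17", "user": "amartinez",
     "cmdline": r"rundll32.exe C:\Users\amartinez\AppData\Local\Temp\setup.dat,Start"},
    # ordinary system use of rundll32: system32 module, .dll extension
    {"ts": "2024-03-04T09:20:00", "host": "ws-22", "user": "jlopez",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    # suspicious module path, but no preceding mail delivery for this user
    {"ts": "2024-03-04T14:00:00", "host": "ws-31", "user": "svc-build",
     "cmdline": r"rundll32.exe C:\Users\Public\loader.dll,Run"},
]
DNS_EVENTS = [
    {"ts": "2024-03-04T09:13:05", "host": "ws-17", "query": "sample-host.duckdns.org"},
    {"ts": "2024-03-04T09:21:00", "host": "ws-22", "query": "update.microsoft.com"},
    {"ts": "2024-03-04T14:00:40", "host": "ws-31", "query": "sample-host.duckdns.org"},
]

# Path fragments that indicate a user- or world-writable location (assumption:
# tune to your environment, e.g. add network shares or removable media).
USER_WRITABLE_MARKERS = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
# duckdns.org is Duck DNS, named on the page. DNS Exit zones are deliberately
# not guessed here; extend this tuple from your own intelligence feeds.
DYNAMIC_DNS_SUFFIXES = ("duckdns.org",)


def parse_ts(value):
    return datetime.fromisoformat(value)


def rundll32_target(cmdline):
    """Return the module path rundll32 was asked to load, or None if the
    command line is not a rundll32 invocation."""
    parts = cmdline.split(None, 1)
    if len(parts) < 2 or not parts[0].lower().strip('"').endswith("rundll32.exe"):
        return None
    module = parts[1].strip().split(",", 1)[0]
    return module.strip().strip('"')


def is_suspicious_rundll32(event):
    """Review signal, not a verdict: module from a user-writable path or with
    an extension other than .dll (the page notes rundll32 running installers)."""
    target = rundll32_target(event["cmdline"])
    if target is None:
        return False
    low = target.lower()
    return any(m in low for m in USER_WRITABLE_MARKERS) or not low.endswith(".dll")


def is_dynamic_dns(query):
    q = query.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES)


def correlate(email_events, process_events, dns_events, window_minutes=60):
    """For every suspicious rundll32 execution, look back for a mail delivery
    to the same host and user and forward for a dynamic-DNS lookup on the same
    host. Findings are scored by how many stages of the chain were observed."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for proc in process_events:
        if not is_suspicious_rundll32(proc):
            continue
        t = parse_ts(proc["ts"])
        mail = [e for e in email_events
                if e["host"] == proc["host"] and e["user"] == proc["user"]
                and t - window <= parse_ts(e["ts"]) <= t]
        dns = [d for d in dns_events
               if d["host"] == proc["host"] and is_dynamic_dns(d["query"])
               and t <= parse_ts(d["ts"]) <= t + window]
        stages = ["rundll32"]
        if mail:
            stages.append("email")
        if dns:
            stages.append("dynamic_dns")
        findings.append({"host": proc["host"], "user": proc["user"],
                         "module": rundll32_target(proc["cmdline"]),
                         "stages": stages, "score": len(stages)})
    return sorted(findings, key=lambda f: -f["score"])


if __name__ == "__main__":
    for finding in correlate(EMAIL_EVENTS, PROCESS_EVENTS, DNS_EVENTS):
        print(finding)
```

On the constructed data, ws-17 matches all three stages and ranks first; ws-31 shows the execution and the dynamic-DNS lookup but no mail delivery, which is exactly the case where an analyst should check for another delivery path rather than close the alert; ws-22 never enters the findings because its rundll32 use is ordinary. The time window and the path markers are the knobs that control the false-positive rate the bullets warn about.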

Mitigation priorities

  • Strengthen phishing defenses first: attachment and link inspection, user reporting workflows, and rapid takedown or blocking of confirmed malicious messages.
  • Ensure endpoint controls can inspect and contain commodity RAT payloads, packed or encoded files, and suspicious script or rundll32 execution.
  • Harden outbound monitoring by reviewing DNS, proxy, and firewall policy for unusual dynamic resolution and external web-service C2 patterns while accounting for legitimate business use.
  • Maintain incident response playbooks for phishing-led malware cases, including mailbox search, host isolation, credential review, and scoping of outbound connections.
  • For higher-risk Colombian, government, energy, or metallurgical contexts, align threat-intelligence collection and tabletop scenarios to phishing themes and commodity-tool intrusion paths described by the campaign.

Analyst notes and limits

This take is based on the official ATT&CK campaign description, external ESET reference, and listed ATT&CK relationships. The campaign is described as primarily targeting Colombian government organizations and private companies, particularly energy and metallurgical industries, using generic COVID-19, banking, and law-enforcement phishing topics to distribute commodity malware and tools. MITRE notes infrastructure and IOC overlaps with earlier campaigns, including one attributed to APT-C-36, but describes Operation Spalax as separate, unattributed activity.

MITRE provides no official detection text, no campaign-level platforms, and no direct victim-specific telemetry. The related techniques and software provide defensive direction, but local validation is required to determine actual exposure, control coverage, and detection quality. Do not infer current activity or attribution from this object alone.

Official MITRE ATT&CK definition

Operation Spalax

Operation Spalax was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The Operation Spalax threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to APT-C-36; however, they identified enough differences to report this as separate, unattributed activity.[1]

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

17 rows. Citations marked [1] refer to ESET Operation Spalax Jan 2021 in the references below.

Domain | ID | Name | Relationship / procedure
Enterprise | T1588.002 | Tool (sub-technique) | For Operation Spalax, the threat actors obtained packers such as CyaX. [1]
Enterprise | T1583.001 | Domains (sub-technique) | For Operation Spalax, the threat actors registered hundreds of domains using Duck DNS and DNS Exit. [1]
Enterprise | T1027.003 | Steganography (sub-technique) | For Operation Spalax, the threat actors used packers that read pixel data from images contained in PE files' resource sections and build the next layer of execution from the data. [1]
Enterprise | T1588.001 | Malware (sub-technique) | For Operation Spalax, the threat actors obtained malware, including Remcos, njRAT, and AsyncRAT. [1]
Enterprise | T1568 | Dynamic Resolution | For Operation Spalax, the threat actors used dynamic DNS services, including Duck DNS and DNS Exit, as part of their C2 infrastructure. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | For Operation Spalax, the threat actors used a variety of packers and droppers to decrypt malicious payloads. [1]
Enterprise | T1059 | Command and Scripting Interpreter | For Operation Spalax, the threat actors used Nullsoft Scriptable Install System (NSIS) scripts to install malware. [1]
Enterprise | T1204.001 | Malicious Link (sub-technique) | During Operation Spalax, the threat actors relied on a victim to click on a malicious link distributed via phishing emails. [1]
Enterprise | T1566.002 | Spearphishing Link (sub-technique) | During Operation Spalax, the threat actors sent phishing emails to victims that contained a malicious link. [1]
Enterprise | T1102 | Web Service | During Operation Spalax, the threat actors used OneDrive and MediaFire to host payloads. [1]
Enterprise | T1027.002 | Software Packing (sub-technique) | For Operation Spalax, the threat actors used a variety of packers, including CyaX, to obfuscate malicious executables. [1]
Enterprise | T1608.001 | Upload Malware (sub-technique) | For Operation Spalax, the threat actors staged malware and malicious files in legitimate hosting services such as OneDrive or MediaFire. [1]
Enterprise | T1497 | Virtualization/Sandbox Evasion | During Operation Spalax, the threat actors used droppers that would run anti-analysis checks before executing malware on a compromised host. [1]
Enterprise | T1204.002 | Malicious File (sub-technique) | During Operation Spalax, the threat actors relied on a victim to open a PDF document and click on an embedded malicious link to download malware. [1]
Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | During Operation Spalax, the threat actors sent phishing emails that included a PDF document that in some cases led to the download and execution of malware. [1]
Enterprise | T1218.011 | Rundll32 (sub-technique) | During Operation Spalax, the threat actors used `rundll32.exe` to execute malicious installers. [1]
Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | For Operation Spalax, the threat actors used XOR-encrypted payloads. [1]

Associated objects

Groups, software, and campaigns

The citation numbers in the two descriptions below belong to each software object's own reference list, not to the references at the end of this page.

S0385: njRAT (Malware, Enterprise; platform: Windows)

njRAT is a remote access tool (RAT) that was first observed in 2012. It has been used by threat actors in the Middle East.[1]

S0332: Remcos (Tool, Enterprise; platform: Windows)

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 2957287bf4de30e3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 2957287bf4de…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ESET Operation Spalax Jan 2021: M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  2. [2] mitre-attack C0005.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.