C0013: Operation Sharpshooter
Operation Sharpshooter was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous Lazarus Group operations, including fake job recruitment lures and shared malware code.[1][2][3]
Analyst context for executives and security teams
Operation Sharpshooter matters because ATT&CK describes it as a global cyber espionage campaign against nuclear, defense, government, energy, and financial organizations. For leaders, the practical lesson is not a single indicator, but whether the organization can recognize a targeted intrusion path that starts with social engineering and malicious files, then uses stealth, persistence, tooling transfer, and command-and-control techniques.
Executive priority
Prioritize this as a resilience and readiness benchmark for high-value environments, especially where critical infrastructure, defense, government, energy, or financial operations are in scope. Executives should ask whether email/user-execution controls, endpoint visibility, registry persistence monitoring, egress control, and incident response playbooks produce usable evidence quickly enough to support containment and audit/compliance reporting. The supplied ATT&CK object does not establish current activity or local exposure, so priority should be driven by sector relevance, Crown Jewel systems, and observed telemetry gaps.
Technical view
ATT&CK provides no campaign-level detection text and no campaign platforms, but relationships show behaviors across resource development, execution, persistence, stealth, and command-and-control. Validate coverage for malicious file execution, Visual Basic and DDE abuse, native API use, process injection, masquerading through legitimate-looking names or locations, Registry Run Keys/Startup Folder persistence, ingress tool transfer, proxy-based C2, and the related Rising Sun backdoor, which ATT&CK identifies as Windows software used extensively in the campaign.
Likely telemetry
- Email security, attachment, sandbox, and user-reporting records for malicious files and recruitment-themed lures where available
- Endpoint process creation and parent/child process telemetry, especially Office/script/interpreter-driven execution patterns
- Windows Registry and Startup Folder change events for Run Key persistence
- EDR memory/process telemetry relevant to process injection and native API abuse
- File creation, rename, and path metadata to identify legitimate-looking names or locations used for masquerading
Detection direction
- Treat the campaign relationships as a validation map rather than a ready-made analytic: ATT&CK does not provide official detection logic for this campaign.
- Correlate malicious file execution with follow-on behaviors such as VB/DDE execution, unusual child processes, registry persistence, file drops, and outbound network connections.
- Tune masquerading detections against local baselines; legitimate administrative tools and standard software paths can otherwise create false positives.
- Confirm whether endpoint tooling can see memory-oriented behavior such as process injection and native API-heavy execution, not just files on disk.
- Use network analytics to look for unusual proxying, external staging/downloads, and command-and-control patterns, but do not rely on blocklists alone: the infrastructure mapped for this campaign (a compromised server, Dropbox-hosted staging, VPN egress) is cheap for the actor to rotate, so behavior-based egress analytics must carry the weight.
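The correlation described in the telemetry and detection points above, as an added example that is not part of the ATT&CK object or the cited reports: a small Python correlator run over constructed, Sysmon-shaped process, file, and network events. It links Office-spawned child processes, Startup-folder writes, lookalike file names, and outbound connections back to the Office process that started the chain. `mssync.exe` is the name from the campaign; the other lookalike names, the expected directories, and the event shapes are assumptions for the example.

```python
"""Added example (not from the ATT&CK object or the cited reports): a small correlator
that runs the detection direction above over constructed, Sysmon-shaped endpoint events.
It links Office-spawned child processes, Startup-folder writes, lookalike file names
and outbound connections back to the Office process that started the chain."""
from collections import defaultdict
import ntpath

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Names that mimic Microsoft components; mssync.exe is the name from the campaign,
# the rest are assumptions for the example. Tune against your own baseline.
LOOKALIKE_NAMES = {"mssync.exe", "svchost.exe", "lsass.exe", "csrss.exe"}
# Directories where such names are expected to live (assumption for the example).
EXPECTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_DIR_MARKER = "\\start menu\\programs\\startup\\"

# Constructed events, not captured telemetry. WS01 shows the full chain;
# WS02 shows a user pinning a shortcut into Startup via explorer.exe (benign).
EVENTS = [
    {"type": "process", "host": "WS01", "pid": 2200, "ppid": 1000,
     "image": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "WS01", "pid": 4112, "ppid": 2200,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "host": "WS01", "pid": 4300, "ppid": 4112,
     "image": r"C:\Windows\System32\cmd.exe"},
    {"type": "file", "host": "WS01", "pid": 4300,
     "target": r"C:\Users\a\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mssync.exe"},
    {"type": "network", "host": "WS01", "pid": 4300, "dest": "203.0.113.10", "port": 443},
    {"type": "process", "host": "WS02", "pid": 900, "ppid": 1000,
     "image": r"C:\Windows\explorer.exe"},
    {"type": "file", "host": "WS02", "pid": 900,
     "target": r"C:\Users\b\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OneDrive.lnk"},
]


def basename(path):
    return ntpath.basename(path).lower()


def office_ancestry(pid, procs):
    """True if pid or any ancestor reachable through ppid links is an Office process."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        if basename(procs[pid]["image"]) in OFFICE_IMAGES:
            return True
        pid = procs[pid]["ppid"]
    return False


def correlate(events):
    """Return {host: sorted finding labels} for one batch of process/file/network events."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    results = {}
    for host, evs in by_host.items():
        procs = {e["pid"]: e for e in evs if e["type"] == "process"}
        findings = set()
        for e in evs:
            if e["type"] == "process":
                parent = procs.get(e["ppid"])
                if (parent and basename(parent["image"]) in OFFICE_IMAGES
                        and basename(e["image"]) not in OFFICE_IMAGES):
                    findings.add("office_spawned_child")
            elif e["type"] == "file":
                target = e["target"].lower()
                in_startup = STARTUP_DIR_MARKER in target
                if in_startup:
                    findings.add("startup_folder_write")
                if basename(target) in LOOKALIKE_NAMES and not target.startswith(EXPECTED_DIRS):
                    findings.add("lookalike_name_outside_expected_dir")
                if in_startup and office_ancestry(e["pid"], procs):
                    findings.add("office_chain_to_startup_persistence")
            elif e["type"] == "network" and office_ancestry(e["pid"], procs):
                findings.add("office_chain_network_egress")
        results[host] = sorted(findings)
    return results


def severity(findings):
    """A lone Startup write is common; the Office-rooted chain is what warrants a case."""
    chain = {"office_chain_to_startup_persistence", "office_chain_network_egress"}
    return "high" if chain & set(findings) else "low"


if __name__ == "__main__":
    for host, found in correlate(EVENTS).items():
        print(host, severity(found), found)
```

The point of the parent-chain walk is that the Startup-folder write on WS02 produces the same atomic event as the one on WS01; only the ancestry (explorer.exe versus a cmd.exe child of WINWORD.EXE) separates a pinned shortcut from the campaign's persistence step, which is why `severity` keys on the chain findings rather than on any single event.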
Mitigation priorities
- Reduce user-execution risk with attachment controls, detonation/sandboxing, user reporting workflows, and targeted awareness for recruitment-themed lures where applicable.
- Harden or restrict unnecessary Office automation, DDE, scripting, and Visual Basic execution paths based on business need.
- Use application control and least privilege to limit unapproved payload execution and persistence under user context.
- Monitor and control Registry Run Keys and Startup Folder changes, especially on sensitive endpoints and administrator workstations.
- Strengthen endpoint detection and response coverage for process injection, suspicious native API use, and masquerading behavior.
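For the Office automation, DDE, and Visual Basic hardening point above, an added example that is not part of the page or the cited reports: a Python audit of a Word security registry export against a hardened baseline, with a weak export and a corrected one side by side. The value names (`VBAWarnings`, `blockcontentexecutionfrominternet`, `AllowDDE`) and their meanings follow Microsoft's documented Trust Center settings and security advisory ADV170021; the desired values, the Office version, and the `.reg` text itself are constructed assumptions for the example.

```python
"""Added example (not from the page or the cited reports): audit a Word security registry
export for the settings that cut off the VBA-macro and DDE execution paths the lure
documents relied on. Value names follow Microsoft's documented Trust Center settings
and advisory ADV170021 (AllowDDE); the .reg text is constructed for the example."""
import re

# Desired state, an assumption for this example; adjust to business need.
#   VBAWarnings: 4 = disable all macros without notification, 3 = allow signed only
#   blockcontentexecutionfrominternet: 1 = block macros in files marked from the internet
#   AllowDDE: 0 = DDE disabled (ADV170021 semantics)
CHECKS = {
    "VBAWarnings": lambda v: v in (3, 4),
    "blockcontentexecutionfrominternet": lambda v: v == 1,
    "AllowDDE": lambda v: v == 0,
}

# Constructed export: macros "disable with notification" (still one click from running)
# and DDE fully enabled; no internet-origin block at all.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002
"AllowDDE"=dword:00000002
"""

# Constructed export: the user key still says 2, but the Policies key overrides it.
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000002
"AllowDDE"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000003
"blockcontentexecutionfrominternet"=dword:00000001
"""

VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Parse the subset of .reg syntax Office security keys use: [key] sections and "name"=dword:hex."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            values.setdefault(key, {})
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            values[key][m.group(1)] = int(m.group(2), 16)
    return values


def audit_office_security(export_text, app="Word", version="16.0"):
    """Return [(value_name, observed)] for settings missing or weaker than CHECKS.
    Policy keys win over user keys, so the merge applies the Policies hive last.
    A missing value means the build default applies; it is reported so it gets verified."""
    parsed = parse_reg(export_text)
    base = "HKEY_CURRENT_USER\\Software\\"
    user_key = base + "Microsoft\\Office\\" + version + "\\" + app + "\\Security"
    policy_key = base + "Policies\\Microsoft\\Office\\" + version + "\\" + app + "\\Security"
    merged = dict(parsed.get(user_key, {}))
    merged.update(parsed.get(policy_key, {}))
    gaps = []
    for name, ok in CHECKS.items():
        observed = merged.get(name)
        if observed is None or not ok(observed):
            gaps.append((name, observed))
    return gaps


if __name__ == "__main__":
    print("weak:", audit_office_security(WEAK_EXPORT))
    print("hardened:", audit_office_security(HARDENED_EXPORT))
```

Run the same audit per Office application (`app="Excel"`, `app="PowerPoint"`) and per installed version; a macro policy that only covers Word leaves the Excel lure path open. An absent value is reported deliberately rather than assumed safe, because the effective default depends on the Office build and the patch level.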
Analyst notes and limits
The strongest decision value is to use Operation Sharpshooter as a scenario for targeted espionage readiness: lure-driven initial execution, stealthy endpoint behavior, persistence, tool transfer, and C2. ATT&CK notes similarities to Lazarus Group operations, but this take does not assert attribution beyond the supplied wording.
Campaign-level platforms, tactics, and official detection are not specified in the supplied ATT&CK object. Platform references come from related software and techniques, including Windows-specific relationships, not from the campaign object itself. Local telemetry, baselines, business processes, and asset criticality are required to determine actual coverage or risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1559.002 | Dynamic Data Exchange | During Operation Sharpshooter, threat actors sent malicious Word OLE documents to victims.[1] |
| Enterprise | T1584.004 | Server | For Operation Sharpshooter, the threat actors compromised a server they used as part of the campaign's infrastructure.[2] |
| Enterprise | T1608.001 | Upload Malware | For Operation Sharpshooter, the threat actors staged malicious files on Dropbox and other websites.[1] |
| Enterprise | T1583.006 | Web Services | For Operation Sharpshooter, the threat actors used Dropbox to host lure documents and their first-stage downloader.[1] |
| Enterprise | T1106 | Native API | During Operation Sharpshooter, the first-stage downloader resolved various Windows libraries and APIs, including `LoadLibraryA()`, `GetProcAddress()`, and `CreateProcessA()`.[1] |
| Enterprise | T1055 | Process Injection | During Operation Sharpshooter, threat actors leveraged embedded shellcode to inject a downloader into the memory of Word.[3] |
| Enterprise | T1059.005 | Visual Basic | During Operation Sharpshooter, the threat actors used a VBA macro to execute a simple downloader that installed Rising Sun.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | During Operation Sharpshooter, a first-stage downloader installed Rising Sun to `%Startup%\mssync.exe` on a compromised host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Operation Sharpshooter, additional payloads were downloaded after a target was infected with a first-stage downloader.[1] |
| Enterprise | T1587.001 | Malware | For Operation Sharpshooter, the threat actors used the Rising Sun modular backdoor.[1] |
| Enterprise | T1204.002 | Malicious File | During Operation Sharpshooter, the threat actors relied on victims executing malicious Microsoft Word or PDF files.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | During Operation Sharpshooter, threat actors installed Rising Sun in the Startup folder and disguised it as `mssync.exe`.[1] |
| Enterprise | T1090 | Proxy | For Operation Sharpshooter, the threat actors used the ExpressVPN service to hide their location.[2] |
Groups, software, and campaigns
S0448: Rising Sun
Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.[1]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources and updates pages.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ec8283b7b5b9… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] McAfee Sharpshooter December 2018: Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. McAfee. Retrieved May 14, 2020.
[2] Bleeping Computer Op Sharpshooter March 2019: Ilascu, I. (2019, March 3). Op 'Sharpshooter' Connected to North Korea's Lazarus Group. BleepingComputer. Retrieved September 26, 2022.
[3] Threatpost New Op Sharpshooter Data March 2019: O'Donnell, L. (2019, March 3). RSAC 2019: New Operation Sharpshooter Data Reveals Higher Complexity, Scope. Threatpost. Retrieved September 26, 2022.
[4] MITRE ATT&CK. C0013: Operation Sharpshooter. Source object record.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.