G0048: RTM
Analyst context for executives and security teams
RTM matters because it represents financially motivated intrusion activity focused on remote banking users, with documented use of the RTM banking Trojan and related behaviors spanning phishing or drive-by access, user-executed malicious files, Windows persistence, DLL abuse, legitimate remote desktop software, and web-based C2 redirection. For leaders, the decision value is not “track a named group” in isolation; it is whether banking, finance, and payment-adjacent workflows have enough email, endpoint, web, and remote-access visibility to detect and contain credential or remote-control activity before it affects fraud risk and business continuity.
Executive priority
Prioritize RTM-relevant coverage where users interact with remote banking systems or sensitive financial operations. Executives should ask whether controls can prove: suspicious attachments are filtered and investigated, browser/web exposure is monitored, unauthorized remote desktop tools are governed, Windows startup persistence is visible, and incident responders can quickly determine whether a banking Trojan or remote-control channel is present. This object has no official ATT&CK detection text and no group-level platform list, so risk decisions should be based on the related techniques and the organization’s own exposure to remote banking processes.
Technical view
SOC and IR teams should validate coverage against the documented relationships: S0148 RTM malware, T1566.001 Spearphishing Attachment, T1189 Drive-by Compromise, T1204.002 Malicious File, T1547.001 Registry Run Keys / Startup Folder, T1574.001 DLL (search order hijacking), T1219.002 Remote Desktop Software, and T1102.001 Dead Drop Resolver. Because the related malware and several of these techniques are Windows-specific, prioritize Windows endpoint evidence for process execution, file creation, DLL loading, Run key or startup folder changes, and remote desktop software execution. Network teams should validate visibility into outbound connections to legitimate external web services that may act as dead drop resolvers (the cited relationship names an RSS feed on Livejournal), while email and web teams should confirm retention and investigation workflows for attachments, links, and browsing events associated with suspicious execution.
Likely telemetry
- Email security logs and message metadata for attachments delivered to targeted users
- Endpoint process execution, file creation, and command-line telemetry
- Windows registry monitoring for Run keys and startup folder changes
- DLL load and suspicious library path telemetry where available
- Web proxy, DNS, and network egress logs for browsing, drive-by exposure, and outbound C2 discovery patterns
Detection direction
- Do not rely only on malware names; map detections to the related behaviors because RTM activity may be observed through phishing, malicious file execution, persistence, remote access tooling, or C2 redirection.
- Tune phishing and malicious attachment detections around user execution outcomes, not just message delivery, to reduce false positives and identify successful compromise paths.
- Baseline approved remote desktop and support tools, then alert on unexpected installation, execution, or outbound sessions from finance or banking-related endpoints.
- Validate Windows persistence detections for Run keys and startup folders, including user-context persistence that may be missed by privilege-focused monitoring.
- Review network monitoring assumptions for T1102.001: legitimate web services can mask C2 resolver behavior, so detections may require correlation with endpoint compromise signals rather than simple domain blocking.
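The Technical view, Likely telemetry and Detection direction sections above describe the same correlation problem: endpoint evidence (attachment execution, Run key writes, a system-named DLL resolved from a user-writable directory, an unbaselined remote desktop tool) has to be joined with egress to a legitimate web service before that egress means anything. The following Python is an added example written for this page, not MITRE, ESET, Group-IB or Glexia code. It runs the checks over simplified Sysmon-style event records constructed inline; the host names, the approved-tool baseline, the office-parent list and the system DLL watchlist are assumptions made for the demo, and the DLL and Run value names in the sample events are invented rather than taken from any RTM report.

```python
"""Correlate Windows endpoint and egress events for RTM-style behaviors.

Added example for this page; not MITRE, ESET, Group-IB or Glexia code.
Event dicts are simplified Sysmon-style records constructed inline.
"""
import ntpath
from collections import defaultdict

# Assumed asset context (not from ATT&CK): remote-banking endpoints and the
# remote-access tools that are baselined as approved on each of them.
FINANCE_HOSTS = {"FIN-WS-07", "FIN-WS-12"}
APPROVED_REMOTE_TOOLS = {"FIN-WS-12": {"teamviewer.exe"}}

# T1219.002: TeamViewer and Remote Utilities binaries (names are assumptions).
REMOTE_TOOL_NAMES = {"teamviewer.exe", "tv_w32.exe", "rutserv.exe", "rfusclient.exe"}
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe"}
RUN_KEY_FRAGMENT = "\\software\\microsoft\\windows\\currentversion\\run"  # Run and RunOnce
STARTUP_FOLDER = "\\start menu\\programs\\startup\\"
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
SYSTEM_DLL_NAMES = {"version.dll", "dwmapi.dll", "cryptbase.dll", "uxtheme.dll"}  # assumed watchlist
DEAD_DROP_HOSTS = ("livejournal.com",)  # web service named in the T1102.001 relationship


def _base(path):
    return ntpath.basename(path).lower()


def _dir(path):
    return ntpath.dirname(path).lower()


def check_user_executed_attachment(ev):
    """T1204.002 / T1566.001: mail or Office parent spawning an executable from Temp."""
    if ev["type"] != "process_create" or _base(ev["parent"]) not in OFFICE_PARENTS:
        return None
    if "\\appdata\\local\\temp\\" in ev["image"].lower():
        return f"T1204.002 {_base(ev['parent'])} spawned {ev['image']}"
    return None


def check_run_key(ev):
    """T1547.001: Run/RunOnce key or Startup folder write; HKCU counts as user-context."""
    if ev["type"] == "registry_set":
        target = ev["target"].lower()
        if RUN_KEY_FRAGMENT in target:
            ctx = "user-context" if target.startswith(("hkcu", "hku\\")) else "machine"
            return f"T1547.001 {ctx} Run key {ev['target']} set by {_base(ev['image'])}"
    if ev["type"] == "file_create" and STARTUP_FOLDER in ev["target"].lower():
        return f"T1547.001 Startup folder drop {ev['target']} by {_base(ev['image'])}"
    return None


def check_dll_hijack(ev):
    """T1574.001: a system-named DLL resolved from outside the Windows system directories."""
    if ev["type"] != "image_load":
        return None
    if _base(ev["loaded"]) in SYSTEM_DLL_NAMES and _dir(ev["loaded"]) not in SYSTEM_DIRS:
        return f"T1574.001 {_base(ev['image'])} loaded {ev['loaded']} (signed={ev.get('signed')})"
    return None


def check_remote_tool(ev):
    """T1219.002: remote desktop tool executing on a host where it is not approved."""
    if ev["type"] != "process_create":
        return None
    name = _base(ev["image"])
    if name in REMOTE_TOOL_NAMES and name not in APPROVED_REMOTE_TOOLS.get(ev["host"], set()):
        return f"T1219.002 unapproved {name} at {ev['image']} (parent {_base(ev['parent'])})"
    return None


ENDPOINT_CHECKS = (check_user_executed_attachment, check_run_key, check_dll_hijack, check_remote_tool)


def correlate(events):
    """Return {host: [findings]}. Egress to a dead-drop web service is only reported
    on hosts that already carry an endpoint finding; on its own it is browsing."""
    findings = defaultdict(list)
    for ev in events:
        for check in ENDPOINT_CHECKS:
            hit = check(ev)
            if hit:
                findings[ev["host"]].append(hit)
    for ev in events:  # second pass: T1102.001 needs endpoint corroboration, not domain blocking
        if ev["type"] == "network_connect" and ev["dest_host"].endswith(DEAD_DROP_HOSTS) and ev["host"] in findings:
            findings[ev["host"]].append(f"T1102.001 possible dead drop lookup to {ev['dest_host']} by {_base(ev['image'])}")
    return dict(findings)


def prioritize(findings):
    """Order hosts for triage: finance endpoints first, then by finding count."""
    return sorted(findings, key=lambda h: (h not in FINANCE_HOSTS, -len(findings[h])))


# Constructed sample telemetry: one compromised finance host, one benign approved
# TeamViewer install, and an unrelated host that merely browses Livejournal.
SAMPLE_EVENTS = [
    {"type": "process_create", "host": "FIN-WS-07", "image": r"C:\Users\a.petrov\AppData\Local\Temp\Invoice_0419.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE"},
    {"type": "registry_set", "host": "FIN-WS-07", "image": r"C:\Users\a.petrov\AppData\Local\Temp\Invoice_0419.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"type": "process_create", "host": "FIN-WS-07", "image": r"C:\Users\a.petrov\AppData\Roaming\Sys\TeamViewer.exe",
     "parent": r"C:\Users\a.petrov\AppData\Local\Temp\Invoice_0419.exe"},
    {"type": "image_load", "host": "FIN-WS-07", "image": r"C:\Users\a.petrov\AppData\Roaming\Sys\TeamViewer.exe",
     "loaded": r"C:\Users\a.petrov\AppData\Roaming\Sys\version.dll", "signed": False},
    {"type": "network_connect", "host": "FIN-WS-07", "image": r"C:\Users\a.petrov\AppData\Roaming\Sys\TeamViewer.exe",
     "dest_host": "www.livejournal.com", "dest_port": 443},
    {"type": "process_create", "host": "FIN-WS-12", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "image_load", "host": "FIN-WS-12", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe",
     "loaded": r"C:\Windows\System32\version.dll", "signed": True},
    {"type": "network_connect", "host": "HR-WS-03", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest_host": "www.livejournal.com", "dest_port": 443},
]

if __name__ == "__main__":
    results = correlate(SAMPLE_EVENTS)
    for host in prioritize(results):
        print(host)
        for finding in results[host]:
            print("  ", finding)
```

Running the module reports five findings on FIN-WS-07 and nothing for FIN-WS-12 or HR-WS-03: the approved TeamViewer loading version.dll from System32 never fires, and the Livejournal connection from the HR workstation is dropped because that host has no endpoint finding to corroborate it. In production the baseline, watchlist and dead-drop host list would come from inventory and threat intelligence rather than literals, and the Run key check should also cover the Wow6432Node and RunOnce paths your telemetry normalizes differently.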
Mitigation priorities
- Start with business-process scoping: identify users and endpoints that access remote banking systems and ensure they receive stronger monitoring and response prioritization.
- Harden email and web controls against suspicious attachments, social engineering, and drive-by exposure, while maintaining evidence retention for investigations.
- Enforce application control or software governance for remote desktop/support tools so approved use is distinguishable from adversary use.
- Improve Windows endpoint hardening and monitoring for startup persistence and DLL abuse, especially on finance-related workstations.
- Maintain incident response playbooks for suspected banking Trojan activity that include credential protection, remote access review, endpoint isolation, and validation of financial transaction workflows.
Analyst notes and limits
ATT&CK describes RTM as a cybercriminal group active since at least 2015 and primarily interested in users of remote banking systems in Russia and neighboring countries, using the RTM Trojan. The most useful defensive context comes from the supplied relationships to RTM malware and techniques for initial access, execution, persistence, C2, and remote desktop software. This take intentionally frames RTM as a coverage-validation scenario for financial workflows rather than asserting current targeting of any organization.
The supplied group object has no official ATT&CK detection guidance, no group-level tactics, and no group-level platforms. Platform and tactic context is inferred only from the supplied related software and technique relationships. The source set is limited to MITRE’s object data and cited external references; local exposure, telemetry quality, and control effectiveness must be confirmed by the organization.
RTM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1189 | Drive-by Compromise | RTM has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | |
| Enterprise | T1574.001 | DLL | RTM has used search order hijacking to force TeamViewer to load a malicious DLL. (Citation: Group IB RTM August 2019) |
| Enterprise | T1204.002 | Malicious File | RTM has attempted to lure victims into opening e-mail attachments to execute malicious code. (Citation: Group IB RTM August 2019) |
| Enterprise | T1566.001 | Spearphishing Attachment | RTM has used spearphishing attachments to distribute its malware. (Citation: Group IB RTM August 2019) |
| Enterprise | T1219.002 | Remote Desktop Software | RTM has used a modified version of TeamViewer and Remote Utilities for remote access. (Citation: Group IB RTM August 2019) |
| Enterprise | T1102.001 | Dead Drop Resolver | RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. (Citation: ESET RTM Feb 2017) |
Groups, software, and campaigns
S0148: RTM
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 6e23f5d998ab… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET RTM Feb 2017: Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
[2] RTM (alias entry) (Citation: ESET RTM Feb 2017)
[3] mitre-attack G0048 (MITRE ATT&CK group object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.