S0004: TinyZBot
Analyst context for executives and security teams
TinyZBot matters because ATT&CK describes it as a Windows bot associated with Cleaver reporting and links it to behaviors that support credential theft, user activity collection, command execution, persistence, and possible defense impairment. For leaders, the value is not the malware name alone; it is whether Windows endpoint visibility can prove what happened when a bot captures keystrokes, screenshots, clipboard data, or survives reboot.
Executive priority
Prioritize this as a Windows endpoint resilience and incident-readiness use case. Executives should ask whether the organization can rapidly answer: which hosts executed suspicious command shell activity, which persistence mechanisms were created, whether user data or credentials may have been collected, and whether security tooling was impaired. This supports business continuity, credential-risk decisions, audit evidence for monitoring controls, and IR scoping.
Technical view
Validate coverage against the ATT&CK relationships for TinyZBot: T1056.001 Keylogging, T1059.003 Windows Command Shell, T1113 Screen Capture, T1115 Clipboard Data, T1543.003 Windows Service, T1547.001 Registry Run Keys / Startup Folder, T1547.009 Shortcut Modification, and T1685 Disable or Modify Tools. SOC and IR teams should focus on Windows host evidence for process execution, persistence creation or modification, and user-data collection behaviors. Because the TinyZBot object has no official ATT&CK detection text and no object-level tactics, detection engineering should be relationship-driven and validated with local telemetry rather than assumed from the software name.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe activity
- Windows service creation, modification, configuration, and service binary path changes
- Registry autorun key monitoring and Startup folder file creation or modification
- Shortcut file creation or modification in startup or user-accessible locations
- Endpoint behavioral telemetry related to screen capture, clipboard access, and keystroke collection
Detection direction
- Build detections around the related techniques rather than the malware name alone, since no official detection guidance is supplied.
- Correlate command shell execution with new or modified persistence artifacts such as services, Run keys, Startup folder entries, and shortcut changes.
- Treat clipboard, screenshot, and keylogging signals as high-value but potentially noisy; tune around unusual processes, persistence context, and affected user roles.
- Validate whether security-tool impairment logic is applicable in the local environment; the supplied T1685 relationship exists, but its related platform list does not include Windows in the provided text.
- Use Cleaver relationship context for threat intelligence enrichment, not as proof of current activity or attribution in local incidents.
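As an added illustration of the correlation suggested in the second bullet above (example code, not part of the ATT&CK object or the Glexia page), this Python snippet runs over constructed Sysmon-style events and flags hosts where a Run-key write, a Startup-folder .lnk creation, or a service install follows cmd.exe execution within a short window. The event IDs, field names, sample hosts and the 10-minute window are assumptions for the illustration.

```python
"""Correlate cmd.exe execution with persistence artifacts on the same host.

Added example, not from the ATT&CK object or the Glexia page. Records are
constructed Sysmon-style events: ID 1 = process create, ID 11 = file create,
ID 13 = registry value set; 7045 stands in for a System-log service install.
"""
from datetime import datetime, timedelta

RUN_KEYS = ("\\CurrentVersion\\Run",)  # also matches RunOnce
STARTUP_DIR = "\\Start Menu\\Programs\\Startup\\"

# Constructed sample telemetry (not real incident data).
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "host": "WS01", "id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c start bot.exe"},
    {"ts": "2024-05-01T09:00:20", "host": "WS01", "id": 13, "image": "C:\\Users\\a\\bot.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"ts": "2024-05-01T09:01:00", "host": "WS01", "id": 11, "image": "C:\\Users\\a\\bot.exe",
     "target": "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\updater.lnk"},
    {"ts": "2024-05-01T10:00:00", "host": "WS02", "id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2024-05-01T14:00:00", "host": "WS02", "id": 13, "image": "C:\\Program Files\\Vendor\\setup.exe",
     "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vendor"},
]


def persistence_kind(ev):
    """Classify an event as a persistence artifact, or return None."""
    target = ev.get("target", "")
    if ev["id"] == 13 and any(k in target for k in RUN_KEYS):
        return "run_key"
    if ev["id"] == 11 and STARTUP_DIR in target and target.lower().endswith(".lnk"):
        return "startup_shortcut"
    if ev["id"] == 7045:
        return "service_install"
    return None


def correlate(events, window_min=10):
    """Return (host, kind, target, shell cmdline) for each persistence artifact
    created within window_min minutes after a cmd.exe launch on the same host."""
    window = timedelta(minutes=window_min)
    shells = [e for e in events if e["id"] == 1 and e["image"].lower().endswith("\\cmd.exe")]
    hits = []
    for ev in events:
        kind = persistence_kind(ev)
        if kind is None:
            continue
        t_ev = datetime.fromisoformat(ev["ts"])
        for sh in shells:
            delta = t_ev - datetime.fromisoformat(sh["ts"])
            if sh["host"] == ev["host"] and timedelta(0) <= delta <= window:
                hits.append((ev["host"], kind, ev["target"], sh["cmdline"]))
                break  # one matching shell per artifact is enough to alert
    return hits
```

WS02's Run-key write falls hours after its cmd.exe launch, so it is not paired; only the WS01 sequence is surfaced for triage.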
Mitigation priorities
- Confirm Windows endpoint logging and EDR/AV health monitoring are consistently deployed before relying on detections.
- Harden and monitor common persistence locations: Windows services, Registry Run keys, Startup folders, and shortcut-based startup paths.
- Apply least privilege and change-control review for service creation and autorun modifications.
- Strengthen credential-protection and incident playbooks for possible keylogging or clipboard/screen data collection events.
- Maintain tamper-resistance and alerting for security tools where supported, and test whether loss of endpoint telemetry is visible to the SOC.
Analyst notes and limits
TinyZBot is identified by ATT&CK as a C# bot developed by Cleaver, with one supplied external reference to the Cylance Operation Cleaver report. The most useful defensive interpretation comes from the linked techniques, which span collection, credential access, execution, persistence, privilege escalation, and defense impairment.
ATT&CK provides no official detection text, no aliases, no labels, and no object-level tactics for TinyZBot in the supplied fields. Platform support is Windows at the malware-object level; related techniques may list broader or different platforms. Local telemetry, asset criticality, and incident evidence are required before drawing conclusions about exposure, attribution, or compromise.
TinyZBot
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1685 | Disable or Modify Tools | TinyZBot can disable Avira anti-virus. [1] |
| Enterprise | T1115 | Clipboard Data | TinyZBot contains functionality to collect information from the clipboard. [1] |
| Enterprise | T1113 | Screen Capture | TinyZBot contains screen capture functionality. [1] |
| Enterprise | T1547.009 | Shortcut Modification | TinyZBot can create a shortcut in the Windows startup folder for persistence. [1] |
| Enterprise | T1543.003 | Windows Service | TinyZBot can install as a Windows service for persistence. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | TinyZBot can create a shortcut in the Windows startup folder for persistence. [1] |
| Enterprise | T1056.001 | Keylogging | TinyZBot contains keylogger functionality. [1] |
| Enterprise | T1059.003 | Windows Command Shell | TinyZBot supports execution from the command-line. [1] |
Groups, software, and campaigns
G0003: Cleaver
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | b2a1ab7bf993… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cylance Cleaver: Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
[2] mitre-attack S0004: MITRE ATT&CK source record for TinyZBot.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.