S0010: Lurid
Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006. [1] [2]
Analyst context for executives and security teams
Lurid is a Windows malware family documented by ATT&CK as used in targeted attacks dating back to 2006, including by the group PittyTiger. Its decision value is less about a single current campaign and more about validating whether the organization can recognize common targeted-intrusion behaviors associated with it: collected data being archived before exfiltration and command-and-control traffic protected with symmetric cryptography.
Executive priority
Treat this as a coverage validation item for Windows-focused targeted intrusion readiness. Leaders should ask whether SOC, IR, and audit teams can prove they collect the endpoint and network evidence needed to identify data staging, archive creation, and suspicious encrypted outbound communications. Because ATT&CK provides no official detection guidance for Lurid, confidence should come from local control validation, not from assuming named-malware coverage exists.
Technical view
For defenders, map Lurid-related validation to its supplied ATT&CK relationships: T1560 Archive Collected Data and T1573.001 Symmetric Cryptography. On Windows systems, confirm visibility into archive utility execution, unusual archive file creation, staging locations, process lineage, file access patterns, and outbound network sessions that may carry encrypted C2 content. Because the malware object has no ATT&CK tactics specified and no official detection text, detection engineering should focus on behavior and environment baselines rather than static family naming alone.
Likely telemetry
- Windows endpoint process execution and parent-child process lineage
- File creation, modification, and access events for archives and staged collections
- EDR or host telemetry showing command-line arguments for compression or archive utilities
- Network connection metadata from endpoints, proxies, firewalls, or network sensors
- TLS/encrypted-session metadata where available, without assuming payload inspection
Detection direction
- Validate behavioral analytics for archive creation after suspicious file collection activity on Windows endpoints.
- Tune detections for unusual compression or archive activity by user, host role, path, frequency, and process lineage to reduce false positives from legitimate backup, admin, and software packaging workflows.
- Review outbound encrypted communication patterns from Windows hosts, especially rare destinations, unusual processes initiating connections, or sessions inconsistent with normal business applications.
- Do not rely only on malware-family signatures; ATT&CK supplies no official Lurid detection guidance and the object has sparse tactic metadata.
- Use the PittyTiger relationship as threat-intelligence context, not as proof of attribution in any local incident.
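The two behaviours the list above asks teams to validate, archive creation shortly after a burst of file collection and encrypted egress from an unexpected process to a rare destination, can be exercised against endpoint telemetry before any named-malware signature is involved. The Python below is an added example written for this page, not code from ATT&CK, MITRE or any Lurid report; the event schema, the archive-utility and expected-TLS-client lists, the thresholds and every sample host, user, path and address are constructed assumptions to be replaced with the organisation's own telemetry format and baselines.

```python
"""Added example: behaviour-based triage for archive-after-collection and rare encrypted egress.
Event shapes, utility names, thresholds and sample data are constructed assumptions for this
page; they are not Lurid indicators and not ATT&CK-supplied detection logic."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical archive utilities worth correlating; tune to what the estate legitimately runs.
ARCHIVE_UTILITIES = {"7z.exe", "7za.exe", "rar.exe", "winrar.exe", "tar.exe", "makecab.exe"}
# Hypothetical set of processes that normally own TLS egress on a workstation.
EXPECTED_TLS_INITIATORS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}

FILE_READ_BURST = 50                    # reads inside the window that count as "collection"
COLLECTION_WINDOW = timedelta(minutes=10)


def _ts(s):
    return datetime.fromisoformat(s)


def find_archive_after_collection(events, burst=FILE_READ_BURST,
                                  window=COLLECTION_WINDOW, exempt_hosts=frozenset()):
    """Alert when an archive utility runs on a host shortly after a burst of file reads.

    events: dicts with type ('file_read' | 'process'), ts (ISO 8601), host, user and, for
    process events, image, parent and cmdline. Hosts whose role legitimately archives many
    files (backup servers) are passed in exempt_hosts, which is the host-role tuning knob.
    """
    reads = defaultdict(list)           # host -> timestamps of file reads
    for e in events:
        if e["type"] == "file_read":
            reads[e["host"]].append(_ts(e["ts"]))
    alerts = []
    for e in events:
        if e["type"] != "process" or e["host"] in exempt_hosts:
            continue
        if e["image"].lower() not in ARCHIVE_UTILITIES:
            continue
        t = _ts(e["ts"])
        recent = [r for r in reads[e["host"]] if t - window <= r <= t]
        if len(recent) >= burst:        # frequency threshold; lineage is kept for the analyst
            alerts.append({"host": e["host"], "user": e["user"], "image": e["image"],
                           "parent": e["parent"], "cmdline": e["cmdline"],
                           "reads_in_window": len(recent), "ts": e["ts"]})
    return alerts


def find_rare_encrypted_egress(connections, baseline):
    """Alert on outbound TCP/443 sessions from a process that is not a usual TLS client,
    to a destination absent from that host's baseline. No payload inspection is assumed.

    connections: dicts with host, image, dst, dst_port. baseline: host -> set of dst seen.
    """
    alerts = []
    for c in connections:
        if c["dst_port"] != 443:
            continue
        unexpected_initiator = c["image"].lower() not in EXPECTED_TLS_INITIATORS
        rare_destination = c["dst"] not in baseline.get(c["host"], set())
        if unexpected_initiator and rare_destination:
            alerts.append({"host": c["host"], "image": c["image"], "dst": c["dst"]})
    return alerts


def build_sample_events():
    """Constructed telemetry: a read burst then rar.exe on WS01, a small benign zip on WS02,
    and a large nightly job on the backup host BKP01 (expected to be exempted)."""
    events = []
    base = datetime(2024, 1, 15, 9, 0, 0)
    for i in range(60):                 # 60 reads in five minutes on WS01
        events.append({"type": "file_read", "ts": (base + timedelta(seconds=5 * i)).isoformat(),
                       "host": "WS01", "user": "jdoe", "path": f"\\\\fs1\\finance\\doc{i}.xlsx"})
    events.append({"type": "process", "ts": (base + timedelta(minutes=6)).isoformat(),
                   "host": "WS01", "user": "jdoe", "image": "rar.exe", "parent": "cmd.exe",
                   "cmdline": "rar.exe a C:\\Users\\Public\\r.rar C:\\Users\\jdoe\\stage"})
    for i in range(5):                  # a developer zipping a small project on WS02
        events.append({"type": "file_read", "ts": (base + timedelta(seconds=i)).isoformat(),
                       "host": "WS02", "user": "asmith", "path": f"C:\\proj\\src{i}.c"})
    events.append({"type": "process", "ts": (base + timedelta(minutes=1)).isoformat(),
                   "host": "WS02", "user": "asmith", "image": "7z.exe", "parent": "explorer.exe",
                   "cmdline": "7z.exe a src.zip C:\\proj"})
    for i in range(500):                # backup server reading hundreds of files
        events.append({"type": "file_read", "ts": (base + timedelta(seconds=i)).isoformat(),
                       "host": "BKP01", "user": "svc_backup", "path": f"D:\\data\\f{i}"})
    events.append({"type": "process", "ts": (base + timedelta(minutes=9)).isoformat(),
                   "host": "BKP01", "user": "svc_backup", "image": "7z.exe", "parent": "backup.exe",
                   "cmdline": "7z.exe a nightly.7z D:\\data"})
    return events


SAMPLE_CONNECTIONS = [                  # constructed network metadata, documentation-range IPs
    {"host": "WS01", "image": "chrome.exe", "dst": "203.0.113.10", "dst_port": 443},
    {"host": "WS01", "image": "wscript.exe", "dst": "198.51.100.7", "dst_port": 443},
    {"host": "WS02", "image": "updater.exe", "dst": "203.0.113.50", "dst_port": 443},
]
SAMPLE_BASELINE = {"WS01": {"203.0.113.10"}, "WS02": {"203.0.113.50"}}

if __name__ == "__main__":
    for a in find_archive_after_collection(build_sample_events(), exempt_hosts={"BKP01"}):
        print("archive-after-collection:", a)
    for a in find_rare_encrypted_egress(SAMPLE_CONNECTIONS, SAMPLE_BASELINE):
        print("rare encrypted egress:", a)
```

Run as written, the first analytic fires once, for WS01 (60 reads inside the window, rar.exe spawned from cmd.exe), stays quiet for the five-file zip on WS02, and stays quiet for BKP01 only because that host was exempted by role; drop the exemption and the backup job fires too, which is the false-positive class the tuning bullet warns about. The egress analytic flags the wscript.exe session to a destination WS01 has never contacted, while the browser session and the updater going to its baselined endpoint pass. Both functions return structured alerts rather than verdicts, so parent image, command line and destination stay available for the analyst to weigh against path, user and host-role context.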
Mitigation priorities
- Prioritize Windows endpoint visibility and retention for process, file, and network events before attempting high-confidence behavior detection.
- Apply least privilege and access controls to reduce unnecessary exposure of sensitive data that could be collected and archived.
- Use egress controls, proxy logging, and network monitoring to make suspicious outbound encrypted communications reviewable during investigations.
- Maintain IR playbooks for suspected data staging and C2 activity, including host isolation criteria and evidence preservation.
- Use threat-intelligence reviews to determine whether Lurid-related reporting is relevant to the organization’s geography, sector, or exposed Windows environment, without assuming current exposure from ATT&CK alone.
Analyst notes and limits
The strongest defensible takeaways come from the supplied relationships rather than the malware description itself: Lurid is associated with archive-before-exfiltration behavior and symmetric cryptography for C2. PittyTiger is listed as using Lurid, but attribution should not be inferred from telemetry without additional evidence.
ATT&CK provides no official detection text, no aliases, no labels, and no tactics directly on the Lurid malware object. The supplied platform is Windows, while one related technique has broader platform metadata; local validation is required to determine actual relevance, telemetry availability, and detection quality.
Lurid
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Lurid performs XOR encryption. [2] |
| Enterprise | T1560 | Archive Collected Data | Lurid can compress data before sending it. [2] |
Groups, software, and campaigns
G0011: PittyTiger
PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | (not recorded) | 1.1 | (not recorded) | Current bundle | 0d77ef1a5b55… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Villeneuve 2014. Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
[2] Villeneuve 2011. Villeneuve, N., Sancho, D. (2011). THE “LURID” DOWNLOADER. Retrieved November 12, 2014.
[3] mitre-attack S0010.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.