S0011: Taidoor
Analyst context for executives and security teams
Taidoor is a Windows remote access trojan that ATT&CK associates with long-running access operations, including use against Taiwanese government organizations, and that has been the subject of joint CISA/FBI/DOD reporting. Its mapped behaviors matter because they span the full defender problem: phishing-based entry, user-driven malicious file execution, persistence through Registry Run Keys, discovery of systems, files, processes and network settings, local data collection, command execution, tool transfer, encrypted or nonstandard command-and-control, DLL injection, and file deletion. For leaders, this is a good test case for whether Windows endpoint, email, network, and incident response evidence can be joined quickly enough to prove or disprove compromise.
Executive priority
Prioritize Taidoor as a resilience and assurance scenario rather than a single indicator problem. The business questions are: can the organization prevent or contain malicious attachments, detect persistence and stealthy Windows execution, identify suspicious outbound C2 over web or non-application-layer protocols, and produce audit-ready evidence showing what data was accessed locally. This object is especially relevant to government-facing, regulated, or high-sensitivity environments where remote access, data collection, and long-dwell persistence would affect continuity, reporting obligations, and incident decision-making.
Technical view
ATT&CK provides no dedicated detection text for Taidoor, so SOC and IR validation should be built from the mapped techniques. On Windows, validate visibility for Registry query and modification, Run Key or Startup Folder persistence, cmd.exe execution, Native API/process activity, DLL injection indicators, process discovery, file and directory enumeration, local data access, file deletion, decoding/deobfuscation activity, ingress file transfer, and outbound C2 using web protocols, non-application-layer protocols, and symmetric cryptography. Detection engineering should correlate initial email or malicious file execution with later host discovery, persistence, and network egress rather than relying on any single behavior.
Likely telemetry
- Email security logs and attachment metadata for spearphishing attachment and malicious file delivery patterns
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and administrative discovery utilities
- Windows Registry auditing or EDR telemetry for Registry queries, Registry modification, and Run Key or Startup Folder persistence
- Endpoint file telemetry for file and directory enumeration, local data access, tool drops, decoded/deobfuscated files, and file deletion
- Process and memory telemetry capable of surfacing DLL injection or unusual cross-process activity
Detection direction
- Build correlation around the relationship chain: phishing or malicious file execution followed by discovery, Registry persistence, local data collection, command execution, tool transfer, and outbound C2.
- Tune Windows Registry detections for suspicious Run Key or Startup Folder changes, while accounting for legitimate software installers and enterprise management tools as common false positives.
- Review command shell and discovery detections for unusual combinations of process, network, file, and Registry activity rather than treating common Windows commands as malicious in isolation.
- Validate whether endpoint tooling can detect or investigate DLL injection and Native API-based execution; many environments collect process starts but not sufficient memory or cross-process detail.
- Use network analytics to baseline normal HTTP/S and other egress, then hunt for rare destinations, unusual timing, encrypted payload patterns, and protocol use inconsistent with business applications.
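The chain in the list above, worked as runnable detection logic. This is an added example written for this page rather than code from MITRE, CISA, Trend Micro or Glexia; the event schema and field names, the hostnames, paths and destination, the installer allowlist and the egress baseline are all constructed assumptions that you would replace with your own EDR, Registry-audit, mail-gateway and proxy fields. It flags cmd.exe running from a Temp path (the page's T1059.003 note), a Run-key value written by anything other than an allowlisted installer (T1547.001, tuned as the second bullet suggests), a risky attachment, and an HTTP request to an unbaselined host, then alerts only when one host shows at least three of the four stages in kill-chain order inside a single window:

```python
"""Correlate e-mail, process, Registry and HTTP telemetry into a Taidoor-style
chain: delivery -> execution -> persistence -> egress.

Added example for this page, not code from MITRE, CISA or Trend Micro. The event
schema, field names, hostnames, paths, destinations and the installer allowlist
are constructed assumptions; map them onto your own EDR/SIEM fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Parent images that legitimately write Run keys (installers, management agents).
# Assumed allowlist; build yours from a real baseline.
RUN_KEY_BENIGN_PARENTS = {"msiexec.exe", "setup.exe", "ccmexec.exe"}
# Destinations seen during normal web egress (constructed baseline).
HTTP_BASELINE = {"updates.corp.example", "www.example.com"}
RISKY_ATTACHMENT_EXT = (".exe", ".scr", ".dll", ".js", ".lnk")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"
STAGES = ("delivery", "execution", "persistence", "egress")   # kill-chain order


def classify(ev):
    """Map one raw event to (stage, technique, reason), or None if uninteresting."""
    kind = ev["kind"]
    if kind == "email" and ev["attachment"].lower().endswith(RISKY_ATTACHMENT_EXT):
        return ("delivery", "T1566.001", f"risky attachment {ev['attachment']}")
    if kind == "process":
        image = ev["image"].lower()
        # Taidoor copies cmd.exe into the system temp folder; a cmd.exe that does
        # not live under System32/SysWOW64 is the signal, not cmd.exe itself.
        if image.endswith("\\cmd.exe") and "\\temp\\" in image:
            return ("execution", "T1059.003", f"cmd.exe running from {ev['image']}")
    if kind == "registry" and ev["action"] == "set_value" and RUN_KEY in ev["key"].lower():
        parent = ev.get("parent_image", "").lower().rsplit("\\", 1)[-1]
        if parent in RUN_KEY_BENIGN_PARENTS:
            return None                       # installer/management noise, tuned out
        return ("persistence", "T1547.001", f"Run value {ev['value_name']} -> {ev['data']}")
    if kind == "http" and ev["method"] in ("GET", "POST") and ev["dst_host"] not in HTTP_BASELINE:
        return ("egress", "T1071.001", f"{ev['method']} to unbaselined host {ev['dst_host']}")
    return None


def correlate(events, window=timedelta(hours=24), min_stages=3):
    """Per host, keep the earliest hit for each stage inside `window` and alert when
    at least `min_stages` stages appear in kill-chain order."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            by_host[ev["host_name"]].append((ev["ts"], *hit))
    alerts = []
    for host, hits in by_host.items():
        first_ts = hits[0][0]
        earliest = {}
        for ts, stage, tech, reason in hits:
            if ts - first_ts <= window:
                earliest.setdefault(stage, (ts, tech, reason))
        ordered = [s for s in STAGES if s in earliest]
        times = [earliest[s][0] for s in ordered]
        if len(ordered) >= min_stages and times == sorted(times):
            alerts.append({"host": host, "stages": ordered,
                           "techniques": [earliest[s][1] for s in ordered],
                           "timeline": [(earliest[s][0].isoformat(), earliest[s][2])
                                        for s in ordered]})
    return alerts


# Constructed sample telemetry: one compromised workstation, one benign one.
T0 = datetime(2024, 3, 4, 9, 0)
SAMPLE_EVENTS = [
    {"kind": "email", "ts": T0, "host_name": "WS-017", "attachment": "agenda.exe"},
    {"kind": "process", "ts": T0 + timedelta(minutes=3), "host_name": "WS-017",
     "image": r"C:\Users\alice\AppData\Local\Temp\cmd.exe"},
    {"kind": "registry", "ts": T0 + timedelta(minutes=4), "host_name": "WS-017",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "action": "set_value",
     "value_name": "Updater", "data": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\cmd.exe"},
    {"kind": "http", "ts": T0 + timedelta(minutes=6), "host_name": "WS-017",
     "method": "POST", "dst_host": "203.0.113.45"},
    {"kind": "registry", "ts": T0, "host_name": "WS-042",           # vendor installer
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "action": "set_value",
     "value_name": "VendorAgent", "data": r"C:\Program Files\Vendor\agent.exe",
     "parent_image": r"C:\Windows\System32\msiexec.exe"},
    {"kind": "http", "ts": T0 + timedelta(minutes=1), "host_name": "WS-042",
     "method": "GET", "dst_host": "www.example.com"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], "->", ", ".join(alert["techniques"]))
        for ts, reason in alert["timeline"]:
            print("   ", ts, reason)
```

Running the block prints one alert for WS-017 with its four-step timeline. WS-042's msiexec-written Run key and its GET to a baselined host produce no hits at all, so the host never enters correlation; the allowlist and the egress baseline do the tuning, not a per-event verdict on cmd.exe or Run-key writes, which is the point of the third bullet: common Windows activity becomes interesting only in combination and in order.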
Mitigation priorities
- Strengthen email and attachment controls first, including policies and technical controls that reduce execution of malicious attachments and risky file types.
- Harden Windows endpoints against unauthorized persistence by monitoring and controlling Registry Run Keys, Startup Folders, and unnecessary user write paths.
- Limit user privileges and administrative access so Registry modification, tool installation, and sensitive local data access require appropriate authorization.
- Improve endpoint detection and response coverage for process creation, command shell use, Registry activity, file operations, and injection-related behavior.
- Restrict and monitor outbound traffic, including web egress and nonstandard or non-application-layer protocols, so command-and-control paths are harder to establish and easier to investigate.
Analyst notes and limits
This take is based only on the supplied ATT&CK STIX fields, external references, and relationships for malware S0011 Taidoor. MITRE identifies Taidoor as a Windows RAT and cites CISA/FBI/DOD and Trend Micro reporting. The relationship set provides useful defensive context even though the object itself has no ATT&CK tactics listed and no official detection narrative.
No active exploitation status, current targeting, indicators, hashes, infrastructure, or guaranteed detection logic are provided in the supplied fields. Technique relationships describe observed or associated behaviors but do not prove every Taidoor intrusion will exhibit every behavior. Local telemetry quality, retention, endpoint configuration, and business baselines are required to turn this into reliable detection or risk evidence.
Taidoor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1124 | System Time Discovery | Taidoor can use |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Taidoor can copy cmd.exe into the system temp folder. [1] |
| Enterprise | T1112 | Modify Registry | Taidoor has the ability to modify the Registry on compromised hosts using |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Taidoor has used HTTP GET and POST requests for C2. [2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Taidoor uses RC4 to encrypt the message body of HTTP content. [2][1] |
| Enterprise | T1106 | Native API | Taidoor has the ability to use native APIs for execution including |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Taidoor can use |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | Taidoor has been delivered through spearphishing emails. [2] |
| Enterprise | T1016 | System Network Configuration Discovery | Taidoor has collected the MAC address of a compromised host; it can also use |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Taidoor can use a stream cipher to decrypt strings used by the malware. [1] |
| Enterprise | T1012 | Query Registry | Taidoor can query the Registry on compromised hosts using |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Taidoor can perform DLL loading. [2][1] |
| Enterprise | T1105 | Ingress Tool Transfer | Taidoor has downloaded additional files onto a compromised host. [2] |
| Enterprise | T1005 | Data from Local System | Taidoor can upload data and files from a victim's machine. [2] |
| Enterprise | T1083 | File and Directory Discovery | Taidoor can search for specific files. [1] |
| Enterprise | T1057 | Process Discovery | Taidoor can use |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Taidoor can use encrypted string blocks for obfuscation. [1] |
| Enterprise | T1204.002 | User Execution: Malicious File | Taidoor has relied upon a victim to click on a malicious email attachment. [2] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Taidoor has modified the |
| Enterprise | T1095 | Non-Application Layer Protocol | Taidoor can use TCP for C2 communications. [1] |
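Two rows above (T1071.001 and T1573.001) say Taidoor's HTTP GET/POST bodies are RC4-encrypted, and the detection direction section suggests hunting for encrypted payload patterns in web egress. The block below, an added example rather than code from the cited reports, shows both sides of that: an entropy check that flags a POST body which claims a text content type but is near-random, and decryption plus parsing of a captured body once a key has been recovered from the sample. The RC4 routine is the standard key-scheduling and output loop; the key, the `k=v;` beacon layout and the sample body are constructed for illustration and are not taken from Taidoor.

```python
"""RC4-encrypted HTTP bodies: decrypt a captured POST body with a recovered key,
and flag near-random bodies behind text content types before any key is known.

Added example for this page, not code from the Taidoor analyses it cites. The
RC4 routine is the standard KSA/PRGA; the key, the beacon format and the sample
body are constructed for illustration, not recovered from Taidoor samples.
"""
import math
from collections import Counter


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                               # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                  # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8 for encrypted or compressed data, 4-5 for text."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_post_body(content_type: str, body: bytes, threshold: float = 7.0) -> bool:
    """A body that claims a text content type but is near-random is worth a look.
    Short bodies are skipped: entropy cannot exceed log2(len) bits, so the
    threshold only means something from a few hundred bytes upward."""
    mime = content_type.split(";")[0].strip().lower()
    texty = mime in ("text/html", "text/plain", "application/x-www-form-urlencoded")
    return texty and len(body) >= 256 and shannon_entropy(body) > threshold


def parse_beacon(key: bytes, body: bytes) -> dict:
    """Decrypt a body with a recovered key and parse the constructed 'k=v;' layout."""
    plain = rc4(key, body).decode("ascii", errors="replace")
    fields = {}
    for item in plain.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            fields[k.strip()] = v.strip()
    return fields


# Constructed key and beacon; a real key comes from reversing the sample.
ASSUMED_KEY = b"example-rc4-key"
BEACON = b"id=WS-017;mac=00:11:22:33:44:55;os=Windows 10;cmd=none;"
# Repeated only so the body is long enough for the entropy check to be meaningful.
PLAIN_BODY = BEACON * 19
CAPTURED_BODY = rc4(ASSUMED_KEY, PLAIN_BODY)      # what a sensor would see on the wire

if __name__ == "__main__":
    print("entropy of plaintext body:", round(shannon_entropy(PLAIN_BODY), 2))
    print("entropy of captured body: ", round(shannon_entropy(CAPTURED_BODY), 2))
    print("flag as text/html POST:   ", suspicious_post_body("text/html", CAPTURED_BODY))
    print("decrypted fields:         ", parse_beacon(ASSUMED_KEY, CAPTURED_BODY))
```

The length floor matters in practice: the entropy of an n-byte body is capped at log2(n) bits, so a 100-byte beacon can never reach the 7-bit threshold and has to be hunted on timing, rarity of destination and protocol-versus-application mismatch instead. RC4 also provides no integrity and no forward secrecy, so once the key is pulled out of a sample, every captured body decrypts offline, which turns the C2 channel into readable evidence for the incident timeline.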
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK Resources: Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | b024d003d908… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CISA MAR-10292089-1.v2 TAIDOOR August 2021: CISA, FBI, DOD. (2021, August). MAR-10292089-1.v2 – Chinese Remote Access Trojan: TAIDOOR. Retrieved August 24, 2021.
- [2] TrendMicro Taidoor: Trend Micro. (2012). The Taidoor Campaign. Retrieved November 12, 2014.
- [3] mitre-attack S0011: MITRE ATT&CK software object S0011 (Taidoor).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.