S0012: PoisonIvy
Analyst context for executives and security teams
PoisonIvy is a Windows remote access tool identified by ATT&CK as widely used by many groups. Its business significance is not the name alone; it represents a mature RAT capability set that can support hands-on intrusion activity, including command execution, credential collection through keylogging, local data discovery and staging, tool transfer, obfuscation, DLL injection, and rootkit-style hiding. Leaders should treat coverage for PoisonIvy-like behavior as a test of whether Windows endpoint, identity, SOC, and incident response programs can see and contain an interactive compromise rather than only block known malware files.
Executive priority
Prioritize this as a resilience and evidence question: can the organization prove it collects and reviews the Windows endpoint, command execution, file activity, credential-access, and network-transfer evidence needed to investigate a RAT intrusion? ATT&CK relationships connect PoisonIvy to multiple espionage groups and Operation Dust Storm, so intelligence teams may use it for threat-informed prioritization; however, those relationships should not be interpreted as proof of current targeting or exposure. For budget and control planning, focus on closing blind spots around endpoint visibility, privileged account monitoring, data staging detection, and IR readiness for remote-access malware.
Technical view
For SOC and detection engineering, validate behavior coverage against the ATT&CK techniques linked to PoisonIvy: Data from Local System, Application Window Discovery, Rootkit, Obfuscated Files or Information, DLL Injection, Keylogging, Windows Command Shell, Local Data Staging, and Ingress Tool Transfer. Because the object’s platform is Windows and ATT&CK provides no official detection text, detection should be built from local telemetry: suspicious cmd.exe activity, abnormal process injection indicators, unexpected DLL loads, unusual file collection or staging patterns, keylogging-like input capture indicators where available, hidden or tampered services/drivers, and inbound tool transfer over command-and-control channels. Incident responders should be prepared to scope beyond the initial host because a RAT with tool-transfer and data-staging behaviors can indicate broader operator access.
Likely telemetry
- Windows endpoint process creation and command-line events, especially cmd.exe execution patterns
- Endpoint file creation, modification, access, and staging-directory activity
- DLL load, memory, process injection, and cross-process access telemetry
- Security product, driver, service, and kernel-level integrity signals relevant to rootkit-style hiding
- Keyboard/input monitoring indicators where endpoint tooling supports them
Detection direction
- Do not rely only on signatures for the PoisonIvy name; validate behavior analytics mapped to the related ATT&CK techniques.
- Tune Windows command-shell detections to distinguish administrative scripts from unusual remote or malware-driven execution.
- Correlate data discovery, local staging, and outbound or ingress file-transfer events instead of treating each as isolated low-severity activity.
- Review process injection and DLL injection detections for both coverage and false positives from legitimate software that injects into other processes.
- Assess whether endpoint controls can surface tampering, hidden components, or rootkit-like activity; absence of visibility here is a material blind spot.
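The correlation rule the bullets above describe (a command shell from an unexpected parent, a text file staged in a user-writable directory, and a tool written by a process that has already talked to the network, alerted on together rather than one at a time) as an added example that is not Glexia's or MITRE's code. The records are constructed Sysmon-like events; the field names (host, ts, type, pid, image, parent_image, target), the expected-parent set, the staging directories and the 30-minute window are assumptions to tune per environment:

```python
"""Correlate individually low-severity Windows endpoint events into one RAT-style alert.

Added example, not Glexia or MITRE code.  Events are constructed Sysmon-like records;
field names, EXPECTED_SHELL_PARENTS, STAGING_DIRS and the window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Parents from which an interactive cmd.exe is normal; anything else is flagged (assumption).
EXPECTED_SHELL_PARENTS = {"c:\\windows\\explorer.exe", "c:\\windows\\system32\\services.exe"}
# User-writable locations commonly used to stage collected data or dropped tools (assumption).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\programdata\\")
CORRELATION_WINDOW = timedelta(minutes=30)


def _ts(event):
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%S")


def classify(event, net_pids):
    """Return an ATT&CK-aligned label for one event, or None if it looks benign.
    net_pids: (host, pid) pairs that have already made an outbound connection."""
    kind = event["type"]
    if kind == "ProcessCreate":
        if (event["image"].lower().endswith("\\cmd.exe")
                and event["parent_image"].lower() not in EXPECTED_SHELL_PARENTS):
            return "T1059.003 cmd.exe from unexpected parent"
    elif kind == "FileCreate":
        target = event["target"].lower()
        in_staging = any(d in target for d in STAGING_DIRS)
        if in_staging and target.endswith(".txt"):
            return "T1074.001 text file written to staging directory"
        if (in_staging and target.endswith((".exe", ".dll"))
                and (event["host"], event["pid"]) in net_pids):
            return "T1105 executable written by network-connected process"
    return None


def correlate(events, min_behaviours=2):
    """Return {host: sorted labels} for hosts showing at least min_behaviours distinct
    behaviours inside CORRELATION_WINDOW.  A lone hit is left as low severity."""
    events = sorted(events, key=_ts)
    net_pids = set()
    hits = defaultdict(list)
    for ev in events:
        if ev["type"] == "NetworkConnect":
            net_pids.add((ev["host"], ev["pid"]))
            continue
        label = classify(ev, net_pids)
        if label:
            hits[ev["host"]].append((_ts(ev), label))
    alerts = {}
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            labels = {lbl for t, lbl in seq[i:] if t - t0 <= CORRELATION_WINDOW}
            if len(labels) >= min_behaviours:
                alerts[host] = sorted(labels)
                break
    return alerts


SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    # ws01: an administrator opens a shell from Explorer (benign)
    {"host": "ws01", "ts": "2024-05-01T09:00:00", "type": "ProcessCreate", "pid": 400,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\explorer.exe"},
    # ws02: shell from a binary in %TEMP%, then that binary connects out, stages a .txt and drops an .exe
    {"host": "ws02", "ts": "2024-05-01T10:01:00", "type": "ProcessCreate", "pid": 512,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"},
    {"host": "ws02", "ts": "2024-05-01T10:02:00", "type": "NetworkConnect", "pid": 500,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"},
    {"host": "ws02", "ts": "2024-05-01T10:03:00", "type": "FileCreate", "pid": 500,
     "target": r"C:\Users\jdoe\AppData\Local\Temp\sysinfo.txt"},
    {"host": "ws02", "ts": "2024-05-01T10:10:00", "type": "FileCreate", "pid": 500,
     "target": r"C:\Users\jdoe\AppData\Local\Temp\tool.exe"},
    # ws03: a single text file in ProgramData; on its own this stays low severity
    {"host": "ws03", "ts": "2024-05-01T11:00:00", "type": "FileCreate", "pid": 900,
     "target": r"C:\ProgramData\notes.txt"},
]

if __name__ == "__main__":
    for host, labels in correlate(SAMPLE_EVENTS).items():
        print(host, "->", labels)
```

Only ws02 reaches the alert threshold; ws03's lone staging-like write is kept as a low-severity hit, which is the point of correlating rather than alerting per event. Lowering `min_behaviours` to 1 turns the same logic into a per-event hunt query.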
Mitigation priorities
- Ensure broad Windows endpoint visibility and retention before relying on advanced detections.
- Harden and monitor privileged and high-value workstations where keylogging or command execution would create disproportionate business risk.
- Limit unnecessary command-shell, scripting, and file-transfer paths through least privilege and administrative control review.
- Apply application control and execution prevention where operationally feasible to reduce unauthorized RAT and tool execution.
- Strengthen credential protections and monitoring because the linked behaviors include keylogging and credential-access activity.
Analyst notes and limits
ATT&CK describes PoisonIvy as a popular RAT used by many groups and provides relationships to several groups and one campaign, plus technique relationships that define the defensive validation scope. Darkmoon S0209 is revoked by this object, so historical references may appear under either naming lineage. The strongest practical use of this object is as a control-validation bundle for Windows RAT behavior rather than a single malware signature.
The supplied ATT&CK object has no official detection guidance, no object-level tactics, no aliases listed, and only Windows as the malware platform. Related technique descriptions include platforms beyond Windows, but those should not expand the assessed PoisonIvy platform without additional evidence. Local environment logs, asset criticality, and confirmed telemetry coverage are required to determine actual detection readiness or exposure.
PoisonIvy
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1543.003 | Windows Service Sub-technique | |
| Enterprise | T1112 | Modify Registry | PoisonIvy creates a Registry subkey that registers a new system device. (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk. (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1027 | Obfuscated Files or Information | PoisonIvy hides any strings related to its own indicators of compromise. (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1056.001 | Keylogging Sub-technique | PoisonIvy contains a keylogger. (Citation: FireEye Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1547.014 | Active Setup Sub-technique | PoisonIvy creates a Registry key in the Active Setup pointing to a malicious executable. (Citation: Microsoft PoisonIvy 2017) (Citation: paloalto Tropic Trooper 2016) (Citation: FireEye Regsvr32 Targeting Mongolian Gov) |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | PoisonIvy creates a mutex using either a custom or default value. (Citation: FireEye Poison Ivy) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | PoisonIvy can inject a malicious DLL into a process. (Citation: FireEye Poison Ivy) (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | PoisonIvy stages collected data in a text file. (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | PoisonIvy creates a backdoor through which remote attackers can open a command-line interface. (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1105 | Ingress Tool Transfer | PoisonIvy creates a backdoor through which remote attackers can upload files. (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | PoisonIvy uses the Camellia cipher to encrypt communications. (Citation: FireEye Poison Ivy) |
| Enterprise | T1005 | Data from Local System | PoisonIvy creates a backdoor through which remote attackers can steal system information. (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1010 | Application Window Discovery | PoisonIvy captures window titles. (Citation: Symantec Darkmoon Aug 2005) |
| Enterprise | T1014 | Rootkit | PoisonIvy starts a rootkit from a malicious file dropped to disk. (Citation: Symantec Darkmoon Aug 2005) |
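A check for the two registry-persistence procedures in the table above (T1547.001 Run key entries and T1547.014 Active Setup keys that point to an executable dropped outside the usual program directories), as an added example that is not Glexia's or MITRE's code. The records are constructed Sysmon-style registry value-set events; the field names (host, key, value, data, image) and the trusted-directory list are assumptions to adapt per environment:

```python
"""Flag Run-key and Active Setup persistence writes whose target lives in a user-writable path.

Added example, not Glexia or MITRE code.  Events are constructed Sysmon Event ID 13 style
records (registry value set); field names and TRUSTED_DIRS are assumptions.
"""
import re

# Persistence locations from the technique table: Run/RunOnce keys and Active Setup components.
PERSISTENCE_KEYS = [
    re.compile(r"\\currentversion\\run(once)?$"),
    re.compile(r"\\active setup\\installed components\\\{[0-9a-f-]+\}$"),
]
# Directories where an auto-start target is expected to live (assumption).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def _exe_path(data):
    """Extract the executable path from value data such as '"C:\\x\\a.exe" /s' or 'C:\\x\\a.exe'."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.find('"', 1)].lower()
    return data.split(" ")[0].lower()


def inspect_registry_event(ev):
    """Return a finding string for a suspicious persistence write, else None."""
    key = ev["key"].lower()
    # Active Setup runs the StubPath value; other values under the component key are benign metadata.
    if "active setup" in key and ev["value"].lower() != "stubpath":
        return None
    if not any(p.search(key) for p in PERSISTENCE_KEYS):
        return None
    target = _exe_path(ev["data"])
    if target.startswith(TRUSTED_DIRS):
        return None
    technique = "T1547.014 Active Setup" if "active setup" in key else "T1547.001 Run key"
    return f"{technique}: {ev['key']}\\{ev['value']} -> {target} (written by {ev['image']})"


def audit(events):
    """Run inspect_registry_event over a batch and keep only the findings."""
    return [f for f in (inspect_registry_event(e) for e in events) if f]


SAMPLE_REGISTRY_EVENTS = [  # constructed sample telemetry, not real data
    # ws02: Run key pointing at a binary in %TEMP%, written by that same binary
    {"host": "ws02", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "WinUpdate", "data": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"},
    # ws02: Active Setup StubPath pointing into ProgramData
    {"host": "ws02",
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-1111-2222-333344445555}",
     "value": "StubPath", "data": r'"C:\ProgramData\svc\helper.exe" /q',
     "image": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe"},
    # ws01: legitimate Run entry under C:\Windows set by an installer
    {"host": "ws01", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "value": "SecurityHealth", "data": r"C:\Windows\System32\SecurityHealthSystray.exe",
     "image": r"C:\Windows\System32\msiexec.exe"},
    # ws01: Active Setup version metadata, not a StubPath
    {"host": "ws01",
     "key": r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{A1B2C3D4-0000-1111-2222-333344445555}",
     "value": "Version", "data": "1,0,0,1", "image": r"C:\Windows\System32\msiexec.exe"},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_REGISTRY_EVENTS):
        print(finding)
```

The trusted-directory test is deliberately coarse: it separates auto-start targets that installers normally write from ones in user profile or ProgramData paths, which is where the table's "malicious executable dropped to disk" procedure lands. Enrich with signer or file-reputation data before alerting in production.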
Groups, software, and campaigns
G0066: Elderwood
Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]
G1023: APT5
APT5 is a China-based espionage actor that has been active since at least 2007 primarily targeting the telecommunications, aerospace, and defense industries throughout the U.S., Europe, and Asia. APT5 has displayed advanced tradecraft and significant interest in compromising networking devices and their underlying software including through the use of zero-day exploits.[1][2][3][4][5][6]
G0093: GALLIUM
GALLIUM is a cyberespionage group that has been active since at least 2012, primarily targeting telecommunications companies, financial institutions, and government entities in Afghanistan, Australia, Belgium, Cambodia, Malaysia, Mozambique, the Philippines, Russia, and Vietnam. This group is particularly known for launching Operation Soft Cell, a long-term campaign targeting telecommunications providers.[1] Security researchers have identified GALLIUM as a likely Chinese state-sponsored group, based in part on tools used and TTPs commonly associated with Chinese threat actors.[1][2][3]
G0006: APT1
G0018: admin@338
admin@338 is a China-based cyber threat group. It has previously used newsworthy events as lures to deliver malware and has primarily targeted organizations involved in financial, economic, and trade policy, typically using publicly available RATs such as PoisonIvy, as well as some non-public backdoors. [1]
G0081: Tropic Trooper
Tropic Trooper is an unaffiliated threat group that has led targeted campaigns against targets in Taiwan, the Philippines, and Hong Kong. Tropic Trooper focuses on targeting government, healthcare, transportation, and high-tech industries and has been active since 2011.[1][2][3]
G0017: DragonOK
DragonOK is a threat group that has targeted Japanese organizations with phishing emails. Due to overlapping TTPs, including similar custom tools, DragonOK is thought to have a direct or indirect relationship with the threat group Moafee. [1] It is known to use a variety of malware, including Sysget/HelloBridge, PlugX, PoisonIvy, FormerFirstRat, NFlog, and NewCT. [2]
G0011: PittyTiger
PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[1][2]
G0136: IndigoZebra
IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.[1][2][3]
G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
G0045: menuPass
menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]
menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]
G0002: Moafee
S0209: Darkmoon
Official MITRE ATT&CK object mirrored from source data.
C0016: Operation Dust Storm
Operation Dust Storm was a long-standing persistent cyber espionage campaign that targeted multiple industries in Japan, South Korea, the United States, Europe, and several Southeast Asian countries. By 2015, the Operation Dust Storm threat actors shifted from government and defense-related intelligence targets to Japanese companies or Japanese subdivisions of larger foreign organizations supporting Japan's critical infrastructure, including electricity generation, oil and natural gas, finance, transportation, and construction.[1]
Operation Dust Storm threat actors also began to use Android backdoors in their operations by 2015, with all identified victims at the time residing in Japan or South Korea.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 4ed53268fb33… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye Poison Ivy: FireEye. (2014). POISON IVY: Assessing Damage and Extracting Intelligence. Retrieved September 19, 2024.
- [2] Symantec Elderwood Sept 2012: O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.
- [3] Symantec Darkmoon Aug 2005: Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018.
- [4] Breut: (Citation: Novetta-Axiom)
- [5] Darkmoon: (Citation: Symantec Darkmoon Sept 2014)
- [6] Novetta-Axiom: Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- [7] Poison Ivy: (Citation: FireEye Poison Ivy) (Citation: Symantec Darkmoon Sept 2014)
- [8] PoisonIvy: (Citation: FireEye Poison Ivy) (Citation: Symantec Darkmoon Sept 2014)
- [9] Symantec Darkmoon Sept 2014: Payet, L. (2014, September 19). Life on Mars: How attackers took advantage of hope for alien existance in new Darkmoon campaign. Retrieved September 13, 2018.
- [10] mitre-attack S0012
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.