
S0019: Regin

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. [1]

Enterprise | S0019 | Malware | Object v1.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Regin is a Windows malware platform documented by ATT&CK as having targeted telecom, government, and financial institutions, with timestamps dating back to 2003. Its business significance is not a single indicator of compromise; it is the combination of long-lived malware behavior, Windows lateral movement, credential collection, stealth, registry modification, and multiple command-and-control communication patterns. For leaders, this makes Regin a useful planning case for whether the organization can investigate sophisticated Windows intrusions that blend into normal administration and network traffic.

Executive priority

Prioritize this as an assurance question: can the organization prove it would notice and investigate stealthy Windows malware using SMB/admin shares, registry changes, hidden file techniques, keylogging, network sniffing, proxies, and web/file-transfer or lower-layer C2? The value is in validating resilience of identity controls, Windows endpoint visibility, network monitoring, incident response evidence retention, and audit-ready logging rather than assuming any single control will detect the platform.

Technical view

ATT&CK provides no dedicated detection text for Regin, so SOC and IR teams should validate coverage through its related techniques. Focus on Windows telemetry for SMB/Windows Admin Shares, invalid code signatures, registry modification, NTFS file attributes, and hidden file systems. Pair that with network telemetry for sniffing behavior and command-and-control over web protocols, file transfer protocols, external proxies, and non-application layer protocols. Because several behaviors can resemble normal administration or common network traffic, detections should be correlation-driven: suspicious signed/unsigned binaries, unusual remote share access, unexpected registry changes, hidden file artifacts, credential collection signals, and anomalous outbound or internal protocol use.

Likely telemetry

  • Windows endpoint process, file, registry, and service activity logs
  • SMB and Windows admin share access records
  • Code-signing and file reputation/validation results, including invalid signature evidence
  • Filesystem metadata capable of surfacing NTFS attributes, alternate data streams, or hidden filesystem artifacts
  • Network flow, proxy, DNS, HTTP/S, FTP/FTPS/TFTP or other file-transfer protocol logs where available

Detection direction

  • Map current detections to the related ATT&CK techniques rather than relying on a Regin-specific signature, since official detection guidance is not supplied.
  • Validate that Windows lateral movement over SMB/admin shares is monitored with user, host, share, and timing context to distinguish administration from suspicious movement.
  • Tune code-signature checks to alert on invalid signatures without treating all unsigned software as malicious; prioritize unusual paths, persistence locations, or rare binaries.
  • Correlate registry modification with process lineage, account context, and persistence/defense-impairment locations.
  • Confirm ability to inspect hidden NTFS attributes, alternate data streams, and hidden filesystem artifacts during triage and forensic collection.
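An added example, not part of the ATT&CK object or Glexia's commentary: a Python correlation rule over constructed records shaped like Windows Security event 5140 (network share access) that applies the user, host, share and timing context called for above. The allow-listed accounts and sources, hosts, times and thresholds are all assumed sample values.

```python
"""Correlation rule for admin-share (T1021.002) access with user/host/timing context.
Added example; the events, allow-lists and thresholds are constructed values."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records shaped like Windows Security event 5140 fields
# (account, source address, target host, share name). Not real telemetry.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T02:10:05", "user": "CORP\\svc-backup", "src": "10.0.5.21", "dst": "FS01", "share": "\\\\*\\D$"},
    {"time": "2024-03-01T02:10:09", "user": "CORP\\jdoe", "src": "10.0.8.44", "dst": "WS17", "share": "\\\\*\\ADMIN$"},
    {"time": "2024-03-01T02:10:30", "user": "CORP\\jdoe", "src": "10.0.8.44", "dst": "WS18", "share": "\\\\*\\C$"},
    {"time": "2024-03-01T02:11:02", "user": "CORP\\jdoe", "src": "10.0.8.44", "dst": "WS19", "share": "\\\\*\\C$"},
    {"time": "2024-03-01T09:15:00", "user": "CORP\\alice", "src": "10.0.8.50", "dst": "FS01", "share": "\\\\*\\Public"},
]

# Assumed allow-lists: accounts and source hosts expected to use admin shares
# (in practice fed from PAM/CMDB data, not hard-coded).
ADMIN_ACCOUNTS = {"CORP\\svc-backup"}
ADMIN_SOURCES = {"10.0.5.21"}


def is_admin_share(share):
    """Administrative shares (C$, ADMIN$, IPC$, ...) end in '$'."""
    return share.strip().endswith("$")


def unexpected_admin_share_access(events):
    """Admin-share access where either the account or the source host is not
    on the allow-list; ordinary shares are ignored to limit noise."""
    return [e for e in events if is_admin_share(e["share"])
            and (e["user"] not in ADMIN_ACCOUNTS or e["src"] not in ADMIN_SOURCES)]


def admin_share_fan_out(events, window=timedelta(minutes=5), threshold=3):
    """Per (user, source), distinct hosts whose admin shares were reached within
    `window`; a source reaching >= `threshold` hosts is the lateral-movement
    shape to escalate. Returns {(user, src): sorted target hosts}."""
    per_source = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if is_admin_share(e["share"]):
            per_source[(e["user"], e["src"])].append(
                (datetime.fromisoformat(e["time"]), e["dst"]))
    hits = {}
    for key, seq in per_source.items():
        for start, _ in seq:  # slide the window from each access
            targets = {dst for t, dst in seq if start <= t <= start + window}
            if len(targets) >= threshold:
                hits[key] = sorted(targets)
                break
    return hits
```

Both rules are deliberately context-driven: the backup account touching D$ from its usual host is not flagged, while one account reaching three hosts' admin shares inside a few minutes is surfaced as a fan-out pattern.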

Mitigation priorities

  • Harden and monitor Windows administrative pathways, especially SMB/admin share use and privileged account activity.
  • Reduce credential exposure through least privilege, strong authentication practices, and rapid investigation of keylogging or sniffing indicators.
  • Maintain endpoint controls and forensic readiness that can validate code signatures, registry changes, and hidden filesystem artifacts.
  • Restrict and monitor outbound communications, proxy use, and uncommon protocols according to business need.
  • Ensure incident response playbooks include evidence preservation for endpoint filesystem metadata, registry state, SMB activity, and network communications.

Analyst notes and limits

The supplied ATT&CK object identifies Regin as a Windows malware platform and provides relationships to techniques across lateral movement, stealth, credential access, collection, persistence, defense impairment, and command-and-control. The strongest defensive value is using those relationships to test telemetry coverage and investigative workflows for a sophisticated Windows intrusion pattern.

ATT&CK does not provide official detection text, aliases, labels, or object-level tactics for this malware in the supplied fields. The related techniques include platforms beyond Windows, but the malware object itself lists Windows; any non-Windows coverage claims require local evidence and are not asserted here. No active exploitation, attribution, or customer exposure is inferred.

Official MITRE ATT&CK definition

Regin

Regin is a malware platform that has targeted victims in a range of industries, including telecom, government, and financial institutions. Some Regin timestamps date back to 2003. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

11 rows

Domain | ID | Name | Relationship / procedure
Enterprise | T1564.004 | NTFS File Attributes (sub-technique) | The Regin malware platform uses Extended Attributes to store encrypted executables. [1]
Enterprise | T1564.005 | Hidden File System (sub-technique) | Regin has used a hidden file system to store some of its components. [1]
Enterprise | T1071.001 | Web Protocols (sub-technique) | The Regin malware platform supports many standard protocols, including HTTP and HTTPS. [1]
Enterprise | T1056.001 | Keylogging (sub-technique) | Regin contains a keylogger. [1]
Enterprise | T1036.001 | Invalid Code Signature (sub-technique) | Regin stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation. [1]
Enterprise | T1090.002 | External Proxy (sub-technique) | Regin leveraged several compromised universities as proxies to obscure its origin. [1]
Enterprise | T1071.002 | File Transfer Protocols (sub-technique) | The Regin malware platform supports many standard protocols, including SMB. [1]
Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | The Regin malware platform can use Windows admin shares to move laterally. [1]
Enterprise | T1095 | Non-Application Layer Protocol | The Regin malware platform can use ICMP to communicate between infected computers. [1]
Enterprise | T1040 | Network Sniffing | Regin appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB. [1]
Enterprise | T1112 | Modify Registry | Regin appears to have functionality to modify remote Registry information. [1]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: 73b873454bf8c4f5...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | 73b873454bf8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky Regin
     Kaspersky Lab's Global Research and Analysis Team. (2014, November 24). THE REGIN PLATFORM NATION-STATE OWNAGE OF GSM NETWORKS. Retrieved December 1, 2014.
  2. [2] mitre-attack S0019

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.