S0034: NETEAGLE
Analyst context for executives and security teams
NETEAGLE is a Windows backdoor associated in ATT&CK with APT30 and documented with compile dates as early as 2008. Its business significance is not that it is new, but that its mapped behaviors represent durable intrusion tradecraft: persistence through Windows startup mechanisms, host discovery, command execution, resilient command-and-control, and exfiltration over the same C2 channel. For leaders, this is a useful test case for whether endpoint, network, and incident response processes can recognize older but still relevant backdoor patterns rather than relying only on named-malware signatures.
Executive priority
Prioritize NETEAGLE as a coverage-validation object, not as proof of current exposure. It helps security leaders ask whether Windows endpoint monitoring, egress visibility, web/non-web protocol inspection, and persistence auditing are sufficient to support incident decisions. Because the ATT&CK relationships include fallback channels, dynamic resolution, encrypted C2, and exfiltration over C2, the key business issue is resilience: can the organization detect and contain a backdoor that changes communication paths and blends data theft into command traffic?
Technical view
ATT&CK lists NETEAGLE as Windows malware and maps it to execution via Windows Command Shell, discovery of processes and files/directories, persistence via Registry Run Keys or Startup Folder, multiple C2 patterns including application-layer protocols, web protocols, non-application-layer protocols, fallback channels, dynamic resolution, symmetric cryptography, and exfiltration over C2. SOC and IR teams should validate host telemetry for suspicious cmd.exe activity, autorun/startup changes, process and file enumeration, and network telemetry for unusual outbound sessions, web-like C2, alternate protocol use, changing destinations, and encrypted payloads not explained by normal business applications.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and discovery commands
- Windows registry and startup folder change events related to autorun persistence
- File and directory enumeration activity from endpoints
- Process listing or process discovery activity from endpoints
- DNS, proxy, firewall, and network flow records for outbound C2-like communications
Detection direction
- Do not depend only on a NETEAGLE malware name or static signature; validate behavior-based coverage across the mapped ATT&CK techniques.
- Correlate Windows autorun persistence with subsequent command-shell execution, discovery activity, and outbound network connections.
- Tune detections for command shell and discovery activity against administrative baselines to reduce false positives from legitimate IT operations.
- Review whether proxy, DNS, firewall, and endpoint data can connect a host process to outbound web or non-web protocol communications.
- Assess blind spots around encrypted C2, dynamic resolution, and fallback channels, because these behaviors can weaken simple domain/IP blocklists and single-channel detections.
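The second and third bullets describe a correlation rather than a single-event rule: persistence, then a shell, then egress, on the same host. The script below is an added example (Glexia analysis, not MITRE or FireEye material) of that correlation run over constructed Sysmon-style records; it fires only when an autorun change is followed within a window by cmd.exe execution and an outbound connection, and stays quiet for a routine admin shell with no preceding persistence change. The field names, paths, addresses and the 10-minute window are assumptions for illustration.

```python
"""Correlate Windows autorun persistence with later command-shell execution
and outbound connections on the same host.

Added example: the records, field names, paths, addresses and the
10-minute window are constructed assumptions, not real telemetry or a
vendor schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AUTORUN_MARKERS = (r"\CurrentVersion\Run", r"\Start Menu\Programs\Startup")
WINDOW = timedelta(minutes=10)

# Constructed Sysmon-style telemetry (registry set, file create, process create, network connect).
SAMPLE_EVENTS = [
    {"ts": "2024-11-17T09:00:02", "host": "WS-112", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater",
     "image": r"C:\Users\jdoe\AppData\Roaming\updater.exe"},
    {"ts": "2024-11-17T09:00:05", "host": "WS-112", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\jdoe\AppData\Roaming\updater.exe",
     "cmdline": r'cmd.exe /c dir "C:\Users\jdoe\Documents"'},
    {"ts": "2024-11-17T09:00:09", "host": "WS-112", "type": "net_connect",
     "image": r"C:\Users\jdoe\AppData\Roaming\updater.exe",
     "dst": "203.0.113.20", "dport": 6000, "proto": "udp"},
    # Startup-folder drop with no shell or network activity afterwards: context, not a finding.
    {"ts": "2024-11-17T09:10:00", "host": "WS-150", "type": "file_create",
     "path": r"C:\Users\asmith\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sync.lnk"},
    # Routine admin shell with no preceding persistence change: should not fire.
    {"ts": "2024-11-17T09:30:00", "host": "WS-200", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-11-17T09:30:04", "host": "WS-200", "type": "net_connect",
     "image": r"C:\Windows\System32\svchost.exe",
     "dst": "10.0.0.5", "dport": 443, "proto": "tcp"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_autorun_change(event):
    """Registry Run key writes and Startup-folder file creations (T1547.001 surfaces)."""
    if event["type"] == "registry_set":
        target = event.get("key", "")
    elif event["type"] == "file_create":
        target = event.get("path", "")
    else:
        return False
    return any(marker.lower() in target.lower() for marker in AUTORUN_MARKERS)


def correlate(events, window=WINDOW):
    """One finding per autorun change that is followed, within `window` on the
    same host, by both a cmd.exe process creation and an outbound connection."""
    by_host = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_host[event["host"]].append(event)

    findings = []
    for host, host_events in by_host.items():
        for anchor in host_events:
            if not is_autorun_change(anchor):
                continue
            start, end = _ts(anchor), _ts(anchor) + window
            follow = [e for e in host_events if start <= _ts(e) <= end]
            shells = [e for e in follow if e["type"] == "process_create"
                      and e["image"].lower().endswith("\\cmd.exe")]
            conns = [e for e in follow if e["type"] == "net_connect"]
            if shells and conns:
                findings.append({
                    "host": host,
                    "persisted": anchor.get("image") or anchor.get("path"),
                    "shell_cmdlines": [s["cmdline"] for s in shells],
                    "destinations": [(c["dst"], c["dport"], c["proto"]) for c in conns],
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The window and the requirement for all three stages are the tuning knobs the third bullet refers to: widening the window raises recall against a slow backdoor, while requiring the shell to be a child of the persisted image (available here as the `parent` field) would tighten precision further against administrative baselines.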
Mitigation priorities
- Harden Windows persistence surfaces by monitoring and controlling Registry Run Keys and startup folder changes.
- Limit unnecessary command-shell use through administrative controls and least privilege where operationally feasible.
- Maintain egress controls and logging for outbound web and non-web protocols, with review paths for unusual destinations or protocol use.
- Ensure DNS, proxy, firewall, and endpoint telemetry are retained long enough to support incident reconstruction of C2 and exfiltration-over-C2 scenarios.
- Prepare IR playbooks that include containment of a host with possible fallback C2, collection of persistence artifacts, process history, and network history.
Analyst notes and limits
The supplied ATT&CK object provides a concise malware description, one external FireEye APT30 reference, and relationship mappings to techniques. The most defensible Glexia interpretation is to treat NETEAGLE as a behavioral coverage benchmark for Windows backdoor activity associated with a documented threat group, rather than as a standalone current threat claim.
MITRE provides no official detection text for this object, and the supplied fields do not include indicators, hashes, specific C2 infrastructure, affected sectors, active exploitation status, or detailed variant behavior beyond the Scout and Norton names. Local telemetry, asset context, and approved administrative baselines are required to determine exposure, detection quality, and response priority.
NETEAGLE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key "ScoutEagle." [1] |
| Enterprise | T1057 | Process Discovery | NETEAGLE can send process listings over the C2 channel. [1] |
| Enterprise | T1071 | Application Layer Protocol | Adversaries can also use NETEAGLE to establish an RDP connection with a controller over TCP/7519. |
| Enterprise | T1041 | Exfiltration Over C2 Channel | NETEAGLE is capable of reading files over the C2 channel. [1] |
| Enterprise | T1568 | Dynamic Resolution | NETEAGLE can use HTTP to download resources that contain an IP address and port number pair to connect to for C2. [1] |
| Enterprise | T1083 | File and Directory Discovery | NETEAGLE allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | NETEAGLE allows adversaries to execute shell commands on the infected host. [1] |
| Enterprise | T1008 | Fallback Channels | |
| Enterprise | T1095 | Non-Application Layer Protocol | If NETEAGLE does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, NETEAGLE will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs. [1] |
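The T1095 and T1071 rows give two concrete network observables: UDP/6000 beacons from hosts that have no proxy configured, and TCP/7519 sessions to a controller. As an added example (not MITRE or FireEye material), the script below performs the egress review described under Detection direction over constructed flow records: it flags internal-to-external flows on those ports and measures inter-arrival regularity so that a periodic beacon stands apart from one-off traffic on the same port. The RFC 5737 test addresses, the internal network list, field names and the beacon thresholds (at least four flows, inter-arrival coefficient of variation at or under 0.2) are assumptions for illustration.

```python
"""Flow-log triage for the non-application-layer C2 patterns in the NETEAGLE
technique table: UDP/6000 beacons (no-proxy path) and TCP/7519 controller
sessions.

Added example, not MITRE or FireEye material. Flow records, address ranges,
field names and thresholds are constructed assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# (protocol, destination port) pairs taken from the ATT&CK procedure text above.
WATCH_PORTS = {
    ("udp", 6000): "UDP/6000 beacon (no-proxy path)",
    ("tcp", 7519): "TCP/7519 controller session (RDP per procedure text)",
}

# Assumption: the organisation's internal address space. Explicit ranges are
# used rather than ipaddress.is_private, which also covers the RFC 5737
# documentation ranges used for the constructed external addresses below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records in a simplified firewall/NetFlow-like shape.
SAMPLE_FLOWS = [
    {"ts": "2024-11-17T09:00:00", "src": "10.1.1.20", "dst": "203.0.113.20", "proto": "udp", "dport": 6000},
    {"ts": "2024-11-17T09:01:01", "src": "10.1.1.20", "dst": "203.0.113.20", "proto": "udp", "dport": 6000},
    {"ts": "2024-11-17T09:01:59", "src": "10.1.1.20", "dst": "203.0.113.20", "proto": "udp", "dport": 6000},
    {"ts": "2024-11-17T09:03:00", "src": "10.1.1.20", "dst": "203.0.113.20", "proto": "udp", "dport": 6000},
    {"ts": "2024-11-17T09:04:02", "src": "10.1.1.20", "dst": "203.0.113.20", "proto": "udp", "dport": 6000},
    {"ts": "2024-11-17T09:05:10", "src": "10.1.1.20", "dst": "203.0.113.20", "proto": "tcp", "dport": 7519},
    # Ordinary traffic that should not be flagged: HTTPS, and UDP/6000 that never leaves the network.
    {"ts": "2024-11-17T09:00:30", "src": "10.1.1.20", "dst": "10.0.0.5", "proto": "tcp", "dport": 443},
    {"ts": "2024-11-17T09:02:30", "src": "10.1.1.20", "dst": "198.51.100.8", "proto": "tcp", "dport": 443},
    {"ts": "2024-11-17T09:07:00", "src": "10.1.1.30", "dst": "10.1.1.31", "proto": "udp", "dport": 6000},
]


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def _ts(flow):
    return datetime.fromisoformat(flow["ts"])


def _key(flow):
    return (flow["src"], flow["dst"], flow["proto"].lower(), flow["dport"])


def flag_watch_ports(flows):
    """Flows from an internal host to a non-internal destination on a watched (proto, port)."""
    flagged = []
    for flow in flows:
        label = WATCH_PORTS.get((flow["proto"].lower(), flow["dport"]))
        if label and is_internal(flow["src"]) and not is_internal(flow["dst"]):
            flagged.append({**flow, "label": label})
    return flagged


def find_beacons(flows, min_flows=4, max_cv=0.2):
    """Group flows by (src, dst, proto, dport) and keep series whose inter-arrival
    times are regular (population coefficient of variation <= max_cv)."""
    series = defaultdict(list)
    for flow in flows:
        series[_key(flow)].append(_ts(flow))

    beacons = {}
    for key, times in series.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = {"count": len(times), "mean_s": round(avg, 1), "cv": round(cv, 3)}
    return beacons


def triage(flows):
    """Watched-port flows annotated with whether their series also beacons."""
    beacons = find_beacons(flows)
    return [{**f, "periodic": _key(f) in beacons} for f in flag_watch_ports(flows)]


if __name__ == "__main__":
    for row in triage(SAMPLE_FLOWS):
        print(row)
```

The periodicity check is what survives the fallback-channel and dynamic-resolution behaviours noted above: a controller address fetched at runtime defeats a static blocklist, but a beacon that keeps its cadence still stands out per source host, so the same `find_beacons` pass is worth running over all egress, not only the two ports named here.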
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 870f8bb9730e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT30: FireEye Labs. (2015, April). APT30 and the Mechanics of a Long-Running Cyber Espionage Operation. Retrieved November 17, 2024.
[2] mitre-attack S0034: MITRE ATT&CK, Software S0034 (NETEAGLE).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.