
S0055: RARSTONE

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [1]

Domain: Enterprise | ID: S0055 | Type: Malware | Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

RARSTONE matters because ATT&CK describes it as Windows malware used by Naikon and maps it to behaviors that support stealth, discovery, command-and-control, and tool transfer. For leaders, the value is not a signature for one malware family; it is a checklist for whether the organization can see and contain a Windows intrusion that loads code into a hidden browser process, enumerates installed software, keeps its C2 channel encrypted, and pulls additional components straight into memory without writing them to disk.

Executive priority

Treat this as an espionage-oriented readiness use case rather than evidence of current exposure. The relationship to Naikon raises the importance of protecting sensitive government, military, civil, partner, and regional business information where relevant. Priority questions: do endpoint and network controls produce evidence of code injection into a browser process, installed-software enumeration, encrypted C2 from an unexpected process, and memory-only tool staging; can the SOC make a timely decision from that evidence; and can incident response isolate affected Windows hosts without losing forensic visibility, including the volatile memory where RARSTONE's downloaded component lives?

Technical view

ATT&CK provides no official detection text for RARSTONE, so coverage should be validated through the related techniques: T1055.001 Dynamic-link Library Injection, T1083 File and Directory Discovery, T1095 Non-Application Layer Protocol, and T1105 Ingress Tool Transfer. Read the technique names together with the cited procedures, because two of them are narrower than the technique title suggests: the T1083 procedure is enumeration of installed applications through the Uninstall registry key (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and its WOW6432Node and HKCU equivalents) rather than filesystem walking, and the T1095 procedure is SSL-encrypted C2 rather than ICMP, UDP, or SOCKS. For Windows endpoints, confirm visibility into cross-process thread creation and module loads targeting a hidden Internet Explorer process, registry reads of the Uninstall key by a browser process, and TLS metadata (destination, server name, certificate) tied back to that process. Generic T1095 coverage for ICMP, UDP, SOCKS, and similar protocols is still worth validating for the technique as a whole, and file-creation telemetry alone is insufficient for this object because the downloaded DLL is loaded from memory and never written to disk.

Likely telemetry

  • Windows endpoint process execution and parent-child process context, including browser processes such as iexplore.exe started by something other than the user's shell
  • DLL/module load events and process injection indicators (remote thread creation, cross-process memory writes) from EDR or host telemetry, with attention to modules in a browser process that have no backing file on disk
  • File system enumeration and directory listing activity, plus registry reads of the Uninstall key by processes that have no business inventorying installed software
  • New or modified files consistent with transferred tools or payloads, noting that the cited RARSTONE procedure loads its downloaded component directly into memory and leaves no such file
  • Network flow, firewall, and packet/protocol metadata for non-application-layer or unusual outbound communications, and TLS metadata (server name, certificate, destination) attributed to the originating process

Detection direction

  • Build behavior-based coverage around the related techniques rather than relying on a RARSTONE-specific detection, because ATT&CK does not provide official detection guidance for this object.
  • Validate that DLL injection analytics distinguish suspicious cross-process activity (an unrelated process creating a thread in, or writing memory into, a hidden Internet Explorer process) from legitimate software that loads DLLs dynamically into its own process.
  • Correlate discovery activity, including Uninstall-key registry reads, with other behaviors such as injection, outbound TLS from the injected process, or new tool staging to reduce false positives; a browser process doing any one of these is noise, the sequence is not.
  • Review whether network monitoring can see ICMP, UDP, SOCKS, or other non-HTTP style communications; for this object the cited T1095 procedure is SSL-encrypted C2, so TLS metadata from an unexpected process is the more direct signal, and proxy-only visibility may miss both.
  • Tune ingress tool transfer detections around external-to-host file arrival followed by execution, movement, or persistence-like staging, while accounting for legitimate administration and software deployment activity; because RARSTONE's downloaded component is never dropped to disk, pair file-arrival logic with in-memory indicators such as a module present in the process that maps to no file.
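To make the detection direction above testable, here is an added example correlator (not code from this page, from MITRE, or from any vendor) that scores Sysmon-style endpoint events per injected browser process inside a sliding time window, so that a single noisy signal such as a browser connecting to port 443 never alerts on its own but the injection-plus-discovery-plus-TLS sequence does. The event schema, field names, weights, allow-lists, and the sample telemetry are all assumed or constructed for the example; the registry_read event in particular is not something Sysmon emits and stands in for EDR or object-access audit telemetry.

```python
"""Score Sysmon-style endpoint telemetry for a RARSTONE-like chain.

Added example, not from the page or from MITRE.  Signals are keyed by the
process that receives the injected code:
  process_create        browser started by an unusual parent            (+2)
  create_remote_thread  cross-process thread into the browser           (+4)
  network_connect       TLS (443) from that browser process             (+1)
  registry_read         that browser reading the Uninstall key          (+2)
RARSTONE's downloaded DLL is never written to disk, so no file-create
signal is expected and none is required for an alert.
Schema, field names, weights and allow-lists are assumptions; tune locally.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)      # all contributing signals must fall in one window
ALERT_THRESHOLD = 5                 # injection alone (4) is not enough; injection + anything is
BROWSERS = {"iexplore.exe"}
UNINSTALL_KEY = r"\microsoft\windows\currentversion\uninstall"
BENIGN_BROWSER_PARENTS = {"explorer.exe", "userinit.exe"}   # assumed allow-list
BENIGN_INJECTORS = {"csrss.exe"}                            # assumed allow-list

# Constructed sample telemetry (not real logs), one JSON object per line.
# HOST-A: normal browsing.  HOST-B: RARSTONE-like chain.  HOST-C: allow-listed
# injector.  HOST-D: real signals, but 30 minutes apart (outside WINDOW).
SAMPLE_EVENTS = r"""
{"ts":"2024-03-01T10:00:00","host":"HOST-A","event":"process_create","image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","pid":500,"parent_image":"C:\\Windows\\explorer.exe"}
{"ts":"2024-03-01T10:00:01","host":"HOST-A","event":"network_connect","image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","pid":500,"dst_ip":"203.0.113.10","dst_port":443}
{"ts":"2024-03-01T10:05:00","host":"HOST-B","event":"process_create","image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","pid":1234,"parent_image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe"}
{"ts":"2024-03-01T10:05:02","host":"HOST-B","event":"create_remote_thread","source_image":"C:\\Users\\u\\AppData\\Local\\Temp\\update.exe","target_image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","target_pid":1234}
{"ts":"2024-03-01T10:05:05","host":"HOST-B","event":"network_connect","image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","pid":1234,"dst_ip":"198.51.100.7","dst_port":443}
{"ts":"2024-03-01T10:05:09","host":"HOST-B","event":"registry_read","image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","pid":1234,"key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\SomeApp"}
{"ts":"2024-03-01T10:10:00","host":"HOST-C","event":"create_remote_thread","source_image":"C:\\Windows\\System32\\csrss.exe","target_image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","target_pid":777}
{"ts":"2024-03-01T10:10:01","host":"HOST-C","event":"network_connect","image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","pid":777,"dst_ip":"203.0.113.11","dst_port":443}
{"ts":"2024-03-01T08:00:00","host":"HOST-D","event":"create_remote_thread","source_image":"C:\\Temp\\x.exe","target_image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","target_pid":900}
{"ts":"2024-03-01T08:30:00","host":"HOST-D","event":"registry_read","image":"C:\\Program Files\\Internet Explorer\\iexplore.exe","pid":900,"key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Other"}
"""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: dict):
    """Return ((host, pid), weight, reason) if the event is a signal, else None."""
    host, kind = ev["host"], ev["event"]
    if kind == "process_create":                      # Sysmon EID 1
        if (_basename(ev["image"]) in BROWSERS
                and _basename(ev["parent_image"]) not in BENIGN_BROWSER_PARENTS):
            return (host, ev["pid"]), 2, "browser started by " + ev["parent_image"]
    elif kind == "create_remote_thread":              # Sysmon EID 8
        if (_basename(ev["target_image"]) in BROWSERS
                and _basename(ev["source_image"]) not in BENIGN_INJECTORS):
            return (host, ev["target_pid"]), 4, "remote thread from " + ev["source_image"]
    elif kind == "network_connect":                   # Sysmon EID 3
        if _basename(ev["image"]) in BROWSERS and ev.get("dst_port") == 443:
            return (host, ev["pid"]), 1, "TLS to %s:443" % ev["dst_ip"]
    elif kind == "registry_read":                     # EDR / object-access audit (assumed)
        if _basename(ev["image"]) in BROWSERS and UNINSTALL_KEY in ev["key"].lower():
            return (host, ev["pid"]), 2, "read Uninstall key " + ev["key"]
    return None


def load_events(text: str) -> list:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def correlate(events: list) -> list:
    """Alert on each (host, pid) whose best WINDOW-sized signal score meets the threshold."""
    signals = defaultdict(list)
    for ev in events:
        hit = score_event(ev)
        if hit:
            key, weight, reason = hit
            signals[key].append((datetime.fromisoformat(ev["ts"]), weight, reason))
    alerts = []
    for (host, pid), items in sorted(signals.items()):
        items.sort()                                  # by timestamp
        best_score, best_reasons, start = 0, [], 0
        for end in range(len(items)):                 # sliding window over sorted signals
            while items[end][0] - items[start][0] > WINDOW:
                start += 1
            window = items[start:end + 1]
            score = sum(w for _, w, _ in window)
            if score > best_score:
                best_score, best_reasons = score, [r for _, _, r in window]
        if best_score >= ALERT_THRESHOLD:
            alerts.append({"host": host, "pid": pid, "score": best_score, "reasons": best_reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(load_events(SAMPLE_EVENTS)):
        print(json.dumps(alert, indent=2))
```

Run as-is it alerts only on HOST-B (score 9): HOST-A is a browser doing browser things, HOST-C's injector is allow-listed, and HOST-D's two real signals are too far apart to correlate. Keying on the target process rather than the injector matters because the injector may exit long before the C2 and discovery activity happens inside the browser.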

Mitigation priorities

  • Prioritize Windows endpoint hardening and EDR coverage for process injection and suspicious module loading behaviors.
  • Limit unnecessary egress paths, log TLS metadata on the paths that remain, and monitor allowed non-application-layer protocols so command-and-control options are reduced and more visible.
  • Use application control, least privilege, and controlled software deployment processes to reduce the ability to stage and run transferred tools.
  • Ensure incident response playbooks cover rapid isolation of Windows hosts while preserving process, module, file, and network evidence.
  • Use this object as a control validation scenario for SOC readiness, threat-informed detection engineering, and audit evidence around malware response capabilities.

Analyst notes and limits

The supplied ATT&CK object identifies RARSTONE as malware used by Naikon and notes similarity to PlugX, but the practical defensive value comes from the related techniques. Because the object has no official detection text and no object-level tactics, detections should be framed as technique coverage validation, not as guaranteed RARSTONE identification.

This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish current exploitation, local targeting, customer exposure, or confirmed detection coverage. Local telemetry, asset criticality, business geography, and incident evidence are required to determine operational priority.

Official MITRE ATT&CK definition

RARSTONE

RARSTONE is malware used by the Naikon group that has some characteristics similar to PlugX. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

4 rows

Domain | ID | Name | Relationship / procedure
Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | After decrypting itself in memory, RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system. [Camba RARSTONE]
Enterprise | T1095 | Non-Application Layer Protocol | RARSTONE uses SSL to encrypt its communication with its C2 server. [Aquino RARSTONE]
Enterprise | T1083 | File and Directory Discovery | RARSTONE obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications. [Camba RARSTONE]
Enterprise | T1105 | Ingress Tool Transfer | RARSTONE downloads its backdoor component from a C2 server and loads it directly into memory. [Aquino RARSTONE]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0019: Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 1d4de47fdfe4ad60...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 1d4de47fdfe4…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Aquino RARSTONE: Aquino, M. (2013, June 13). RARSTONE Found In Targeted Attacks. Retrieved December 17, 2015.
  2. [2] mitre-attack S0055: the MITRE-hosted ATT&CK entry for S0055 RARSTONE on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.