MITRE ATT&CK® Malware

S0058: SslMM

SslMM is a full-featured backdoor used by Naikon that has multiple variants. [1]

Domain: Enterprise | ID: S0058 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

SslMM matters because ATT&CK identifies it as a Windows full-featured backdoor used by Naikon, with related behaviors that cover persistence, discovery, credential collection through keylogging, command-and-control fallback channels, token manipulation, masquerading, and impairment of defensive tools. For leaders, the decision value is not the malware name alone; it is whether the organization can prove it would notice a Windows endpoint becoming persistent, collecting user context, attempting to preserve command-and-control, and weakening security visibility.

Executive priority

Prioritize SslMM as a readiness test for espionage-style backdoor response on Windows systems. Executives should ask whether SOC and incident response teams have evidence for startup persistence, suspicious outbound communications, security-tool tampering, and identity risk from possible keylogging or token misuse. This object is especially useful for validating managed detection scope, endpoint logging coverage, egress monitoring, and post-compromise identity response rather than for making broad claims about current exposure.

Technical view

ATT&CK provides no official detection text for SslMM, so defenders should build validation around the mapped behaviors: T1547.001 Registry Run Keys / Startup Folder, T1547.009 Shortcut Modification, T1008 Fallback Channels, T1033 System Owner/User Discovery, T1082 System Information Discovery, T1134 Access Token Manipulation, T1056.001 Keylogging, T1036.005 Match Legitimate Resource Name or Location, and T1685 Disable or Modify Tools. Because the malware platform is Windows, prioritize Windows endpoint and network controls, then confirm whether local telemetry can connect persistence, discovery, credential-access, defense-impairment, and outbound communication activity into a single incident narrative.

Likely telemetry

  • Windows endpoint process execution and parent/child process context
  • Registry Run key changes and Startup folder additions
  • Shortcut creation or modification events, especially in startup-related locations
  • Windows account, logon, and user/session context useful for System Owner/User Discovery analysis
  • Host inventory and system information queries or collection events

Detection direction

  • Do not depend on a single malware signature; ATT&CK describes multiple variants and provides no official detection guidance.
  • Validate detections for persistence changes in Run keys, Startup folders, and startup shortcuts, with allowlisting for legitimate software installers and administration tools.
  • Correlate discovery behavior with persistence and outbound network activity; isolated system or user discovery can be common in administration workflows.
  • Tune egress monitoring for alternate or fallback channels and ensure blocked or failed primary communications are not the only signal reviewed.
  • Confirm security-tool health monitoring can detect disabling, degradation, configuration changes, or sensor loss rather than only malware execution.
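The correlation the bullets above ask for, as an added example that is not Glexia's or MITRE's code: classify individual Windows endpoint events against the persistence, defense-impairment and fallback-channel behaviors mapped on this page, allowlist targets under standard install roots, and only raise a host when several distinct behaviors line up. The event dicts are a constructed, simplified telemetry shape rather than any vendor's real log schema; the Startup-folder and Run-key path patterns are the standard Windows locations, and the allowlist roots, security-process names and time window are assumptions to tune locally.

```python
"""Correlate Windows endpoint telemetry into one per-host narrative.

Added example (not Glexia's or MITRE's code). The event dicts below are a
constructed, simplified telemetry shape, not any vendor's real log schema;
the technique labels are the ones listed on this page.
"""
from collections import defaultdict
import ntpath
import re

# Technique IDs and names as listed in the relationship table on this page.
TECHNIQUES = {
    "startup_shortcut": "T1547.009 Shortcut Modification",
    "run_key": "T1547.001 Registry Run Keys / Startup Folder",
    "av_kill": "T1685 Disable or Modify Tools",
    "fallback_c2": "T1008 Fallback Channels",
}

# Standard Windows persistence locations (path fragments) and an allowlist of
# install roots; the allowlist, process names and window are assumptions to tune.
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TRUSTED_ROOTS = (r"c:\program files", r"c:\program files (x86)", r"c:\windows")
SECURITY_PROCS = {"msmpeng.exe", "sense.exe"}  # constructed list of security-tool images
FALLBACK_WINDOW = 60  # seconds between a failed primary and a successful alternate

def trusted_target(path):
    """True when an executable lives under an allowlisted install root."""
    return path.lower().startswith(TRUSTED_ROOTS)

def classify(ev):
    """Map a single event to a technique key, or None when benign or irrelevant."""
    kind = ev["type"]
    if kind == "file_create" and STARTUP_LNK.search(ev["path"]) and not trusted_target(ev["target"]):
        return "startup_shortcut"  # Startup-folder shortcut pointing outside trusted roots
    if kind == "reg_set" and RUN_KEY.search(ev["path"]) and not trusted_target(ev["data"]):
        return "run_key"
    if kind == "process_terminate" and ntpath.basename(ev["image"]).lower() in SECURITY_PROCS:
        return "av_kill"
    return None

def fallback_channels(events):
    """Pair a failed outbound connection with a later success from the same image
    on the same host to a different destination inside FALLBACK_WINDOW."""
    conns = sorted((e for e in events if e["type"] == "net_connect"), key=lambda e: e["ts"])
    pairs = []
    for i, first in enumerate(conns):
        if first["result"] != "failed":
            continue
        for nxt in conns[i + 1:]:
            if nxt["ts"] - first["ts"] > FALLBACK_WINDOW:
                break
            same_origin = (nxt["host"], nxt["image"]) == (first["host"], first["image"])
            if same_origin and nxt["result"] == "success" and nxt["dest"] != first["dest"]:
                pairs.append((first, nxt))
                break
    return pairs

def correlate(events, min_techniques=2):
    """Return hosts showing at least min_techniques distinct mapped behaviors,
    each with a sorted (timestamp, technique, detail) timeline."""
    per_host = defaultdict(lambda: {"keys": set(), "timeline": []})
    for ev in events:
        key = classify(ev)
        if key:
            detail = ev.get("path") or ev.get("image")
            per_host[ev["host"]]["keys"].add(key)
            per_host[ev["host"]]["timeline"].append((ev["ts"], TECHNIQUES[key], detail))
    for first, nxt in fallback_channels(events):
        entry = per_host[first["host"]]
        entry["keys"].add("fallback_c2")
        entry["timeline"].append((nxt["ts"], TECHNIQUES["fallback_c2"],
                                  f"{first['dest']} failed, then {nxt['dest']} succeeded"))
    return {
        host: {"techniques": sorted(TECHNIQUES[k] for k in d["keys"]), "timeline": sorted(d["timeline"])}
        for host, d in per_host.items() if len(d["keys"]) >= min_techniques
    }

# Constructed sample telemetry (not captured from a real system). WS01 shows the
# chain described on this page; WS02 is a legitimate installer plus normal egress.
IMPLANT = r"C:\Users\alice\AppData\Local\Temp\svchost.exe"
EVENTS = [
    {"ts": 100, "host": "WS01", "type": "file_create",
     "path": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Office Start.lnk",
     "target": IMPLANT},
    {"ts": 101, "host": "WS01", "type": "reg_set",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OfficeStart", "data": IMPLANT},
    {"ts": 105, "host": "WS01", "type": "process_terminate",
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\MsMpEng.exe", "actor": IMPLANT},
    {"ts": 110, "host": "WS01", "type": "net_connect", "image": IMPLANT, "dest": "203.0.113.10:443", "result": "failed"},
    {"ts": 112, "host": "WS01", "type": "net_connect", "image": IMPLANT, "dest": "198.51.100.7:443", "result": "success"},
    {"ts": 200, "host": "WS02", "type": "file_create",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Slack.lnk",
     "target": r"C:\Program Files\Slack\slack.exe"},
    {"ts": 201, "host": "WS02", "type": "net_connect", "image": r"C:\Program Files\Slack\slack.exe",
     "dest": "192.0.2.20:443", "result": "success"},
]

if __name__ == "__main__":
    for host, finding in correlate(EVENTS).items():
        print(host, finding["techniques"])
        for ts, technique, detail in finding["timeline"]:
            print(f"  {ts:>5}  {technique}: {detail}")
```

Run against the constructed events, WS01 is reported with four distinct techniques in one timeline while WS02 produces nothing: its Startup shortcut resolves to an allowlisted install root and its egress never fails first. The allowlist is what keeps installer and administration-tool noise out, and the minimum-technique threshold is what turns isolated discovery or persistence hits into a narrative worth an analyst's time.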

Mitigation priorities

  • Start with visibility: ensure Windows endpoint, registry, startup folder, shortcut, security-tool health, and egress telemetry are retained and available to SOC/IR teams.
  • Harden persistence paths by monitoring and restricting unauthorized changes to Run keys, Startup folders, and startup shortcuts where operationally feasible.
  • Apply least-privilege and administrative control hygiene to reduce the value of token manipulation and user-context abuse.
  • Use egress control and monitoring to limit unauthorized outbound communications and make fallback-channel behavior easier to investigate.
  • Protect and monitor security tools and logging agents for tampering, stoppage, or configuration changes.

Analyst notes and limits

The supplied ATT&CK relationship context links SslMM to Naikon and to multiple techniques across command-and-control, discovery, stealth, credential access, persistence, privilege escalation, and defense impairment. This supports a behavior-led defensive assessment. The official object itself is sparse: platform is Windows, tactics are not specified on the malware object, aliases are not listed, and no official detection text is provided.

This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not assert active exploitation, current targeting, customer exposure, or guaranteed detection. Local asset criticality, endpoint configuration, logging depth, network architecture, and SOC use cases are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

SslMM

SslMM is a full-featured backdoor used by Naikon that has multiple variants. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1033 | System Owner/User Discovery
SslMM sends the logged-on username to its hard-coded C2. [1]

Enterprise | T1008 | Fallback Channels
SslMM has a hard-coded primary and backup C2 string. [1]

Enterprise | T1547.009 | Shortcut Modification (sub-technique)
To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut. [1]

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)
To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut. [1]

Enterprise | T1056.001 | Keylogging (sub-technique)
SslMM creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators. [1]

Enterprise | T1134 | Access Token Manipulation
SslMM contains a feature to manipulate process privileges and tokens. [1]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut. [1]

Enterprise | T1685 | Disable or Modify Tools
SslMM identifies and kills anti-malware processes. [1]

Enterprise | T1082 | System Information Discovery
SslMM sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0019: Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 0f9cc55a6ad53204...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 0f9cc55a6ad5…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Baumgartner Naikon 2015: Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  2. [2] mitre-attack S0058

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.