S0059: WinMM
Analyst context for executives and security teams
WinMM is a Windows backdoor documented by ATT&CK as used by Naikon. Its business relevance is less about a single malware name and more about the behaviors tied to it: maintaining command-and-control through fallback and web channels, then discovering users, processes, system details, and files. For leaders, this points to the need to validate whether Windows endpoint and network monitoring can show both suspicious outbound communications and post-compromise discovery activity.
Executive priority
Treat this as a resilience and readiness check for espionage-style intrusion scenarios. Security leaders should ask whether SOC and incident response teams can quickly answer: which Windows hosts made unusual web-based outbound connections, which accounts were active on those hosts, what local discovery occurred, and whether alternate command-and-control paths were available. This is also useful for audit and compliance evidence because it tests whether endpoint logging, network visibility, and investigation procedures are sufficient to reconstruct backdoor activity.
Technical view
ATT&CK provides no dedicated detection text for WinMM, so defenders should validate coverage through the related techniques: Fallback Channels, Web Protocols, System Owner/User Discovery, Process Discovery, System Information Discovery, and File and Directory Discovery. The procedure text attached to those relationships adds useful specifics: WinMM uses HTTP for C2, is usually configured with a primary and a backup C2 domain, installs a WH_CBT Windows hook to watch process creation and to locate files, calls NetUserGetInfo to check whether it is running under an "Admin" account, and reports system name, OS version (including service pack) and install date to the C2 server. On Windows, prioritize correlation between suspicious outbound web traffic and host-side discovery: process enumeration, user/account queries, system inventory collection, and file or directory enumeration, plus hook installation (SetWindowsHookEx) where your EDR exposes it. Because software objects carry no tactics of their own, treat the technique relationships as behavioral guidance rather than a complete detection specification.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows user/session and account context telemetry
- Endpoint file and directory enumeration indicators where available
- Host inventory and system information query events
- Network connection metadata for outbound web traffic
Detection direction
- Validate that Windows endpoint telemetry can connect discovery activity to the same host and timeframe as unusual outbound web communications.
- Tune network analytics for uncommon destinations, fallback-like changes in communication path, and web traffic patterns that do not match expected business applications.
- Review false positives from legitimate administration, inventory, software management, and troubleshooting tools that also enumerate users, processes, system details, and files.
- Do not rely on the WinMM malware name or file hashes alone; ATT&CK provides no official detection logic here, so behavior-based detections mapped to the related techniques are more defensible.
- Use the Naikon relationship as threat-intelligence context, but avoid assuming attribution without local forensic evidence.
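The correlation and fallback checks above, as an added worked example that is not part of the ATT&CK object, the Naikon report, or any vendor product. It runs over a handful of constructed Sysmon-style events (event ID 1 process creation, event ID 3 network connection, with a proxy-derived success flag); the field names, the command-line markers, the allowlists of benign parent processes and expected web destinations, the ten-minute window, and the thresholds are all assumptions to be replaced with local baselines. It flags hosts where outbound web traffic to an unexpected destination (T1071.001) lands within the window of two or more distinct discovery techniques (T1057, T1082, T1033, T1083), and separately flags processes that switch to a second destination after repeated failures against the first, the primary/backup pattern behind Fallback Channels (T1008).

```python
"""Correlate host discovery with unusual outbound web traffic and primary/backup
C2 switching over constructed Sysmon/proxy-style events. Added example; the
event layout, markers, allowlists and thresholds are assumptions, not ATT&CK data."""
from collections import defaultdict
from datetime import datetime, timedelta

# Case-insensitive command-line markers for the discovery techniques tied to WinMM.
DISCOVERY_MARKERS = {
    "T1057": ("tasklist", "get-process", "wmic process"),
    "T1082": ("systeminfo", "wmic os", "hostname"),
    "T1033": ("whoami", "net user", "query user", "net localgroup"),
    "T1083": ("dir /s", "tree ", "get-childitem"),
}
# Hypothetical allowlists: parents that legitimately enumerate (inventory agents)
# and web destinations expected from business applications.
BENIGN_PARENTS = {"c:\\program files\\inventoryagent\\agent.exe"}
EXPECTED_WEB_DESTINATIONS = {"update.microsoft.com", "intranet.corp.example"}

def proc(ts, host, user, pid, parent, cmdline):   # Sysmon EID 1 (constructed)
    return {"ts": ts, "eid": 1, "host": host, "user": user, "pid": pid, "parent": parent, "cmdline": cmdline}

def net(ts, host, user, pid, image, dst, dport, ok):  # Sysmon EID 3 + proxy status (constructed)
    return {"ts": ts, "eid": 3, "host": host, "user": user, "pid": pid, "image": image, "dst": dst, "dport": dport, "ok": ok}

IMPLANT = "c:\\users\\alice\\appdata\\roaming\\wmm.exe"          # hypothetical path
AGENT = "c:\\program files\\inventoryagent\\agent.exe"           # hypothetical agent
EVENTS = [  # constructed sample telemetry, not real data
    net("2024-03-01T09:00:02", "WS01", "CORP\\alice", 4120, IMPLANT, "news.primary-example.net", 80, False),
    net("2024-03-01T09:01:02", "WS01", "CORP\\alice", 4120, IMPLANT, "news.primary-example.net", 80, False),
    net("2024-03-01T09:02:03", "WS01", "CORP\\alice", 4120, IMPLANT, "cdn.backup-example.org", 80, True),
    proc("2024-03-01T09:02:10", "WS01", "CORP\\alice", 4311, IMPLANT, "whoami /all"),
    proc("2024-03-01T09:02:12", "WS01", "CORP\\alice", 4312, IMPLANT, "systeminfo"),
    proc("2024-03-01T09:02:15", "WS01", "CORP\\alice", 4313, IMPLANT, "tasklist /v"),
    # Benign inventory run on WS02: same enumeration, allowlisted parent and destination.
    proc("2024-03-01T09:05:00", "WS02", "NT AUTHORITY\\SYSTEM", 800, AGENT, "systeminfo"),
    proc("2024-03-01T09:05:01", "WS02", "NT AUTHORITY\\SYSTEM", 801, AGENT, "tasklist"),
    net("2024-03-01T09:05:05", "WS02", "NT AUTHORITY\\SYSTEM", 790, AGENT, "intranet.corp.example", 443, True),
    # Helpdesk one-off on WS03: a single whoami with no unusual web traffic.
    proc("2024-03-01T09:10:00", "WS03", "CORP\\bob", 900, "c:\\windows\\system32\\cmd.exe", "whoami"),
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def classify_discovery(cmdline):
    """Return the set of discovery technique IDs a command line matches."""
    c = cmdline.lower()
    return {tid for tid, markers in DISCOVERY_MARKERS.items() if any(m in c for m in markers)}

def correlate_discovery_with_web(events, window=timedelta(minutes=10), min_techniques=2):
    """Per host: unexpected outbound web connections within `window` of at least
    `min_techniques` distinct discovery techniques from non-allowlisted parents."""
    web = [e for e in events if e["eid"] == 3 and e["dport"] in (80, 443, 8080)
           and e["dst"] not in EXPECTED_WEB_DESTINATIONS]
    disc = [e for e in events if e["eid"] == 1 and e["parent"].lower() not in BENIGN_PARENTS]
    findings = {}
    for w in web:
        techs, users = set(), {w["user"]}
        for d in disc:
            if d["host"] == w["host"] and abs(_ts(d) - _ts(w)) <= window:
                t = classify_discovery(d["cmdline"])
                if t:
                    techs |= t
                    users.add(d["user"])
        if len(techs) >= min_techniques:
            f = findings.setdefault(w["host"], {"techniques": set(), "destinations": set(), "users": set()})
            f["techniques"] |= techs
            f["destinations"].add(w["dst"])
            f["users"] |= users
    return findings

def fallback_candidates(events, min_failures=2):
    """Per (host, pid): processes that fail `min_failures` times against one web
    destination and then connect to a different one, the T1008 primary/backup shape."""
    by_proc = defaultdict(list)
    for e in sorted((e for e in events if e["eid"] == 3), key=_ts):
        by_proc[(e["host"], e["pid"])].append(e)
    out = []
    for (host, pid), conns in by_proc.items():
        failed = defaultdict(int)
        for c in conns:
            if not c["ok"]:
                failed[c["dst"]] += 1
            elif any(n >= min_failures and d != c["dst"] for d, n in failed.items()):
                out.append({"host": host, "pid": pid, "image": c["image"],
                            "primary": max(failed, key=failed.get), "backup": c["dst"]})
                break
    return out

if __name__ == "__main__":
    for host, f in correlate_discovery_with_web(EVENTS).items():
        print(host, sorted(f["techniques"]), sorted(f["destinations"]), sorted(f["users"]))
    for fb in fallback_candidates(EVENTS):
        print(fb)
```

On the constructed input only WS01 is raised: the inventory agent on WS02 performs the same enumeration but is excluded by the parent and destination allowlists, and the lone whoami on WS03 never reaches the two-technique threshold. The second check is the network-side view of Fallback Channels and is deliberately independent of the first, so a host that switches C2 domains before running any discovery still surfaces.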
Mitigation priorities
- Ensure Windows endpoint monitoring, proxy/DNS logging, and incident response retention are sufficient to reconstruct discovery and outbound communication activity.
- Restrict and monitor unnecessary outbound web access from servers and sensitive workstations according to business need.
- Harden identity and access practices so discovery of a user or system does not easily enable broader compromise.
- Prepare IR playbooks that triage suspected backdoors by combining host process history, user context, network destinations, and file-system discovery evidence.
- Use threat-informed testing to validate coverage for the related ATT&CK techniques rather than relying on signature-only malware detection.
Analyst notes and limits
The strongest decision value comes from the relationships: WinMM is described as a full-featured simple backdoor used by Naikon, and it is linked to command-and-control and discovery techniques. This supports a defensive focus on Windows host telemetry plus web/proxy/DNS visibility. The supplied object does not include aliases, labels, malware capabilities beyond the short description and the procedure text on the technique relationships, or official detection guidance.
This take is limited to the supplied ATT&CK fields, references, and relationships. It does not establish current activity, customer exposure, specific indicators, exploit methods, persistence mechanisms, or guaranteed detection coverage. Local environment baselines and forensic evidence are required to determine whether observed activity is malicious or attributable.
WinMM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | WinMM sets a WH_CBT Windows hook to collect information on process creation. [1] |
| Enterprise | T1083 | File and Directory Discovery | WinMM sets a WH_CBT Windows hook to search for and capture files on the victim. [1] |
| Enterprise | T1082 | System Information Discovery | WinMM collects the system name, OS version including service pack, and system install date and sends the information to the C2 server. [1] |
| Enterprise | T1008 | Fallback Channels | WinMM is usually configured with primary and backup domains for C2 communications. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique of T1071, Application Layer Protocol) | WinMM uses HTTP for C2. [1] |
| Enterprise | T1033 | System Owner/User Discovery | WinMM uses NetUserGetInfo to identify that it is running under an "Admin" account on the local system. [1] |
Groups, software, and campaigns
G0019: Naikon
Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]
While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5d6151ba73b5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
[2] MITRE ATT&CK. S0059: WinMM (mirrored ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.