S0060: Sys10
Analyst context for executives and security teams
Sys10 is a Windows backdoor documented by MITRE as used by Naikon in 2013. Its value to defenders is less about a current malware headline and more about validating whether the organization can recognize a backdoor that performs host, user, group, and network discovery and communicates over web protocols with encrypted command-and-control content. For leaders, this maps to basic incident readiness: can the SOC prove what a compromised Windows host learned, where it communicated, and which accounts or local groups may have been exposed?
Executive priority
Treat Sys10 as a coverage validation case for Windows endpoint visibility, discovery-behavior monitoring, and command-and-control investigation workflows. Because ATT&CK does not provide a detection section for this malware, executives should ask for evidence-based assurance rather than tool claims: endpoint process telemetry, user and local group visibility, network/web traffic logs, and incident response procedures for scoping discovery and encrypted outbound communications.
Technical view
ATT&CK lists Sys10 as a Windows backdoor and relates it to System Network Configuration Discovery, System Owner/User Discovery, Local Groups discovery, System Information Discovery, Web Protocols for command and control, and Symmetric Cryptography. SOC and IR teams should validate detections around unusual discovery activity from Windows hosts, unexpected enumeration of users or local groups, host and network configuration collection, and outbound web-protocol communications that do not match normal application behavior. Since no official detection guidance is supplied, analytics should be environment-tuned and supported by baseline knowledge of legitimate administration and management tools.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows user, logon, and local group enumeration evidence
- Host inventory and system information query activity
- Network connection metadata from Windows endpoints
- Proxy, web gateway, DNS, and firewall logs for outbound web-protocol traffic
Detection direction
- Validate behavioral detections for discovery activity rather than relying on a Sys10 name or signature alone.
- Correlate user, local group, system information, and network configuration discovery occurring close in time on the same Windows host.
- Review outbound web-protocol traffic from hosts showing discovery behavior, especially traffic that is unusual for the process, destination, timing, or user context.
- Account for false positives from legitimate administration, asset inventory, helpdesk, and security tooling that may perform similar discovery.
- Because symmetric cryptography may conceal command-and-control content, emphasize metadata, process-to-network correlation, destination reputation/context, and deviations from baseline rather than payload inspection alone.
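The correlation suggested above, as an added example that is not part of the original page: a small Python analytic over constructed Windows process-creation and network events (not real logs) that flags a host when several distinct discovery techniques occur within a short window and outbound HTTP follows. The keyword-to-technique map and the time windows are assumptions to be tuned to the local baseline; discovery done through API calls rather than child processes needs other telemetry.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry: (ISO timestamp, host, event kind, detail).
SAMPLE_EVENTS = [
    ("2024-01-10T09:00:05", "WS01", "process", "whoami.exe"),                       # T1033
    ("2024-01-10T09:00:07", "WS01", "process", "net.exe localgroup administrators"),  # T1069.001
    ("2024-01-10T09:00:09", "WS01", "process", "systeminfo.exe"),                   # T1082
    ("2024-01-10T09:00:11", "WS01", "process", "ipconfig.exe /all"),                # T1016
    ("2024-01-10T09:00:40", "WS01", "network", "http 203.0.113.10:80"),             # outbound web
    ("2024-01-10T10:15:00", "WS02", "process", "ipconfig.exe /all"),                # single, benign-looking
    ("2024-01-10T11:00:00", "WS02", "network", "http 198.51.100.5:80"),
]

# Assumed substring map from command line to the ATT&CK technique it suggests.
DISCOVERY_KEYWORDS = {"whoami": "T1033", "localgroup": "T1069.001",
                      "systeminfo": "T1082", "ipconfig": "T1016"}


def classify(detail):
    """Return the discovery technique ID suggested by a command line, or None."""
    for keyword, technique in DISCOVERY_KEYWORDS.items():
        if keyword in detail.lower():
            return technique
    return None


def correlate(events, min_techniques=3, window=timedelta(minutes=5),
              egress_window=timedelta(minutes=15)):
    """Flag hosts with >= min_techniques distinct discovery techniques inside `window`,
    and note whether outbound web traffic followed within `egress_window`."""
    by_host = {}
    for ts, host, kind, detail in sorted(events):
        by_host.setdefault(host, []).append((datetime.fromisoformat(ts), kind, detail))
    alerts = []
    for host, evs in by_host.items():
        disc = [(t, classify(d)) for t, k, d in evs if k == "process" and classify(d)]
        web = [t for t, k, d in evs if k == "network" and d.startswith("http")]
        for i, (start, _) in enumerate(disc):
            in_window = [(t, tid) for t, tid in disc[i:] if t - start <= window]
            seen = {tid for _, tid in in_window}
            if len(seen) >= min_techniques:
                last = max(t for t, _ in in_window)
                egress = any(timedelta(0) <= t - last <= egress_window for t in web)
                alerts.append({"host": host, "techniques": sorted(seen), "egress": egress})
                break  # one alert per host is enough for triage
    return alerts
```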
Mitigation priorities
- Prioritize endpoint visibility on Windows systems so process, user, local group, and network connection evidence is available during investigations.
- Harden and monitor local administrative group membership and privileged account exposure, since local group discovery can help adversaries identify elevated access paths.
- Restrict and monitor outbound web traffic through controlled egress points such as proxies, firewalls, or web gateways where appropriate.
- Maintain incident response playbooks for backdoor investigations that include host isolation decisions, account review, local group review, and outbound communication scoping.
- Use threat intelligence context from the Naikon relationship cautiously for prioritization and hunting, without assuming current activity or attribution in the local environment.
Analyst notes and limits
The supplied ATT&CK object is sparse: Sys10 has a short official description, Windows platform, no aliases, no ATT&CK tactics listed directly on the malware object, and no official detection text. The most useful defensive context comes from the relationships to discovery and command-and-control techniques and the relationship indicating Naikon used the malware.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not assert current exploitation, customer exposure, malware capabilities beyond the listed relationships, or guaranteed detection logic. Local baselines, endpoint logging quality, network architecture, and IR evidence are required to determine actual risk and coverage.
Sys10
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Sys10 uses an XOR 0x1 loop to encrypt its C2 domain. [1] |
| Enterprise | T1069.001 | Local Groups (sub-technique) | Sys10 collects the group name of the logged-in user and sends it to the C2. [1] |
| Enterprise | T1082 | System Information Discovery | Sys10 collects the computer name, OS versioning information, and OS install date and sends the information to the C2. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Sys10 collects the local IP address of the victim and sends it to the C2. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Sys10 uses HTTP for C2. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Sys10 collects the account name of the logged-in user and sends it to the C2. [1] |
Groups, software, and campaigns
G0019: Naikon
Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]
While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 8b833ea47469… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Baumgartner Naikon 2015: Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
[2] mitre-attack S0060
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.