
S0061: HDoor

HDoor is malware that has been customized and used by the Naikon group. [1]

Enterprise · S0061 · Malware · Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

HDoor matters because ATT&CK identifies it as Windows malware customized and used by Naikon, with linked behavior around discovering network services and impairing defensive tools. For leaders, the practical issue is not just the malware name; it is whether the organization can see a Windows host being used to map internal services and whether security tooling remains trustworthy during an investigation.

Executive priority

Prioritize this as a readiness and assurance question: can the business prove that Windows endpoint telemetry, network visibility, and security-tool health monitoring would survive and surface discovery and defense-impairment behavior? This is especially relevant for incident response decision-making, compliance evidence around monitoring controls, and resilience of SOC operations during a suspected intrusion.

Technical view

ATT&CK provides no official detection text for HDoor, so defenders should validate coverage through the related behaviors: Network Service Discovery (T1046) and Disable or Modify Tools (T1685). For Windows environments, review whether endpoint and network controls can identify unusual service enumeration from a host, unexpected scanning patterns, and attempts to stop, degrade, reconfigure, or blind security tools and logging agents. Because ATT&CK links HDoor to Naikon, threat intelligence teams may use that relationship for contextual prioritization, but local detection should be behavior-based rather than relying only on malware naming.

Likely telemetry

  • Windows endpoint process execution and command-line telemetry
  • Windows service creation, modification, stop, and failure events
  • Endpoint security, antivirus, EDR, and logging-agent health events
  • Host firewall, network firewall, IDS/IPS, NetFlow, or similar network connection records
  • Internal scan or service-enumeration indicators across hosts and network infrastructure

Detection direction

  • Baseline authorized vulnerability scanners, inventory tools, and administrative discovery activity to reduce false positives for Network Service Discovery.
  • Alert on unusual internal port or service enumeration from Windows endpoints, especially from systems that do not normally perform scanning.
  • Monitor for stopping, disabling, reconfiguring, deleting, or otherwise degrading security tools, sensors, logging agents, or their update mechanisms.
  • Correlate discovery activity with security-tool impairment events; the combination is more decision-relevant than either signal alone.
  • Validate that telemetry still arrives when endpoint controls are tampered with, including independent network-side visibility where possible.
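The correlation described in the detection direction above, as an added illustration (not code from ATT&CK, Glexia, or the HDoor reporting): per-host telemetry is scored so that unbaselined service fan-out combined with a security-tool stop outranks either signal alone. Hostnames, IP addresses, timestamps, the authorized-scanner baseline and the security-service names are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical hosts, IPs and timestamps): network connection
# records and Windows service-stop events normalised to one schema.
def _conns(host, dst, second0=0):
    return [{"ts": f"2024-06-01T10:00:{second0 + i:02d}", "host": host, "kind": "netconn",
             "dst": dst, "port": port} for i, port in enumerate(range(20, 60))]

EVENTS = (
    _conns("WS-017", "10.0.5.20")      # workstation touches 40 distinct ports on one peer ...
    + [{"ts": "2024-06-01T10:02:00", "host": "WS-017", "kind": "service_stop", "service": "WinDefend"}]
    + _conns("SCAN-01", "10.0.5.21")   # authorised scanner: same fan-out, baselined below
    + [{"ts": "2024-06-01T11:00:00", "host": "SRV-09", "kind": "service_stop", "service": "WinDefend"}]
)

AUTHORIZED_SCANNERS = {"SCAN-01"}                                             # local baseline (assumption)
SECURITY_SERVICES = {"WinDefend", "ExampleEdrAgent", "ExampleLogForwarder"}  # placeholder service names

def _t(e):
    return datetime.fromisoformat(e["ts"])

def triage(events, fanout_threshold=25, window=timedelta(minutes=10)):
    """Per host: 'high' = unbaselined service fan-out plus a security-tool stop within `window`,
    'medium' = security-tool stop alone, 'low' = unbaselined fan-out alone, absent = nothing."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    result = {}
    for host, evs in by_host.items():
        conns = [e for e in evs if e["kind"] == "netconn"]
        stops = [e for e in evs if e["kind"] == "service_stop" and e["service"] in SECURITY_SERVICES]
        scanning = host not in AUTHORIZED_SCANNERS       # baselined scanners never count as discovery
        fanout = len({(c["dst"], c["port"]) for c in conns}) if scanning else 0
        # Discovery is only "correlated" when enough distinct targets fall within `window` of a stop.
        correlated = scanning and any(
            len({(c["dst"], c["port"]) for c in conns if abs(_t(c) - _t(s)) <= window}) >= fanout_threshold
            for s in stops)
        if correlated:
            result[host] = "high"
        elif stops:
            result[host] = "medium"
        elif fanout >= fanout_threshold:
            result[host] = "low"
    return result

if __name__ == "__main__":
    for host, severity in sorted(triage(EVENTS).items()):
        print(f"{host}: {severity}")
```

Feeding real Sysmon or firewall records into the same schema is the only change needed to run this against live data; the thresholds and baseline must come from the local environment, as the notes below stress.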

Mitigation priorities

  • Harden Windows endpoints and restrict administrative privileges that can disable services or security tooling.
  • Enable tamper protection and change control for security agents, logging components, and monitoring configurations where available.
  • Segment networks and limit unnecessary service exposure so discovery produces less useful information for an intruder.
  • Maintain an accurate inventory of authorized scanners and exposed services to support faster triage.
  • Test incident response procedures for scenarios where endpoint telemetry is partially impaired or unavailable.

Analyst notes and limits

The strongest operational value comes from the relationship context: HDoor is a Windows malware entry associated with Naikon and mapped to service discovery and defense-impairment techniques. Detection engineering should focus on those behaviors rather than assuming a specific signature or vendor detection exists.

ATT&CK does not provide official detection guidance, aliases, labels, malware tactics, or detailed HDoor functionality in the supplied fields. The related technique platform lists are broader than the HDoor platform field; this take treats HDoor itself as Windows-supported and uses the technique relationships only for defensive validation direction. Local environment baselines are required to separate legitimate scanning and administration from suspicious activity.

Official MITRE ATT&CK definition

HDoor

HDoor is malware that has been customized and used by the Naikon group. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                        Relationship / procedure
Enterprise  T1046  Network Service Discovery   HDoor scans to identify open ports on the victim. [1]
Enterprise  T1685  Disable or Modify Tools     HDoor kills anti-virus found on the victim. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0019: Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: ac45c7e40e1a4fac...

Imported snapshots across ATT&CK releases (1)
Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  ac45c7e40e1a…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Baumgartner Naikon 2015
     Baumgartner, K., Golovkin, M. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019.
  2. [2] mitre-attack S0061

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.