S0074: Sakula
Analyst context for executives and security teams
Sakula is a Windows remote access tool documented by ATT&CK as surfacing in 2012 and being used in intrusions through 2015. Its business relevance is less about the age of the malware name and more about the behaviors ATT&CK links to it: persistence through Windows services and Run keys, execution through cmd.exe/rundll32/DLL abuse, file cleanup, tool transfer, and encrypted or web-based command-and-control. These are common decision points for whether a SOC can see and contain remote access after initial compromise.
Executive priority
Treat Sakula as a validation case for Windows intrusion readiness. Leaders should ask whether endpoint, identity, proxy, and incident response teams can prove visibility into service creation, startup persistence, suspicious command shell use, DLL/rundll32 execution, inbound tool transfer, and encrypted outbound communications. This object also supports budget and audit discussions around endpoint logging, egress control, privileged access governance, and evidence retention, because several related behaviors are designed to persist, elevate, blend into normal administration, or remove traces.
Technical view
ATT&CK provides no dedicated detection text for Sakula, so defenders should validate coverage from the related techniques rather than rely on a malware signature alone. For Windows hosts, prioritize process creation and parent-child analysis for cmd.exe and rundll32.exe, monitoring of service creation/modification and Registry Run key or startup folder changes, DLL loading or suspicious DLL execution paths, file creation followed by deletion, and evidence of tool transfer. Network teams should confirm visibility into outbound web-protocol communications and encrypted command-and-control patterns where metadata, destination reputation, proxy logs, and host correlation can be used without assuming payload inspection.
Likely telemetry
- Windows endpoint process creation events, including cmd.exe and rundll32.exe parent-child relationships
- Windows service creation, modification, and service configuration change logs
- Registry monitoring for Run keys and startup persistence locations
- File system telemetry for dropped tools, DLLs, encoded/encrypted files, and subsequent deletion
- DLL load or module execution telemetry where available
Detection direction
- Map current detections to the ATT&CK relationships: T1059.003, T1218.011, T1574.001, T1543.003, T1547.001, T1548.002, T1105, T1070.004, T1027.013, T1071.001, and T1573.001.
- Tune detections for suspicious combinations, such as rundll32.exe or cmd.exe activity followed by service or Run key persistence, outbound web traffic, tool transfer, or file deletion.
- Account for false positives from legitimate administration, software deployment, Windows services, login scripts, and normal DLL use; require context such as unusual path, user, host role, command line, timing, or external destination.
- Do not depend only on static malware signatures because related behavior includes encrypted/encoded files and symmetric cryptography for command-and-control.
- Use the Deep Panda relationship as threat-intelligence context only; do not infer current activity or attribution without local evidence.
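A minimal correlation of the combination called out above (cmd.exe/rundll32.exe execution from a user-writable path followed within a short window by Run key persistence or file deletion), as an added example that is not Glexia's or MITRE's code; the log format, field names, hostnames and events are all constructed for the example:

```python
"""Correlate a Sakula-style behavior chain from constructed Windows telemetry.
Added example: log format and field names are assumptions, not a real product schema."""
from datetime import datetime, timedelta

# Constructed events, one per line: ts|host|kind|image|parent-or-key|detail
SAMPLE_LOG = r"""
2015-07-30T10:00:00|ws01|proc|cmd.exe|avupd.exe|cmd.exe /c rundll32.exe C:\Users\bob\AppData\Local\Temp\mcutil.dll,Launch
2015-07-30T10:00:02|ws01|proc|rundll32.exe|cmd.exe|rundll32.exe C:\Users\bob\AppData\Local\Temp\mcutil.dll,Launch
2015-07-30T10:00:05|ws01|reg|rundll32.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\mcutil|rundll32.exe C:\Users\bob\AppData\Local\Temp\mcutil.dll,Launch
2015-07-30T10:00:09|ws01|proc|cmd.exe|rundll32.exe|cmd.exe /c del /q C:\Users\bob\AppData\Local\Temp\avupd.exe
2015-07-30T11:00:00|ws02|proc|rundll32.exe|msiexec.exe|rundll32.exe shell32.dll,Control_RunDLL
2015-07-30T11:30:00|ws03|reg|explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive|C:\Users\ann\AppData\Local\Microsoft\OneDrive\OneDrive.exe
"""
WINDOW = timedelta(minutes=10)                  # how long after the trigger to look
LOLBINS = {"cmd.exe", "rundll32.exe"}           # T1059.003, T1218.011
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

def parse(log: str):
    events = []
    for line in log.strip().splitlines():
        ts, host, kind, image, ref, detail = line.split("|", 5)
        events.append({"ts": datetime.fromisoformat(ts), "host": host, "kind": kind,
                       "image": image.lower(), "ref": ref.lower(), "detail": detail.lower()})
    return sorted(events, key=lambda e: e["ts"])

def from_user_path(ev) -> bool:
    return any(p in ev["detail"] for p in USER_WRITABLE)

def suspicious_lolbin(ev) -> bool:  # cmd.exe/rundll32.exe touching a module in a user-writable path
    return ev["kind"] == "proc" and ev["image"] in LOLBINS and from_user_path(ev)

def run_key_persistence(ev) -> bool:  # T1547.001: Run key value pointing at a user-writable path
    return ev["kind"] == "reg" and "\\currentversion\\run\\" in ev["ref"] and from_user_path(ev)

def file_cleanup(ev) -> bool:  # T1070.004: cmd.exe deleting files
    return ev["kind"] == "proc" and ev["image"] == "cmd.exe" and " del " in ev["detail"]

def correlate(events):
    """Per host: a suspicious LOLBin run followed within WINDOW by persistence or cleanup.
    A Run key write (ws03) or installer rundll32 use (ws02) alone does not alert."""
    hits = {}
    for i, trigger in enumerate(events):
        if not suspicious_lolbin(trigger):
            continue
        follow = [e for e in events[i + 1:]
                  if e["host"] == trigger["host"] and e["ts"] - trigger["ts"] <= WINDOW]
        tags = {"T1547.001" for e in follow if run_key_persistence(e)}
        tags |= {"T1070.004" for e in follow if file_cleanup(e)}
        if tags:
            hits.setdefault(trigger["host"], set()).update(tags)
    return {host: sorted(tags) for host, tags in hits.items()}
```

Run as `correlate(parse(SAMPLE_LOG))`; only ws01 is returned, with both follow-on technique tags.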
Mitigation priorities
- Reduce administrative exposure on Windows systems and review local administrator rights, since related behavior includes UAC bypass and persistence mechanisms that benefit from elevated privileges.
- Harden and monitor Windows service creation/modification, Registry Run keys, startup folders, rundll32.exe usage, and DLL search/loading behavior.
- Apply application control or execution control policies where feasible to constrain unauthorized binaries, DLLs, scripts, and administrative utilities.
- Strengthen egress controls, proxy enforcement, DNS logging, and network monitoring for web-based and encrypted outbound communications.
- Ensure incident response procedures preserve endpoint, service, registry, file system, proxy, DNS, and firewall evidence quickly, because related behavior includes file deletion and trace reduction.
Analyst notes and limits
The official ATT&CK description identifies Sakula as a RAT and cites Dell SecureWorks reporting. ATT&CK relates this software to Deep Panda and to multiple Windows-relevant execution, persistence, privilege-escalation, stealth, tool-transfer, and command-and-control techniques. The most useful defensive value is to test whether those behaviors are observable and actionable in the local environment.
ATT&CK provides no official detection guidance, no aliases, and no object-level tactics for Sakula in the supplied fields. The relationship data indicates techniques associated with the malware, but local telemetry is required to determine exposure, detection quality, or incident relevance. No active exploitation, current campaign activity, or guaranteed detection coverage is established by the supplied fields.
Sakula
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Sakula uses single-byte XOR obfuscation to obfuscate many of its files. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Sakula has the capability to download files. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Most Sakula samples maintain persistence by setting the Registry Run key |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Sakula uses HTTP for C2. [1] |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | Sakula contains UAC bypass code for both 32- and 64-bit systems. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Sakula encodes C2 traffic with single-byte XOR keys. [1] |
| Enterprise | T1574.001 | DLL Sub-technique | Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Sakula calls cmd.exe to run various DLL files via rundll32. [1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | Some Sakula samples install themselves as services for persistence by calling WinExec with the |
| Enterprise | T1070.004 | File Deletion Sub-technique | Some Sakula samples use cmd.exe to delete temporary files. [1] |
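The T1027.013 and T1573.001 rows describe single-byte XOR, whose key space is only 256 values, which is why static signatures on the raw bytes fail but key recovery during triage is cheap. The helper below is an added example, not Glexia's, MITRE's or Dell SecureWorks' code; the samples are constructed, and the choice of known-plaintext markers (PE header, DOS stub, HTTP request prefixes) is an assumption about what the decoded content looks like:

```python
"""Single-byte XOR triage (added example, not Glexia's or MITRE's code).
Tries all 256 keys against known-plaintext markers; samples below are constructed."""
DOS_STUB = b"This program cannot be run in DOS mode"
HTTP_MARKERS = (b"GET /", b"POST /", b"HTTP/1.")

def xor_bytes(data: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in data)

def plaintext_score(plain: bytes) -> int:
    """Weight of known-plaintext markers: PE header, DOS stub, HTTP request text."""
    score = 2 if plain[:2] == b"MZ" else 0
    score += 3 if DOS_STUB in plain else 0
    score += sum(2 for m in HTTP_MARKERS if m in plain)
    return score

def recover_single_byte_key(blob: bytes):
    """Try every key; return (key, score) of the best candidate, or None if no
    marker appears under any key. Key 0 means the data already reads as plaintext."""
    best = None
    for key in range(256):
        s = plaintext_score(xor_bytes(blob, key))
        if s and (best is None or s > best[1]):
            best = (key, s)
    return best

# Constructed samples (not real Sakula artifacts): a minimal PE-like header and an
# HTTP request, each obfuscated with a different single-byte key.
PE_PLAIN = b"MZ\x90\x00" + bytes(60) + DOS_STUB + b".\r\n$"
PE_SAMPLE = xor_bytes(PE_PLAIN, 0x5A)
HTTP_SAMPLE = xor_bytes(b"GET /index.asp?id=1 HTTP/1.1\r\nHost: example.invalid\r\n\r\n", 0x7F)

if __name__ == "__main__":
    for name, blob in (("pe", PE_SAMPLE), ("http", HTTP_SAMPLE)):
        key, score = recover_single_byte_key(blob)
        print(f"{name}: key=0x{key:02x} score={score} -> {xor_bytes(blob, key)[:16]!r}")
```

A file with no marker under any key (random data, or a real cipher) returns None, so the helper cannot confirm the absence of obfuscation, only identify the simple case.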
Groups, software, and campaigns
G0009: Deep Panda
Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 37c3845d9e9f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Dell Sakula: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
- [2] mitre-attack: S0074 (MITRE ATT&CK software entry for Sakula).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.