S0080: Mivast

Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. [1]

Enterprise | S0080 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Mivast matters because ATT&CK records it as a Windows backdoor associated with Deep Panda and reportedly used in the Anthem breach. For leaders, the decision value is not the malware name alone; it is whether Windows endpoint, identity, and incident response programs can recognize the behaviors ATT&CK links to it: command shell execution, local credential access against the SAM database, tool transfer, and Run Key or Startup Folder persistence.

Executive priority

Treat this as a validation case for resilience against backdoor-enabled intrusion on Windows systems. Priority questions are: can the organization prove it collects evidence for Windows persistence, command execution, credential access, and file transfer; can IR quickly scope hosts and accounts if those behaviors appear; and can compliance or audit teams show that endpoint logging and identity controls would support investigation of local credential theft. The supplied ATT&CK data supports historical association with Deep Panda and reported Anthem use, but does not support claims of current activity or exposure.

Technical view

SOC and IR teams should map coverage to the ATT&CK relationships supplied for Mivast: T1059.003 Windows Command Shell, T1003.002 Security Account Manager, T1547.001 Registry Run Keys / Startup Folder, and T1105 Ingress Tool Transfer. Because ATT&CK provides no official detection text for Mivast, detection should be behavior-led rather than signature-led: suspicious cmd.exe activity, attempts to access or export SAM-related credential material, creation or modification of Run Keys or Startup Folder entries, and unusual inbound tool or file transfer activity around a suspected compromised host. Validate these behaviors specifically on Windows assets, the platform listed for Mivast.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially cmd.exe execution context
  • Windows Registry monitoring for Run Key changes and Startup Folder persistence artifacts
  • File creation, modification, and download/transfer evidence on Windows hosts
  • Authentication and privilege context showing whether activity ran with elevated or SYSTEM-level access
  • Endpoint security alerts or EDR records tied to backdoor, persistence, credential access, or tool transfer behaviors

Detection direction

  • Do not rely on the malware family name alone; validate detections against the related ATT&CK behaviors because no official Mivast detection guidance is supplied.
  • Tune Windows command shell analytics to separate routine administration from unusual execution paths, parent processes, timing, account context, or post-compromise command patterns.
  • Monitor Registry Run Keys and Startup Folder changes, with allowlisting for approved software installers and administrative tooling to reduce false positives.
  • Validate visibility into SAM-related credential access attempts; this is especially important because the related technique notes that SAM enumeration requires SYSTEM-level access.
  • Correlate suspected tool transfer with new files, process execution, persistence creation, and credential access on the same host or account.
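
The behavior-led approach described in the Technical view and the Detection direction bullets above can be reduced to a small correlation routine. The following is an added example written for this page; it is not code from Glexia, MITRE, or the Symantec references. It runs over constructed Windows endpoint events (field names such as `type`, `image`, `parent_image`, `target`, and `user` are assumptions loosely modelled on Sysmon-style telemetry), applies an assumed allowlist for approved autostart writers, and only reports a host when at least two of the four Mivast-linked behaviors (T1547.001, T1059.003, T1003.002, T1105) appear on it. The Run key path used in the sample is the one quoted in the page's relationship table.

```python
"""Added example (not from the page): behavior-led correlation of the four
ATT&CK behaviors the page links to Mivast, over constructed endpoint events."""
from collections import defaultdict
from dataclasses import dataclass, field

# Autostart locations (T1547.001); all matching below is case-insensitive.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"
# Local credential store (T1003.002); readable only with SYSTEM-level access.
SAM_HIVE_MARKER = "\\system32\\config\\sam"
# Locations where a newly transferred tool would typically land (T1105).
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")
# Parents for which a cmd.exe child is routine (T1059.003 tuning); assumption.
BENIGN_CMD_PARENTS = ("\\explorer.exe", "\\cmd.exe", "\\powershell.exe", "\\windowsterminal.exe")
# Installers / admin tooling allowed to create autostart entries; assumed allowlist.
APPROVED_AUTOSTART_WRITERS = {"c:\\program files\\approvedvendor\\setup.exe"}


@dataclass
class HostFindings:
    techniques: set = field(default_factory=set)
    evidence: list = field(default_factory=list)


def _note(findings, host, technique, text):
    findings[host].techniques.add(technique)
    findings[host].evidence.append(f"{technique}: {text}")


def correlate(events, min_behaviors=2):
    """Group events by host; return {host: HostFindings} for hosts that show at
    least `min_behaviors` distinct Mivast-linked behaviors."""
    findings = defaultdict(HostFindings)
    dropped = defaultdict(set)  # host -> executables written to user-writable paths
    for ev in events:
        host, kind, image = ev["host"], ev["type"], ev["image"].lower()
        if kind == "registry_set" and any(m in ev["target"].lower() for m in RUN_KEY_MARKERS):
            if image not in APPROVED_AUTOSTART_WRITERS:
                _note(findings, host, "T1547.001", f"Run key {ev['target']} set by {image}")
        elif kind == "file_create":
            target = ev["target"].lower()
            if STARTUP_FOLDER_MARKER in target and image not in APPROVED_AUTOSTART_WRITERS:
                _note(findings, host, "T1547.001", f"Startup Folder entry {target} by {image}")
            elif (target.endswith(".exe") and any(m in target for m in USER_WRITABLE_MARKERS)
                  and image not in APPROVED_AUTOSTART_WRITERS):
                dropped[host].add(target)
                _note(findings, host, "T1105", f"executable {target} written by {image}")
        elif kind == "process_create":
            parent = ev.get("parent_image", "").lower()
            if image.endswith("\\cmd.exe") and not parent.endswith(BENIGN_CMD_PARENTS):
                _note(findings, host, "T1059.003",
                      f"cmd.exe spawned by {parent}: {ev.get('command_line', '')}")
            if image in dropped[host]:  # download followed by execution on the same host
                _note(findings, host, "T1105", f"dropped executable {image} launched by {parent}")
        elif kind == "file_read" and SAM_HIVE_MARKER in ev["target"].lower():
            _note(findings, host, "T1003.002", f"SAM hive read by {image} as {ev['user']}")
    return {h: f for h, f in findings.items() if len(f.techniques) >= min_behaviors}


# Constructed telemetry for the demonstration; not real logs.
TMP = "c:\\users\\bob\\appdata\\local\\temp\\"
SAMPLE_EVENTS = [
    {"host": "WS-01", "type": "file_create", "image": TMP + "upd.exe", "user": "CORP\\bob",
     "target": TMP + "svc.exe"},
    {"host": "WS-01", "type": "registry_set", "image": TMP + "upd.exe", "user": "CORP\\bob",
     "target": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Micromedia"},
    {"host": "WS-01", "type": "process_create", "image": "c:\\windows\\system32\\cmd.exe",
     "user": "CORP\\bob", "parent_image": TMP + "upd.exe", "command_line": "cmd.exe /c hostname"},
    {"host": "WS-01", "type": "process_create", "image": TMP + "svc.exe",
     "user": "NT AUTHORITY\\SYSTEM", "parent_image": TMP + "upd.exe", "command_line": "svc.exe"},
    {"host": "WS-01", "type": "file_read", "image": TMP + "svc.exe",
     "user": "NT AUTHORITY\\SYSTEM", "target": "c:\\windows\\system32\\config\\sam"},
    # WS-02: an approved installer and an interactive shell; expected to stay quiet.
    {"host": "WS-02", "type": "registry_set", "image": "c:\\program files\\approvedvendor\\setup.exe",
     "user": "CORP\\admin",
     "target": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ApprovedAgent"},
    {"host": "WS-02", "type": "process_create", "image": "c:\\windows\\system32\\cmd.exe",
     "user": "CORP\\admin", "parent_image": "c:\\windows\\explorer.exe", "command_line": "cmd.exe"},
]

if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(host, sorted(f.techniques))
        for line in f.evidence:
            print("  ", line)
```

The allowlist and the benign-parent tuple are where the tuning the bullets call for happens: widening either reduces false positives from routine administration, and the `min_behaviors` threshold keeps a single Run key write from an unknown installer from paging anyone on its own while still surfacing a host where persistence, shell execution, tool transfer, and SAM access line up.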

Mitigation priorities

  • Prioritize endpoint logging and EDR coverage on Windows systems where command execution, Registry persistence, and credential access evidence must be available to responders.
  • Reduce local credential exposure by limiting administrative privileges and monitoring activity that reaches SYSTEM-level context.
  • Harden and monitor Windows autostart locations, including Registry Run Keys and Startup Folders, and require change control where feasible.
  • Restrict and inspect unauthorized file transfer paths that could support ingress tool transfer, while preserving logs needed for investigation.
  • Prepare IR playbooks that quickly scope affected Windows hosts, persistence locations, transferred files, and potentially exposed local accounts.

Analyst notes and limits

The supplied ATT&CK object is sparse: Mivast is described as a backdoor used by Deep Panda and reportedly used in the Anthem breach, with Windows as the listed platform. The practical defensive value comes from the relationship context to specific techniques rather than from an official detection section, which is not provided.

This take uses only the supplied ATT&CK fields, references, and relationships. It does not assert current exploitation, customer exposure, active infrastructure, specific indicators, or guaranteed detection. Local asset inventory, logging configuration, EDR capabilities, and administrative baselines are required to determine actual coverage.

Official MITRE ATT&CK definition

Mivast

Mivast is a backdoor that has been used by Deep Panda. It was reportedly used in the Anthem breach. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

4 rows

Domain | ID | Name | Relationship / procedure
Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Sub-technique
  Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia. (Citation: Symantec Backdoor.Mivast)
Enterprise | T1003.002 | Security Account Manager | Sub-technique
  Mivast has the capability to gather NTLM password information. (Citation: Symantec Backdoor.Mivast)
Enterprise | T1105 | Ingress Tool Transfer | Technique
  Mivast has the capability to download and execute .exe files. (Citation: Symantec Backdoor.Mivast)
Enterprise | T1059.003 | Windows Command Shell | Sub-technique
  Mivast has the capability to open a remote shell and run basic commands. (Citation: Symantec Backdoor.Mivast)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0009: Deep Panda

Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 735925745d4140af...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 735925745d41…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Symantec Black Vine
     DiMaggio, J. (2015, August 6). The Black Vine cyberespionage group. Retrieved January 26, 2016.
  2. [2] Mivast
     (Citation: Symantec Black Vine) (Citation: Symantec Backdoor.Mivast)
  3. [3] Symantec Backdoor.Mivast
     Stama, D. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016.
  4. [4] mitre-attack S0080

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.