
S0087: Hi-Zor

Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. [1]

Domain: Enterprise | ID: S0087 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Hi-Zor is a Windows remote access tool documented by ATT&CK and reported in the INOCNATION campaign. Its business relevance is not just that "malware exists": the mapped behaviors describe a RAT pattern that persists through a Registry Run key, executes through Regsvr32 and the Windows command shell (including a reverse shell), uploads and downloads files via its C2 server, deletes its installer as the DLL payload runs, XOR-obfuscates its components, and hides C2 traffic behind HTTPS and a double single-byte XOR. For leaders, this makes Hi-Zor a useful test case for whether endpoint, network, and incident response processes can connect persistence, proxy execution, file transfer, and encrypted web communications into one investigation.

Executive priority

Prioritize this as a validation scenario for Windows endpoint resilience and SOC readiness rather than as a claim of current exposure. Key executive questions: do teams collect enough Windows process, registry, file, and network telemetry to investigate a RAT; can they distinguish legitimate Regsvr32/cmd activity from suspicious usage; and can incident responders preserve evidence when the malware may delete files or obscure content? This supports control prioritization, audit evidence for monitoring coverage, and incident decision-making around containment of remote access behavior.

Technical view

ATT&CK provides no official detection text for Hi-Zor, so defenders should build coverage from the mapped techniques: T1547.001 for Registry Run key persistence, T1059.003 for Windows Command Shell execution (the mapped procedure is a reverse shell), T1218.010 for Regsvr32 proxy execution launched from that Run key, T1105 for upload and download via the C2 server, T1070.004 for deletion of the installer as the DLL payload runs, T1027.013 for XOR-obfuscated components, T1071.001 for HTTPS command and control, and T1573.001/T1573.002 for the double single-byte XOR and the TLS applied to C2 traffic. Validate Windows detections that correlate regsvr32.exe launched at logon from a Run key with the DLL path it loads, new persistence entries, installer creation and deletion, and outbound HTTPS originating from regsvr32.exe. Because HTTPS and encryption are normal in most environments, detection should emphasize process context and event sequences rather than single indicators.

Likely telemetry

  • Windows process creation telemetry, especially cmd.exe and regsvr32.exe parent/child relationships and command-line arguments
  • Windows Registry auditing for Run keys and related user-logon persistence locations
  • Startup folder file creation and modification events
  • Endpoint file creation, modification, deletion, and quarantine evidence for dropped tools or encoded/encrypted artifacts
  • Network proxy, firewall, DNS, and web gateway logs for outbound HTTP/S or web-protocol communications

Detection direction

  • Confirm that detections exist for suspicious Regsvr32 execution, especially regsvr32.exe launched at logon from a Run key, a DLL argument under a user-writable path, unexpected network activity from regsvr32.exe, or execution from uncommon paths.
  • Tune Windows Command Shell detections to reduce noise from administration while preserving visibility into unusual parent processes, encoded or scripted command usage, and command execution followed by network or file-transfer activity.
  • Monitor Run keys and Startup folders for new or modified entries, with attention to user-context persistence because the related technique notes execution under the user’s permissions.
  • Look for sequences: new file arrival, execution via cmd or Regsvr32, persistence creation, outbound web traffic, and later file deletion. This is more reliable than treating any one event as decisive.
  • Account for blind spots where encrypted C2, encoded files, or common web protocols prevent content inspection; rely on metadata, endpoint context, and behavioral correlation.
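The sequence-based correlation described in the detection direction above, written out as an added example; this is not Glexia's, MITRE's or Fidelis's code. It runs over constructed Sysmon-like events embedded in the block. The field names (ts, host, id, image, parent, cmdline, target, details, dest_ip, dest_port) and the event IDs (1 process create, 3 network connect, 13 registry value set, 23 file delete) are assumptions modelled on Sysmon, not a schema taken from the page, and the hostnames, paths and IP address are invented.

```python
"""Sequence-based detection for the Hi-Zor behavior pattern.

Added example; not code from Glexia, MITRE or Fidelis. It runs over constructed
Sysmon-like events. Field names and event IDs (1 process create, 3 network
connect, 13 registry value set, 23 file delete) are assumptions modelled on
Sysmon, not a schema given on the page.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta

RUN_KEY_MARK = "\\software\\microsoft\\windows\\currentversion\\run\\"
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
TECHNIQUES = {
    "run_key_regsvr32": "T1547.001 + T1218.010",
    "regsvr32_user_path_dll": "T1218.010",
    "regsvr32_network": "T1071.001 / T1573",
    "installer_self_delete": "T1070.004",
}

# Constructed sample telemetry (not real events). WS01 shows the mapped sequence;
# WS02 is a benign regsvr32 run by msiexec from Program Files.
SAMPLE_EVENTS = [
    {"ts": "2016-01-27T10:00:01", "host": "WS01", "id": 1,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "parent": "C:\\Windows\\explorer.exe", "cmdline": "setup.exe"},
    {"ts": "2016-01-27T10:00:02", "host": "WS01", "id": 13,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "details": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Roaming\\svc.dll"},
    {"ts": "2016-01-27T10:00:03", "host": "WS01", "id": 23,
     "image": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\setup.exe"},
    {"ts": "2016-01-27T10:00:04", "host": "WS01", "id": 1,
     "image": "C:\\Windows\\System32\\regsvr32.exe", "parent": "C:\\Windows\\explorer.exe",
     "cmdline": "regsvr32.exe /s C:\\Users\\alice\\AppData\\Roaming\\svc.dll"},
    {"ts": "2016-01-27T10:00:09", "host": "WS01", "id": 3,
     "image": "C:\\Windows\\System32\\regsvr32.exe", "dest_ip": "203.0.113.10", "dest_port": 443},
    {"ts": "2016-01-27T10:05:00", "host": "WS02", "id": 1,
     "image": "C:\\Windows\\System32\\regsvr32.exe", "parent": "C:\\Windows\\System32\\msiexec.exe",
     "cmdline": "regsvr32.exe /s \"C:\\Program Files\\Vendor\\vendor.dll\""},
]

def _ts(ev: dict) -> datetime:
    return datetime.fromisoformat(ev["ts"])

def _f(ev: dict, key: str) -> str:
    return str(ev.get(key, "")).lower()

def classify(ev: dict) -> str | None:
    """Map one event to an indicator name, or None if it is not interesting on its own."""
    eid, image = ev["id"], _f(ev, "image")
    is_regsvr32 = image.endswith("\\regsvr32.exe")
    if eid == 13 and RUN_KEY_MARK in _f(ev, "target") and "regsvr32" in _f(ev, "details"):
        return "run_key_regsvr32"            # Run value that launches regsvr32
    if eid == 1 and is_regsvr32 and any(p in _f(ev, "cmdline") for p in USER_WRITABLE):
        return "regsvr32_user_path_dll"      # signed LOLBin loading a DLL from a user path
    if eid == 3 and is_regsvr32:
        return "regsvr32_network"            # regsvr32.exe itself talking out
    if eid == 23 and image.endswith(".exe") and _f(ev, "target") == image:
        return "installer_self_delete"       # a process deleting its own image
    return None

def correlate(events: list[dict], window: timedelta = timedelta(minutes=10),
              min_indicators: int = 3) -> list[dict]:
    """Per host, slide a time window over the indicator stream and alert when it
    holds at least `min_indicators` distinct indicators and the Run-key write
    precedes the regsvr32 network activity (persistence, then proxied C2)."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=_ts):
        name = classify(ev)
        if name:
            by_host[ev["host"]].append((_ts(ev), name))
    alerts = []
    for host, hits in by_host.items():
        for i, (t0, _) in enumerate(hits):
            names = [n for t, n in hits[i:] if t - t0 <= window]
            distinct = set(names)
            ordered = ("run_key_regsvr32" in distinct and "regsvr32_network" in distinct
                       and names.index("run_key_regsvr32") < names.index("regsvr32_network"))
            if len(distinct) >= min_indicators and ordered:
                alerts.append({"host": host, "start": t0.isoformat(),
                               "indicators": sorted(distinct),
                               "techniques": sorted({TECHNIQUES[n] for n in distinct})})
                break  # one alert per host per sequence is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign WS02 event produces no indicator because the DLL path is not user-writable and there is no Run-key write or outbound connection around it; the WS01 sequence fires only because four independent indicators land in one window in the expected order. The thresholds, window and path list are tuning knobs, not values from the Hi-Zor reports.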

Mitigation priorities

  • Ensure Windows endpoint monitoring covers process creation, command-line logging, registry persistence, file activity, and network connection context.
  • Restrict or monitor abuse-prone native utilities such as Regsvr32 where business operations allow, using policy and alerting rather than assuming all signed binary activity is benign.
  • Harden persistence locations by monitoring Run keys and Startup folders and reviewing changes during incident response.
  • Apply network egress controls and proxy logging so outbound web-protocol traffic from unusual processes or hosts can be investigated.
  • Maintain incident response procedures for rapid host isolation, evidence preservation, and review of deleted or transferred files when RAT behavior is suspected.

Analyst notes and limits

The supplied ATT&CK object identifies Hi-Zor as a RAT with similarities to Sakula and use in the INOCNATION campaign, plus technique relationships that describe the relevant defensive surface. The strongest defensive value is in validating coverage across the mapped behaviors, especially Windows execution, persistence, proxy execution, tool transfer, file deletion, and encrypted/web-based C2 patterns.

ATT&CK provides no official detection guidance, no aliases, no labels, and no object-level tactics for Hi-Zor. The relationship descriptions are technique-level context and may cover platforms beyond Hi-Zor's listed Windows platform, so conclusions should be scoped to Windows unless local evidence supports more. The relationship rows cite two Fidelis sources (Hi-Zor and INOCNATION), but only the Hi-Zor report appears in the mirrored reference list below. No claim is made here about active exploitation, attribution, prevalence, or guaranteed detection.

Official MITRE ATT&CK definition

Hi-Zor

Hi-Zor is a remote access tool (RAT) that has characteristics similar to Sakula. It was used in a campaign named INOCNATION. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1105 | Ingress Tool Transfer | Hi-Zor has the ability to upload and download files from its C2 server. [Fidelis INOCNATION]
Enterprise | T1071.001 | Web Protocols (sub-technique) | Hi-Zor communicates with its C2 server over HTTPS. [Fidelis INOCNATION]
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys. [Fidelis Hi-Zor]
Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Hi-Zor creates a Registry Run key to establish persistence. [Fidelis INOCNATION]
Enterprise | T1070.004 | File Deletion (sub-technique) | Hi-Zor deletes its RAT installer file as it executes its DLL payload file. [Fidelis INOCNATION]
Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique) | Hi-Zor encrypts C2 traffic with TLS. [Fidelis Hi-Zor]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Hi-Zor has the ability to create a reverse shell. [Fidelis INOCNATION]
Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Hi-Zor uses various XOR techniques to obfuscate its components. [Fidelis INOCNATION]
Enterprise | T1218.010 | Regsvr32 (sub-technique) | Hi-Zor executes using regsvr32.exe called from the Registry Run Keys / Startup Folder persistence mechanism. [Fidelis INOCNATION]
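The T1573.001 row (C2 traffic "encrypted" with a double XOR using two single-byte keys) and the T1027.013 row (XOR-obfuscated components) share one weakness worth showing concretely: two single-byte XOR passes collapse to a single key byte, which a responder recovers from a known header or brute-forces in 256 tries. The following is an added example, not code from Fidelis, MITRE or Glexia. The key bytes, the minimal MZ/PE-shaped buffer and the beacon-like string are constructed for the demonstration and are not values or formats taken from Hi-Zor samples.

```python
"""Single-byte XOR as mapped for Hi-Zor (T1573.001 on C2 traffic, T1027.013 on
components): two single-byte keys applied in sequence collapse to one key, and a
responder recovers that key from a known header or a short brute force.

Added example; not code from Fidelis, MITRE or Glexia. The key bytes, the
constructed PE-like buffer and the constructed beacon string are assumptions
for the demonstration, not values or formats taken from Hi-Zor samples.
"""
from __future__ import annotations
import struct

PRINTABLE = set(range(0x20, 0x7F)) | set(b"\r\n\t")

def xor_single(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (0..255)."""
    return bytes(b ^ key for b in data)

def xor_double(data: bytes, k1: int, k2: int) -> bytes:
    """Two passes with distinct single-byte keys, as the relationship text describes."""
    return xor_single(xor_single(data, k1), k2)

def effective_key(k1: int, k2: int) -> int:
    """(b ^ k1) ^ k2 == b ^ (k1 ^ k2): the scheme is one single-byte XOR with k1 ^ k2."""
    return k1 ^ k2

def recover_key(ciphertext: bytes, known_plaintext: bytes, offset: int = 0) -> int | None:
    """Known-plaintext attack: derive the key from one byte, confirm it on the rest.
    Returns None when the known bytes disagree (wrong guess, or not single-byte XOR).
    Prefer 3-4 known bytes: a 2-byte guess only pins the XOR difference of the pair."""
    window = ciphertext[offset:offset + len(known_plaintext)]
    if not known_plaintext or len(window) < len(known_plaintext):
        return None
    key = window[0] ^ known_plaintext[0]
    return key if xor_single(window, key) == known_plaintext else None

def looks_like_pe(data: bytes) -> bool:
    """Structural check for a decoded component: 'MZ' at 0 and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def candidate_keys(ciphertext: bytes) -> list[int]:
    """Brute force for text-like data: every key whose output is all printable.
    Printability alone is rarely unique, so treat the result as a shortlist."""
    return [k for k in range(256)
            if all(b in PRINTABLE for b in xor_single(ciphertext, k))]

# Constructed samples (not Hi-Zor artifacts): a minimal MZ/PE-shaped buffer with
# e_lfanew = 0x40, and a beacon-like key=value string.
K1, K2 = 0x3A, 0xC7
FAKE_PE = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 20
FAKE_BEACON = b"id=WS01&user=alice&os=Windows 7&cmd=ready"

def demo() -> dict:
    enc_pe = xor_double(FAKE_PE, K1, K2)
    enc_beacon = xor_double(FAKE_BEACON, K1, K2)
    key = recover_key(enc_pe, b"MZ")
    return {
        "collapses_to_single_key": enc_pe == xor_single(FAKE_PE, effective_key(K1, K2)),
        "key_from_mz": key,
        "decoded_is_pe": key is not None and looks_like_pe(xor_single(enc_pe, key)),
        "beacon_candidates": candidate_keys(enc_beacon),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical points follow from the block. First, recovering a key from "MZ" alone is a guess that must be validated structurally (here by checking the PE signature at e_lfanew), because any two-byte guess with the same XOR difference also "fits". Second, the printable-output brute force returns more than one candidate for the beacon string, so a responder still needs a format-specific check before trusting a decoded C2 message.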


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.2
Raw hash: 1dab540055d227dc...

Imported snapshots across ATT&CK releases (1)
Release | Object version | Status | Raw hash
19.1 | 1.2 | Current bundle | 1dab540055d2…

Raw source: the raw object is retained through the mirrored ATT&CK source bundle and object hash.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Fidelis Hi-Zor: Fidelis Threat Research Team. (2016, January 27). Introducing Hi-Zor RAT. Retrieved March 24, 2016.
  2. [2] mitre-attack S0087: MITRE ATT&CK software entry S0087 (Hi-Zor), attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.