S0090: Rover
Analyst context for executives and security teams
Rover is a Windows malware entry associated by ATT&CK with a historical targeted email case and suspected espionage purpose. Its value for defenders is not the name alone, but the behavior cluster: local and removable-media data collection, file discovery, keylogging, screenshots, local staging, automated exfiltration, and Windows registry-based persistence/modification. For executives, this represents the kind of intrusion activity that can turn one compromised workstation into loss of sensitive diplomatic, executive, legal, or operational information.
Executive priority
Prioritize Rover as a validation case for endpoint collection and exfiltration readiness rather than as a broad current-threat claim. Leaders should ask whether Windows endpoints that handle sensitive data have evidence for registry persistence, suspicious data staging, removable media access, screenshot/keylogging indicators, and outbound transfer activity. This is also useful for audit and incident-response readiness: can the organization prove what data was accessed, staged, and potentially exfiltrated from a compromised host?
Technical view
ATT&CK provides no Rover-specific detection text, so SOC and IR teams should work from the mapped behaviors: T1005, T1025, T1056.001, T1074.001, T1083, T1112, T1113, T1119, T1020, and T1547.001. On Windows, validate endpoint visibility into file enumeration, bulk or patterned file access, removable media reads, screenshot activity, keylogging-like input capture indicators where available, registry changes, Run Key or Startup Folder persistence, local staging directories, and automated outbound transfer patterns. Treat this as behavior-driven coverage validation, not signature assurance.
Likely telemetry
- Windows endpoint process execution and command-line telemetry
- File system access, enumeration, copy, archive, and staging activity
- Removable media connection and file access events
- Windows Registry modification events, especially persistence-related locations such as Run Keys and Startup folders
- Endpoint security alerts or behavioral events related to keylogging and screen capture
Detection direction
- Correlate file and directory discovery followed by collection or staging activity, rather than alerting on discovery alone.
- Tune for unusual access to sensitive local files or removable media from user workstations, especially when followed by compression, staging, or outbound transfer behavior.
- Validate monitoring for Registry modification and Registry Run Key or Startup Folder persistence on Windows systems.
- Look for behavioral sequences involving screen capture or keylogging indicators plus later data collection or exfiltration activity.
- Account for false positives from legitimate backup, indexing, remote support, administration, and user productivity tools that may enumerate files, capture screens, or move data.
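The chaining rule above (discovery or collection that is followed by staging and outbound transfer, with Run Key persistence from the same process, rather than any one stage alone) can be expressed as a small correlation over endpoint events. The following is an added example, not code from the ATT&CK object, Glexia, or the Palo Alto report: the event schema, host name, process image paths, file paths and IP addresses are constructed for illustration, and the stage thresholds are assumptions to tune against your own telemetry. A backup agent that reads the same documents and uploads them, but never writes a Run Key or stages into a temp directory, is included to show how the ordered multi-stage requirement keeps it below the alert threshold.

```python
"""Behaviour-chain correlation for Rover-style collection and exfiltration.

Added example: the event schema, processes, hosts, paths and addresses are
constructed, not real telemetry.  Alerts require several stages from one
process, in order, inside a time window, following the page's direction of
correlating discovery/collection with staging and exfiltration rather than
alerting on discovery alone.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    process: str  # image path of the process that produced the event
    kind: str     # registry_set | file_read | removable_read | file_create | net_connect
    detail: str   # registry path, file path, or remote endpoint


STAGES = ("persistence", "collection", "staging", "exfiltration")
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\start menu\\programs\\startup")
STAGING_MARKERS = ("\\appdata\\local\\temp\\", "\\programdata\\")   # assumed staging locations
SENSITIVE_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".txt")


def stage_of(e: Event):
    """Map one event to the kill-chain stage it evidences, or None if it evidences nothing."""
    d = e.detail.lower()
    if e.kind == "registry_set" and any(m in d for m in RUN_KEY_MARKERS):
        return "persistence"          # T1547.001 / T1112
    if e.kind == "removable_read":
        return "collection"           # T1025
    if e.kind == "file_read" and d.endswith(SENSITIVE_EXT):
        return "collection"           # T1005 / T1083 / T1119
    if e.kind == "file_create" and any(m in d for m in STAGING_MARKERS):
        return "staging"              # T1074.001
    if e.kind == "net_connect":
        return "exfiltration"         # T1020
    return None


def correlate(events, window=timedelta(minutes=30), min_stages=3, min_reads=3):
    """Return one alert per (host, process) that shows >= min_stages stages, in order, within window."""
    groups = defaultdict(list)
    for e in events:
        groups[(e.host, e.process)].append(e)
    alerts = []
    for (host, proc), evs in groups.items():
        evs.sort(key=lambda ev: ev.ts)
        first = {}      # stage -> timestamp at which the stage was first satisfied
        reads = 0
        for e in evs:
            s = stage_of(e)
            if s is None:
                continue
            if s == "collection":
                reads += 1
                # One local read of a document is routine; require a pattern of
                # several sensitive reads, or any read from removable media.
                if reads < min_reads and e.kind != "removable_read":
                    continue
            first.setdefault(s, e.ts)
        matched = [s for s in STAGES if s in first]
        if len(matched) < min_stages:
            continue
        times = [first[s] for s in matched]
        ordered = all(a <= b for a, b in zip(times, times[1:]))
        if ordered and times[-1] - times[0] <= window:
            alerts.append({"host": host, "process": proc, "stages": matched,
                           "span_seconds": (times[-1] - times[0]).total_seconds()})
    return alerts


def sample_events():
    """Constructed events: one Rover-like chain and one hypothetical backup agent."""
    t0 = datetime(2024, 1, 1, 10, 0, 0)
    mal = "C:\\Users\\alice\\AppData\\Roaming\\updater_example.exe"   # hypothetical image
    backup = "C:\\Program Files\\ExampleBackup\\backup.exe"           # hypothetical image
    s = lambda n: t0 + timedelta(seconds=n)
    return [
        Event(s(0), "WS01", mal, "registry_set", "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"),
        Event(s(5), "WS01", mal, "removable_read", "E:\\travel\\itinerary.docx"),
        Event(s(10), "WS01", mal, "file_read", "C:\\Users\\alice\\Documents\\contract.pdf"),
        Event(s(12), "WS01", mal, "file_read", "C:\\Users\\alice\\Documents\\budget.xlsx"),
        Event(s(20), "WS01", mal, "file_create", "C:\\Users\\alice\\AppData\\Local\\Temp\\st\\contract.pdf"),
        Event(s(60), "WS01", mal, "net_connect", "203.0.113.10:443"),
        # backup agent: reads the same documents and uploads, but no Run Key and no temp staging
        Event(s(0), "WS01", backup, "file_read", "C:\\Users\\alice\\Documents\\contract.pdf"),
        Event(s(1), "WS01", backup, "file_read", "C:\\Users\\alice\\Documents\\budget.xlsx"),
        Event(s(2), "WS01", backup, "file_read", "C:\\Users\\alice\\Documents\\notes.txt"),
        Event(s(30), "WS01", backup, "net_connect", "198.51.100.5:443"),
    ]


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert)
```

The backup agent satisfies only the collection and exfiltration stages and is not alerted on; the Rover-like process satisfies all four in order within 60 seconds. In production the process grouping would normally be keyed on process GUID rather than image path, and known backup, indexing and remote-support images would be handled by an allowlist in addition to the stage threshold.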
Mitigation priorities
- Start with reducing sensitive data exposure on endpoints and removable media through least privilege, data handling policy, and access controls.
- Harden Windows persistence surfaces by monitoring and controlling Registry Run Keys, Startup folders, and unauthorized Registry modifications.
- Ensure endpoint protection and EDR policies cover collection behaviors such as keylogging, screen capture, suspicious staging, and abnormal file access patterns.
- Limit and monitor removable media use where business risk justifies it.
- Improve egress visibility and controls so automated exfiltration from endpoints is detectable and reviewable.
Analyst notes and limits
The supplied ATT&CK object describes Rover as malware suspected of espionage use and cites a 2015 targeted email involving an Indian Ambassador to Afghanistan. The most decision-useful context comes from the ATT&CK technique relationships, which indicate a Windows-relevant collection, credential-access, persistence, discovery, staging, and exfiltration pattern. This take avoids claiming current activity, attribution, or confirmed detection coverage.
Official detection is not provided, tactics are not specified on the malware object itself, and no aliases or labels are supplied. Some related techniques list platforms beyond Windows, but the Rover object platform is Windows; local validation should therefore focus on Windows unless additional environment-specific intelligence supports broader scope.
Rover
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Rover persists by creating a Registry entry in |
| Enterprise | T1119 | Automated Collection | Rover automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe. [1] |
| Enterprise | T1020 | Automated Exfiltration | |
| Enterprise | T1113 | Screen Capture | Rover takes screenshots of the compromised system's desktop and saves them to |
| Enterprise | T1025 | Data from Removable Media | Rover searches for files on attached removable drives based on a predefined list of file extensions every five seconds. [1] |
| Enterprise | T1005 | Data from Local System | Rover searches for files on local drives based on a predefined list of file extensions. [1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | Rover copies files from removable drives to |
| Enterprise | T1112 | Modify Registry | Rover has functionality to remove Registry Run key persistence as a cleanup procedure. [1] |
| Enterprise | T1083 | File and Directory Discovery | Rover automatically searches for files on local drives based on a predefined list of file extensions. [1] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | Rover has keylogging functionality. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | a16c433b0c7c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto Rover: Ray, V., Hayashi, K. (2016, February 29). New Malware ‘Rover’ Targets Indian Ambassador to Afghanistan. Retrieved February 29, 2016.
[2] mitre-attack S0090 (MITRE ATT&CK software entry).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.