S0093: Backdoor.Oldrea
Backdoor.Oldrea is a modular backdoor used by Dragonfly against energy companies since at least 2013. Backdoor.Oldrea was distributed via supply chain compromise and included specialized modules to enumerate and map ICS-specific systems, processes, and protocols.[1][2][3]
Analyst context for executives and security teams
Backdoor.Oldrea matters because ATT&CK describes it as a Windows modular backdoor used against energy companies and distributed via supply chain compromise, with modules built to enumerate and map ICS-specific systems, processes, and protocols. For leaders, the defensive value is not only “find this malware,” but verifying whether enterprise, supplier, and OT monitoring can expose a compromised Windows system that is learning the industrial environment before follow-on activity.
Executive priority
Prioritize this as an OT resilience and supply-chain assurance scenario. Ask whether software/update trust, Windows endpoint visibility, ICS network visibility, and incident response playbooks can connect suspicious execution, persistence, discovery, and industrial mapping activity into a single investigation. This is especially relevant for energy, critical infrastructure, and organizations with Windows systems that bridge business operations and industrial environments.
Technical view
ATT&CK provides no official detection text, so coverage should be validated behaviorally from the relationships. Focus on Windows hosts for persistence via Registry Run Keys/Startup Folder, proxy execution through rundll32, process injection indicators, file deletion, ingress tool transfer, encoded command-and-control traffic, and broad discovery of users, systems, network configuration, files, directories, processes, services, and email accounts. In OT/ICS contexts, correlate those host behaviors with remote system discovery, automated collection, point/tag identification, and ICS protocol or asset-enumeration activity. Treat supply-chain compromise and spearphishing/user execution relationships as initial-access validation areas rather than proof of a specific intrusion path in your environment.
Likely telemetry
- Windows endpoint process creation, command line, parent/child process, DLL/module load, and process injection telemetry
- Registry and startup folder change events, especially Run Key additions or modifications
- File creation, transfer, staging, and deletion telemetry on Windows hosts
- Network connection, DNS, proxy, and egress logs that can support command-and-control and standard-encoded traffic review
- Discovery evidence such as system, user, process, file, directory, service, network configuration, and remote host enumeration
Detection direction
- Because ATT&CK supplies no detection guidance, build detection around chained behaviors rather than single indicators.
- Baseline legitimate administration, vendor maintenance, asset inventory, and engineering tool activity to reduce false positives from discovery and ICS enumeration behaviors.
- Tune for suspicious rundll32 execution, unexpected DLL loading, new Run Key/startup persistence, unusual file deletion after execution, and inbound tool transfer followed by discovery.
- Correlate enterprise endpoint alerts with OT telemetry; a Windows host performing enterprise discovery plus ICS point/tag or remote system mapping should receive higher triage priority.
- Validate blind spots around supplier-delivered software, update mechanisms, unmanaged engineering workstations, limited OT packet visibility, and logs that are not forwarded to the SOC.
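The detection direction above asks for correlation of chained behaviors rather than single indicators. The following is an added worked example, not code from ATT&CK, MITRE, Symantec, Gigamon or Glexia: it classifies simplified Windows endpoint and flow events into the behavior classes listed in the technical view (rundll32 loading a DLL from a user-writable path, Run key persistence, host discovery, file deletion, and outbound probes to ICS protocol ports), then raises a host only when several distinct classes occur within one window, with ICS probing adding triage priority. The event schema, host names, timestamps and the list of ICS ports and discovery utilities are all constructed assumptions for the example; the ICS port set (102 S7comm, 502 Modbus/TCP, 20000 DNP3, 44818 EtherNet/IP, 47808 BACnet) is one reasonable baseline, not a list the page supplies.

```python
"""Chained-behavior correlation for the Backdoor.Oldrea-style pattern.

Added example for this page; not ATT&CK, MITRE or Glexia code. The event
schema (dicts with 'ts', 'host', 'type' and type-specific keys) is a
constructed, simplified stand-in for EDR/Sysmon/flow telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed ICS protocol ports worth watching for probing/scanning:
# S7comm (102), Modbus/TCP (502), DNP3 (20000), EtherNet/IP (44818), BACnet (47808).
ICS_PORTS = {102, 502, 20000, 44818, 47808}
# Assumed: built-in utilities whose use counts as host discovery evidence.
DISCOVERY_IMAGES = {"ipconfig.exe", "tasklist.exe", "whoami.exe", "systeminfo.exe", "net.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")
WINDOW = timedelta(hours=1)     # correlation window per host
ALERT_THRESHOLD = 3             # distinct behavior classes needed to alert
SCAN_MIN_TARGETS = 3            # ICS-port probes count only if spread over >= N hosts


def classify(ev):
    """Map one telemetry event to a behavior class named on the page, or None."""
    t = ev["type"]
    if t == "process_create":
        image = ev["image"].lower()
        if image.endswith("rundll32.exe") and any(s in ev["cmdline"].lower() for s in USER_WRITABLE):
            return "rundll32_user_writable_dll"
        if image.rsplit("\\", 1)[-1] in DISCOVERY_IMAGES:
            return "host_discovery"
    elif t == "registry_set" and "\\currentversion\\run" in ev["key"].lower():
        return "run_key_persistence"
    elif t == "file_delete" and any(s in ev["path"].lower() for s in USER_WRITABLE):
        return "file_deletion_user_writable"
    elif t == "network_connect" and ev["dport"] in ICS_PORTS:
        return "ics_port_probe"
    return None


def correlate(events):
    """Return {host: (priority, classes)} for hosts reaching ALERT_THRESHOLD
    distinct classes inside WINDOW. An ICS probe spread over several
    destinations adds +1 priority; a single-destination ICS session (normal
    HMI-to-PLC traffic) is ignored to reduce false positives."""
    ics_dsts = defaultdict(set)
    for ev in events:
        if ev["type"] == "network_connect" and ev["dport"] in ICS_PORTS:
            ics_dsts[ev["host"]].add(ev["dst"])
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        c = classify(ev)
        if c == "ics_port_probe" and len(ics_dsts[ev["host"]]) < SCAN_MIN_TARGETS:
            continue
        if c:
            per_host[ev["host"]].append((ev["ts"], c))
    alerts = {}
    for host, seq in per_host.items():
        best = set()
        for i, (t0, _) in enumerate(seq):          # sliding window over the host's events
            window = {c for t, c in seq[i:] if t - t0 <= WINDOW}
            if len(window) > len(best):
                best = window
        if len(best) >= ALERT_THRESHOLD:
            priority = len(best) + (1 if "ics_port_probe" in best else 0)
            alerts[host] = (priority, sorted(best))
    return alerts


# Constructed sample telemetry (hypothetical hosts and addresses).
T = datetime(2024, 1, 15, 10, 0)
SAMPLE_EVENTS = [
    {"ts": T, "host": "ENG-WS-01", "type": "process_create", "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\eng\AppData\Local\Temp\upd.dll,Start"},
    {"ts": T + timedelta(minutes=1), "host": "ENG-WS-01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "upd"},
    {"ts": T + timedelta(minutes=2), "host": "ENG-WS-01", "type": "process_create",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": T + timedelta(minutes=5), "host": "ENG-WS-01", "type": "network_connect", "dst": "10.10.1.5", "dport": 502},
    {"ts": T + timedelta(minutes=5), "host": "ENG-WS-01", "type": "network_connect", "dst": "10.10.1.6", "dport": 502},
    {"ts": T + timedelta(minutes=5), "host": "ENG-WS-01", "type": "network_connect", "dst": "10.10.1.7", "dport": 102},
    {"ts": T + timedelta(minutes=7), "host": "ENG-WS-01", "type": "file_delete",
     "path": r"C:\Users\eng\AppData\Local\Temp\upd.dll"},
    # Benign HMI: one PLC over Modbus plus a routine ipconfig, should not alert.
    {"ts": T, "host": "HMI-02", "type": "network_connect", "dst": "10.10.1.5", "dport": 502},
    {"ts": T + timedelta(minutes=30), "host": "HMI-02", "type": "network_connect", "dst": "10.10.1.5", "dport": 502},
    {"ts": T + timedelta(minutes=3), "host": "HMI-02", "type": "process_create",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"},
]

if __name__ == "__main__":
    for host, (prio, classes) in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: priority {prio}, behaviors {classes}")
```

Run against the constructed sample, only ENG-WS-01 is raised, with all five classes and priority 6; HMI-02 stays quiet because its Modbus traffic goes to one PLC and a single ipconfig is below the threshold. The baselining step the page calls for maps onto `SCAN_MIN_TARGETS`, `DISCOVERY_IMAGES` and `USER_WRITABLE`, which are where vendor maintenance and engineering-tool behavior would be tuned out in a real deployment.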
Mitigation priorities
- Strengthen supplier software assurance, update validation, and change-control evidence for systems that interact with industrial environments.
- Maintain accurate inventories of Windows assets, engineering workstations, ICS-facing servers, industrial protocols, and trusted vendor tools.
- Segment enterprise and OT networks and restrict which Windows systems can communicate with ICS assets and protocols.
- Harden Windows persistence and execution paths by monitoring and controlling Run Keys, startup folders, rundll32 abuse opportunities, and unauthorized tool transfer.
- Apply least privilege for users and service accounts that can access engineering systems, email directories, and OT networks.
Analyst notes and limits
The ATT&CK object links Backdoor.Oldrea to Dragonfly and to both enterprise and ICS techniques, but the malware object itself lists Windows as the platform and does not specify tactics or official detection. The most useful defensive interpretation is an intrusion pattern: Windows backdoor behavior plus enterprise discovery plus industrial environment enumeration. Local asset roles, supplier workflows, and OT monitoring depth will determine practical coverage.
This take is based only on the supplied ATT&CK STIX fields, external references, and relationships. It does not assert current activity, customer exposure, guaranteed detection, or environment-specific impact. ATT&CK provides no official detection section for this object, and several related technique platform fields are broader than the malware platform, so local validation is required.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Backdoor.Oldrea adds Registry Run keys to achieve persistence.[1][2] |
| Enterprise | T1046 | Network Service Discovery | Backdoor.Oldrea can use a network scanning module to identify ICS-related ports.[2] |
| Enterprise | T1070.004 | File Deletion | Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Backdoor.Oldrea collects information about the Internet adapter configuration.[1][2] |
| Enterprise | T1218.011 | Rundll32 | Backdoor.Oldrea can use rundll32 for execution on compromised hosts.[2] |
| Enterprise | T1055 | Process Injection | Backdoor.Oldrea injects itself into explorer.exe.[1][2] |
| Enterprise | T1132.001 | Standard Encoding | Some Backdoor.Oldrea samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Backdoor.Oldrea can download additional modules from C2.[2] |
| Enterprise | T1087.003 | Email Account | Backdoor.Oldrea collects address book information from Outlook.[1] |
| Enterprise | T1560 | Archive Collected Data | Backdoor.Oldrea writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server.[1] |
| Enterprise | T1555.003 | Credentials from Web Browsers | Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.[1] |
| Enterprise | T1057 | Process Discovery | Backdoor.Oldrea collects information about running processes.[1] |
| Enterprise | T1083 | File and Directory Discovery | Backdoor.Oldrea collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Backdoor.Oldrea collects the current username from the victim.[1] |
| Enterprise | T1018 | Remote System Discovery | Backdoor.Oldrea can enumerate and map ICS-specific systems in victim environments.[2] |
| Enterprise | T1082 | System Information Discovery | Backdoor.Oldrea collects information about the OS and computer name.[1][2] |
Groups, software, and campaigns
G0035: Dragonfly
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | cd7f3f4dc851… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Dragonfly: Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
[2] Gigamon Berserk Bear October 2021: Slowik, J. (2021, October). The Baffling Berserk Bear: A Decade's Activity Targeting Critical Infrastructure. Retrieved December 6, 2021.
[3] Symantec Dragonfly Sept 2017: Symantec Security Response. (2014, July 7). Dragonfly: Western energy sector targeted by sophisticated attack group. Retrieved September 9, 2017.
[4] mitre-attack S0093: MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.