S0094: Trojan.Karagany
Trojan.Karagany is a modular remote access tool used for recon and linked to Dragonfly. The source code for Trojan.Karagany originated from Dream Loader malware which was leaked in 2010 and sold on underground forums. [1][2][3]
Analyst context for executives and security teams
Trojan.Karagany matters because ATT&CK describes it as a modular Windows remote access tool used for reconnaissance and linked through ATT&CK relationships to Dragonfly. Its mapped behaviors cover credential theft, discovery, persistence, command-and-control over web protocols, local data staging, screen capture, and stealth. For leaders, the decision point is not whether one named malware family is present today, but whether Windows monitoring and response playbooks can expose the behavior pattern of a modular RAT operating after initial compromise.
Executive priority
Prioritize this as a resilience and incident-readiness issue for Windows environments, especially where business operations depend on sensitive credentials, administrative workstations, or IT systems connected to critical operational functions. The ATT&CK relationships show behaviors that can support reconnaissance, credential access, persistence, and collection, so executives should ask whether the organization can prove coverage for credential dumping, browser credential access, suspicious Run key persistence, web-based C2, and data staging. This object is also useful for audit and board evidence: it provides a concrete scenario for validating endpoint visibility, SOC triage, IR containment, and identity-access hardening without claiming current exposure.
Technical view
ATT&CK does not provide a detection section for Trojan.Karagany, so SOC and IR teams should validate coverage against the mapped techniques rather than the malware name alone. On Windows, focus on correlated signs of command shell execution, process and file discovery, user and network discovery, process injection via thread execution hijacking, registry Run key or Startup Folder persistence, keylogging or screen capture indicators, browser credential access, local data staging, file deletion, ingress tool transfer, and HTTP/S or web-protocol command-and-control. Because the malware is described as modular and associated with obfuscation, packing, asymmetric cryptography, and sandbox/system checks, defenders should assume hash-only or static signature approaches are insufficient and confirm behavioral telemetry is retained long enough for post-compromise investigation.
Likely telemetry
- Windows endpoint process creation, parent-child process lineage, and command-line logging
- Registry monitoring for Run keys and Startup Folder persistence locations
- Endpoint file creation, modification, deletion, and staging-directory activity
- EDR telemetry for process injection, thread manipulation, suspicious memory behavior, and packed or obfuscated executables
- Credential-access telemetry, including LSASS access patterns and browser credential store access where available
Detection direction
- Build detections around behavior chains: discovery followed by credential access, persistence, C2 over web protocols, local staging, and cleanup is more meaningful than any single command.
- Tune Windows command shell detections to reduce administrator false positives by correlating with unusual parent processes, rare hosts, unexpected users, and follow-on network connections.
- Validate monitoring of Run keys and Startup Folders for new or modified autoruns, especially when paired with newly written executables or packed files.
- Review EDR coverage for thread execution hijacking and other process-injection telemetry; these signals can be noisy but are high value when tied to unsigned, rare, or recently dropped binaries.
- Use network telemetry to hunt for uncommon HTTP/S destinations, periodic beacon-like traffic, or encrypted application-layer traffic from hosts that also show discovery or credential-access behavior.
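The behavior-chain idea in the points above, as an added worked example that is not part of the ATT&CK object or the Glexia page: a small correlator that classifies Sysmon-style endpoint events into stages (discovery from cmd.exe, autorun persistence, local staging, HTTP POST C2), then alerts per host only when several distinct stages fall within one time window, or when discovery from an unexpected parent process is followed by any later stage. The event records, host names, paths and process names are constructed, and the stage rules and weights are assumptions for illustration rather than a vendor's or MITRE's detection logic.

```python
"""Behavior-chain correlation over constructed endpoint events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # how close stages must be to count as one chain
MIN_STAGES = 3                   # distinct stages needed for an alert on their own

# Parents from which an interactive cmd.exe is routinely spawned (assumed allowlist);
# anything else (Office apps, browsers, unknown binaries) raises the discovery weight.
EXPECTED_CMD_PARENTS = {"explorer.exe", "powershell.exe", "cmd.exe", "conhost.exe"}
DISCOVERY_TOKENS = ("netstat", "tasklist", "ipconfig", "whoami", "systeminfo", "net view")
AUTORUN_REG_FRAGMENT = r"\currentversion\run"          # matches Run and RunOnce keys
STARTUP_DIR_FRAGMENT = r"\start menu\programs\startup"
STAGING_DIR_FRAGMENTS = (r"\appdata\local\temp", r"\programdata")

# Constructed sample telemetry: one suspicious chain on WS-FIN-07, benign admin use on SRV-ADM-01.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS-FIN-07", "type": "process",
     "parent": "winword.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2024-05-01T09:00:09", "host": "WS-FIN-07", "type": "process",
     "parent": "winword.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c netstat -an"},
    {"ts": "2024-05-01T09:01:30", "host": "WS-FIN-07", "type": "registry", "image": "svchost_upd.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
    {"ts": "2024-05-01T09:02:10", "host": "WS-FIN-07", "type": "file", "image": "svchost_upd.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\out\screens.bin"},
    {"ts": "2024-05-01T09:03:00", "host": "WS-FIN-07", "type": "network", "image": "svchost_upd.exe",
     "method": "POST", "dst": "203.0.113.15", "dst_port": 443},
    {"ts": "2024-05-01T10:15:00", "host": "SRV-ADM-01", "type": "process",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c netstat -an"},
    {"ts": "2024-05-01T10:16:00", "host": "SRV-ADM-01", "type": "process",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist /v"},
]


def classify_event(ev):
    """Map one event to a (stage, weight) pair, or None if it is not of interest."""
    kind = ev.get("type")
    if kind == "process" and ev.get("image", "").lower() == "cmd.exe":
        cmd = ev.get("cmdline", "").lower()
        if any(tok in cmd for tok in DISCOVERY_TOKENS):
            unusual = ev.get("parent", "").lower() not in EXPECTED_CMD_PARENTS
            return ("discovery", 2 if unusual else 1)
    if kind == "registry" and AUTORUN_REG_FRAGMENT in ev.get("key", "").lower():
        return ("persistence", 2)
    if kind == "file":
        path = ev.get("path", "").lower()
        if STARTUP_DIR_FRAGMENT in path:
            return ("persistence", 2)
        if any(frag in path for frag in STAGING_DIR_FRAGMENTS):
            return ("staging", 1)
    if kind == "network" and ev.get("method") == "POST" and ev.get("dst_port") in (80, 443, 8080):
        return ("c2", 2)
    return None


def correlate(events, window=WINDOW, min_stages=MIN_STAGES):
    """Emit one alert per host whose classified events form a chain within `window`."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):       # ISO timestamps sort lexically
        hit = classify_event(ev)
        if hit:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), hit[0], hit[1], ev))
    alerts = []
    for host, hits in per_host.items():
        for i, (t0, _, _, _) in enumerate(hits):            # slide the window over each hit
            in_window = [h for h in hits[i:] if h[0] - t0 <= window]
            stages = {h[1] for h in in_window}
            strong_discovery = any(h[1] == "discovery" and h[2] == 2 for h in in_window)
            if len(stages) >= min_stages or (strong_discovery and len(stages) >= 2):
                alerts.append({
                    "host": host,
                    "stages": sorted(stages),
                    "score": sum(h[2] for h in in_window),
                    "images": sorted({h[3].get("image", "") for h in in_window}),
                    "first_seen": in_window[0][0].isoformat(),
                    "last_seen": in_window[-1][0].isoformat(),
                })
                break                                        # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign host never alerts because discovery alone, from an expected parent, is exactly the administrator noise the tuning point above warns about; the weight on an unexpected parent lets a two-stage chain (for example Office spawning cmd.exe, then a Run key write) surface before a full kill chain completes.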
Mitigation priorities
- Start with identity controls: reduce credential exposure, limit local administrator rights, protect credential stores, and monitor privileged account use because the mapped behaviors include OS credential dumping, browser credential access, and keylogging.
- Harden Windows persistence paths by controlling write access to autorun locations and routinely auditing Registry Run keys and Startup Folders.
- Maintain endpoint protection and EDR coverage capable of behavioral detection for process injection, suspicious command execution, packed files, and file deletion used for cleanup.
- Restrict and monitor outbound web traffic from servers and sensitive workstations; require proxy logging where practical to support C2 investigation.
- Segment and monitor systems that bridge business IT and operational or critical environments, where reconnaissance and credential theft could have outsized operational consequences.
Analyst notes and limits
This take is based on the official ATT&CK software object S0094, its external references, and the supplied relationships. The most decision-relevant context is the breadth of mapped techniques: credential access, discovery, persistence, collection, stealth, and command-and-control. The Dragonfly relationship and energy-sector references make this especially relevant for organizations evaluating critical infrastructure or IT/OT-adjacent readiness, but local telemetry is required to determine actual risk or exposure.
MITRE provides no official detection guidance for Trojan.Karagany in the supplied object, and the malware object lists Windows as the supported platform while several related techniques have broader platform scopes. This summary does not assert current activity, customer exposure, or guaranteed detection. Detection and mitigation priorities must be validated against local endpoint, identity, proxy, DNS, and IR evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | Trojan.Karagany can gather information about the user on a compromised host. [2] |
| Enterprise | T1113 | Screen Capture | Trojan.Karagany can take a desktop screenshot and save the file into |
| Enterprise | T1049 | System Network Connections Discovery | Trojan.Karagany can use netstat to collect a list of network connections. [2] |
| Enterprise | T1010 | Application Window Discovery | Trojan.Karagany can monitor the titles of open windows to identify specific keywords. [2] |
| Enterprise | T1027 | Obfuscated Files or Information | Trojan.Karagany can base64 encode and AES-128-CBC encrypt data prior to transmission. [2] |
| Enterprise | T1027.002 | Software Packing | Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer. [1][2] |
| Enterprise | T1555.003 | Credentials from Web Browsers | Trojan.Karagany can steal data and credentials from browsers. [2] |
| Enterprise | T1057 | Process Discovery | Trojan.Karagany can use Tasklist to collect a list of running tasks. [1][2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart. [1][2] |
| Enterprise | T1082 | System Information Discovery | Trojan.Karagany can capture information regarding the victim's OS, security, and hardware configuration. [2] |
| Enterprise | T1070.004 | File Deletion | Trojan.Karagany has used plugins with a self-delete capability. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | Trojan.Karagany can upload, download, and execute files on the victim. [1][2] |
| Enterprise | T1056.001 | Keylogging | Trojan.Karagany can capture keystrokes on a compromised host. [2] |
| Enterprise | T1083 | File and Directory Discovery | Trojan.Karagany can enumerate files and directories on a compromised host. [2] |
| Enterprise | T1074.001 | Local Data Staging | Trojan.Karagany can create directories to store plugin output and stage data for exfiltration. [1][2] |
| Enterprise | T1055.003 | Thread Execution Hijacking | Trojan.Karagany can inject a suspended thread of its own process into a new process and initiate via the |
| Enterprise | T1573.002 | Asymmetric Cryptography | Trojan.Karagany can secure C2 communications with SSL and TLS. [2] |
| Enterprise | T1497.001 | System Checks | Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths. [2] |
| Enterprise | T1003 | OS Credential Dumping | Trojan.Karagany can dump passwords and save them into |
| Enterprise | T1016 | System Network Configuration Discovery | Trojan.Karagany can gather information on the network configuration of a compromised host. [2] |
| Enterprise | T1059.003 | Windows Command Shell | Trojan.Karagany can perform reconnaissance commands on a victim machine via a cmd.exe process. [2] |
| Enterprise | T1071.001 | Web Protocols | Trojan.Karagany can communicate with C2 via HTTP POST requests. [2] |
Groups, software, and campaigns
G0035: Dragonfly
Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.0 | | Current bundle | 7bb0f263d18f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Symantec Dragonfly: Symantec Security Response. (2014, June 30). Dragonfly: Cyberespionage Attacks Against Energy Suppliers. Retrieved April 8, 2016.
- [2] Secureworks Karagany July 2019: Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020.
- [3] Dragos DYMALLOY: Dragos. (n.d.). DYMALLOY. Retrieved August 20, 2020.
- [4] Karagany (Citation: Secureworks Karagany July 2019)
- [5] mitre-attack S0094
- [6] xFrost (Citation: Secureworks Karagany July 2019)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.