
S0098: T9000

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [1] [2]

Domain: Enterprise | ID: S0098 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

T9000 matters because ATT&CK describes it as a Windows backdoor focused on gathering victim information, with relationships spanning host discovery, user and network reconnaissance, screen/audio/video capture, automated collection, custom archiving, AppInit DLL persistence, and DLL abuse. For leaders, the value is not just identifying one malware family; it is validating whether Windows endpoint monitoring would reveal an information-gathering intrusion before sensitive business context, meetings, screenshots, or internal system details are collected.

Executive priority

Treat this as a control-validation use case for targeted information collection on Windows endpoints. Priority questions: do we collect enough endpoint evidence to prove what was discovered or captured, can incident responders determine whether persistence was established through AppInit DLLs or DLL abuse, and do audit/compliance records show monitoring around sensitive systems, cameras/microphones, and security-tool discovery? The ATT&CK record does not provide current exploitation claims or detection logic, so prioritize readiness testing over threat-specific assumptions.

Technical view

The malware object has no official detection text and no explicit tactic field, but its relationships map to discovery, collection, persistence/privilege-escalation, and stealth/execution behaviors. SOC and IR teams should validate Windows visibility for system, user, network, time, peripheral, and security software discovery; collection behaviors such as screen, audio, video, and automated file collection; creation of custom archives; and persistence or execution involving AppInit DLL registry locations and DLL loading behavior. Detection should be behavior-led rather than family-name-led because the supplied ATT&CK data emphasizes capabilities, not indicators.

Likely telemetry

  • Windows endpoint process execution and command-line telemetry for discovery activity
  • Registry monitoring for the AppInit_DLLs and LoadAppInit_DLLs values under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows (and the Wow6432Node equivalent on 64-bit hosts)
  • DLL load, module load, and suspicious library path telemetry
  • File creation, file access, and archive-like output telemetry consistent with collected data staging
  • Screen capture, camera, microphone, and peripheral access events where available

Detection direction

  • Do not rely on a supplied ATT&CK detection section; none is provided for this malware object.
  • Build detections around the related techniques: discovery bursts, security software discovery, AppInit DLL registry modification, unusual DLL loading, and collection from screen/audio/video/peripheral sources.
  • Tune for administrative false positives: legitimate inventory, helpdesk tools, conferencing software, endpoint management, and security products may touch similar data sources.
  • Correlate discovery plus collection plus staging behavior; single discovery commands may be low confidence, while chained discovery, capture, archiving, and persistence are more material.
  • Validate blind spots on Windows endpoints where camera/microphone access, DLL load events, registry changes, or file staging are not centrally logged.
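The correlation logic the bullets above describe (discovery burst plus AppInit registry change plus user-writable DLL load plus staging), worked through in Python over constructed Windows endpoint events. This is an added example, not Glexia's or MITRE's code: the one-event-per-line key=value format, the field names, the discovery image list, the thresholds and every sample line are assumptions built for illustration, to be mapped onto a real Sysmon or EDR schema before use.

```python
"""Behaviour-led correlation of Windows endpoint events (added example; the
event format, field names, thresholds and sample lines are constructed)."""
import re
from collections import defaultdict

# Constructed sample telemetry in an assumed key=value format (values may be quoted).
# WS01 chains discovery -> AppInit persistence -> DLL load -> .dat staging;
# WS02 shows one discovery command and a vendor registry write (benign noise).
SAMPLE_EVENTS = r"""
ts=1 host=WS01 type=process user=alice image=C:\Windows\System32\ipconfig.exe cmd="ipconfig /all"
ts=2 host=WS01 type=process user=alice image=C:\Windows\System32\whoami.exe cmd="whoami"
ts=3 host=WS01 type=process user=alice image=C:\Windows\System32\tasklist.exe cmd="tasklist"
ts=4 host=WS01 type=registry user=alice key="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs" value="C:\Users\alice\AppData\Roaming\Intel\ResN32.dll"
ts=5 host=WS01 type=registry user=alice key="HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs" value="1"
ts=6 host=WS01 type=imageload image=C:\Windows\System32\notepad.exe module=C:\Users\alice\AppData\Roaming\Intel\ResN32.dll
ts=7 host=WS01 type=filecreate image=C:\Windows\System32\notepad.exe path=C:\Users\alice\AppData\Roaming\Intel\1.dat
ts=8 host=WS02 type=process user=bob image=C:\Windows\System32\ipconfig.exe cmd="ipconfig /all"
ts=9 host=WS02 type=registry user=svc_mgmt key="HKLM\Software\Vendor\Agent" value="2"
"""

PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# Built-in tools typical of T1016/T1033/T1082/T1124-style discovery (assumed list).
DISCOVERY_IMAGES = {"ipconfig.exe", "whoami.exe", "tasklist.exe", "systeminfo.exe", "hostname.exe"}
APPINIT_KEY = r"\windows nt\currentversion\windows\appinit_dlls"
LOADAPPINIT_KEY = r"\windows nt\currentversion\windows\loadappinit_dlls"
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\", re.I)


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {m.group(1): m.group(3) if m.group(2) is None else m.group(2)
            for m in PAIR.finditer(line)}


def classify(ev: dict):
    """Map one event to a behaviour stage, or None when it is not of interest."""
    kind = ev.get("type")
    if kind == "process":
        if ev.get("image", "").rsplit("\\", 1)[-1].lower() in DISCOVERY_IMAGES:
            return "discovery"
    elif kind == "registry":
        key = ev.get("key", "").lower()
        if key.endswith(APPINIT_KEY) and ev.get("value"):      # a DLL path was written
            return "persistence"
        if key.endswith(LOADAPPINIT_KEY) and ev.get("value") == "1":  # loading enabled
            return "persistence"
    elif kind == "imageload":
        if USER_WRITABLE.search(ev.get("module", "")):          # DLL from a user-writable path
            return "dll_load"
    elif kind == "filecreate":
        path = ev.get("path", "")
        if path.lower().endswith(".dat") and USER_WRITABLE.search(path):
            return "staging"
    return None


def correlate(text: str, discovery_threshold: int = 3, window: int = 600) -> dict:
    """Per host, chain the stages. A lone discovery command is ignored; AppInit or
    user-path DLL activity alone is 'investigate'; the full chain is 'material'."""
    seen_by_host = defaultdict(lambda: defaultdict(list))     # host -> stage -> [ts]
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        stage = classify(ev)
        if stage:
            seen_by_host[ev["host"]][stage].append(int(ev["ts"]))
    findings = {}
    for host, seen in seen_by_host.items():
        disc = sorted(seen.get("discovery", []))
        burst = len(disc) >= discovery_threshold and disc[-1] - disc[0] <= window
        persistence = bool(seen.get("persistence")) or bool(seen.get("dll_load"))
        staging = bool(seen.get("staging"))
        if burst and persistence and staging:
            level = "material"
        elif persistence:
            level = "investigate"
        else:
            continue
        findings[host] = {"level": level, "stages": sorted(k for k, v in seen.items() if v)}
    return findings


if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding)
```

Run as-is it reports WS01 as material (all four stages chained) and says nothing about WS02, which matches the guidance that single discovery commands are low confidence on their own.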

Mitigation priorities

  • Because no official mitigation text is supplied, sequence controls from the related behaviors rather than malware-specific fixes.
  • Harden and monitor Windows persistence surfaces, especially AppInit DLL registry locations and DLL search/load behavior.
  • Limit unnecessary local privileges and restrict who can modify system-wide registry and application loading locations.
  • Apply endpoint controls and policy governance for camera, microphone, removable/peripheral device, and sensitive data access where business operations allow.
  • Ensure endpoint protection and logging cannot be silently disabled or bypassed without alerting, especially because the relationships include security software discovery.

Analyst notes and limits

The strongest decision value is readiness validation: can the organization see and investigate Windows-based discovery, collection, archiving, and persistence behaviors associated with T9000’s ATT&CK relationships? The external references identify FireEye reporting from 2014 and Palo Alto reporting from 2016, and the ATT&CK description states use in multiple targeted attacks against U.S.-based organizations. This summary does not extend that into current activity, attribution, or exposure claims.

Official detection is not provided, tactics are not specified on the malware object itself, and aliases/labels are absent. Relationship descriptions are partly truncated in the supplied data, so local validation should use full ATT&CK technique pages and environment-specific telemetry before engineering final detections. No claim is made that any organization is covered or exposed.

Official MITRE ATT&CK definition

T9000

T9000 is a backdoor that is a newer variant of the T5000 malware family, also known as Plat1. Its primary function is to gather information about the victim. It has been used in multiple targeted attacks against U.S.-based organizations. [1] [2]

View the same entry on attack.mitre.org (MITRE-hosted reference; the in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

13 rows
Domain | ID | Name | Relationship / procedure

Enterprise | T1016 | System Network Configuration Discovery
T9000 gathers and beacons the MAC and IP addresses during installation. [Palo Alto T9000 Feb 2016]

Enterprise | T1124 | System Time Discovery
T9000 gathers and beacons the system time during installation. [Palo Alto T9000 Feb 2016]

Enterprise | T1119 | Automated Collection
T9000 searches removable storage devices for files with a pre-defined list of file extensions (e.g. *.doc, *.ppt, *.xls, *.docx, *.pptx, *.xlsx). Any matching files are encrypted and written to a local user directory. [Palo Alto T9000 Feb 2016]

Enterprise | T1546.010 | AppInit DLLs (sub-technique)
If a victim meets certain criteria, T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry values: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs = %APPDATA%\Intel\ResN32.dll and HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs = 0x1. [Palo Alto T9000 Feb 2016]

Enterprise | T1082 | System Information Discovery
T9000 gathers and beacons the operating system build number and CPU architecture (32-bit/64-bit) during installation. [Palo Alto T9000 Feb 2016]

Enterprise | T1574.001 | DLL (sub-technique)
During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware. [Palo Alto T9000 Feb 2016]

Enterprise | T1518.001 | Security Software Discovery (sub-technique)
T9000 performs checks for various antivirus and security products during installation. [Palo Alto T9000 Feb 2016]

Enterprise | T1123 | Audio Capture
T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype. [Palo Alto T9000 Feb 2016]

Enterprise | T1033 | System Owner/User Discovery
T9000 gathers and beacons the username of the logged-in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM. [Palo Alto T9000 Feb 2016]

Enterprise | T1560.003 | Archive via Custom Method (sub-technique)
T9000 encrypts collected data using a single-byte XOR key. [Palo Alto T9000 Feb 2016]

Enterprise | T1113 | Screen Capture
T9000 can take screenshots of the desktop and target application windows, saving them to user directories as single-byte XOR encrypted .dat files. [Palo Alto T9000 Feb 2016]

Enterprise | T1125 | Video Capture
T9000 uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\Intel\Skype. [Palo Alto T9000 Feb 2016]

Enterprise | T1120 | Peripheral Device Discovery
T9000 searches through connected drives for removable storage devices. [Palo Alto T9000 Feb 2016]
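The T1560.003 and T1113 rows describe staged artefacts masked with a single-byte XOR key. For incident responders the useful consequence is that such a file can be unmasked without knowing the key: try all 256 candidates and keep the one that turns the file head into a known signature (OLE2 and ZIP-based Office documents, PNG, JPEG or BMP, the artefact types the T1119 and T1113 rows mention). The Python below is an added example, not Glexia's, MITRE's or Palo Alto's code; the signature table, the sample files and the key 0x5A used to build them are constructed assumptions, and nothing here claims to know the key or file layout the real malware used.

```python
"""Single-byte XOR recovery for IR triage of staged files (added example;
the signature table, sample files and key 0x5A are constructed)."""

# Known file signatures for the artefact types in the relationship table,
# ordered longest first so a short signature cannot outrank a long one.
MAGICS = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2 (doc/xls/ppt)"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"PK\x03\x04", "zip-based (docx/xlsx/pptx)"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"BM", "bmp"),
]


def xor1(data: bytes, key: int) -> bytes:
    """XOR every byte with one key; applying it twice restores the input."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes):
    """Return (key, type) for the key that makes the file head match a known
    signature, preferring the longest signature; None when nothing matches."""
    best = None                                   # (key, type, signature length)
    for key in range(256):
        head = xor1(blob[:8], key)
        for magic, ftype in MAGICS:
            if head.startswith(magic):
                if best is None or len(magic) > best[2]:
                    best = (key, ftype, len(magic))
                break
    return None if best is None else (best[0], best[1])


def triage(blob: bytes) -> dict:
    """Summarise one staged file: recovered key, inferred type, decrypted preview."""
    hit = recover_key(blob)
    if hit is None:
        return {"key": None, "type": "unknown",
                "note": "no known signature under any single-byte key"}
    key, ftype = hit
    return {"key": key, "type": ftype,
            "plaintext_head": xor1(blob[:16], key),
            "note": "file was not XOR-masked" if key == 0 else f"recovered key 0x{key:02x}"}


# Constructed samples: minimal BMP-style and ZIP-style headers, masked with the
# assumed key 0x5A, plus random-looking bytes that match no signature.
SAMPLE_KEY = 0x5A
SAMPLE_BMP = (b"BM" + (62).to_bytes(4, "little") + bytes(4)
              + (54).to_bytes(4, "little") + b"pixels...")
SAMPLE_ZIP = b"PK\x03\x04" + b"\x14\x00\x00\x00\x08\x00" + b"word/document.xml"
STAGED_BMP = xor1(SAMPLE_BMP, SAMPLE_KEY)
STAGED_ZIP = xor1(SAMPLE_ZIP, SAMPLE_KEY)
NOISE = bytes(range(100, 132))

if __name__ == "__main__":
    for name, blob in [("staged bmp", STAGED_BMP), ("staged zip", STAGED_ZIP),
                       ("plain bmp", SAMPLE_BMP), ("noise", NOISE)]:
        print(name, triage(blob))
```

Two caveats the code handles: a key of 0 means the file was never masked (the triage note says so rather than reporting a "recovered" key), and a file whose head matches no signature under any key is reported as unknown instead of guessed, since a two-byte signature like BM can match by chance and a longer one always wins when both fit.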


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: a3a4ff7fc97576a1...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | a3a4ff7fc975…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] FireEye admin@338 March 2014
      Moran, N. and Lanstein, A. (2014, March 25). Spear Phishing the News Cycle: APT Actors Leverage Interest in the Disappearance of Malaysian Flight MH 370. Retrieved April 15, 2016.
  [2] Palo Alto T9000 Feb 2016
      Grunzweig, J. and Miller-Osborn, J. (2016, February 4). T9000: Advanced Modular Backdoor Uses Complex Anti-Analysis Techniques. Retrieved April 15, 2016.
  [3] mitre-attack S0098

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.