S0113: Prikormka
Analyst context for executives and security teams
Prikormka is a Windows malware family that MITRE documents as used in Operation Groundbait; it has been observed predominantly in Ukraine, with activity dating back as early as 2008. Its ATT&CK relationships make it a useful defensive benchmark: it combines host discovery, credential and user-activity collection, removable-media collection, local staging and archiving, persistence, and stealthy execution and communications. For leaders, the value is not the malware label itself; it is whether the endpoint, identity, and incident response programs can prove they would notice and contain this pattern of surveillance-oriented activity.
Executive priority
Prioritize Prikormka as a coverage-validation case for Windows endpoint resilience and credential-risk response. Executives should ask whether the organization can detect suspicious persistence through Run keys/startup folders, abuse of rundll32/DLL execution, access to browser/password stores, keylogging or screen capture indicators, removable media collection, local staging, and encoded or encrypted command-and-control patterns. This supports budget and audit discussions around EDR logging, credential protection, removable media policy, and incident response evidence quality.
Technical view
MITRE does not provide a dedicated detection section for Prikormka, so SOC and detection teams should validate coverage through the related techniques. Focus on Windows telemetry for discovery activity, security software discovery, file and directory enumeration, peripheral/removable media access, credential store and browser credential access, keylogging/screen capture indicators, local data staging and archiving, file deletion, Run key/startup persistence, rundll32/DLL abuse, and encoded/encrypted C2. Tune detections around behavior chains rather than isolated events, because rundll32, registry changes, archive utilities, and discovery commands may be legitimate in normal administration.
Likely telemetry
- Windows process creation and command-line telemetry
- Registry monitoring for Run keys and startup folder persistence
- File system telemetry for staging directories, archive creation, encoded/encrypted files, and deletion
- DLL load and rundll32.exe execution telemetry
- Browser credential store and password store file access events where available
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on a Prikormka-specific signature, since official detection guidance is not provided.
- Correlate discovery behaviors with later collection behaviors, such as file enumeration followed by local staging, archiving, removable media access, or credential store access.
- Baseline legitimate rundll32.exe usage and alert on unusual parent processes, command lines, DLL paths, or user contexts.
- Monitor Run key and startup folder changes, especially when paired with newly written executables or DLLs.
- Treat browser/password store access, keylogging indicators, and screen capture activity as high-value credential and privacy signals requiring rapid triage.
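The detection direction above (map to techniques, correlate discovery and collection into chains, baseline rundll32, watch Run keys and startup folders) is easier to validate against concrete telemetry. The script below is an added example written for this page, not code from MITRE, ESET or Glexia. It runs a handful of technique-mapped rules over constructed Sysmon-style events: the Run value names guidVGA/guidVSA (T1547.001), rundll32.exe loading a DLL from a user-writable directory (T1218.011), a DLL named ntshrui.dll being written to the Windows directory (T1574.001), and a chain rule that only fires when a suspicious rundll32 execution is followed, on the same host and within a window, by files both created and deleted in the loader's directory (T1074.001 staging followed by T1070.004 deletion). The event schema, field names, hostnames, paths and the ten-minute window are assumptions for illustration; only the rule content comes from the procedures listed in the techniques table.

```python
"""Behavior-chain detection over constructed Sysmon-style events.

Added example for this page (not Prikormka tooling or vendor detection
content).  The event shape is a simplified Sysmon-like schema chosen for
illustration: event_id 1 = process create, 11 = file create,
13 = registry value set, 23 = file delete.
"""
from datetime import datetime, timedelta
import ntpath  # Windows path handling works on any host

# Value names the techniques table attributes to Prikormka (T1547.001).
RUN_KEY_NAMES = {"guidvga", "guidvsa"}
# Directories a DLL handed to rundll32.exe should rarely live in (assumption).
SUSPECT_DLL_DIRS = ("\\users\\", "\\programdata\\", "\\temp\\")
SHADOW_NTSHRUI = r"c:\windows\ntshrui.dll"  # from the T1574.001 procedure

# Constructed sample events; hostnames, paths and timestamps are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "WS01", "event_id": 13,
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\guidVGA",
     "details": r"rundll32.exe C:\Users\alice\AppData\Local\SKC\loader.dll,Entry"},
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "event_id": 1,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\setup.exe",
     "command_line": r"rundll32.exe C:\Users\alice\AppData\Local\SKC\loader.dll,Entry"},
    {"ts": "2024-01-10T09:00:06", "host": "WS01", "event_id": 11,
     "target": r"C:\Windows\ntshrui.dll"},
    {"ts": "2024-01-10T09:03:30", "host": "WS01", "event_id": 11,
     "target": r"C:\Users\alice\AppData\Local\SKC\2024-01-10.bin"},
    {"ts": "2024-01-10T09:03:31", "host": "WS01", "event_id": 23,
     "target": r"C:\Users\alice\AppData\Local\SKC\keys.log"},
    # Benign control-panel launch on another host: must not alert.
    {"ts": "2024-01-10T10:00:00", "host": "WS02", "event_id": 1,
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe shell32.dll,Control_RunDLL"},
]


def rundll32_dll_path(cmd):
    """Return the DLL argument of a rundll32 command line, or None."""
    parts = cmd.strip().split(None, 1)
    if len(parts) < 2 or not parts[0].strip('"').lower().endswith("rundll32.exe"):
        return None
    dll = parts[1].split(",", 1)[0].strip().strip('"')
    return dll or None


def detect(events, window=timedelta(minutes=10)):
    """Return alerts as (technique, host, timestamp, description) tuples."""
    events = sorted(events, key=lambda e: e["ts"])  # ISO strings sort correctly
    alerts, exec_hits = [], []  # exec_hits: (host, time, loader directory)
    for ev in events:
        eid, host, ts = ev["event_id"], ev["host"], ev["ts"]
        if eid == 13:
            key, _, name = ev["target"].rpartition("\\")
            if key.lower().endswith("\\run") and name.lower() in RUN_KEY_NAMES:
                alerts.append(("T1547.001", host, ts, f"Run value '{name}' set"))
        elif eid == 1 and ntpath.basename(ev["image"]).lower() == "rundll32.exe":
            dll = rundll32_dll_path(ev["command_line"])
            if dll and any(d in dll.lower() for d in SUSPECT_DLL_DIRS):
                alerts.append(("T1218.011", host, ts, f"rundll32 loading {dll}"))
                exec_hits.append((host, datetime.fromisoformat(ts),
                                  ntpath.dirname(dll).lower()))
        elif eid == 11 and ev["target"].lower() == SHADOW_NTSHRUI:
            alerts.append(("T1574.001", host, ts, "ntshrui.dll written to Windows dir"))

    # Chain rule: staging plus deletion in the loader's own directory after execution.
    for host, t0, stage_dir in exec_hits:
        later = [e for e in events
                 if e["host"] == host and e["event_id"] in (11, 23)
                 and t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window
                 and ntpath.dirname(e["target"]).lower() == stage_dir]
        created = [e for e in later if e["event_id"] == 11]
        deleted = [e for e in later if e["event_id"] == 23]
        if created and deleted:
            alerts.append(("T1074.001+T1070.004", host, created[0]["ts"],
                           f"{len(created)} created / {len(deleted)} deleted in {stage_dir}"))
    return alerts


if __name__ == "__main__":
    for technique, host, ts, desc in detect(SAMPLE_EVENTS):
        print(f"{ts} {host} {technique}: {desc}")
```

The single-event rules fire on the two literal artifacts the table documents (the Run value names and the ntshrui.dll path), which are high-confidence but brittle; the rundll32 rule and the chain rule are the reusable part, because they describe behavior rather than a sample. Tune `SUSPECT_DLL_DIRS` and the window against your own baseline before promoting the chain rule to an alert.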
Mitigation priorities
- Strengthen Windows endpoint visibility first: process, registry, file, module-load, removable media, and network metadata collection.
- Apply least privilege and application control where feasible to reduce abuse of rundll32, DLL loading paths, and unauthorized persistence locations.
- Harden credential handling by reducing stored browser/password credentials where possible and protecting credential stores with enterprise policy.
- Use removable media controls and monitoring for environments where USB or optical media can carry sensitive data.
- Ensure EDR and logging policies preserve evidence for local staging, archive creation, and deletion events.
Analyst notes and limits
This take is based on the supplied MITRE software object and its listed relationships. The software object itself has no specified tactics and no official detection text, so the defensive guidance is derived from the related ATT&CK techniques: discovery, collection, credential access, persistence, execution/stealth, and command-and-control behaviors associated with Prikormka.
The supplied fields do not provide indicators of compromise, active exploitation status, victim exposure, detailed procedures, or guaranteed detection logic. Local telemetry, asset context, user roles, and business process baselines are required to determine material risk and detection quality.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Prikormka encrypts some C2 traffic with the Blowfish cipher. [1] |
| Enterprise | T1056.001 | Keylogging Sub-technique | Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows. [1] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Prikormka uses rundll32.exe to load its DLL. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64. [1] |
| Enterprise | T1113 | Screen Capture | Prikormka contains a module that captures screenshots of the victim's desktop. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | A module in Prikormka collects information on available printers and disk drives. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | A module in Prikormka collects information from the victim about its IP addresses and MAC addresses. [1] |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers. [1] |
| Enterprise | T1555 | Credentials from Password Stores | A module in Prikormka collects passwords stored in applications installed on the victim. [1] |
| Enterprise | T1574.001 | DLL Sub-technique | Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory. [1] |
| Enterprise | T1082 | System Information Discovery | A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory. [1] |
| Enterprise | T1025 | Data from Removable Media | Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB. [1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | A module in Prikormka collects information from the victim about installed anti-virus software. [1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Prikormka encodes C2 traffic with Base64. [1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA. [1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Prikormka creates a directory, |
| Enterprise | T1083 | File and Directory Discovery | A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file. [1] |
| Enterprise | T1560 | Archive Collected Data | After collecting documents from removable media, Prikormka compresses the collected files and encrypts the archive with Blowfish. [1] |
| Enterprise | T1033 | System Owner/User Discovery | A module in Prikormka collects information from the victim about the current user name. [1] |
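The T1574.001 row describes the hijack mechanically: explorer.exe lives in the Windows directory, so a DLL placed there is found before the legitimate copy in System32. That makes the check simple to state and worth running during triage: list every DLL sitting directly in the Windows directory that has a same-named file under System32, and compare hashes to separate a stray copy from a foreign file. The audit below is an added example written for this page, not tooling from ESET, MITRE or Glexia. It builds a throwaway directory tree that imitates the layout (a planted ntshrui.dll beside a legitimate System32 copy, a DLL that exists only in the Windows directory, and a non-DLL file) so it runs offline; the tree contents, file bodies and the helper name `build_demo_tree` are constructed assumptions. On a live host you would point `find_shadowed_dlls` at `C:\Windows` instead.

```python
"""Audit a Windows directory for DLLs that shadow a System32 DLL.

Added example for this page (not the page's sources or Prikormka code).
Rationale: a DLL in the Windows directory wins the search order for
executables that live there (explorer.exe), which is the T1574.001
procedure described for ntshrui.dll.
"""
import hashlib
import os
import tempfile


def sha256_of(path):
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_shadowed_dlls(windows_dir):
    """Return sorted (name, shadow_path, system32_path, identical) tuples.

    One tuple per DLL directly inside windows_dir whose name also exists in
    windows_dir/System32 (matched case-insensitively, as Windows would).
    identical=False means the two files differ, so the shadow is not merely
    a stale copy of the real DLL and should be treated as a hijack candidate.
    """
    system32 = os.path.join(windows_dir, "System32")
    legit = {}
    if os.path.isdir(system32):
        with os.scandir(system32) as it:
            legit = {e.name.lower(): e.path for e in it if e.is_file()}

    hits = []
    with os.scandir(windows_dir) as it:
        for entry in it:
            name = entry.name.lower()
            if not entry.is_file() or not name.endswith(".dll") or name not in legit:
                continue
            identical = sha256_of(entry.path) == sha256_of(legit[name])
            hits.append((name, entry.path, legit[name], identical))
    return sorted(hits)


def build_demo_tree():
    """Construct a fake Windows directory layout for offline demonstration."""
    root = tempfile.mkdtemp(prefix="winroot_")
    system32 = os.path.join(root, "System32")
    os.makedirs(system32)
    samples = {
        os.path.join(system32, "ntshrui.dll"): b"legitimate ntshrui (constructed)",
        os.path.join(system32, "kernel32.dll"): b"legitimate kernel32 (constructed)",
        os.path.join(root, "ntshrui.dll"): b"planted shadow DLL (constructed)",
        os.path.join(root, "twain_32.dll"): b"DLL with no System32 twin (constructed)",
        os.path.join(root, "explorer.exe"): b"not a DLL (constructed)",
    }
    for path, body in samples.items():
        with open(path, "wb") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for name, shadow, real, same in find_shadowed_dlls(demo_root):
        verdict = "identical copy" if same else "DIFFERENT CONTENT - review"
        print(f"{name}: {shadow} shadows {real} ({verdict})")
```

Any hit deserves a look, because the Windows directory normally holds very few DLLs; a hit with differing hashes is the strong signal. The same logic applies to any other application directory from which a privileged or long-running process loads DLLs, which is why the application-control and least-privilege items under mitigation priorities matter: they stop the write into the directory in the first place.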
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | a35eee39dcca… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cherepanov, A. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. ESET. Retrieved May 18, 2016.
- [2] MITRE ATT&CK. S0113: Prikormka.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.