S0118: Nidiran
Analyst context for executives and security teams
Nidiran matters because ATT&CK describes it as a custom Windows backdoor associated with Suckfly and delivered via strategic web compromise. For leaders, the practical issue is not just the malware name: it points to the need to validate whether Windows environments can detect backdoor persistence through services, disguised task or service names, and external tool transfer activity after an initial web-based compromise.
Executive priority
Prioritize this as a readiness and evidence question: can the organization prove it monitors Windows service creation/modification, suspicious service naming, and inbound file/tool transfer activity well enough to support incident response decisions? This is relevant to business continuity because a backdoor with service-based persistence can extend attacker dwell time if service inventory, endpoint telemetry, and SOC triage processes are weak.
Technical view
ATT&CK provides no object-level detection text for Nidiran, so defenders should pivot to the related behaviors: T1543.003 Windows Service, T1036.004 Masquerade Task or Service, and T1105 Ingress Tool Transfer. Validate visibility for Windows service creation and modification, service executable paths and registry-backed configuration, anomalous or misleading service names/descriptions, and file transfers from external systems into compromised hosts. Because the malware platform is Windows, Windows endpoint and service telemetry should be the primary validation focus.
Likely telemetry
- Windows service creation, modification, start, stop, and configuration change records
- Windows Registry data related to service configuration and executable paths
- Endpoint process execution and parent/child process context for service-hosted payloads
- File creation and download/transfer evidence on Windows hosts
- Network connection logs showing external transfer activity into endpoints
Detection direction
- Hunt for newly created or modified Windows services with unusual executable paths, names, descriptions, or recovery commands.
- Compare service and task names against known-good enterprise baselines to identify masquerading rather than relying only on malware signatures.
- Correlate suspected service persistence with external file transfer activity consistent with Ingress Tool Transfer.
- Tune detections to reduce false positives from legitimate software deployment, administrative tooling, and patch management activity.
- Use the Suckfly relationship as threat-intelligence context only; do not assume attribution from a single Nidiran-like behavior.
Mitigation priorities
- Maintain an authoritative inventory and baseline of approved Windows services and scheduled tasks.
- Restrict and monitor administrative permissions capable of creating or modifying Windows services.
- Ensure endpoint logging captures service configuration changes and file transfer artifacts needed for IR reconstruction.
- Review web compromise response playbooks so endpoint persistence checks are included after suspected strategic web compromise exposure.
- Use detection engineering tests around T1543.003, T1036.004, and T1105 to validate SOC coverage rather than treating the malware family name as the primary control point.
Analyst notes and limits
The most useful defensive framing is behavior-based. The supplied ATT&CK relationships show Nidiran using masqueraded tasks/services, ingress tool transfer, and Windows services, which gives SOC and IR teams concrete validation targets even though no official detection text is provided.
ATT&CK fields supplied here do not include aliases, detailed procedures, indicators, hashes, C2 infrastructure, or official detection logic. Tactics are not specified on the malware object itself. Local telemetry, baselines, and incident evidence are required before drawing conclusions about exposure, detection coverage, or attribution.
Nidiran
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Nidiran can download and execute files. (Citation: Symantec Backdoor.Nidiran) |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | Nidiran can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name. (Citation: Symantec Backdoor.Nidiran) (Citation: Microsoft SAM) |
| Enterprise | T1543.003 | Windows Service (sub-technique) | Nidiran can create a new service named msamger (Microsoft Security Accounts Manager). (Citation: Symantec Backdoor.Nidiran) |
Groups, software, and campaigns
G0039: Suckfly
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 084f8c6a9baa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Suckfly March 2016: DiMaggio, J. (2016, March 15). Suckfly: Revealing the secret life of your code signing certificates. Retrieved August 3, 2016.
[2] mitre-attack: S0118
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.