S0126: ComRAT
Analyst context for executives and security teams
ComRAT is a Windows second-stage implant associated in ATT&CK with Turla and described as having evolved over many years from earlier Agent.btz lineage. Its business significance is not a single malware signature; it is the combination of stealth, persistence, discovery, command-and-control, and scheduled transfer behaviors that can allow a long-running intrusion to remain operational after initial access. For leaders, this object is a reminder to validate whether Windows endpoint, registry, scheduled task, PowerShell/cmd, and network C2 telemetry can support an investigation when a mature espionage-style implant is suspected.
Executive priority
Prioritize ComRAT as a resilience and readiness validation case for Windows environments, especially where sensitive government, research, pharmaceutical, military, embassy, education, or similar information risks are material, as those sectors are noted in the related Turla description. The decision value is to confirm whether existing SOC, incident response, identity, endpoint, and network controls can prove or disprove persistence, command execution, registry abuse, obfuscation, and C2 activity—not to assume a specific exposure. This is also useful audit evidence: teams should be able to show that logging, retention, and response playbooks cover scheduled tasks, registry modifications, command interpreters, and suspicious web or mail protocol communications.
Technical view
ATT&CK provides no official detection text for ComRAT, so defenders should validate coverage through the related behaviors. On Windows, focus on registry query and modification activity, scheduled task creation or masquerading, COM hijacking indicators, DLL injection evidence, PowerShell and Windows Command Shell execution, native API-driven process activity where observable, software and system time discovery, fileless or hidden storage patterns, obfuscated or embedded payload handling, and network communications using web protocols, mail protocols, legitimate web-service-style bidirectional communication, and asymmetric cryptography. IR teams should correlate endpoint execution and persistence artifacts with outbound network timing, since scheduled transfer is included in the relationships.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for PowerShell and cmd.exe activity
- Windows Registry access and modification telemetry, including COM-related registry locations where available
- Scheduled Task creation, modification, execution, names, descriptions, and parent process context
- Service or task naming data to identify possible masquerading
- Endpoint file, memory, and module-load telemetry relevant to DLL injection and embedded or obfuscated payloads
Detection direction
- Because ATT&CK does not provide official detection guidance for this object, build detections from the related techniques rather than from the malware name alone.
- Correlate scheduled task creation or modification with suspicious command interpreters, registry changes, or unusual outbound communications.
- Tune for masquerading by comparing task and service names, descriptions, paths, signers, and execution context against known-good administrative baselines.
- Review registry query and modification patterns in combination with persistence behaviors such as COM hijacking or fileless storage, rather than treating all registry access as suspicious.
- Hunt for obfuscated command lines, encoded content, embedded payload indicators, and deobfuscation or decoding behavior, while accounting for legitimate administration and software deployment tools.
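The correlation and masquerading checks above, as an added example that is not from the page, ATT&CK or any vendor product: it runs three rules over constructed scheduled-task and process-creation records (simplified field names, not a real Windows event or EDR schema) and returns one finding per task that trips a rule. The only baseline fact it relies on is that the genuine Windows SQM Consolidator task runs wsqmcons.exe from system32.

```python
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real ComRAT artefacts). Field names are a
# simplified assumption, not a specific Windows event or EDR schema.
TASK_EVENTS = [
    {"host": "WS01", "time": "2020-05-04T08:55:02",
     "task": r"\Microsoft\Windows\Customer Experience Improvement Program\Consolidator",
     "action": r"%SystemRoot%\system32\wsqmcons.exe"},
    {"host": "WS02", "time": "2020-05-04T09:01:10",
     "task": r"\Microsoft\Windows\SQM\Consolidator",
     "action": "powershell.exe -NoP -W Hidden -EncodedCommand QQBCAEMA"},  # constructed
]
PROC_EVENTS = [
    {"host": "WS02", "time": "2020-05-04T09:01:11",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand QQBCAEMA"},
]

INTERPRETER = re.compile(r"\b(powershell|pwsh|cmd)(\.exe)?\b", re.I)
SUSPICIOUS_FLAGS = re.compile(r"-(enc\w*|e|nop\w*|w(indowstyle)?\s+hidden)\b", re.I)
SYSTEM_DIR = re.compile(r"^(%systemroot%|c:\\windows)\\system32\\", re.I)
# Known-good baseline: the genuine SQM Consolidator task runs wsqmcons.exe from system32.
BASELINE = {"consolidator": "wsqmcons.exe"}


def _ts(s):
    return datetime.fromisoformat(s)


def analyze(task_events, proc_events, window=timedelta(seconds=120)):
    """Return one finding per scheduled task that trips at least one rule."""
    findings = []
    for t in task_events:
        reasons = []
        action = t["action"]
        leaf = t["task"].rsplit("\\", 1)[-1].lower()
        # Rule 1: the task action is a command interpreter carrying hidden/encoded flags.
        if INTERPRETER.search(action) and SUSPICIOUS_FLAGS.search(action):
            reasons.append("interpreter-with-suspicious-flags")
        # Rule 2: a baseline task name whose action is not the expected system32 binary.
        expected = BASELINE.get(leaf)
        if expected and (expected not in action.lower() or not SYSTEM_DIR.match(action)):
            reasons.append("task-name-masquerade")
        # Rule 3: a PowerShell process on the same host shortly after task creation.
        for p in proc_events:
            if p["host"] == t["host"] and "powershell" in p["image"].lower() \
               and timedelta(0) <= (_ts(p["time"]) - _ts(t["time"])) <= window:
                reasons.append("correlated-powershell-launch")
                break
        if reasons:
            findings.append({"host": t["host"], "task": t["task"], "reasons": reasons})
    return findings
```

Extend BASELINE with the task names and binaries your own change-control records consider known-good before tuning the masquerade rule.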
Mitigation priorities
- Ensure Windows logging and retention are sufficient before relying on malware-specific alerts: process creation, PowerShell, registry, scheduled task, and network metadata are foundational.
- Harden and monitor persistence surfaces related to scheduled tasks, services, COM references, and registry autorun-style locations according to least privilege and change-control practices.
- Limit unnecessary script and command interpreter abuse through administrative controls, PowerShell logging, constrained administration, and review of legitimate automation paths.
- Maintain endpoint protection and response capability that can inspect obfuscation, embedded payloads, suspicious module loads, and process injection behaviors where supported.
- Baseline normal web and mail protocol egress, then restrict or review unusual outbound communications from servers and workstations that should not initiate them.
Analyst notes and limits
The supplied ATT&CK object identifies ComRAT as a Windows second-stage implant used by Turla, with external reporting from Symantec, G Data/NorthSec, and ESET. The relationship set is rich and points to behaviors spanning discovery, execution, persistence, privilege escalation, defense evasion/stealth, command-and-control, and exfiltration-related scheduling. Use this object as a threat-informed validation scenario for mature Windows intrusion response rather than as a standalone indicator list.
MITRE provides no official detection section for this object, and the object itself lists no tactics. Several related techniques have broader platform lists, but the ComRAT object platform is Windows, so local validation should center on Windows evidence unless separate intelligence supports other platforms. This take does not assert current exploitation, customer exposure, or confirmed detection coverage; environment-specific telemetry and investigation data are required.
ComRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.003 | Mail Protocols Sub-technique | ComRAT can use email attachments for command and control. [ESET ComRAT May 2020] |
| Enterprise | T1564.005 | Hidden File System Sub-technique | ComRAT has used a portable FAT16 partition image placed in %TEMP% as a hidden file system. [ESET ComRAT May 2020] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | ComRAT has used HTTP requests for command and control. [NorthSec 2015 GData Uroburos Tools] [ESET ComRAT May 2020] [CISA ComRAT Oct 2020] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | ComRAT has used a scheduled task to launch its PowerShell loader. [ESET ComRAT May 2020] [CISA ComRAT Oct 2020] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | |
| Enterprise | T1518 | Software Discovery | ComRAT can check the victim's default browser to determine which process to inject its communications module into. [ESET ComRAT May 2020] |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | ComRAT has injected its orchestrator DLL into explorer.exe. ComRAT has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious, as all network connections will be initiated by the browser process. [ESET ComRAT May 2020] [CISA ComRAT Oct 2020] |
| Enterprise | T1027 | Obfuscated Files or Information | ComRAT has encrypted its virtual file system using AES-256 in XTS mode. [ESET ComRAT May 2020] [CISA ComRAT Oct 2020] |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | ComRAT has stored encrypted orchestrator code and payloads in the Registry. [ESET ComRAT May 2020] [CISA ComRAT Oct 2020] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | |
| Enterprise | T1029 | Scheduled Transfer | ComRAT has been programmed to sleep outside local business hours (9 to 5, Monday to Friday). [ESET ComRAT May 2020] |
| Enterprise | T1546.015 | Component Object Model Hijacking Sub-technique | ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information. [ESET ComRAT May 2020] [CISA ComRAT Oct 2020] |
| Enterprise | T1106 | Native API | ComRAT can load a PE file from memory or the file system and execute it with |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | ComRAT has used |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1012 | Query Registry | ComRAT can check the default browser by querying |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1112 | Modify Registry | ComRAT has modified Registry values to store encrypted orchestrator code and payloads. [ESET ComRAT May 2020] [CISA ComRAT Oct 2020] |
| Enterprise | T1124 | System Time Discovery | ComRAT has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday). [CISA ComRAT Oct 2020] |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | ComRAT has embedded a XOR-encrypted communications module inside the orchestrator module. [ESET ComRAT May 2020] [CISA ComRAT Oct 2020] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | ComRAT has used a task name associated with Windows SQM Consolidator. [ESET ComRAT May 2020] |
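The T1029 and T1124 rows describe an implant that only communicates during local business hours. The following is an added example (not from the page, ATT&CK or any vendor) that profiles constructed outbound-connection timestamps for one (process, destination) pair and reports whether the activity is confined to Mon-Fri 09:00-17:00 across several workdays with a steady cadence. Timestamps are assumed to be host-local ISO 8601 strings; because ordinary user traffic is also business-hours shaped, the result is a triage feature to combine with process context (for example a browser process that is the documented injection target), not an alert on its own.

```python
from datetime import datetime
from statistics import median

# Constructed host-local timestamps (not real ComRAT traffic): one outbound
# connection per hour, 09:00-16:00, Monday 2020-05-04 through Friday 2020-05-08.
CONFINED = [f"2020-05-{d:02d}T{h:02d}:00:00" for d in range(4, 9) for h in range(9, 17)]
# Same series plus a 02:00 connection and a Saturday connection.
DIFFUSE = CONFINED + ["2020-05-04T02:00:00", "2020-05-09T11:00:00"]


def profile(timestamps, start_hour=9, end_hour=17):
    """Summarise how the timestamps sit relative to a Mon-Fri business-hours window."""
    ts = sorted(datetime.fromisoformat(s) for s in timestamps)
    in_hours = [t for t in ts if t.weekday() < 5 and start_hour <= t.hour < end_hour]
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    return {
        "total": len(ts),
        "in_hours": len(in_hours),
        "out_hours": len(ts) - len(in_hours),
        "workdays": len({t.date() for t in in_hours}),
        # Median gap is robust to the few long overnight gaps between workdays.
        "median_gap_s": median(gaps) if gaps else None,
    }


def looks_schedule_confined(p, min_total=10, min_workdays=3):
    """True when enough activity exists, none of it falls outside business hours,
    and it spans several workdays (the shape T1029/T1124 describe)."""
    return p["total"] >= min_total and p["out_hours"] == 0 and p["workdays"] >= min_workdays
```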
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 4fa73c98f13f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Waterbug. Symantec. (2015, January 26). The Waterbug attack group. Retrieved April 10, 2015.
[2] NorthSec 2015 GData Uroburos Tools. Rascagneres, P. (2015, May). Tools used by the Uroburos actors. Retrieved August 18, 2016.
[3] ESET ComRAT May 2020. Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020.
[4] mitre-attack S0126.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.