MITRE ATT&CK® Malware

S0130: Unknown Logger

Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. [1]

Domain: Enterprise | ID: S0130 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Unknown Logger matters because it is a publicly released free Windows backdoor associated in ATT&CK with credential collection, keylogging, system discovery, tool transfer, removable-media replication, and defense impairment behaviors. For leaders, the business issue is not the malware name itself; it is whether Windows endpoint, browser-credential, removable-media, and security-tool telemetry would show a backdoor collecting credentials and preparing follow-on access.

Executive priority

Prioritize this as a validation case for Windows endpoint visibility, credential protection, and incident response readiness. The ATT&CK relationships connect Unknown Logger to behaviors that can support account takeover, lateral movement via removable media, and reduced security visibility. Executives should ask whether SOC and IR teams can prove collection of endpoint process, credential-store access, removable-media, network-transfer, and security-tool health evidence before an incident, not after.

Technical view

ATT&CK software objects carry no detection text, so for S0130 defenders should build coverage from the eight related techniques: System Network Configuration Discovery, System Owner/User Discovery, Keylogging, System Information Discovery, Replication Through Removable Media, Ingress Tool Transfer, Credentials from Web Browsers, and Disable or Modify Tools. For Windows environments, validate detection logic for clustered discovery activity from a single parent process, browser credential-store access by processes other than the browser, keystroke-capture indicators such as keyboard-hook installation by untrusted processes, executable files written to endpoints from the network, execution or propagation from removable media, and attempts to stop, degrade, or modify security tools. The ATT&CK relationships attribute use of Unknown Logger to Patchwork on the strength of the Forcepoint MONSOON reporting [1]; whether any of this is relevant to a given estate is a question only local telemetry can answer.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • File creation, modification, and execution events on endpoints
  • Browser profile and credential-store access events where available
  • Keyboard input or keylogging-related endpoint security alerts where available
  • Removable-media insertion, autorun-related activity, and execution from removable drives

Detection direction

  • Because MITRE provides no official detection guidance for Unknown Logger, map detections to the related ATT&CK techniques rather than relying on malware-name signatures alone.
  • Tune discovery detections to distinguish normal administration from clustered host, user, and network reconnaissance on Windows endpoints.
  • Validate browser credential-access monitoring and alerting, especially where saved credentials are permitted by policy.
  • Correlate removable-media activity with new executable files, renamed files, and execution from removable paths; this is especially important for segmented, disconnected, or operational environments that rely on USB transfer.
  • Monitor for security-tool disablement or modification as a high-priority context signal when paired with discovery, credential access, or ingress tool transfer.
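
As an added illustration of the detection direction above and of the technique list in the Technical view (an editor's example, not code from Glexia, MITRE or the Forcepoint report), the following Python correlates constructed Sysmon-style events into the four behaviour clusters that are cheapest to detect without a malware-name signature: a burst of discovery commands from one parent, a non-browser process opening a browser login store, a command line stopping a security-tool service, and execution from a drive that a device-arrival event marked removable. The field names, the parent process name `updater.exe`, the service names in `SECURITY_TOOLS`, the hosts and all timestamps are assumptions; keylogging and ingress tool transfer are left out because they need API-hook or network telemetry the sample does not model.

```python
"""Behaviour-based correlation for the ATT&CK techniques linked to S0130.

Added example written for this page; not code from MITRE, Glexia or the
Forcepoint MONSOON report. Events are constructed to resemble Sysmon
process-create, file-access audit and device-arrival records; the field
names, the parent process name and the security-tool names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery command prefixes mapped to the techniques in the relationship table.
DISCOVERY_CMDS = {
    "ipconfig": "T1016", "whoami": "T1033", "net user": "T1033",
    "hostname": "T1082", "systeminfo": "T1082", "wmic computersystem": "T1082",
}
# Chromium keeps saved logins in "Login Data"; Firefox in logins.json + key4.db.
BROWSER_CRED_FILES = ("login data", "logins.json", "key4.db")
BROWSER_PROCS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumed service names for the tools named in the table; substitute what is deployed.
SECURITY_TOOLS = {"avp", "bdservicehost", "mbamservice"}
TAMPER_VERBS = ("net stop", "sc stop", "sc config", "taskkill")

def find_discovery_clusters(events, window=timedelta(seconds=60), min_cmds=3):
    """One parent spawning >= min_cmds distinct discovery commands inside `window`:
    a lone ipconfig is administration, a burst of host+user+network queries is not."""
    by_parent = defaultdict(list)
    for e in events:
        if e["type"] != "process_create":
            continue
        cmdline = e["cmdline"].lower()
        for cmd, technique in DISCOVERY_CMDS.items():
            if cmdline.startswith(cmd):
                by_parent[(e["host"], e["parent"])].append(
                    (datetime.fromisoformat(e["ts"]), cmd, technique))
    hits = []
    for (host, parent), runs in by_parent.items():
        runs.sort()
        for i, (start, _, _) in enumerate(runs):
            burst = [r for r in runs[i:] if r[0] - start <= window]
            cmds = {r[1] for r in burst}
            if len(cmds) >= min_cmds:
                hits.append({"host": host, "parent": parent, "commands": sorted(cmds),
                             "techniques": sorted({r[2] for r in burst})})
                break  # one finding per parent is enough for triage
    return hits

def find_browser_cred_access(events):
    """A process other than the browser opening a saved-login store (T1555.003)."""
    return [e for e in events if e["type"] == "file_access"
            and e["path"].lower().endswith(BROWSER_CRED_FILES)
            and e["image"].lower() not in BROWSER_PROCS]

def find_tool_tampering(events):
    """Command lines that stop or reconfigure a listed security tool."""
    return [e for e in events if e["type"] == "process_create"
            and any(v in e["cmdline"].lower() for v in TAMPER_VERBS)
            and any(t in e["cmdline"].lower() for t in SECURITY_TOOLS)]

def find_removable_execution(events):
    """Execution from a drive letter that a device-arrival event on the same host
    marked removable earlier (T1091: propagation to, or execution from, USB)."""
    removable = defaultdict(set)
    hits = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["type"] == "removable_mount":
            removable[e["host"]].add(e["drive"].upper())
        elif e["type"] == "process_create" and e["image"][:2].upper() in removable[e["host"]]:
            hits.append(e)
    return hits

def correlate(events):
    """Run every rule; findings are keyed by behaviour so they can be joined per host."""
    return {"discovery": find_discovery_clusters(events),
            "browser_credentials": find_browser_cred_access(events),
            "tool_tampering": find_tool_tampering(events),
            "removable_execution": find_removable_execution(events)}

# Constructed sample: an implant-like parent ("updater.exe", made up) on WS01 plus benign noise on WS02.
SAMPLE_EVENTS = [
    {"type": "process_create", "ts": "2024-03-01T09:00:01", "host": "WS01", "parent": "updater.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"type": "process_create", "ts": "2024-03-01T09:00:03", "host": "WS01", "parent": "updater.exe",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"type": "process_create", "ts": "2024-03-01T09:00:05", "host": "WS01", "parent": "updater.exe",
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo"},
    {"type": "file_access", "ts": "2024-03-01T09:00:20", "host": "WS01", "image": "updater.exe",
     "path": r"C:\Users\jdoe\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"type": "process_create", "ts": "2024-03-01T09:00:30", "host": "WS01", "parent": "updater.exe",
     "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop avp"},
    {"type": "removable_mount", "ts": "2024-03-01T09:05:00", "host": "WS01", "drive": "E:"},
    {"type": "process_create", "ts": "2024-03-01T09:05:10", "host": "WS01", "parent": "explorer.exe",
     "image": r"E:\readme.exe", "cmdline": r"E:\readme.exe"},
    # Benign: a single ipconfig from an admin shell; the browser reading its own store.
    {"type": "process_create", "ts": "2024-03-01T10:00:00", "host": "WS02", "parent": "cmd.exe",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig"},
    {"type": "file_access", "ts": "2024-03-01T10:00:05", "host": "WS02", "image": "chrome.exe",
     "path": r"C:\Users\asmith\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]
```

Calling `correlate(SAMPLE_EVENTS)` returns one finding per behaviour for WS01 and nothing for WS02: the lone `ipconfig` from `cmd.exe` stays below the cluster threshold and Chrome reading its own store is excluded by process. In production the event list comes from Sysmon or the EDR, the tamper rule should be widened to product-specific reconfiguration commands (for example `Set-MpPreference` changes for Defender) and joined with the tool's own health reporting, and the per-host findings should be merged so that discovery plus credential access plus tampering on one host outranks any single rule firing alone.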

Mitigation priorities

  • Reduce credential exposure by limiting saved browser passwords, enforcing strong identity controls, and reviewing where browser credential storage is allowed.
  • Harden Windows endpoint controls around removable media, including policy restrictions, scanning, and execution control where operationally feasible.
  • Ensure endpoint protection, logging agents, and security tools have tamper protection, health monitoring, and alerting for service or configuration changes.
  • Maintain least privilege so discovery, credential access, and security-tool modification attempts have reduced impact.
  • Prepare IR playbooks that cover suspected keylogging or browser credential theft, including password reset scope, session revocation, and affected-account review.
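
The last bullet above, reset scope and session revocation, is the step most often improvised mid-incident. The following Python, an added example that is not Glexia's or MITRE's code, computes the reset scope from constructed Security-log 4624-style records: every account with an interactive, unlock, RDP or cached logon on the affected host between the first malicious event and containment is treated as having typed credentials in front of the keylogger, a session opened shortly before the compromise is assumed still open, and privileged accounts are ordered first. Host names, account names, the privileged-account list and the session lookback are assumptions.

```python
"""Scope credential resets and session revocation after suspected keylogging.

Added example written for this page, not Glexia or MITRE code. Logon records
are constructed to resemble Security event 4624 fields (logon type, account,
domain, host); host names, account names, the privileged-account list and the
session lookback are assumptions.
"""
from datetime import datetime, timedelta

# Logon types where the user types on the host and a keylogger can see it.
# Network logons (type 3) are excluded: nothing is typed on the victim.
EXPOSED_LOGON_TYPES = {2: "Interactive", 7: "Unlock", 10: "RemoteInteractive", 11: "CachedInteractive"}
PRIVILEGED = {"CORP\\adm-backup", "CORP\\helpdesk-t2"}  # assumed; normally from AD group membership

def reset_scope(logons, host, compromised_from, contained_at, session_lookback=timedelta(hours=12)):
    """Accounts that may have typed credentials on `host` during the exposure window.

    A logon up to `session_lookback` before `compromised_from` is treated as a
    session that was still open when the implant started (logoff events are not
    modelled), so it is in scope too. Machine accounts (trailing '$') are left
    out: they need a machine-password reset, not a user credential reset.
    Returns {account: {"last_exposed": datetime, "logon_type": str, "privileged": bool}}.
    """
    scope = {}
    for e in logons:
        t = datetime.fromisoformat(e["ts"])
        if e["host"] != host or e["user"].endswith("$"):
            continue
        if e["logon_type"] not in EXPOSED_LOGON_TYPES:
            continue
        if not (compromised_from - session_lookback <= t <= contained_at):
            continue
        acct = f'{e["domain"]}\\{e["user"]}'
        exposed_at = max(t, compromised_from)  # a pre-compromise session is exposed from t0 onward
        prev = scope.get(acct)
        if prev is None or exposed_at > prev["last_exposed"]:
            scope[acct] = {"last_exposed": exposed_at,
                           "logon_type": EXPOSED_LOGON_TYPES[e["logon_type"]],
                           "privileged": acct in PRIVILEGED}
    return scope

def response_order(scope, browser_profile_owner=None):
    """Ordered playbook actions: privileged accounts first, then everyone else.
    The owner of the browser profile whose login store was read also needs a
    review of every saved third-party login, which a domain reset does not cover."""
    ranked = sorted(scope, key=lambda a: (not scope[a]["privileged"], a))
    actions = []
    for acct in ranked:
        actions.append(("revoke_sessions_and_reset", acct))
        if acct == browser_profile_owner:
            actions.append(("review_saved_browser_logins", acct))
    return actions

# Constructed 4624-like records for the incident timeline on WS01; not real data.
SAMPLE_LOGONS = [
    {"ts": "2024-03-01T08:30:00", "host": "WS01", "domain": "CORP", "user": "jdoe", "logon_type": 2},
    {"ts": "2024-03-01T09:10:00", "host": "WS01", "domain": "CORP", "user": "jdoe", "logon_type": 7},
    {"ts": "2024-03-01T11:00:00", "host": "WS01", "domain": "CORP", "user": "helpdesk-t2", "logon_type": 10},
    {"ts": "2024-03-01T11:30:00", "host": "WS01", "domain": "CORP", "user": "svc-backup", "logon_type": 3},
    {"ts": "2024-03-01T11:45:00", "host": "WS01", "domain": "CORP", "user": "WS01$", "logon_type": 5},
    {"ts": "2024-03-01T12:00:00", "host": "WS02", "domain": "CORP", "user": "asmith", "logon_type": 2},
    {"ts": "2024-03-01T14:00:00", "host": "WS01", "domain": "CORP", "user": "jdoe", "logon_type": 2},
]
COMPROMISED_FROM = datetime(2024, 3, 1, 9, 0)   # first malicious event seen on WS01
CONTAINED_AT = datetime(2024, 3, 1, 13, 0)      # host isolated from the network
```

With the sample, `reset_scope(SAMPLE_LOGONS, "WS01", COMPROMISED_FROM, CONTAINED_AT)` returns two accounts: `CORP\jdoe`, whose 08:30 session predates the compromise but is still counted and whose 09:10 unlock is the last exposure, and the privileged `CORP\helpdesk-t2` RDP session; the type 3 service logon, the machine account, the other host and the post-containment logon all drop out. `response_order` then puts the helpdesk account first and appends the saved-login review for `CORP\jdoe` because the browser store read earlier lived in that user's profile. Revoking sessions means more than a password change: Kerberos tickets and cloud refresh tokens issued before the reset remain valid until they expire or are revoked explicitly.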

Analyst notes and limits

The strongest decision value is to use S0130 as a coverage test for credential theft plus discovery plus removable-media risk on Windows. The object is a malware entry with sparse native fields, so the practical defensive picture comes primarily from its ATT&CK relationships to techniques and the cited Forcepoint MONSOON reporting.

Official detection is not provided, tactics are not specified on the malware object, aliases are not listed, and platform support is limited to Windows for this object. Related technique platform lists are broader and in some cases do not align cleanly with the malware platform, so defenders should validate relevance against their own Windows estate and telemetry.

Official MITRE ATT&CK definition

Unknown Logger

Unknown Logger is a publicly released, free backdoor. Version 1.5 of the backdoor has been used by the actors responsible for the MONSOON campaign. [1]

The same entry is available on attack.mitre.org (MITRE-hosted reference); the in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1082 | System Information Discovery | Unknown Logger can obtain information about the victim computer name, physical memory, country, and date. [1]
Enterprise | T1033 | System Owner/User Discovery | Unknown Logger can obtain information about the victim usernames. [1]
Enterprise | T1091 | Replication Through Removable Media | Unknown Logger is capable of spreading to USB devices. [1]
Enterprise | T1105 | Ingress Tool Transfer | Unknown Logger is capable of downloading remote files. [1]
Enterprise | T1685 | Disable or Modify Tools | Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes. [1]
Enterprise | T1016 | System Network Configuration Discovery | Unknown Logger can obtain information about the victim's IP address. [1]
Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | Unknown Logger is capable of stealing usernames and passwords from browsers on the victim machine. [1]
Enterprise | T1056.001 | Keylogging (sub-technique) | Unknown Logger is capable of recording keystrokes. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0040: Patchwork

Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1] [2][3][4]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: b71c5c3fce638be7...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | b71c5c3fce63…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Forcepoint Monsoon: Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
  2. [2] mitre-attack S0130: MITRE ATT&CK, Unknown Logger (S0130), attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.