S0137: CORESHELL
Analyst context for executives and security teams
CORESHELL is a Windows downloader associated in ATT&CK with APT28; older reporting also uses the name SOURFACE. Its business significance is not just the malware name: a downloader is often the pivot point between initial compromise and additional tooling. If it is missed, defenders may lose the opportunity to contain an intrusion before persistence, discovery, command-and-control, or further payload transfer occur.
Executive priority
Treat this as a validation item for Windows endpoint, network, and incident response readiness rather than as a standalone signature problem. Leaders should ask whether SOC teams can connect suspicious Windows execution, registry-based persistence, system and storage discovery, and web/mail-based command-and-control into one investigation. Because ATT&CK provides no official detection text for CORESHELL, coverage should be proven through telemetry and response exercises, not assumed from malware naming alone.
Technical view
ATT&CK lists CORESHELL as Windows malware and relates it to obfuscation, junk code insertion, web and mail protocols for command-and-control, system and local storage discovery, ingress tool transfer, standard encoding, rundll32 abuse, registry run keys/startup folder persistence, and symmetric cryptography. SOC and IR teams should validate detections around suspicious rundll32.exe execution, new or modified Run key/startup persistence, downloader-like file creation after external communications, encoded or encrypted C2-like traffic over common protocols, and host discovery activity occurring near suspicious process execution. Because the object has no official detection guidance, detections should be behavior-led and correlated across endpoint, network, and persistence evidence.
Likely telemetry
- Windows process creation and command-line telemetry, especially rundll32.exe activity
- Windows registry monitoring for Run keys and startup persistence locations
- File creation/modification events for newly downloaded tools or payloads
- Endpoint security alerts and malware analysis artifacts related to obfuscated or packed files
- Network proxy, firewall, DNS, and HTTP/S metadata for outbound web-protocol communications
Detection direction
- Correlate suspicious downloader behavior with follow-on ingress tool transfer rather than relying only on static malware names or hashes.
- Tune rundll32.exe analytics to distinguish normal administrative or application activity from unusual DLL paths, export names, parent processes, user contexts, or network-adjacent execution.
- Monitor Run key and startup folder changes with allowlisting for known software updaters to reduce false positives.
- Review outbound web and mail protocol visibility, because C2 over common protocols can blend into ordinary enterprise traffic.
- Account for obfuscation, junk code, standard encoding, and symmetric cryptography as reasons static detections or payload inspection may be incomplete.
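One way to turn the rundll32 and Run-key points above into a concrete, correlated analytic. This is an added example, not code from the mirrored ATT&CK object or from Glexia; the log lines are constructed Sysmon-style events, the "ts|host|eid|payload" layout is an assumption, and the export names come from the T1218.011 procedure text on this page.

```python
# Added example (not from the mirrored ATT&CK object): flag a rundll32 run using a CORESHELL-style
# export and correlate it with a Run-key write on the same host. Log lines are constructed Sysmon-style
# events (EID 1 process creation, EID 13 registry set); the 'ts|host|eid|payload' layout is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta
import re

SUSPECT_EXPORTS = {"init", "initw"}          # export names quoted in the T1218.011 procedure text
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\program files")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
WINDOW = timedelta(minutes=10)               # persistence write must follow execution within this span
CMD_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",\s]+)"?\s*,\s*(?P<export>\w+)', re.I)

def parse_line(line):
    """Parse one 'ts|host|eid|payload' line; return an event dict, or None if irrelevant."""
    ts, host, eid, payload = line.strip().split("|", 3)
    ev = {"ts": datetime.fromisoformat(ts), "host": host, "eid": int(eid)}
    if ev["eid"] == 1:                       # process creation: keep only rundll32 <dll>,<export>
        m = CMD_RE.search(payload)
        if not m:
            return None
        ev.update(dll=m["dll"].lower(), export=m["export"].lower())
    elif ev["eid"] == 13:                    # registry value set
        ev["key"] = payload.lower()
    else:
        return None
    return ev

def suspicious_rundll32(ev):
    """True when rundll32 calls a CORESHELL-style export from a DLL outside trusted directories."""
    return ev["export"] in SUSPECT_EXPORTS and not ev["dll"].startswith(TRUSTED_DLL_DIRS)

def correlate(lines):
    """Return (host, dll) pairs where a suspicious rundll32 run precedes a Run-key write within WINDOW."""
    by_host = defaultdict(list)
    for ev in filter(None, map(parse_line, lines)):
        by_host[ev["host"]].append(ev)
    hits = []
    for host, evs in by_host.items():
        key_times = [e["ts"] for e in evs if e["eid"] == 13 and RUN_KEY in e["key"]]
        for r in (e for e in evs if e["eid"] == 1 and suspicious_rundll32(e)):
            if any(timedelta(0) <= t - r["ts"] <= WINDOW for t in key_times):
                hits.append((host, r["dll"]))
    return hits

SAMPLE_LOG = [  # constructed, not real telemetry
    r"2024-05-01T09:00:00|WS01|1|rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    r"2024-05-01T09:01:00|WS02|1|rundll32.exe C:\Users\bob\AppData\Local\Temp\api.dll,InitW",
    r"2024-05-01T09:03:00|WS02|13|HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\api",
    r"2024-05-01T09:05:00|WS03|1|rundll32.exe C:\Users\amy\Temp\x.dll,init",  # no persistence write
]
```

Only WS02 is returned: WS01 is a normal shell32 call and WS03 runs a suspect export but never writes a Run value, which is the kind of single-signal event the tuning advice above says to deprioritise on its own.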
Mitigation priorities
- Prioritize Windows endpoint visibility for process, registry, file, and network activity before assuming CORESHELL-specific coverage.
- Restrict and monitor abuse-prone execution paths such as rundll32.exe where business operations allow, using policy and alerting rather than blanket assumptions.
- Harden persistence locations by monitoring and controlling registry Run keys and startup folders.
- Limit unnecessary outbound web and mail protocol paths and ensure egress logging is retained for investigations.
- Strengthen incident response playbooks for downloader findings: isolate affected hosts, preserve volatile and persistence evidence, and hunt for additional transferred tools.
Analyst notes and limits
The most useful defensive framing is behavioral: CORESHELL is described as a downloader, and the relationships point to persistence, discovery, C2, obfuscation, and tool transfer behaviors. The APT28 relationship increases intelligence relevance, but local evidence is still required for incident scoping or attribution.
The official ATT&CK object does not specify tactics for the malware itself and provides no official detection text. Technique relationships provide direction but not environment-specific indicators, signatures, infrastructure, prevalence, or confirmed exposure. Platform claims should be limited to Windows for this malware object, with related technique platforms treated as generic ATT&CK context.
CORESHELL
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | CORESHELL can communicate over HTTP for C2. (Citation: FireEye APT28)(Citation: Microsoft SIR Vol 19) |
| Enterprise | T1071.003 | Mail Protocols (sub-technique) | CORESHELL can communicate over SMTP and POP3 for C2. (Citation: FireEye APT28)(Citation: Microsoft SIR Vol 19) |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | CORESHELL C2 messages are Base64-encoded. (Citation: FireEye APT28) |
| Enterprise | T1680 | Local Storage Discovery | CORESHELL collects the volume serial number from the victim and sends the information to its C2 server. (Citation: FireEye APT28) |
| Enterprise | T1082 | System Information Discovery | CORESHELL collects hostname and OS version data from the victim and sends the information to its C2 server. (Citation: FireEye APT28) |
| Enterprise | T1027.016 | Junk Code Insertion (sub-technique) | CORESHELL contains unused machine instructions in a likely attempt to hinder analysis. (Citation: FireEye APT28) |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | CORESHELL is installed via execution of rundll32 with an export named "init" or "InitW". (Citation: Microsoft SIR Vol 19) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder. (Citation: Microsoft SIR Vol 19) |
| Enterprise | T1105 | Ingress Tool Transfer | CORESHELL downloads another dropper from its C2 server. (Citation: FireEye APT28) |
| Enterprise | T1027 | Obfuscated Files or Information | CORESHELL obfuscates strings using a custom stream cipher. (Citation: FireEye APT28) |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys. (Citation: FireEye APT28) |
Groups, software, and campaigns
G0007: APT28
APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]
APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.2 | | Current bundle | 7cfda8656117… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT28: FireEye. (2015). APT28: A Window into Russia's Cyber Espionage Operations? Retrieved August 19, 2015.
- [2] FireEye APT28 January 2017: FireEye iSIGHT Intelligence. (2017, January 11). APT28: At the Center of the Storm. Retrieved November 17, 2024.
- [3] CORESHELL (associated software name): (Citation: FireEye APT28)(Citation: FireEye APT28 January 2017)
- [4] SOURFACE (associated software name): (Citation: FireEye APT28)(Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018)
- [5] Securelist Sofacy Feb 2018: Kaspersky Lab's Global Research & Analysis Team. (2018, February 20). A Slice of 2017 Sofacy Activity. Retrieved November 27, 2018.
- [6] Sofacy (associated software name): This designation has been used in reporting both to refer to the threat group ([APT28](https://attack.mitre.org/groups/G0007)) and its associated malware. (Citation: FireEye APT28)(Citation: FireEye APT28 January 2017)(Citation: Securelist Sofacy Feb 2018)
- [7] mitre-attack S0137: MITRE ATT&CK source record for S0137.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.