S0148: RTM
Analyst context for executives and security teams
RTM is a Windows malware family written in Delphi and associated in ATT&CK with the RTM cybercriminal group. Its mapped behaviors matter because they combine credential and user-data collection, host discovery, persistence, command-and-control, and cleanup/stealth techniques. For leaders, the practical issue is not only whether a signature exists, but whether the organization can see and investigate Windows activity that looks like banking-trojan-style credential theft and persistence.
Executive priority
Prioritize RTM as a validation case for Windows endpoint resilience, identity risk, and incident response readiness. The ATT&CK relationships show behaviors that can affect credential exposure, fraud risk, and investigation quality: keylogging, screen and clipboard collection, scheduled task persistence, registry modification, web-based C2, ingress tool transfer, obfuscation, masquerading, and file/persistence cleanup. Executives should ask whether SOC coverage is behavior-based, whether evidence survives cleanup attempts, and whether high-risk financial or remote-banking users receive stronger monitoring and access controls.
Technical view
ATT&CK does not provide an official detection section for RTM, so coverage should be validated against the mapped techniques rather than a single malware name. On Windows, focus on suspicious scheduled task creation or modification, registry changes linked to persistence or defense evasion, command shell execution, user/system/process/file discovery, and collection behaviors such as keylogging, screen capture, clipboard access, and automated collection. Network teams should validate visibility into outbound web-protocol C2 patterns and use of legitimate web services as dead-drop resolvers. IR teams should also plan for obfuscated/compressed payloads, masqueraded task or service names, file deletion, and clearing of persistence artifacts.
Likely telemetry
- Windows endpoint process creation and command-line events, especially cmd.exe and discovery command patterns
- Windows Task Scheduler events and task XML/name/description changes
- Windows Registry modification telemetry for persistence- and defense-evasion-relevant keys
- File creation, deletion, compression/archive, and executable metadata telemetry on endpoints
- Endpoint alerts or behavioral telemetry for keyboard, screen capture, clipboard, and automated collection activity
Detection direction
- Because MITRE provides no official RTM detection text, build detections around technique clusters: persistence plus masquerading, discovery plus collection, and web C2 plus tool transfer.
- Tune scheduled-task detections for suspicious task names, descriptions, paths, or timing, while accounting for legitimate administrative and software-update tasks.
- Correlate registry modification, task creation, and command shell execution from the same host or user context to reduce false positives.
- Look for discovery activity followed by credential or collection behavior, including keylogging, screen capture, clipboard access, or automated file collection.
- Review network detections for outbound HTTP/S patterns that blend into normal traffic, including contacts to legitimate external services that may act as dead-drop resolvers.
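The technique-cluster correlation described above, written out as an added example (not MITRE, Glexia, ESET or Unit42 code) over constructed endpoint events. The flat event shape, its field names (host, ts, kind, task_name, key, value_name, parent, image, dst_port) and the 15-minute window are assumptions; the masquerade name, the cmd.exe/rundll32.exe chain, the Run key and port 44443 come from the techniques table on this page.

```python
from collections import defaultdict

# Name RTM reuses for its scheduled task and Run key; real update tasks sit under Microsoft\Windows.
MASQUERADE_NAMES = {"windows update"}
LEGIT_TASK_PREFIX = "\\microsoft\\windows\\"
WINDOW_SECONDS = 15 * 60  # assumed correlation window

def classify(ev):
    """Map one event to the technique-cluster signal it carries, or None."""
    kind = ev["kind"]
    if kind == "task_created":  # T1053.005 + T1036.004
        name = ev["task_name"].lower()
        leaf = name.rsplit("\\", 1)[-1]
        if leaf in MASQUERADE_NAMES and not name.startswith(LEGIT_TASK_PREFIX):
            return "persistence"
    elif kind == "reg_set":  # T1547.001
        if (ev["key"].lower().rstrip("\\").endswith("\\currentversion\\run")
                and ev["value_name"].lower() in MASQUERADE_NAMES):
            return "persistence"
    elif kind == "process":  # T1059.003 + T1218.011
        if ev["parent"].lower() == "cmd.exe" and ev["image"].lower() == "rundll32.exe":
            return "execution"
    elif kind == "netconn":  # T1571 (VNC module on 44443) or T1071.001 HTTPS from rundll32
        if ev["dst_port"] == 44443 or (
                ev["dst_port"] == 443 and ev["image"].lower() == "rundll32.exe"):
            return "c2"
    return None

def correlate(events, min_clusters=2):
    """One alert per host whose signals span >= min_clusters clusters inside the window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        sig = classify(ev)
        if sig:
            by_host[ev["host"]].append((ev["ts"], sig))
    alerts = []
    for host, sigs in by_host.items():
        for t0, _ in sigs:
            clusters = {s for t, s in sigs if t0 <= t <= t0 + WINDOW_SECONDS}
            if len(clusters) >= min_clusters:
                alerts.append((host, tuple(sorted(clusters))))
                break
    return alerts

# Constructed sample telemetry (not real logs): WS01 shows the chain, WS02 shows benign look-alikes.
EVENTS = [
    {"host": "WS01", "ts": 1000, "kind": "process", "parent": "cmd.exe", "image": "rundll32.exe"},
    {"host": "WS01", "ts": 1030, "kind": "task_created", "task_name": "\\Windows Update"},
    {"host": "WS01", "ts": 1045, "kind": "reg_set", "value_name": "Windows Update",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"},
    {"host": "WS01", "ts": 1200, "kind": "netconn", "image": "rundll32.exe", "dst_port": 44443},
    {"host": "WS02", "ts": 2000, "kind": "task_created",
     "task_name": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start"},
    {"host": "WS02", "ts": 2100, "kind": "process", "parent": "explorer.exe", "image": "rundll32.exe"},
]
```

Raising min_clusters to 3 requires persistence, execution and C2 signals together, which trades recall for fewer single-cluster false positives from legitimate admin tasks.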
Mitigation priorities
- Confirm Windows endpoint logging and EDR coverage for task scheduling, registry modification, process creation, file deletion, and suspicious collection behavior.
- Harden persistence surfaces by limiting who can create scheduled tasks or modify sensitive registry locations, and review administrative access regularly.
- Reduce credential-theft impact with strong identity controls for high-risk users, especially users of remote banking or financial systems.
- Apply egress monitoring and filtering appropriate to business requirements, with attention to unusual HTTP/S destinations and web-service-based resolver behavior.
- Prepare IR playbooks to preserve volatile endpoint evidence quickly, because the mapped techniques include file deletion and clearing persistence artifacts.
Analyst notes and limits
The supplied ATT&CK object identifies RTM as custom Delphi malware whose newer versions are publicly reported as Redaman, and links it to the RTM group. Relationship context maps RTM to multiple ATT&CK techniques across stealth, discovery, execution, persistence, credential access, collection, and command-and-control behaviors. The group description states interest in users of remote banking systems in Russia and neighboring countries; this should inform threat-intelligence context without being treated as proof of local exposure.
No official MITRE detection guidance is provided for this object, and the object itself lists Windows as the platform with no object-level tactics specified. Technique relationship descriptions include broader platform coverage, but this take treats RTM coverage as Windows-focused unless local intelligence supports otherwise. Local telemetry, asset criticality, user population, and incident evidence are required to determine actual risk or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges. [1] |
| Enterprise | T1219 | Remote Access Tools | RTM has the capability to download a VNC module from command and control (C2). [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | RTM uses the command line and rundll32.exe to execute. [1] |
| Enterprise | T1115 | Clipboard Data | RTM collects data from the clipboard. [1][2] |
| Enterprise | T1056.001 | Keylogging Sub-technique | RTM can record keystrokes from both the keyboard and virtual keyboard. [1][2] |
| Enterprise | T1568 | Dynamic Resolution | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | RTM has been delivered via spearphishing attachments disguised as PDF documents. [2] |
| Enterprise | T1027.015 | Compression Sub-technique | RTM has been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR. [1][2] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | RTM can obtain a list of smart card readers attached to the victim. [1][2] |
| Enterprise | T1124 | System Time Discovery | RTM can obtain the victim time zone. [1] |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism. [1] |
| Enterprise | T1553.002 | Code Signing Sub-technique | RTM samples have been signed with code-signing certificates. [1] |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | RTM can detect if it is running within a sandbox or other virtualized analysis environment. [2] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | RTM tries to add a scheduled task to establish persistence. [1][2] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | RTM has named the scheduled task it creates "Windows Update". [2] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | RTM encrypts C2 traffic with a custom RC4 variant. [1] |
| Enterprise | T1112 | Modify Registry | RTM can delete all Registry entries created during its execution. [1] |
| Enterprise | T1102.001 | Dead Drop Resolver Sub-technique | |
| Enterprise | T1106 | Native API | RTM can use the |
| Enterprise | T1119 | Automated Collection | RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings. [1][2] |
| Enterprise | T1033 | System Owner/User Discovery | RTM can obtain the victim username and permissions. [1] |
| Enterprise | T1553.004 | Install Root Certificate Sub-technique | RTM can add a certificate to the Windows store. [1][2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | RTM has initiated connections to external domains using HTTPS. [2] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | RTM runs its core DLL file using rundll32.exe. [1][2] |
| Enterprise | T1571 | Non-Standard Port | RTM used port 44443 for its VNC module. [1] |
| Enterprise | T1082 | System Information Discovery | RTM can obtain the computer name, OS version, and default language identifier. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | RTM can download additional files. [1][2] |
| Enterprise | T1083 | File and Directory Discovery | RTM can check for specific files and directories associated with virtualization and malware analysis. [2] |
| Enterprise | T1027 | Obfuscated Files or Information | RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. [1][2] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | RTM can obtain information about security software on the victim. [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within. [2] |
| Enterprise | T1057 | Process Discovery | RTM can obtain information about process integrity levels. [1] |
| Enterprise | T1518 | Software Discovery | RTM can scan victim drives to look for specific banking software on the machine to determine next actions. [1] |
| Enterprise | T1113 | Screen Capture | RTM can capture screenshots. [1][2] |
| Enterprise | T1070.009 | Clear Persistence Sub-technique | RTM has the ability to remove Registry entries that it created for persistence. [1] |
| Enterprise | T1036 | Masquerading | RTM has been delivered as archived Windows executable files masquerading as PDF documents. [2] |
| Enterprise | T1070.004 | File Deletion Sub-technique | RTM can delete all files created during its execution. [1][2] |
Groups, software, and campaigns
G0048: RTM
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | cfbd4a3aa638… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET RTM Feb 2017: Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
- [2] Unit42 Redaman January 2019: Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
- [3] Redaman (alias of RTM): cited to Unit42 Redaman January 2019.
- [4] mitre-attack external ID: S0148.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.