S0149: MoonWind
Analyst context for executives and security teams
MoonWind is a Windows remote access tool documented by ATT&CK as used in 2016 against organizations in Thailand. Its ATT&CK relationships matter because they describe a RAT pattern that can support hands-on intrusion activity: discovery of users, processes, files, network configuration, peripherals, and system time; command execution through Windows command shell; persistence through Windows services; local data staging; file deletion; keylogging; and command-and-control using non-standard ports, non-application-layer protocols, and symmetric encryption.
Executive priority
Treat MoonWind as a control-validation case for Windows endpoint resilience and RAT readiness rather than as evidence of current exposure. The business question is whether the organization can prove it would notice and contain a remote-access intrusion that performs discovery, credential collection via keylogging, service-based persistence, local staging, and concealed C2. This is useful for prioritizing endpoint logging, identity protection, network egress visibility, incident response evidence retention, and audit-ready proof that discovery and persistence behaviors are monitored.
Technical view
ATT&CK provides no official detection text for MoonWind, so defenders should validate coverage through the related techniques. On Windows, confirm visibility for command-shell execution, service creation or modification, process and user discovery, file and directory enumeration, local staging directories or unusual collection patterns, file deletion after tool activity, and signs of keylogging behavior where endpoint telemetry supports it. Network teams should validate egress monitoring for unusual protocol/port pairings, non-standard ports, non-application-layer C2 patterns, and encrypted traffic that does not match expected application behavior. IR teams should ensure triage playbooks preserve service configuration, command-line history where available, process lineage, filesystem artifacts, and network connection metadata before cleanup.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe activity
- Windows service creation, modification, and service executable path/configuration records
- User/account discovery evidence such as logged-on user queries or username enumeration artifacts
- Process, file, directory, system information, system time, network configuration, and peripheral discovery evidence
- File creation, modification, staging, and deletion telemetry from endpoints or EDR
Detection direction
- Build behavior-based detection around the related ATT&CK techniques rather than relying on a MoonWind-specific signature, because no official detection guidance is supplied.
- Correlate discovery bursts across user, process, network configuration, file/directory, system information, peripheral, and system time queries from the same host or process tree.
- Tune Windows command-shell detections for suspicious parent/child process chains, remote execution context, and command sequences associated with discovery, staging, deletion, or service manipulation.
- Monitor new or modified Windows services, especially services pointing to unusual paths or recently written executables; account for legitimate software deployment and administration tools as common false-positive sources.
- Look for local data staging followed by deletion, especially when paired with discovery and outbound network activity.
Mitigation priorities
- Prioritize endpoint visibility and retention for Windows process, service, file, and network activity so investigations can reconstruct RAT behavior.
- Harden Windows service creation and modification rights; restrict administrative privileges and monitor privileged changes.
- Apply least privilege and credential-protection practices to reduce the value of keylogging and user discovery.
- Control and monitor outbound network access, including non-standard ports and unexpected protocols, with documented business exceptions.
- Use application control or execution policy where feasible to reduce unauthorized command-shell and unknown binary execution.
Analyst notes and limits
The object is a malware entry for MoonWind, a Windows RAT, with one cited public report and ATT&CK relationships to multiple techniques. The most decision-useful context comes from those relationships: discovery-heavy host profiling, Windows command execution, Windows service persistence, local staging, file deletion, keylogging, and C2 concealment through non-standard ports/protocols/encryption.
ATT&CK does not provide official detection text, aliases, labels, or object-level tactics for MoonWind in the supplied fields. The description only states historical use in 2016 against organizations in Thailand; it does not support claims of current exploitation, attribution beyond the cited report, or guaranteed detection logic. Local environment baselines are required to distinguish malicious RAT behavior from legitimate administration, software deployment, and business network traffic.
MoonWind
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.001 | Keylogging Sub-technique | MoonWind has a keylogger.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1057 | Process Discovery | MoonWind has a command to return a list of running processes.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1543.003 | Windows Service Sub-technique | MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1571 | Non-Standard Port | MoonWind communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1095 | Non-Application Layer Protocol | MoonWind completes network communication via raw sockets.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1083 | File and Directory Discovery | MoonWind has a command to return a directory listing for a specified directory.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1120 | Peripheral Device Discovery | MoonWind obtains the number of removable drives from the victim.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | MoonWind encrypts C2 traffic using RC4 with a static key.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1082 | System Information Discovery | MoonWind can obtain the victim hostname, Windows version, RAM amount, and screen resolution.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1070.004 | File Deletion Sub-technique | MoonWind can delete itself or specified files.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1124 | System Time Discovery | MoonWind obtains the victim's current time.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1033 | System Owner/User Discovery | MoonWind obtains the victim username.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | MoonWind saves information from its keylogging routine as a .zip file in the present working directory.CitationPalo Alto MoonWind March 2017 |
| Enterprise | T1016 | System Network Configuration Discovery | MoonWind obtains the victim IP address.CitationPalo Alto MoonWind March 2017 |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | d5fbda4b6d89… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
Palo Alto MoonWind March 2017
Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017.
Open source URL -
[2]
mitre-attack S0149Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.