
S0152: EvilGrab

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [1]

Enterprise | S0152 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

EvilGrab matters because ATT&CK describes it as Windows malware with reconnaissance and collection-oriented capabilities, including keylogging, screen capture, audio capture, video capture, and Windows Run Key/Startup Folder persistence. For leaders, the practical risk is not just malware execution; it is the potential loss of credentials, sensitive meeting content, on-screen business information, and persistence on user workstations. MITRE notes it has been deployed through malicious Microsoft Office documents in spearphishing campaigns by menuPass, so email-delivered document risk and endpoint visibility are central defensive questions.

Executive priority

Prioritize validation around Windows endpoint resilience, phishing/document controls, and evidence that SOC and incident response teams can identify credential and surveillance-style collection behaviors. This object is most useful for deciding whether endpoint telemetry, identity monitoring, and IR playbooks can handle malware that may persist through common Windows startup mechanisms while collecting user activity. Executives should ask whether the organization can prove coverage for Office-document delivery paths, Run Key/Startup Folder persistence, keystroke theft indicators, and abnormal access to microphones, cameras, or screen capture functions on business systems.

Technical view

ATT&CK provides no dedicated detection text for EvilGrab, so defenders should pivot from the relationships: T1056.001 Keylogging, T1113 Screen Capture, T1123 Audio Capture, T1125 Video Capture, and T1547.001 Registry Run Keys / Startup Folder. On Windows, validate visibility into process execution from Microsoft Office, child-process behavior, persistence changes in user and machine Run Keys or Startup folders, suspicious file writes associated with captured media, and endpoint activity involving keyboard, screen, microphone, or camera access. Because the malware object itself has no tactics specified, detection engineering should be technique-led rather than relying on a malware-family signature alone.

Likely telemetry

  • Windows endpoint process creation and parent-child process telemetry, especially Microsoft Office document activity
  • Registry monitoring for Run Key modifications and startup persistence locations
  • Startup folder file creation or modification events
  • Endpoint security alerts or behavioral events for keylogging-like activity
  • File creation telemetry for screenshots, audio, or video artifacts where available

Detection direction

  • Do not depend on an EvilGrab-specific detection rule, because ATT&CK does not provide official detection guidance for this object.
  • Build and test detections around the related techniques: keylogging, screen capture, audio capture, video capture, and Registry Run Key/Startup Folder persistence.
  • Tune Office-spawned process and document-delivery analytics carefully, since legitimate Office automation and administrative scripts can create false positives.
  • Validate whether EDR and logging policies record registry persistence changes with enough user, process, command-line, and timestamp context for incident response.
  • Review blind spots around peripheral access: many environments collect process and registry data but have limited visibility into microphone, camera, and screen capture behavior.
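The technique-led approach described above, as an added example that is not part of the Glexia or MITRE page: a small Python detector run over constructed Sysmon-style events (Event ID 13 registry value set, Event ID 11 file create, Event ID 1 process create). It flags Run Key and Startup Folder persistence (T1547.001) and Office-spawned child processes, and it applies the tuning point from the list: an assumed allowlist of legitimate Office helper processes. The Run-key rule raises severity when the value points to a look-alike of a core Windows binary outside the system directories, which is the shape the page's ctfmon.exe note suggests; every event, path and process name below is constructed sample data, and the allowlist and look-alike names other than ctfmon.exe are assumptions to tune per environment.

```python
import re
from dataclasses import dataclass

# Registry paths and file locations that implement T1547.001 persistence.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
STARTUP_FOLDER_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

# Office processes whose children warrant review (document-delivery path).
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed allowlist of legitimate Office-spawned helpers; tune per environment.
OFFICE_CHILD_ALLOWLIST = {"splwow64.exe", "msosync.exe"}

# Directories where genuine copies of core Windows binaries live.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# ctfmon.exe comes from the page's Run-key note; the other names are assumed
# additional look-alikes and can be extended.
MIMICKED_BINARIES = ("ctfmon.exe", "svchost.exe", "explorer.exe")


@dataclass
class Alert:
    technique: str   # ATT&CK ID where the page gives one, else a local label
    severity: str    # "high" or "medium"
    reason: str
    event: dict


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _executable_path(details: str) -> str:
    """Reduce a Run-key value such as '"C:\\x\\a.exe" /flag' to its path."""
    d = details.strip()
    if d.startswith('"'):
        return d[1:].split('"', 1)[0].lower()
    return d.split(" ", 1)[0].lower()


def check_event(ev: dict):
    """Return an Alert for one Sysmon-style event, or None if nothing matched."""
    eid = ev.get("EventID")
    if eid == 13:  # RegistryEvent: value set
        target = ev.get("TargetObject", "")
        if not RUN_KEY_RE.search(target):
            return None
        path = _executable_path(ev.get("Details", ""))
        looks_like_system_binary = any(path.endswith(n) for n in MIMICKED_BINARIES)
        if looks_like_system_binary and not path.startswith(SYSTEM_DIRS):
            return Alert("T1547.001", "high",
                         f"Run key points to look-alike of a Windows binary outside system dirs: {path}", ev)
        return Alert("T1547.001", "medium", f"Run key value set: {target}", ev)
    if eid == 11:  # FileCreate
        target = ev.get("TargetFilename", "")
        if STARTUP_FOLDER_RE.search(target):
            return Alert("T1547.001", "medium", f"File created in Startup folder: {target}", ev)
        return None
    if eid == 1:  # ProcessCreate
        parent = _basename(ev.get("ParentImage", ""))
        child = _basename(ev.get("Image", ""))
        if parent in OFFICE_PARENTS and child not in OFFICE_CHILD_ALLOWLIST:
            return Alert("office-child-process", "medium", f"{parent} spawned {child}", ev)
        return None
    return None


def run_detections(events):
    """Run every event through check_event and keep the alerts."""
    return [a for a in map(check_event, events) if a is not None]


# Constructed sample telemetry (not real logs); user names and paths are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": r"C:\Windows\splwow64.exe"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon",
     "Details": r"C:\Users\alice\AppData\Roaming\ctfmon.exe"},
    {"EventID": 13, "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 11, "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"},
    {"EventID": 13, "TargetObject": r"HKCU\Software\Contoso\Settings\Theme", "Details": "dark"},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe"},
]

if __name__ == "__main__":
    for a in run_detections(SAMPLE_EVENTS):
        print(a.severity.upper(), a.technique, a.reason)
```

Running it yields four alerts: one high-severity Run key (the ctfmon.exe look-alike in a user profile), one medium Run key (an ordinary installer-style value that still deserves triage context), one Startup folder file creation, and one Office child process, while the allowlisted splwow64.exe child, the unrelated registry write and the Explorer-spawned Notepad produce nothing. The high/medium split is where the command-line, user and timestamp context the page asks for should be attached before the alert reaches an analyst.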

Mitigation priorities

  • Harden Microsoft Office document handling and phishing defenses, including controls that reduce execution from malicious attachments where appropriate.
  • Prioritize Windows endpoint protection and behavior monitoring for persistence and collection techniques rather than relying only on known-malware signatures.
  • Restrict and monitor unnecessary access to webcams, microphones, and screen capture capabilities on sensitive workstations where business requirements allow.
  • Ensure least-privilege workstation configuration so persistence established in a user context has reduced operational reach.
  • Prepare IR playbooks for suspected credential capture, including password reset, session review, and authentication-log triage after host containment.

Analyst notes and limits

The supplied ATT&CK object identifies EvilGrab as Windows malware with common reconnaissance capabilities and states it was deployed by menuPass through malicious Microsoft Office documents in spearphishing campaigns. The strongest defensive value comes from the technique relationships, which point to collection and persistence behaviors that can be tested in a Windows endpoint monitoring program.

MITRE provides no official detection section for this malware object, no aliases, no labels, and no malware-level tactics. The relationship context supports technique-led defensive planning, but local telemetry, endpoint tooling, Office configuration, and identity architecture determine actual detection and response coverage. This summary does not assert current activity or customer exposure.

Official MITRE ATT&CK definition

EvilGrab

EvilGrab is a malware family with common reconnaissance capabilities. It has been deployed by menuPass via malicious Microsoft Office documents as part of spearphishing campaigns. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1056.001 | Keylogging (sub-technique) | EvilGrab has the capability to capture keystrokes. [1]
Enterprise | T1123 | Audio Capture | EvilGrab has the capability to capture audio from a victim machine. [1]
Enterprise | T1125 | Video Capture | EvilGrab has the capability to capture video from a victim machine. [1]
Enterprise | T1113 | Screen Capture | EvilGrab has the capability to capture screenshots. [1]
Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0045: menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: ec6167adafb992c3...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | ec6167adafb9…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] PWC Cloud Hopper Technical Annex April 2017: PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017.
  2. [2] mitre-attack S0152

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.