
S0156: KOMPROGO

KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management. [1]

Domain: Enterprise. ID: S0156. Type: Malware. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

KOMPROGO is a Windows backdoor described by MITRE as used by APT32 and capable of managing processes, files, and the registry. For leaders, the practical issue is not the malware name itself; it is whether Windows endpoints have enough control and evidence to detect post-compromise administration activity before it becomes broader operational disruption or data exposure.

Executive priority

Prioritize this as a Windows endpoint and incident-readiness validation item. The ATT&CK relationships point to command shell, WMI execution, and system information discovery, which are common administrative capabilities as well as attacker tradecraft. Executives should ask whether SOC teams can distinguish approved administration from suspicious remote or scripted activity, and whether IR teams can quickly scope process, file, and registry changes on affected Windows systems.

Technical view

SOC and IR teams should validate coverage around Windows process creation, cmd.exe activity, WMI use, registry modification, file operations, and host discovery commands or API-driven inventory collection. Because MITRE provides no official detection text for KOMPROGO, detection should be behavior-led and correlated against the related techniques T1047, T1059.003, and T1082 rather than relying on a malware signature alone. Treat the APT32 relationship as threat-intelligence context, not as automatic attribution.

Likely telemetry

  • Windows endpoint process creation and parent-child process telemetry
  • Command-line logging for Windows Command Shell activity
  • WMI operational and execution-related logs
  • Registry change auditing or EDR registry telemetry
  • File creation, modification, and deletion telemetry

Detection direction

  • Confirm that Windows endpoints generate searchable telemetry for cmd.exe, WMI, registry, file, and process activity.
  • Tune detections for unusual WMI or command shell execution patterns while accounting for legitimate systems administration tools.
  • Correlate discovery activity with process, file, or registry manipulation to reduce noise from benign inventory or management tasks.
  • Avoid depending only on malware names or hashes, because the supplied ATT&CK object does not provide detection logic or indicators.
  • Use the APT32 relationship to enrich triage, but require local evidence before making attribution judgments.
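As an added illustration (not code from the Glexia or MITRE page), the correlation idea above in Python over constructed Sysmon-style process-creation events: each event is tagged to T1047, T1059.003 or T1082, events whose parent is an approved administration agent (placeholder name sccm_agent.exe) are skipped, and an alert is raised only when discovery, WMI or shell activity and a registry or process management step share one parent process on one host inside a short time window.

```python
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation events for illustration only.
SAMPLE_EVENTS = [dict(zip(("ts", "host", "parent", "image", "cmdline"), row)) for row in [
    ("2024-01-10T09:00:05", "ws01", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
    ("2024-01-10T09:01:10", "ws01", "svchost.exe", "WmiPrvSE.exe", "WmiPrvSE.exe -Embedding"),
    ("2024-01-10T10:15:00", "ws02", "updater.exe", "cmd.exe", "cmd.exe /c systeminfo"),
    ("2024-01-10T10:15:20", "ws02", "updater.exe", "wmic.exe", "wmic os get caption"),
    ("2024-01-10T10:17:45", "ws02", "updater.exe", "reg.exe", "reg add HKCU\\Software\\Example /v cfg /d 1"),
    ("2024-01-10T11:00:00", "ws03", "sccm_agent.exe", "wmic.exe", "wmic computersystem get name"),
    ("2024-01-10T11:00:30", "ws03", "sccm_agent.exe", "reg.exe", "reg query HKLM\\SOFTWARE\\Policies"),
]]

# Parent processes treated as approved administration tooling (placeholder name).
APPROVED_ADMIN_PARENTS = frozenset({"sccm_agent.exe"})
WMI_IMAGES = {"wmic.exe", "wmiprvse.exe"}
MANIPULATION_IMAGES = {"reg.exe", "sc.exe", "taskkill.exe"}  # registry/process management

def tag_event(ev):
    """Map one process-creation event to the ATT&CK techniques it suggests."""
    image, cmd = ev["image"].lower(), ev["cmdline"].lower()
    tags = set()
    if image == "cmd.exe":
        tags.add("T1059.003")
    if image in WMI_IMAGES or cmd.startswith("wmic "):
        tags.add("T1047")
    if any(k in cmd for k in ("systeminfo", "hostname", "whoami", "ipconfig")):
        tags.add("T1082")
    if image in MANIPULATION_IMAGES:
        tags.add("manipulation")
    return tags

def correlate(events, window_minutes=10, allowed_parents=APPROVED_ADMIN_PARENTS):
    """Alert when discovery/WMI/shell activity and a manipulation step share one parent on one host."""
    window, seen, alerts = timedelta(minutes=window_minutes), [], []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["parent"].lower() in allowed_parents:
            continue  # approved administration tooling: suppressed, not alert-worthy here
        tags, ts = tag_event(ev), datetime.fromisoformat(ev["ts"])
        seen.append((ts, ev, tags))
        if "manipulation" not in tags:
            continue
        related = {t for pts, pev, ptags in seen if ts - pts <= window
                   and (pev["host"], pev["parent"]) == (ev["host"], ev["parent"])
                   for t in ptags - {"manipulation"}}
        if related:
            alerts.append({"host": ev["host"], "parent": ev["parent"],
                           "techniques": sorted(related), "anchor": ev["cmdline"]})
    return alerts
```

On the sample data only ws02 alerts; the interactive cmd.exe on ws01 and the approved agent on ws03 are suppressed, which is the noise reduction the list above describes.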

Mitigation priorities

  • Strengthen least-privilege controls for Windows administrative access and management interfaces.
  • Review who can use WMI and command shell capabilities remotely or at scale.
  • Ensure endpoint logging and retention are sufficient for incident scoping of process, file, and registry activity.
  • Use application control or execution control where appropriate to limit unauthorized tools and scripts.
  • Maintain IR procedures for rapid containment and forensic review of Windows hosts showing backdoor-like management behavior.

Analyst notes and limits

The supplied object identifies KOMPROGO as a signature backdoor used by APT32 and links it to WMI, Windows Command Shell, and System Information Discovery. The business value is in validating Windows endpoint visibility and administrative-control governance, especially because these behaviors can blend with legitimate IT operations.

MITRE provides no official detection guidance, no object-level tactics, no aliases, and only limited relationship context in the supplied data. This take does not assert active exploitation, current targeting, customer exposure, or guaranteed detection coverage. Local telemetry, baselines, and incident evidence are required for operational conclusions.

Official MITRE ATT&CK definition

KOMPROGO

KOMPROGO is a signature backdoor used by APT32 that is capable of process, file, and registry management. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1082 | System Information Discovery | KOMPROGO is capable of retrieving information about the infected system. [1]

Enterprise | T1047 | Windows Management Instrumentation | KOMPROGO is capable of running WMI queries. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique) | KOMPROGO is capable of creating a reverse shell. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0050: APT32

APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 504fbb892f501a7d...

Imported snapshots across ATT&CK releases (1)
Release 19.1, object version 1.1, status: current bundle, raw hash 504fbb892f50…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye APT32 May 2017: Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
  2. [2] KOMPROGO (Citation: FireEye APT32 May 2017)
  3. [3] mitre-attack S0156

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.