S0158: PHOREAL
Analyst context for executives and security teams
PHOREAL matters because it is a Windows backdoor associated in ATT&CK with APT32, a group described as targeting private sector organizations, governments, dissidents, and journalists with a Southeast Asia focus. Even though ATT&CK provides no dedicated detection text for this malware, the linked behaviors point to practical defensive questions: can the organization see suspicious command shell use, registry modification, and non-application-layer command-and-control traffic on Windows systems?
Executive priority
Treat PHOREAL as a coverage validation case rather than a standalone signature problem. Security leaders should ask whether Windows endpoint logging, network monitoring, and incident response playbooks can support investigation of backdoor activity tied to command execution, persistence or defense-impairment via registry changes, and unusual C2 protocols. For organizations with operations, partners, or exposure in Southeast Asia, the APT32 relationship may increase threat-intelligence relevance, but local risk should be based on business footprint and observed telemetry.
Technical view
ATT&CK lists PHOREAL as Windows malware and relates it to Windows Command Shell (T1059.003), Non-Application Layer Protocol (T1095), and Modify Registry (T1112). SOC and IR teams should validate visibility into cmd.exe process execution, parent-child process relationships, command-line arguments where available, registry key/value changes, and network sessions that do not align with expected application-layer behavior. Because no official PHOREAL detection guidance is supplied, detections should be behavior-led and correlated across endpoint and network evidence rather than relying only on malware names or static indicators.
Likely telemetry
- Windows process creation events, especially cmd.exe and unusual parent/child process chains
- Command-line argument logging where enabled and permitted
- Windows Registry modification telemetry, including key/value creation or alteration
- Endpoint detection and response alerts or host forensic artifacts related to backdoor behavior
- Network flow, firewall, proxy, IDS, or packet metadata showing unusual non-application-layer protocols or unexpected outbound communications
Detection direction
- Validate behavior-based analytics for suspicious Windows Command Shell execution, especially when launched by unexpected processes or followed by network activity.
- Tune registry modification detections around persistence- and defense-impairment-relevant locations while accounting for legitimate software installation, administration, and policy changes.
- Review network monitoring coverage for protocols and traffic patterns outside normal application-layer channels; confirm whether segmentation points actually log this traffic.
- Correlate endpoint command execution, registry changes, and unusual network sessions to reduce false positives and strengthen investigation confidence.
- Do not assume PHOREAL-specific coverage from generic malware signatures; ATT&CK does not provide official detection logic for this object.
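The correlation described above, as an added example (not ATT&CK or Glexia code): a Python sketch that joins process-creation events with network flow records so that cmd.exe launched by an unexpected parent (T1059.003) followed by ICMP to an external host (T1095, the C2 channel ATT&CK records for PHOREAL) is raised as one alert. The telemetry, field names and parent allow-list are constructed assumptions, not a product schema.

```python
# Added example, not ATT&CK or mirrored-page code: correlate Windows process-creation
# events with network flow records so that cmd.exe launched by an unexpected parent
# followed by ICMP to an external host from the same machine is raised as one alert.
# All records are constructed sample telemetry; field names are assumptions.
from datetime import datetime, timedelta
import ipaddress

# Parents from which cmd.exe is normally expected on this (hypothetical) estate.
EXPECTED_CMD_PARENTS = {"explorer.exe", "powershell.exe", "windowsterminal.exe"}
# RFC 1918 ranges treated as internal; ICMP staying inside these is ignored.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WINDOW = timedelta(minutes=5)

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def suspicious_shells(process_events):
    """cmd.exe whose parent is outside the allow-list (T1059.003 context)."""
    return [e for e in process_events
            if e["image"].lower() == "cmd.exe"
            and e["parent"].lower() not in EXPECTED_CMD_PARENTS]

def correlate(process_events, flows, window=WINDOW):
    """Return (host, shell_time, parent, dst) for each suspicious shell that is
    followed within `window` by ICMP from the same host to an external address."""
    hits = []
    for shell in suspicious_shells(process_events):
        t0 = datetime.fromisoformat(shell["time"])
        for f in flows:
            if f["host"] != shell["host"] or f["proto"] != "icmp" or is_internal(f["dst"]):
                continue
            if t0 <= datetime.fromisoformat(f["time"]) <= t0 + window:
                hits.append((shell["host"], shell["time"], shell["parent"], f["dst"]))
    return hits

# Constructed sample telemetry: ws01 is benign; ws02 shows the suspicious pairing.
PROCESS_EVENTS = [
    {"time": "2024-05-01T09:00:00", "host": "ws01", "image": "cmd.exe", "parent": "explorer.exe"},
    {"time": "2024-05-01T09:10:00", "host": "ws02", "image": "cmd.exe", "parent": "winword.exe"},
]
FLOWS = [
    {"time": "2024-05-01T09:00:30", "host": "ws01", "proto": "icmp", "dst": "203.0.113.7"},
    {"time": "2024-05-01T09:11:00", "host": "ws02", "proto": "icmp", "dst": "10.0.0.5"},
    {"time": "2024-05-01T09:12:00", "host": "ws02", "proto": "icmp", "dst": "203.0.113.7"},
    {"time": "2024-05-01T09:40:00", "host": "ws02", "proto": "icmp", "dst": "203.0.113.7"},
]

if __name__ == "__main__":
    for hit in correlate(PROCESS_EVENTS, FLOWS):
        print("ALERT cmd.exe + external ICMP:", hit)
```

Only the ws02 pairing survives: the ws01 shell has an expected parent, the internal ICMP is dropped, and the 09:40 flow falls outside the five-minute window.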
Mitigation priorities
- Prioritize strong Windows endpoint telemetry collection and retention for process, command-line, registry, and network activity.
- Restrict and monitor administrative privileges that can modify sensitive registry areas or execute commands at scale.
- Harden egress controls and network monitoring so unusual outbound protocols or destinations are reviewable, not invisible.
- Prepare incident response procedures for suspected backdoor activity, including host isolation, credential review, registry and process triage, and network scoping.
- Use the APT32 relationship as threat-intelligence context for prioritization where the organization’s geography, sector, or partners make that context relevant.
Analyst notes and limits
The supplied ATT&CK data identifies PHOREAL as a signature backdoor used by APT32 and provides relationships to three techniques: Windows Command Shell, Non-Application Layer Protocol, and Modify Registry. The strongest defensive value is to test whether existing controls can observe and correlate those behaviors on Windows systems.
Official ATT&CK detection guidance is not provided for PHOREAL, and the object has no listed tactics or aliases in the supplied fields. The relationship to APT32 is useful context but does not by itself establish current targeting, active exploitation, or exposure for any specific organization. Local environment telemetry and threat intelligence are required to assess risk and coverage.
PHOREAL
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | PHOREAL is capable of manipulating the Registry. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | PHOREAL is capable of creating a reverse shell. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | PHOREAL communicates via ICMP for C2. [1] |
Groups, software, and campaigns
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 2954865e31fa… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT32 May 2017: Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.
- [2] PHOREAL (Citation: FireEye APT32 May 2017)
- [3] mitre-attack S0158
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.