
S0162: Komplex

Komplex is a backdoor that has been used by APT28 on OS X and appears to be developed in a similar manner to XAgentOSX [1] [2].

Enterprise | S0162 | Malware | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Komplex is a macOS backdoor that ATT&CK associates with APT28. Its value for defenders is less about a single malware name and more about validating whether macOS endpoints are monitored for persistence, discovery, stealth, and web-based command-and-control behaviors that can otherwise blend into normal user activity.

Executive priority

Treat this as a macOS coverage question: are executive, developer, and privileged-user Macs included in endpoint logging, incident response playbooks, and network monitoring? Because ATT&CK provides no official detection guidance for Komplex, leaders should ask for evidence that controls cover the related behaviors: Launch Agent persistence, process and user discovery, hidden files, file deletion, and encrypted web-protocol C2.

Technical view

SOC and IR teams should validate macOS visibility around the related ATT&CK techniques: T1543.001 Launch Agent creation or modification, T1033 System Owner/User Discovery, T1057 Process Discovery, T1070.004 File Deletion, T1564.001 Hidden Files and Directories, T1071.001 Web Protocols, and T1573.001 Symmetric Cryptography. Since no official detection text is supplied, prioritize behavior-based detections and response triage rather than relying on malware-name alerts alone.

Likely telemetry

  • macOS endpoint process execution and parent-child process activity
  • File system events for LaunchAgents paths and property list changes
  • Creation, modification, hiding, or deletion of files and directories on macOS hosts
  • User and account discovery command activity
  • Process listing or process enumeration activity

Detection direction

  • Confirm macOS hosts are in scope for EDR, logging, retention, and IR collection; macOS is the only platform supplied for Komplex.
  • Tune for suspicious Launch Agent persistence, especially new or modified plist files outside expected software management workflows.
  • Correlate discovery behaviors with persistence and outbound web traffic rather than alerting on common administrative commands in isolation.
  • Review blind spots around hidden files, deleted artifacts, and limited macOS forensic retention, because related techniques include stealth and file deletion.
  • Use the APT28 relationship as threat-intelligence context only; do not treat it as proof of current activity without local evidence.

Mitigation priorities

  • Ensure managed macOS endpoints have centralized logging, endpoint protection, and response collection enabled.
  • Control and audit Launch Agent locations and changes as part of macOS hardening.
  • Restrict unnecessary user privileges and validate administrative tooling so legitimate process and user discovery can be distinguished from suspicious activity.
  • Maintain web egress monitoring and DNS/proxy logging for macOS systems, including privileged-user devices.
  • Preserve incident response procedures for collecting volatile process data, persistence artifacts, filesystem evidence, and network indicators before cleanup.

Analyst notes and limits

ATT&CK identifies Komplex as a backdoor used by APT28 on OS X/macOS and notes similarity in development to XAgentOSX. The strongest defensive value comes from the listed relationships to macOS persistence, discovery, stealth, and command-and-control techniques, not from ATT&CK-provided detection logic.

Official detection is not provided, tactics are not specified for the malware object, and aliases are not supplied. Local environment baselines, approved macOS management tools, and actual telemetry coverage are required before assessing exposure or detection confidence.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1070.004 | File Deletion (sub-technique) | The Komplex trojan supports file deletion. [2]
Enterprise | T1033 | System Owner/User Discovery | The OsInfo function in Komplex collects the current running username. [2]
Enterprise | T1057 | Process Discovery | The OsInfo function in Komplex collects a running process list. [2]
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | The Komplex C2 channel uses an 11-byte XOR algorithm to hide data. [2]
Enterprise | T1071.001 | Web Protocols (sub-technique) | The Komplex C2 channel uses HTTP POST requests. [2]
Enterprise | T1543.001 | Launch Agent (sub-technique) | The Komplex trojan creates a persistent launch agent at $HOME/Library/LaunchAgents/com.apple.updates.plist and loads it with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist. [2]
Enterprise | T1564.001 | Hidden Files and Directories (sub-technique) | The Komplex payload is stored in a hidden directory at /Users/Shared/.local/kextd. [2]
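As an added example (not code from the page, from ATT&CK or from the Komplex report), the Python below scores constructed macOS telemetry against the persistence, stealth and discovery behaviours listed in the relationship rows above and in the Detection direction bullets, correlating per host rather than alerting on single commands; the event tuple format, host names and sample events are assumptions.

```python
import re
from collections import defaultdict

# Indicator values come from the ATT&CK relationship rows on this page.
KOMPLEX_PLIST = "Library/LaunchAgents/com.apple.updates.plist"  # T1543.001
KOMPLEX_HIDDEN_DIR = "/Users/Shared/.local/kextd"              # T1564.001
HIDDEN_COMPONENT = re.compile(r"/\.[^/]+")  # any dot-prefixed path component
DISCOVERY_CMDS = {"ps", "whoami", "id"}     # T1057 / T1033 style commands

# Constructed sample events, not real logs: (host, event_type, detail).
SAMPLE_EVENTS = [
    ("mac-exec-01", "file_create", "/Users/alice/Library/LaunchAgents/com.apple.updates.plist"),
    ("mac-exec-01", "process_exec", "launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist"),
    ("mac-exec-01", "file_create", "/Users/Shared/.local/kextd"),
    ("mac-exec-01", "process_exec", "ps aux"),
    ("mac-dev-07", "process_exec", "launchctl load -w ~/Library/LaunchAgents/com.vendor.agent.plist"),
    ("mac-dev-07", "file_create", "/Users/bob/.ssh/config"),
]

def classify(event_type, detail):
    """Return the set of behaviour tags one event matches (empty if none)."""
    tags = set()
    if KOMPLEX_PLIST in detail:
        tags.add("komplex_plist")       # exact Launch Agent name from the Komplex report
    if event_type == "process_exec" and detail.startswith("launchctl load") and "LaunchAgents" in detail:
        tags.add("launchagent_load")    # generic Launch Agent persistence
    if detail.startswith(KOMPLEX_HIDDEN_DIR):
        tags.add("komplex_hidden_dir")  # exact hidden payload directory
    elif HIDDEN_COMPONENT.search(detail):
        tags.add("hidden_path")         # any hidden file or directory
    if event_type == "process_exec" and (detail.split() or [""])[0] in DISCOVERY_CMDS:
        tags.add("discovery")
    return tags

def score_hosts(events):
    """Aggregate tags per host and assign a verdict, so isolated admin commands stay LOW."""
    per_host = defaultdict(set)
    for host, event_type, detail in events:
        per_host[host] |= classify(event_type, detail)
    verdicts = {}
    for host, tags in per_host.items():
        if {"komplex_plist", "komplex_hidden_dir"} & tags:
            verdicts[host] = "HIGH: known Komplex artifact observed"
        elif {"launchagent_load", "hidden_path", "discovery"} <= tags:
            verdicts[host] = "MEDIUM: persistence, stealth and discovery on one host"
        else:
            verdicts[host] = "LOW: isolated or expected activity"
    return verdicts
```

Feeding real EDR or unified-log events into the same tuple shape lets the MEDIUM tier surface the behaviour chain on hosts where the exact Komplex paths have been changed.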

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 0bab7cff0bd4ffc8...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 0bab7cff0bd4…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] XAgentOSX 2017: Robert Falcone. (2017, February 14). XAgentOSX: Sofacy's Xagent macOS Tool. Retrieved July 12, 2017.
  [2] Sofacy Komplex Trojan: Dani Creus, Tyler Halfpop, Robert Falcone. (2016, September 26). Sofacy's 'Komplex' OS X Trojan. Retrieved July 8, 2017.
  [3] mitre-attack S0162.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.