S0167: Matryoshka
Matryoshka is a malware framework used by CopyKittens that consists of a dropper, loader, and RAT. It has multiple versions; v1 was seen in the wild from July 2016 until January 2017. v2 has fewer commands and other minor differences. [1] [2]
Analyst context for executives and security teams
Matryoshka matters because ATT&CK describes it as a Windows malware framework with a dropper, loader, and RAT components, not a single-purpose tool. That means defenders should think beyond file detection: the related behaviors point to persistence, stealthy execution, credential collection, keylogging, screen capture, command execution, and DNS-based command-and-control. For leaders, the practical question is whether Windows endpoint, identity, and network monitoring can reconstruct a multi-stage intrusion rather than only alert on a known malware name.
Executive priority
Prioritize this as a readiness and evidence question: can the organization prove it monitors Windows persistence, suspicious rundll32/DLL activity, credential access, user activity collection, and abnormal DNS communications well enough to support incident response decisions? Because the official ATT&CK object has no provided detection guidance and the malware was reported in historical references, budget decisions should focus on durable behavior-based controls and telemetry validation rather than Matryoshka-specific signatures alone.
Technical view
For SOC, detection engineering, and IR teams, validate coverage against the ATT&CK relationships: T1027 Obfuscated Files or Information, T1053.005 Scheduled Task, T1055.001 DLL Injection, T1056.001 Keylogging, T1059 Command and Scripting Interpreter, T1071.004 DNS, T1113 Screen Capture, T1218.011 Rundll32, T1547.001 Registry Run Keys/Startup Folder, and T1555 Credentials from Password Stores. The object platform is Windows, so endpoint visibility should be the primary validation point, with DNS telemetry used to assess possible command-and-control behavior. Treat rundll32, scheduled tasks, run keys, credential-store access, and script execution as correlated signals rather than isolated alerts.
Likely telemetry
- Windows process creation and command-line telemetry, especially rundll32.exe and script or command interpreter use
- Windows scheduled task creation, modification, and execution records
- Registry autorun key and startup folder change telemetry
- Endpoint file metadata and content inspection for packed, encrypted, encoded, or otherwise obfuscated files
- Process injection or suspicious cross-process memory activity telemetry where available
Detection direction
- Build behavior-based detections around the related techniques rather than relying on the malware name Matryoshka, since ATT&CK provides no official detection text for this object.
- Correlate persistence events, such as scheduled tasks or run keys, with unusual process execution, rundll32 activity, or newly dropped files to reduce false positives from legitimate administration.
- Review DNS monitoring for unusual client behavior, rare domains, suspicious query patterns, or DNS traffic from hosts that also show endpoint persistence or credential-access signals.
- Tune command and scripting interpreter detections carefully because administrative scripts are common; raise priority when paired with obfuscated payloads, autoruns, credential-store access, screen capture, or keylogging indicators.
- Validate whether EDR or endpoint logging can expose DLL injection-style behavior; many environments have weaker visibility here than for simple process starts.
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoint, process, registry, scheduled task, and DNS logs are collected, retained, and usable for investigations.
- Harden persistence surfaces by controlling and monitoring scheduled task creation, registry autorun locations, startup folders, and execution through rundll32 where feasible.
- Apply least privilege and application control principles to reduce unauthorized loaders, DLL execution, and script abuse without assuming a vendor-specific control.
- Protect credentials by reducing local credential exposure, monitoring access to password stores, and ensuring credential rotation procedures are ready for suspected compromise.
- Ensure IR playbooks cover multi-stage malware frameworks: initial dropper/loader triage, persistence removal, credential exposure assessment, DNS/network scoping, and endpoint containment.
Analyst notes and limits
ATT&CK identifies Matryoshka as a malware framework used by CopyKittens and cites ClearSky/Trend Micro and Minerva Labs/ClearSky reporting. The most useful defensive value in the supplied data comes from the mapped behaviors, especially Windows persistence, stealthy execution, credential access, collection, and DNS command-and-control. Because no official detection text is provided, local detection content should be validated against the related ATT&CK techniques and the organization’s actual Windows and DNS telemetry.
This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. The object lists Windows as the platform and does not specify tactics directly. It does not provide official detection logic, indicators, active exploitation status, current campaign activity, or environment-specific prevalence. Any assessment of exposure or detection coverage requires local telemetry and control validation.
Matryoshka
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1056.001 | Keylogging (sub-technique) | Matryoshka is capable of keylogging. [1] [2] |
| Enterprise | T1059 | Command and Scripting Interpreter | Matryoshka is capable of providing Meterpreter shell access. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Matryoshka can establish persistence by adding Registry Run keys. [1] [2] |
| Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT. [2] |
| Enterprise | T1555 | Credentials from Password Stores | Matryoshka is capable of stealing Outlook passwords. [1] [2] |
| Enterprise | T1027 | Obfuscated Files or Information | Matryoshka obfuscates API function names using a substitute cipher combined with Base64 encoding. [2] |
| Enterprise | T1113 | Screen Capture | Matryoshka is capable of performing screen captures. [1] [2] |
| Enterprise | T1071.004 | DNS (sub-technique) | Matryoshka uses DNS for C2. [1] [2] |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism. [2] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | Matryoshka can establish persistence by adding a Scheduled Task named "Microsoft Boost Kernel Optimization". [1] [2] |
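The detection direction above (correlating persistence events with rundll32 activity and DNS patterns) and the procedure details in the table can be turned into a small correlation rule. The block below is an added example written for this page, not code from ATT&CK, Glexia, or any vendor; the event shape and sample events are constructed, and the thresholds (four distinct subdomains, two technique signals) are assumptions to tune locally.

```python
import re
from collections import defaultdict

# Constructed sample events (not real telemetry); the shape loosely follows Sysmon-style logs.
EVENTS = [
    {"host": "ws01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "value": r"rundll32.exe C:\Users\alice\AppData\Roaming\upd.dll,Start"},
    {"host": "ws01", "type": "task_create", "name": "Microsoft Boost Kernel Optimization"},
    {"host": "ws02", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": r"C:\Users\bob\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
] + [  # many distinct subdomains of one parent domain from ws01 (constructed C2-like pattern)
    {"host": "ws01", "type": "dns_query", "query": f"{i:04x}{'a' * 24}.example-c2.test"}
    for i in range(5)
]

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.IGNORECASE)
TASK_NAME = "microsoft boost kernel optimization"  # task name from the ATT&CK relationship text

def event_signals(event):
    """Map one endpoint event to the ATT&CK techniques it suggests (empty set if none)."""
    out = set()
    if event["type"] == "registry_set" and RUN_KEY_RE.search(event["key"]):
        out.add("T1547.001")
        if "rundll32" in event["value"].lower():  # Run key value that launches rundll32.exe
            out.add("T1218.011")
    elif event["type"] == "task_create" and event["name"].strip().lower() == TASK_NAME:
        out.add("T1053.005")
    return out

def dns_signals(events, min_subdomains=4):
    """Flag T1071.004 per host when many distinct subdomains of one parent domain are queried."""
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["type"] == "dns_query":
            labels = e["query"].lower().rstrip(".").split(".")
            seen[e["host"]][".".join(labels[-2:])].add(e["query"])
    return {h: {"T1071.004"} for h, doms in seen.items()
            if any(len(q) >= min_subdomains for q in doms.values())}

def correlate(events, min_signals=2):
    """Return hosts whose distinct technique signals meet the threshold, techniques sorted."""
    by_host = defaultdict(set)
    for e in events:
        by_host[e["host"]] |= event_signals(e)
    for h, s in dns_signals(events).items():
        by_host[h] |= s
    return {h: sorted(s) for h, s in by_host.items() if len(s) >= min_signals}
```

Running `correlate(EVENTS)` reports only ws01; ws02's single benign Run key stays below the threshold, which is the false-positive control the detection direction calls for.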
Groups, software, and campaigns
G0052: CopyKittens
CopyKittens is an Iranian cyber espionage group that has been operating since at least 2013. It has targeted countries including Israel, Saudi Arabia, Turkey, the U.S., Jordan, and Germany. The group is responsible for the campaign known as Operation Wilted Tulip.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 05ec7c49a5d6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ClearSky Wilted Tulip July 2017: ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017.
- [2] CopyKittens Nov 2015: Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved November 17, 2024.
- [3] Matryoshka (alias entry; citation: ClearSky Wilted Tulip July 2017)
- [4] mitre-attack S0167 (MITRE ATT&CK source object)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.