MITRE ATT&CK® Malware

S0171: Felismus

Felismus is a modular backdoor that has been used by Sowbug. [1] [2]

Enterprise | S0171 | Malware | Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Felismus is a Windows modular backdoor documented by ATT&CK and reported as used by Sowbug. Its ATT&CK relationships show behaviors that matter to defenders after initial compromise: discovering users, system and network details, checking for security software, executing through Windows command shell, transferring tools, and communicating over web protocols with encoding/encryption. For leaders, the value is less about the malware name itself and more about whether the organization can see and respond to backdoor-style discovery and command-and-control activity before it enables broader intrusion activity.

Executive priority

Treat Felismus as a validation case for endpoint, network, and incident response readiness on Windows systems. Because ATT&CK provides no official detection text for this object, security leaders should ask whether coverage is behavior-based rather than dependent on a specific malware signature. Priority questions: can the SOC identify suspicious Windows command shell use, system/security-tool discovery, unusual inbound tool transfer, and web-based command-and-control patterns; can IR teams quickly scope affected users and hosts; and can compliance evidence demonstrate logging and monitoring for these behaviors?

Technical view

For SOC and detection engineering, build validation around the related ATT&CK behaviors rather than the malware label alone. On Windows endpoints, confirm visibility into command shell execution, parent/child process context, command-line arguments, user context, file creation or download activity, and discovery commands for user, system, network, and security software information. On the network side, review web protocol traffic for unusual destinations, encoded content patterns, encrypted C2-like sessions, and file transfer into the environment. The relationship to Sowbug is supplied by ATT&CK, but local detections should not rely on attribution; they should focus on observable behavior.
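The network-side review described above, as an added example that is not MITRE's, Glexia's, or code from the Felismus analyses: Python that groups proxy-log requests by source and destination, measures how periodic the POST timing is, and checks whether POST bodies are canonical Base64 wrapping high-entropy bytes, which is what Base64-encoded AES ciphertext looks like on the wire. The log line format, the field names, the thresholds (`max_cv`, `min_entropy`), the destination names and all sample traffic are constructed assumptions; a real deployment needs endpoint correlation before any of this becomes an alert, since CDNs and telemetry agents also post opaque blobs on a timer.

```python
"""Score proxy-log sessions for beacon-like timing plus Base64-wrapped,
high-entropy POST bodies (T1071.001 / T1132.001 / T1573.001 context).
Added example; log format, thresholds and sample traffic are constructed."""
import base64
import binascii
import hashlib
import math
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Canonical Base64 alphabet with optional padding; checked before decoding.
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Assumed proxy-log line shape: ts src=... dst=... method=... body=...
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"method=(?P<method>\S+) body=(?P<body>\S*)$"
)


def decode_b64(s):
    """Return decoded bytes when s is strict Base64, else None."""
    if not s or len(s) % 4 or not B64_RE.match(s):
        return None
    try:
        return base64.b64decode(s, validate=True)
    except binascii.Error:
        return None


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for ciphertext, well under 6 for text."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def timing_regularity(timestamps):
    """Coefficient of variation of inter-request gaps (0 = perfectly periodic).
    Returns None with fewer than three requests."""
    if len(timestamps) < 3:
        return None
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return None if mean <= 0 else statistics.pstdev(gaps) / mean


def score_sessions(lines, max_cv=0.1, min_entropy=7.0):
    """Flag (src, dst) pairs whose POSTs are both periodic and opaque."""
    sessions = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        sessions[(m["src"], m["dst"])].append((ts, m["method"], m["body"]))

    findings = []
    for (src, dst), reqs in sessions.items():
        posts = [r for r in reqs if r[1] == "POST"]
        cv = timing_regularity([r[0] for r in posts])
        entropies = [shannon_entropy(raw) for raw in map(decode_b64, (r[2] for r in posts))
                     if raw is not None]
        if cv is None or not entropies:
            continue
        avg = statistics.mean(entropies)
        if cv <= max_cv and avg >= min_entropy:
            findings.append({"src": src, "dst": dst, "posts": len(posts),
                             "cv": round(cv, 3), "entropy": round(avg, 2)})
    return findings


def _opaque_blob(i):
    """Stand-in for ciphertext: a chained SHA-256 stream is deterministic yet
    statistically indistinguishable from random bytes for this check."""
    seed, out = b"sample-%d" % i, b""
    for _ in range(32):
        seed = hashlib.sha256(seed).digest()
        out += seed
    return base64.b64encode(out).decode()


def build_sample_log():
    """Constructed traffic: one beaconing host, one host doing normal form posts."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    lines = []
    for i, jitter in enumerate([0, 2, -1, 3, 0, -2]):  # ~60 s beacon, small jitter
        t = base + timedelta(seconds=60 * i + jitter)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.5 dst=cdn-update.example "
                     f"method=POST body={_opaque_blob(i)}")
    form = base64.b64encode(b"user=jdoe&action=save&page=home&note=weekly+status").decode()
    for offset in [0, 17, 95, 400, 1300]:  # irregular, human-driven
        t = base + timedelta(seconds=offset)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} src=10.0.0.7 dst=intranet.example "
                     f"method=POST body={form}")
    return lines


if __name__ == "__main__":
    for finding in score_sessions(build_sample_log()):
        print(finding)
```

Only the beaconing pair is returned: the intranet form posts decode as Base64 but carry readable text (low entropy) and arrive at irregular intervals. Both signals are needed on purpose; either one alone fires on far too much legitimate HTTPS and application traffic.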

Likely telemetry

  • Windows endpoint process execution events, including cmd.exe and parent/child process relationships
  • Command-line logging for discovery activity related to users, host information, network configuration, and security software
  • Endpoint file creation, modification, and downloaded/transferred tool evidence
  • Network proxy, web gateway, DNS, and firewall logs for outbound web protocol communications
  • EDR or host telemetry showing suspicious binaries that use legitimate-looking names or run from legitimate-looking locations

Detection direction

  • Validate behavior-based detections for T1059.003 Windows Command Shell execution, especially when paired with discovery or file-transfer activity.
  • Correlate T1016, T1033, T1082, and T1518.001-style discovery behaviors occurring close together on the same Windows host or user session.
  • Review detections for T1036.005-like masquerading, including executables or resources using legitimate-looking names or locations; tune carefully to avoid broad false positives from normal software installations.
  • Monitor for T1071.001 web protocol communications and T1132.001/T1573.001-style encoded or encrypted C2 patterns, recognizing that normal HTTPS and encoded application traffic can create false positives without endpoint correlation.
  • Look for T1105 ingress tool transfer indicators such as unexpected file downloads followed by execution or discovery commands.
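One way to implement the first two bullets (T1059.003 paired with T1016, T1033, T1082 and T1518.001 discovery) together with the masquerading context from the third, as an added example that is not MITRE's, Glexia's, or Felismus-specific code: Python that parses constructed Sysmon-style process-creation lines, maps command lines to the discovery techniques in the relationship table, and alerts when one host/user session runs three or more distinct discovery techniques through cmd.exe within five minutes, listing any parent executable that runs from outside the usual Windows install directories. The log line shape, the command-to-technique mapping, the window, the threshold, the hypothetical parent name `AdobeCMS.exe` and all sample events are assumptions.

```python
"""Correlate cmd.exe-driven discovery per Windows host/user session and note
parents running from unexpected locations. Added example; the log shape,
command-to-technique mapping, window and threshold are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Built-in commands approximating the discovery techniques in the
# relationship table. The mapping is an assumption, not ATT&CK's.
DISCOVERY_PATTERNS = {
    "T1033": re.compile(r"\b(whoami|query\s+user)\b", re.I),
    "T1082": re.compile(r"\b(systeminfo|hostname)\b", re.I),
    "T1016": re.compile(r"\b(ipconfig|netstat|route\s+print)\b", re.I),
    "T1518.001": re.compile(r"\b(tasklist|wmic\s+process)\b", re.I),
}

# Parents under these prefixes are treated as expected install locations;
# anything else is a weak T1036.005 signal worth showing the analyst.
EXPECTED_PARENT_PREFIXES = (
    "c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\",
)

# Assumed Sysmon-style process-creation line.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) parent=(?P<parent>\S+) '
    r'image=(?P<image>\S+) cmdline="(?P<cmdline>[^"]*)"$'
)

WINDOW = timedelta(minutes=5)
MIN_TECHNIQUES = 3


def parse_event(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def classify(cmdline):
    """Set of technique IDs whose pattern matches the command line."""
    return {tid for tid, rx in DISCOVERY_PATTERNS.items() if rx.search(cmdline)}


def via_cmd_shell(ev):
    """True when cmd.exe is the process or its parent (T1059.003 context)."""
    return any(p.lower().endswith("\\cmd.exe") for p in (ev["image"], ev["parent"]))


def correlate(lines, window=WINDOW, min_techniques=MIN_TECHNIQUES):
    """One alert per (host, user) session that runs >= min_techniques distinct
    discovery techniques through cmd.exe inside `window`."""
    sessions = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev is None or not via_cmd_shell(ev):
            continue
        techs = classify(ev["cmdline"])
        if techs:
            sessions[(ev["host"], ev["user"])].append((ev, techs))

    alerts = []
    for (host, user), evs in sessions.items():
        evs.sort(key=lambda e: e[0]["ts"])
        for i, (first, _) in enumerate(evs):
            seen, parents = set(), set()
            for ev, techs in evs[i:]:
                if ev["ts"] - first["ts"] > window:
                    break
                seen |= techs
                parents.add(ev["parent"])
            if len(seen) >= min_techniques:
                odd = sorted(p for p in parents
                             if not p.lower().startswith(EXPECTED_PARENT_PREFIXES))
                alerts.append({"host": host, "user": user, "start": first["ts"],
                               "techniques": sorted(seen), "unexpected_parents": odd})
                break  # first qualifying window per session is enough for triage
    return alerts


# Constructed events. WS01: a burst of discovery from cmd.exe whose parent
# (hypothetical AdobeCMS.exe) runs out of ProgramData. WS02: an admin running
# the same tools hours apart, which should not alert at the default threshold.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z host=WS01 user=CORP\\jdoe parent=C:\\ProgramData\\Adobe\\AdobeCMS.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c whoami"
2024-05-01T10:00:07Z host=WS01 user=CORP\\jdoe parent=C:\\ProgramData\\Adobe\\AdobeCMS.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c systeminfo"
2024-05-01T10:00:15Z host=WS01 user=CORP\\jdoe parent=C:\\ProgramData\\Adobe\\AdobeCMS.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c ipconfig /all"
2024-05-01T10:00:22Z host=WS01 user=CORP\\jdoe parent=C:\\ProgramData\\Adobe\\AdobeCMS.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c tasklist /v"
2024-05-01T09:00:00Z host=WS02 user=CORP\\admin parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c ipconfig /all"
2024-05-01T11:30:00Z host=WS02 user=CORP\\admin parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c systeminfo"
2024-05-01T11:31:00Z host=WS02 user=CORP\\admin parent=C:\\Windows\\explorer.exe image=C:\\Windows\\System32\\cmd.exe cmdline="cmd.exe /c whoami"
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

The threshold is the tuning knob: lowering `min_techniques` to 2 also catches the admin session on WS02, which is exactly the false-positive trade-off the bullets above warn about. Keeping the parent image in the alert lets an analyst see at a glance that the WS01 shell was spawned from ProgramData rather than from a signed, installed application.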

Mitigation priorities

  • Prioritize reliable Windows endpoint logging and EDR coverage for process, command-line, file, and user-context telemetry.
  • Restrict and monitor unnecessary command shell use where operationally feasible, especially on sensitive systems.
  • Harden egress controls and web proxy monitoring so unusual outbound web communications and file transfers can be investigated.
  • Maintain application control or allowlisting policies where appropriate to reduce execution of unapproved tools and masqueraded binaries.
  • Monitor security tools both for tampering and for enumeration of their processes (process listings filtered for anti-virus vendor names), since the related techniques include Security Software Discovery (T1518.001).

Analyst notes and limits

ATT&CK identifies Felismus as a modular backdoor used by Sowbug and provides relationships to discovery, execution, command-and-control, ingress transfer, encoding/encryption, and masquerading techniques. The strongest defensive use is as a behavioral coverage checklist for Windows backdoor activity rather than a narrow malware-family alert.

The supplied ATT&CK object has no official detection text, no aliases, no labels, and no object-level tactics. Related techniques include platform mappings broader than the Felismus object; this take treats Windows as the supported malware platform and uses technique relationships only for behavioral context. Local telemetry, baselines, and environment architecture are required to determine actual exposure or coverage.

Official MITRE ATT&CK definition

Felismus

Felismus is a modular backdoor that has been used by Sowbug. [1] [2]

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (10 rows)

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
Felismus has masqueraded as legitimate Adobe Content Management System files. [3]

Enterprise | T1033 | System Owner/User Discovery
Felismus collects the current username and sends it to the C2 server. [2]

Enterprise | T1071.001 | Web Protocols (sub-technique)
Felismus uses HTTP for C2. [2]

Enterprise | T1518.001 | Security Software Discovery (sub-technique)
Felismus checks for processes associated with anti-virus vendors. [2]

Enterprise | T1082 | System Information Discovery
Felismus collects system information, including hostname and OS version, and sends it to the C2 server. [2]

Enterprise | T1132.001 | Standard Encoding (sub-technique)
Some Felismus samples use a custom method for C2 traffic that utilizes Base64. [2]

Enterprise | T1016 | System Network Configuration Discovery
Felismus collects the victim LAN IP address and sends it to the C2 server. [2]

Enterprise | T1105 | Ingress Tool Transfer
Felismus can download files from remote servers. [2]

Enterprise | T1573.001 | Symmetric Cryptography (sub-technique)
Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys. [2]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
Felismus uses the command line for execution. [2]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0054: Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object version, MITRE modification timestamp and raw bundle hash. For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 89d6ab364d6a59d5...
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 1.1, current bundle, raw hash 89d6ab364d6a...)

Raw source

The raw object is retained through the mirrored ATT&CK source bundle and object hash; the raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Symantec Sowbug Nov 2017. Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
  [2] Forcepoint Felismus Mar 2017. Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
  [3] ATT Felismus. The ATT&CK software description for Felismus, which cites [1] and [2].
  [4] mitre-attack S0171. MITRE ATT&CK, S0171: Felismus (attack.mitre.org).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.