S0172: Reaver
Reaver is a malware family that has been in the wild since at least late 2016. Reporting indicates victims have primarily been associated with the "Five Poisons," which are movements the Chinese government considers dangerous. The type of malware is rare due to its final payload being in the form of Control Panel items.[1]
Analyst context for executives and security teams
Reaver matters because it is a Windows malware family whose ATT&CK relationships combine stealthy execution via Control Panel items with persistence, host discovery, collection preparation, cleanup, and command-and-control behaviors. For leaders, the practical question is not just whether a signature exists, but whether the organization can see uncommon Windows execution paths, persistence changes, and suspicious outbound communications early enough to support containment and evidence preservation.
Executive priority
Prioritize Reaver as a validation case for Windows endpoint visibility and incident response readiness. Its documented use of Control Panel item execution, registry and service-based persistence, discovery, file deletion, and C2-related techniques makes it useful for testing whether SOC, IR, and compliance teams can prove control coverage across prevention, logging, alert triage, and forensic retention. The supplied ATT&CK data does not support claims of current exposure or active exploitation.
Technical view
For SOC and detection teams, validate Windows telemetry around control.exe and .cpl execution, especially when paired with unusual child processes, encoded or encrypted files, registry queries, user/system/network discovery, service creation or modification, Run key or Startup Folder changes, shortcut modification, archive creation via custom methods, and file deletion. Network monitoring should account for both web-protocol C2 patterns and non-application-layer protocol use, while avoiding assumptions that traffic will be obviously malicious without host context.
Likely telemetry
- Windows process creation and command-line telemetry
- Control Panel item and control.exe execution events
- File creation, modification, deletion, and archive-related activity
- Registry query and registry modification events
- Windows service creation or modification logs
Detection direction
- Correlate Control Panel item execution with persistence changes, discovery activity, encoded or encrypted files, and outbound communications rather than relying on any single behavior.
- Tune for uncommon or unauthorized .cpl/control.exe usage, while allowing for legitimate administrative Control Panel activity.
- Monitor service, Run key, Startup Folder, and shortcut changes with attention to newly introduced or user-writable paths.
- Treat file deletion after payload execution or discovery as a possible anti-forensics signal, but validate against normal software install/update behavior.
- Use host-network correlation for web-protocol and non-application-layer communications because the ATT&CK object does not provide a specific detection analytic or indicator set.
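The correlation the Technical view and the bullets above call for, worked through in Python as an added example (this is not code from the Palo Alto report or from the ATT&CK object). It runs over a handful of constructed Sysmon-like events: one benign admin launch of a built-in .cpl, and one chain in which a .cpl from a user-writable path is followed on the same host by a Startup-folder shortcut, a new service key, an outbound TCP connection and deletion of the dropped file. The event schema, the 120-second window, the host names, paths and addresses are all assumptions made for the demo; map the field names onto your own telemetry before reuse.

```python
"""Correlate Control Panel item execution with follow-on persistence, C2 and
cleanup signals on the same host.

Added example for this page; not code from the Palo Alto report or the ATT&CK
object. The event schema (plain dicts), the 120-second window, the host names,
paths and addresses below are all constructed for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=120)  # assumed correlation window

# Constructed sample events in a simplified Sysmon-like shape (not real logs).
EVENTS = [
    # Benign: an admin opens a built-in applet; no follow-on activity.
    {"host": "WS01", "time": "2024-03-01T09:00:00", "type": "process",
     "image": r"C:\Windows\System32\control.exe",
     "cmdline": r"control.exe C:\Windows\System32\timedate.cpl"},
    # Suspicious: .cpl from a user-writable path, then Startup .lnk, new
    # service, outbound TCP and deletion of the dropped file.
    {"host": "WS02", "time": "2024-03-01T10:00:00", "type": "process",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL C:\Users\bob\AppData\Local\Temp\u.cpl"},
    {"host": "WS02", "time": "2024-03-01T10:00:04", "type": "file_create",
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\upd.lnk"},
    {"host": "WS02", "time": "2024-03-01T10:00:05", "type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\WinUpdSvc\ImagePath"},
    {"host": "WS02", "time": "2024-03-01T10:00:09", "type": "network_connect",
     "protocol": "tcp", "dst_ip": "203.0.113.7", "dst_port": 8443},
    {"host": "WS02", "time": "2024-03-01T10:00:10", "type": "file_delete",
     "path": r"C:\Users\bob\AppData\Local\Temp\u.cpl"},
]

USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run"  # also matches RunOnce
SERVICES_KEY = "\\currentcontrolset\\services\\"


def is_cpl_execution(ev):
    """T1218.002: control.exe given a .cpl, or rundll32 via shell32 Control_RunDLL."""
    if ev["type"] != "process":
        return False
    cmd, img = ev["cmdline"].lower(), ev["image"].lower()
    return ".cpl" in cmd and (img.endswith("\\control.exe") or "control_rundll" in cmd)


def classify_follow_on(ev):
    """Map a follow-on event to the signal it represents, or None if uninteresting."""
    t = ev["type"]
    if t == "file_create":
        p = ev["path"].lower()
        if STARTUP_DIR in p and p.endswith(".lnk"):
            return "startup_shortcut"          # T1547.001 / T1547.009
    elif t == "registry_set":
        k = ev["key"].lower()
        if RUN_KEY in k:
            return "run_key"                   # T1547.001
        if SERVICES_KEY in k:
            return "service"                   # T1543.003
    elif t == "network_connect":
        return "outbound_connection"           # T1071.001 or T1095; protocol-agnostic here
    elif t == "file_delete" and ev["path"].lower().endswith(".cpl"):
        return "dropped_cpl_deleted"           # T1070.004
    return None


def correlate(events, window=WINDOW):
    """Return one alert per CPL execution that is followed, on the same host and
    within `window`, by at least one persistence change and one further signal."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["time"])
        for trigger in filter(is_cpl_execution, evs):
            t0 = datetime.fromisoformat(trigger["time"])
            signals = set()
            if any(s in trigger["cmdline"].lower() for s in USER_WRITABLE):
                signals.add("cpl_from_user_writable_path")
            for ev in evs:
                if t0 <= datetime.fromisoformat(ev["time"]) <= t0 + window:
                    sig = classify_follow_on(ev)
                    if sig:
                        signals.add(sig)
            persistence = signals & {"startup_shortcut", "run_key", "service"}
            # A lone .cpl launch (the WS01 admin case) never alerts: the
            # chain, not the single behavior, is what we act on.
            if persistence and len(signals) >= 2:
                alerts.append({"host": host, "trigger_time": trigger["time"],
                               "signals": sorted(signals)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

The benign WS01 launch is recognised as Control Panel item execution but produces no alert, because nothing else happens on that host in the window; WS02 alerts on the chain. In a SIEM the same logic is a join on host within a time window, and the tuning knobs are the window length, the user-writable path list, and whether a built-in applet under System32 should count as a trigger at all.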
Mitigation priorities
- Ensure Windows endpoint logging captures process, registry, service, file, and persistence-point activity needed for investigation.
- Restrict unnecessary administrative privileges so persistence mechanisms such as services and startup locations are harder to modify.
- Harden and monitor common Windows persistence locations, including services, Run keys, Startup Folder entries, and shortcuts.
- Review whether Control Panel item execution is necessary in sensitive environments and apply policy restrictions where operationally feasible.
- Maintain egress monitoring and filtering that can identify unusual web and non-application-layer communications.
Analyst notes and limits
The official ATT&CK description highlights Reaver as a rare malware family because its final payload is in the form of Control Panel items. Relationship context shows a broader behavior cluster across discovery, stealth, persistence, collection preparation, and command-and-control. This makes Reaver useful as a purple-team or detection-engineering scenario for Windows tradecraft coverage.
MITRE does not provide official detection text for this object, and the supplied fields do not include specific indicators, hashes, infrastructure, campaigns, current activity, or guaranteed detection logic. Local baselines are required to distinguish legitimate Windows administration from suspicious behavior.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.009 | Boot or Logon Autostart Execution: Shortcut Modification | Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Reaver deletes the original dropped file from the victim.[1] |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[1] |
| Enterprise | T1027.013 | Obfuscated Files and Information: Encrypted/Encoded File | Reaver encrypts some of its files with XOR.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Some Reaver variants use raw TCP for C2.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Some Reaver variants use HTTP for C2.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | Reaver encrypts collected data with an incremental XOR key prior to exfiltration.[1] |
| Enterprise | T1218.002 | System Binary Proxy Execution: Control Panel | Reaver drops and executes a malicious CPL file as its payload.[1] |
| Enterprise | T1680 | Local Storage Discovery | Reaver collects the volume serial number from the victim.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Reaver collects the victim's username.[1] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Reaver installs itself as a new service.[1] |
| Enterprise | T1082 | System Information Discovery | Reaver collects system information from the victim, including CPU speed, computer name, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information.[1] |
| Enterprise | T1012 | Query Registry | Reaver queries the Registry to determine the correct Startup path to use for persistence.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Reaver collects the victim's IP address.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | e6a078436153… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto Reaver Nov 2017. Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017.
[2] mitre-attack S0172. MITRE ATT&CK source object for Reaver (S0172).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.