S0180: Volgmer
Analyst context for executives and security teams
Volgmer matters because it is a Windows backdoor Trojan associated in ATT&CK with covert access to compromised systems and historical targeting of government, financial, automotive, and media organizations. For leaders, the decision point is not just whether a malware name is blocked; it is whether Windows endpoint, registry, service, command-shell, discovery, file-transfer, and encrypted command-and-control behaviors would be visible and actionable during an intrusion.
Executive priority
Prioritize Volgmer as a resilience and incident-readiness use case for Windows environments where sensitive operations, regulated data, or executive-facing services depend on rapid containment. ATT&CK provides no official detection guidance for this object, so executives should ask for evidence that the SOC can detect the related behaviors: Windows service persistence, registry activity, host and network discovery, command-shell execution, tool transfer, file deletion, and encrypted C2. This is also useful for audit and compliance discussions because it tests whether controls are measured against observable behaviors rather than malware names alone.
Technical view
Volgmer is documented by ATT&CK as Windows malware and a backdoor Trojan, with relationships to discovery, execution, persistence, defense evasion, command-and-control, and stealth techniques. SOC and IR teams should validate coverage around Windows Command Shell, Native API-driven execution indicators, Windows service creation or modification, registry query and modification, process/service/network/file discovery, ingress tool transfer, file deletion, fileless or encoded storage, masqueraded services or tasks, and encrypted C2 patterns. ATT&CK also relates Volgmer to Lazarus Group use; treat that as threat-intelligence context, not proof of local attribution.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service creation, modification, display name, binary path, and startup configuration records
- Windows Registry query and modification telemetry
- File creation, deletion, rename, and directory enumeration events
- Network connection metadata from endpoints and network sensors
Detection direction
- Because ATT&CK provides no official detection text for Volgmer, validate behavior-based analytics mapped to the related techniques rather than relying on signature-only coverage.
- Tune for suspicious service creation or modification, especially services with misleading names, unusual binary paths, or registry-backed configuration changes.
- Correlate discovery bursts: process, service, registry, file, directory, system, and network enumeration occurring close together on a Windows host.
- Review command-shell activity that launches discovery utilities, modifies services or registry keys, deletes artifacts, or stages transferred tools.
- Look for outbound encrypted communications that are unusual for the host role, while accounting for normal encrypted enterprise traffic to reduce false positives.
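As an added illustration of the detection direction above (not code from this page, from Glexia or from ATT&CK), the following Python runs three of those checks over a small set of constructed Windows telemetry records: service installs whose display name is drawn from the hard-coded list the page cites for T1036.004, writes to a service's ServiceDLL registry value (the T1543.003 procedure), and bursts of distinct discovery utilities on one host within a short window. The event schema, host names, service name, paths, timestamps and the set of binaries treated as discovery utilities are all assumptions made for this example.

```python
from datetime import datetime, timedelta

# Display names the page cites for T1036.004 (Application, Background, Security, Windows).
MASQUERADE_DISPLAY_NAMES = {"application", "background", "security", "windows"}
# Which binaries count as discovery utilities is an assumption made for this example.
DISCOVERY_IMAGES = {"tasklist.exe", "sc.exe", "reg.exe", "ipconfig.exe",
                    "netstat.exe", "systeminfo.exe"}
# Registry value a service-hosted DLL is registered under (lower-cased for matching).
SERVICEDLL_SUFFIX = r"\parameters\servicedll"

# Constructed sample telemetry (not real events). Hosts, service name, paths and
# timestamps are invented; the record shape is an assumed normalised schema.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "ws01", "type": "service_install",
     "name": "fcwfz", "display": "Security",
     "path": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    {"ts": "2024-01-10T09:00:02", "host": "ws01", "type": "registry_set",
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\fcwfz\Parameters\ServiceDLL",
     "value": r"C:\Windows\System32\fcwfz.dll"},
    {"ts": "2024-01-10T09:00:10", "host": "ws01", "type": "process_create",
     "image": "tasklist.exe", "parent": "cmd.exe"},
    {"ts": "2024-01-10T09:00:12", "host": "ws01", "type": "process_create",
     "image": "sc.exe", "parent": "cmd.exe"},
    {"ts": "2024-01-10T09:00:15", "host": "ws01", "type": "process_create",
     "image": "reg.exe", "parent": "cmd.exe"},
    {"ts": "2024-01-10T09:00:20", "host": "ws01", "type": "process_create",
     "image": "ipconfig.exe", "parent": "cmd.exe"},
    # Second host: a legitimately named service and sparse discovery, no finding expected.
    {"ts": "2024-01-10T09:05:00", "host": "ws02", "type": "service_install",
     "name": "Spooler", "display": "Print Spooler",
     "path": r"C:\Windows\System32\spoolsv.exe"},
    {"ts": "2024-01-10T09:10:00", "host": "ws02", "type": "process_create",
     "image": "ipconfig.exe", "parent": "explorer.exe"},
    {"ts": "2024-01-10T09:20:00", "host": "ws02", "type": "process_create",
     "image": "tasklist.exe", "parent": "explorer.exe"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def masquerade_services(events):
    """T1036.004: flag new services whose display name is one of the generic strings."""
    findings = []
    for e in events:
        if e["type"] != "service_install":
            continue
        if e.get("display", "").strip().lower() in MASQUERADE_DISPLAY_NAMES:
            findings.append({"rule": "masquerade_service_name", "host": e["host"],
                             "ts": e["ts"], "service": e["name"], "display": e["display"]})
    return findings


def servicedll_overwrites(events):
    """T1543.003: flag any write to the ServiceDLL value under a service's Parameters key."""
    return [{"rule": "servicedll_overwrite", "host": e["host"], "ts": e["ts"],
             "key": e["key"], "value": e.get("value", "")}
            for e in events
            if e["type"] == "registry_set" and e["key"].lower().endswith(SERVICEDLL_SUFFIX)]


def discovery_bursts(events, window_seconds=60, min_distinct_tools=3):
    """Flag a host running >= min_distinct_tools different discovery utilities
    within window_seconds. One finding is emitted per burst, not per process."""
    by_host = {}
    for e in events:
        if e["type"] == "process_create" and e["image"].lower() in DISCOVERY_IMAGES:
            by_host.setdefault(e["host"], []).append(e)
    window = timedelta(seconds=window_seconds)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        reported_until = None
        for i, start in enumerate(evs):
            if reported_until is not None and _ts(start) < reported_until:
                continue  # already covered by a reported burst
            tools = {start["image"].lower()}
            for later in evs[i + 1:]:
                if _ts(later) - _ts(start) > window:
                    break
                tools.add(later["image"].lower())
            if len(tools) >= min_distinct_tools:
                findings.append({"rule": "discovery_burst", "host": host,
                                 "ts": start["ts"], "tools": sorted(tools)})
                reported_until = _ts(start) + window
    return findings


def analyze(events, window_seconds=60, min_distinct_tools=3):
    """Run all three checks and return findings ordered by host and time."""
    findings = (masquerade_services(events) + servicedll_overwrites(events)
                + discovery_bursts(events, window_seconds, min_distinct_tools))
    return sorted(findings, key=lambda f: (f["host"], f["ts"], f["rule"]))


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

The burst window and tool threshold are tuning knobs; in a real deployment the three findings on the same host within seconds are what should be correlated into one alert, and the service and registry checks need an allow-list for legitimate installers that register ServiceDLL values.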
Mitigation priorities
- Start with visibility: ensure Windows endpoints collect process, command-line, registry, service, file, and network telemetry needed to investigate the related ATT&CK behaviors.
- Harden persistence surfaces by monitoring and controlling Windows service creation/modification and privileged registry locations.
- Reduce spearphishing exposure where relevant, since ATT&CK notes suspected primary delivery by spearphishing, through user reporting, email security controls, and response playbooks.
- Apply least privilege so routine users cannot easily create services, modify sensitive registry keys, or install unauthorized tools.
- Prepare IR runbooks for backdoor containment: isolate affected Windows hosts, preserve volatile evidence where possible, review persistence points, and investigate outbound communications and transferred tools.
Analyst notes and limits
This take is based on ATT&CK S0180 Volgmer, external references from US-CERT and Symantec, and ATT&CK relationships showing associated techniques and Lazarus Group use. The most defensible defensive value is behavioral validation across Windows persistence, discovery, evasion, execution, and C2 rather than malware-name matching.
ATT&CK lists no official detection guidance and no tactics directly on the Volgmer malware object. The object platform is Windows, although some related techniques apply to additional platforms in ATT&CK generally. Local prioritization requires environment-specific evidence such as exposed business processes, Windows asset criticality, telemetry coverage, and current control performance.
Volgmer
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | Volgmer can list directories on a victim. (Citation: US-CERT Volgmer Nov 2017) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Volgmer installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings. (Citation: US-CERT Volgmer Nov 2017) (Citation: US-CERT Volgmer 2 Nov 2017) (Citation: Symantec Volgmer Aug 2014) |
| Enterprise | T1012 | Query Registry | Volgmer checks the system for certain Registry keys. (Citation: US-CERT Volgmer 2 Nov 2017) |
| Enterprise | T1082 | System Information Discovery | Volgmer can gather system information, the computer name, OS version, drive and serial information from the victim's machine. (Citation: US-CERT Volgmer Nov 2017) (Citation: US-CERT Volgmer 2 Nov 2017) (Citation: Symantec Volgmer Aug 2014) |
| Enterprise | T1106 | Native API | Volgmer executes payloads using the Windows API call CreateProcessW(). (Citation: US-CERT Volgmer 2 Nov 2017) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Volgmer uses a simple XOR cipher to encrypt traffic and files. (Citation: US-CERT Volgmer 2 Nov 2017) |
| Enterprise | T1007 | System Service Discovery | Volgmer queries the system to identify existing services. (Citation: US-CERT Volgmer Nov 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | Volgmer can download remote files and additional payloads to the victim's machine. (Citation: US-CERT Volgmer Nov 2017) (Citation: US-CERT Volgmer 2 Nov 2017) (Citation: Symantec Volgmer Aug 2014) |
| Enterprise | T1057 | Process Discovery | Volgmer can gather a list of processes. (Citation: Symantec Volgmer Aug 2014) |
| Enterprise | T1016 | System Network Configuration Discovery | Volgmer can gather the IP address from the victim's machine. (Citation: Symantec Volgmer Aug 2014) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Volgmer can execute commands on the victim's machine. (Citation: US-CERT Volgmer Nov 2017) (Citation: US-CERT Volgmer 2 Nov 2017) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Some Volgmer variants use SSL to encrypt C2 communications. (Citation: US-CERT Volgmer Nov 2017) |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | Volgmer stores an encoded configuration file in |
| Enterprise | T1112 | Modify Registry | Volgmer modifies the Registry to store an encoded configuration file in |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Some Volgmer variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service. (Citation: US-CERT Volgmer 2 Nov 2017) (Citation: Symantec Volgmer Aug 2014) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | A Volgmer variant is encoded using a simple XOR cipher. (Citation: US-CERT Volgmer 2 Nov 2017) |
| Enterprise | T1049 | System Network Connections Discovery | Volgmer can gather information about TCP connection state. (Citation: Symantec Volgmer Aug 2014) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Volgmer can delete files and itself after infection to avoid analysis. (Citation: US-CERT Volgmer 2 Nov 2017) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Volgmer deobfuscates its strings and APIs once it is executed. (Citation: US-CERT Volgmer 2 Nov 2017) |
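The table cites a simple XOR cipher for traffic and files (T1573.001, T1027.013) and an encoded configuration kept in the Registry (T1027.011, T1112). For incident responders who have carved such a blob from a host, the following is an added example (not code from this page, from ATT&CK or from the cited reports) of crib-based repeating-key XOR recovery: it assumes the analyst knows or can guess a short string that appears in the decoded data, slides that crib across the blob, keeps only key candidates that are self-consistent across the crib, and ranks them by how printable the full decode is. The config-like plaintext, the two-byte key and the crib are all constructed for the example; Volgmer's actual key and configuration layout are not described on this page.

```python
import string

# Printable ASCII as a set of byte values; used to score how text-like a decode looks.
PRINTABLE = set(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (1.0 for a clean text decode)."""
    return sum(b in PRINTABLE for b in data) / len(data) if data else 0.0


def recover_xor_key(blob: bytes, crib: bytes, max_key_len: int = 4):
    """Known-plaintext recovery of a repeating XOR key.

    For every key length and every offset where the crib could sit, derive the
    key bytes as blob ^ crib. An offset is kept only if each key position receives
    a single consistent value across the whole crib, which requires the crib to be
    longer than the key (longer keys therefore need longer cribs). Surviving
    candidates are ranked by the printability of the full decode, then by key
    length, so the shortest key that explains the data comes first.
    Returns a list of (key, offset, score), best candidate first.
    """
    candidates = []
    for klen in range(1, max_key_len + 1):
        if len(crib) <= klen:
            break  # a crib no longer than the key cannot prove consistency
        for off in range(len(blob) - len(crib) + 1):
            key = [None] * klen
            consistent = True
            for j, cb in enumerate(crib):
                pos = (off + j) % klen
                kb = blob[off + j] ^ cb
                if key[pos] is None:
                    key[pos] = kb
                elif key[pos] != kb:
                    consistent = False
                    break
            if consistent and None not in key:
                kbytes = bytes(key)
                candidates.append((kbytes, off, printable_ratio(xor_bytes(blob, kbytes))))
    candidates.sort(key=lambda c: (-c[2], len(c[0]), c[1]))
    return candidates


# Constructed sample: an invented config-style plaintext, an invented 2-byte key,
# and the blob an analyst would have carved. 203.0.113.10 is a documentation address.
SAMPLE_PLAINTEXT = b"id=ws01;c2=203.0.113.10:443;sleep=300;mode=1"
SAMPLE_KEY = b"\x4b\x9c"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, SAMPLE_KEY)
SAMPLE_CRIB = b"sleep=300;"  # a field name the analyst assumes is present


def decode_sample():
    """Recover the key from the constructed blob and return (key, offset, decoded)."""
    key, off, _score = recover_xor_key(SAMPLE_BLOB, SAMPLE_CRIB)[0]
    return key, off, xor_bytes(SAMPLE_BLOB, key)


if __name__ == "__main__":
    key, off, decoded = decode_sample()
    print(f"key={key.hex()} crib_offset={off} decoded={decoded!r}")
```

A crib that is too short, or one that also occurs in the key-length-many bytes before or after itself, produces spurious candidates; the printability ranking filters most of them, but an analyst should still eyeball the top few decodes rather than trust the first one blindly.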
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 354a87500bbc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] US-CERT Volgmer Nov 2017: US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- [2] Symantec Volgmer Aug 2014: Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
- [3] US-CERT Volgmer 2 Nov 2017: US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
- [4] Volgmer. (Citation: US-CERT Volgmer Nov 2017) (Citation: US-CERT Volgmer 2 Nov 2017) (Citation: Symantec Volgmer Aug 2014)
- [5] mitre-attack: S0180
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.