S0181: FALLCHILL
FALLCHILL is a RAT that has been used by Lazarus Group since at least 2016 to target the aerospace, telecommunications, and finance industries. It is usually dropped by other Lazarus Group malware or delivered when a victim unknowingly visits a compromised website. [1]
Analyst context for executives and security teams
FALLCHILL matters because it is a Windows remote access trojan associated in ATT&CK with Lazarus Group activity and historical targeting of aerospace, telecommunications, and finance. Its mapped behaviors point to a post-compromise tool used for command and control, discovery, persistence through Windows services, and evidence reduction. For leaders, the key question is not whether a specific signature exists, but whether the organization can recognize a Windows host that is quietly discovering the environment, maintaining service-based persistence, and communicating over disguised or encrypted channels.
Executive priority
Prioritize this as a resilience and incident-readiness issue for Windows estates, especially where business operations depend on high-value intellectual property, regulated financial activity, telecommunications infrastructure, or aerospace operations. Leadership should ask whether SOC teams have usable endpoint, Windows service, file-system, and network telemetry to reconstruct remote access activity, and whether incident responders can quickly determine scope when command-and-control traffic is intentionally made to resemble legitimate service traffic.
Technical view
ATT&CK does not provide a detection section for FALLCHILL, so defenders should validate coverage through the mapped behaviors: command-and-control using protocol or service impersonation and symmetric cryptography, discovery of system, network, file, directory, and local storage information, persistence or privilege escalation via Windows services, and stealth through file deletion and timestomping. On Windows, detection engineering should correlate suspicious service creation or modification, unusual discovery activity, file timestamp anomalies, deleted artifacts, and outbound traffic patterns that do not match expected application behavior.
Likely telemetry
- Windows event logs related to service creation, service modification, and service start behavior
- Endpoint process creation and command-line telemetry for system, network, file, directory, and storage discovery activity
- File-system metadata, including creation, modification, access times, and evidence of timestomping or suspicious file deletion
- Registry and service configuration data for Windows service persistence review
- Network connection metadata, proxy logs, DNS logs, and firewall logs for outbound command-and-control patterns
Detection direction
- Because official detection guidance is not provided, build detections around the related ATT&CK techniques rather than the malware name alone.
- Correlate Windows service creation or modification with unusual executable paths, recently written binaries, or service activity from unexpected parent processes.
- Tune discovery detections to separate normal administration from clustered host, network, directory, file, and storage enumeration that appears after suspicious execution.
- Review outbound traffic for applications or hosts using protocols in ways that do not match their normal role, while accounting for legitimate encrypted business traffic to reduce false positives.
- Use file metadata and forensic timelines to identify timestamp inconsistencies and suspicious deletion patterns, recognizing that timestomping may weaken simple time-based triage.
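One way to implement the service-creation correlation above, as an added example that is not part of the ATT&CK object or the Glexia analysis: it scores constructed sample records shaped like Windows System log EventID 7045 (service installed) against constructed file-create telemetry. The field names, the user-writable directory list, the expected-parent set and the 30-minute window are assumptions to tune locally.

```python
"""Correlate Windows service installs with recent file writes.
Added example (not ATT&CK or Glexia code); all records are constructed
samples and every field name and threshold below is an assumption."""
from datetime import datetime, timedelta

# Constructed sample service-install events (EventID 7045-like fields).
SERVICE_EVENTS = [
    {"time": "2024-03-01T09:00:00", "host": "WS01", "service": "WinDefendUpd",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe", "parent": "cmd.exe"},
    {"time": "2024-03-01T10:15:00", "host": "WS02", "service": "VendorAgent",
     "image": r"C:\Program Files\Vendor\agent.exe", "parent": "msiexec.exe"},
]
# Constructed sample file-create events for the same hosts.
FILE_EVENTS = [
    {"time": "2024-03-01T08:58:30", "host": "WS01",
     "path": r"C:\Users\jdoe\AppData\Local\Temp\svchost.exe"},
    {"time": "2024-02-10T12:00:00", "host": "WS02",
     "path": r"C:\Program Files\Vendor\agent.exe"},
]

# Assumed tuning: directories a service binary should rarely live in,
# parents that normally register services, and the "recently written" window.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
EXPECTED_PARENTS = {"services.exe", "msiexec.exe", "setup.exe"}
RECENT = timedelta(minutes=30)


def score_service_event(ev, file_events):
    """Return the list of reasons a single service install looks suspicious."""
    reasons = []
    image = ev["image"].lower()
    if any(d in image for d in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if ev["parent"].lower() not in EXPECTED_PARENTS:
        reasons.append("unexpected parent " + ev["parent"])
    installed = datetime.fromisoformat(ev["time"])
    for fe in file_events:
        # Same host, same binary, written shortly before the service appeared.
        if fe["host"] == ev["host"] and fe["path"].lower() == image:
            age = installed - datetime.fromisoformat(fe["time"])
            if timedelta(0) <= age <= RECENT:
                reasons.append("binary written %ds before install" % age.total_seconds())
    return reasons


def triage(service_events, file_events):
    """Map service name -> reasons for every install with at least one reason."""
    return {ev["service"]: r for ev in service_events
            if (r := score_service_event(ev, file_events))}
```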
Mitigation priorities
- Start with visibility: ensure Windows endpoint logging, service-change monitoring, process telemetry, file metadata retention, and network egress logging are available to SOC and IR teams.
- Harden Windows service creation and modification paths through least privilege, administrative control review, and monitoring of service configuration changes.
- Improve egress governance by restricting unnecessary outbound paths and reviewing whether high-value Windows systems should communicate directly to the internet.
- Prepare IR playbooks for remote access trojan investigations, including service persistence review, discovery-command review, network scoping, and forensic timeline analysis.
- Use the Lazarus Group relationship as threat-intelligence context for prioritization, but require local telemetry before making attribution or exposure conclusions.
Analyst notes and limits
The strongest decision value comes from the relationships: FALLCHILL is mapped to command-and-control, discovery, persistence, privilege-escalation, and stealth techniques. ATT&CK identifies Windows as the platform and states that the malware has been used by Lazarus Group since at least 2016, usually dropped by other Lazarus Group malware or delivered through visits to compromised websites. This take avoids asserting current exploitation or environment-specific exposure.
Official ATT&CK detection guidance is not provided for this object, and tactics are not specified directly on the malware object. The practical guidance therefore depends on the supplied technique relationships and must be validated against local Windows architecture, logging depth, network baselines, and incident response evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | FALLCHILL can search files on a victim. (Citation: US-CERT FALLCHILL Nov 2017) |
| Enterprise | T1070.006 | Timestomp Sub-technique | FALLCHILL can modify file or directory timestamps. (Citation: US-CERT FALLCHILL Nov 2017) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | FALLCHILL encrypts C2 data with RC4 encryption. (Citation: US-CERT FALLCHILL Nov 2017) (Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1070.004 | File Deletion Sub-technique | FALLCHILL can delete malware and associated artifacts from the victim. (Citation: US-CERT FALLCHILL Nov 2017) |
| Enterprise | T1082 | System Information Discovery | FALLCHILL can collect operating system (OS) version information, processor information, and system name from the victim. (Citation: US-CERT FALLCHILL Nov 2017) |
| Enterprise | T1016 | System Network Configuration Discovery | FALLCHILL collects MAC address and local IP address information from the victim. (Citation: US-CERT FALLCHILL Nov 2017) |
| Enterprise | T1680 | Local Storage Discovery | FALLCHILL can collect information about installed disks from the victim. (Citation: US-CERT FALLCHILL Nov 2017) |
| Enterprise | T1543.003 | Windows Service Sub-technique | FALLCHILL has been installed as a Windows service. (Citation: CISA AppleJeus Feb 2021) |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server. (Citation: US-CERT FALLCHILL Nov 2017) |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | fd26bc3f2bb5… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] US-CERT FALLCHILL Nov 2017. US-CERT. (2017, November 22). Alert (TA17-318A): HIDDEN COBRA – North Korean Remote Administration Tool: FALLCHILL. Retrieved December 7, 2017.
- [2] FALLCHILL (Citation: US-CERT FALLCHILL Nov 2017)
- [3] mitre-attack S0181
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.