Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0188: Starloader

Starloader is a loader component that has been observed loading Felismus and associated tools. [1]

EnterpriseS0188MalwareObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Starloader matters because it is described as a Windows loader component, not a standalone end-state capability. In practice, loader malware is often the point where an intrusion turns into follow-on tooling, so defenders should treat evidence of Starloader-like behavior as a potential staging signal for additional malware such as Felismus and associated tools referenced by ATT&CK.

Executive priority

Prioritize this as an incident-readiness and visibility question rather than a single-signature malware problem. Leaders should ask whether Windows endpoint telemetry, malware triage, and IR playbooks can identify suspicious loaders, renamed or misplaced resources, and decode/deobfuscation behavior quickly enough to determine whether additional tools were deployed. The ATT&CK record links Starloader to Sowbug reporting, but the supplied data does not support claims of current activity or exposure.

Technical view

For SOC and IR teams, validate coverage around Windows loader execution, file placement/naming anomalies, and decode/deobfuscation activity. ATT&CK provides no official detection text for Starloader, so detection should be built from the relationships: Starloader is reported to use Match Legitimate Resource Name or Location and Deobfuscate/Decode Files or Information, and it has been observed loading Felismus and associated tools. Investigations should pivot from any suspected loader artifact to child processes, dropped files, decoded content, persistence indicators, and subsequent malware execution.

Likely telemetry

  • Windows endpoint process execution telemetry, including parent-child process relationships
  • File creation, rename, path, and hash telemetry for executables and staged content
  • Command-line and script activity that may indicate decoding or deobfuscation
  • Endpoint malware alerts and quarantine records tied to loader-like artifacts
  • Forensic evidence of dropped or loaded follow-on tools, including Felismus where applicable

Detection direction

  • Do not rely on the malware name alone; ATT&CK supplies no official Starloader detection logic.
  • Tune for suspicious Windows executables using legitimate-looking names or locations, while accounting for high false positives from normal software installation and administration activity.
  • Review decode/deobfuscation patterns in context, especially when followed by new executable creation or execution.
  • Correlate suspected Starloader activity with follow-on tool loading, including Felismus, rather than closing on an isolated file alert.
  • Validate whether EDR, SIEM, and malware-analysis workflows preserve enough command-line, file-path, hash, and parent-process detail to reconstruct loader activity.

Mitigation priorities

  • Maintain strong Windows endpoint prevention and response controls, including timely isolation and forensic collection procedures for suspected loaders.
  • Harden software execution policy and application control where feasible to reduce unauthorized executable staging.
  • Improve asset and baseline knowledge of legitimate file names and locations so resource-name spoofing is easier to investigate.
  • Ensure IR playbooks require scoping for follow-on payloads whenever loader malware is suspected.
  • Use the ATT&CK relationships to guide threat-hunting content, but validate detections against local administrative and software-deployment patterns.
Analyst notes and limits

The useful decision point is the loader role: Starloader should trigger questions about what else may have been loaded and whether the organization can prove the answer with Windows telemetry. The supplied relationship to Sowbug provides historical threat-intelligence context from Symantec reporting, not evidence of current targeting.

The official ATT&CK object is sparse: tactics are not specified, aliases are not listed, and no official detection guidance is provided. Conclusions here are limited to the supplied description, external references, platform field, and relationships to Sowbug, Felismus loading, T1036.005, and T1140. Local evidence is required to determine prevalence, impact, or detection coverage.

Official MITRE ATT&CK definition

Starloader

Starloader is a loader component that has been observed loading Felismus and associated tools. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

2 rows
Domain ID Name Relationship / procedure
Enterprise T1140 Deobfuscate/Decode Files or Information

Starloader decrypts and executes shellcode from a file called Stars.jps.CitationSymantec Sowbug Nov 2017
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

Starloader has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel.CitationSymantec Sowbug Nov 2017
Associated objects

Groups, software, and campaigns

Group Enterprise

G0054: Sowbug

Sowbug is a threat group that has conducted targeted attacks against organizations in South America and Southeast Asia, particularly government entities, since at least 2015. [1]

Relationship explorer

All related ATT&CK context

uses · Technique T1140: Deobfuscate/Decode Files or Information Enterprise uses · Group G0054: Sowbug Enterprise uses · Technique T1036.005: Match Legitimate Resource Name or Location Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
174b1d94b555d890...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 174b1d94b555…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Symantec Sowbug Nov 2017

    Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.

    Open source URL
  2. [2]
    Starloader

    (Citation: Symantec Sowbug Nov 2017)

  3. [3]
    mitre-attack S0188
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use