S0198: NETWIRE
Analyst context for executives and security teams
NETWIRE matters because it is a publicly available remote administration tool with Windows, Linux, and macOS relevance, and ATT&CK records use by multiple criminal and APT groups. For leaders, the decision point is not whether the tool name appears in an alert, but whether endpoint, identity, and network defenses can recognize the behaviors commonly associated with this RAT: persistence, command execution, discovery, credential collection through keylogging, staging, obfuscation, and web-based command-and-control.
Executive priority
Treat NETWIRE as a resilience and readiness test case for commodity RAT defense across a mixed operating-system estate. Its public availability and relationship to multiple groups make it useful for validating whether controls depend too heavily on known signatures. Security leaders should ask whether SOC coverage includes cross-platform endpoint telemetry, command-line visibility, scheduled task and cron monitoring, suspicious process injection indicators, keylogging-related detections, and web-protocol C2 review. This also supports audit and incident-readiness evidence: teams should be able to show how they detect and respond to remote access tooling even when ATT&CK provides no object-specific detection guidance.
Technical view
ATT&CK does not provide a NETWIRE-specific detection field, so defenders should validate coverage through its related techniques. On Windows, prioritize visibility into PowerShell, cmd, scheduled tasks, invalid code signatures, process injection and process hollowing, local staging, and suspicious web-protocol communications. On Linux and macOS, validate Unix shell execution, cron persistence, process and network discovery, application window discovery where applicable, local staging, fileless or nonstandard storage locations, packing or obfuscation indicators, and web-protocol C2 patterns. IR teams should correlate discovery commands, persistence artifacts, credential-access behavior such as keylogging, and outbound communications rather than relying on the malware family name alone.
Likely telemetry
- Endpoint process creation and command-line telemetry across Windows, Linux, and macOS
- PowerShell, Windows command shell, Unix shell, and Visual Basic execution records where applicable
- Windows scheduled task creation or modification logs
- Cron entry creation or modification on Linux and macOS
- Endpoint memory or EDR telemetry for process injection and process hollowing indicators
Detection direction
- Build detections around behavior clusters rather than the NETWIRE name: execution plus persistence, discovery plus outbound web traffic, or keylogging plus local staging should raise priority.
- Tune scheduled task and cron alerts to distinguish approved administration from newly created or unusual recurring execution paths.
- Review packed, obfuscated, or invalidly signed binaries carefully, but expect false positives from legitimate software installers and protection tools.
- Correlate process injection or process hollowing signals with network activity and persistence artifacts to reduce noise.
- For web-protocol C2 hunting, baseline normal destinations and user-agent or traffic patterns before treating generic HTTP/S traffic as suspicious.
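The behavior-cluster idea in the list above, carried out as an added example that is not code from the ATT&CK record or from Glexia. It assumes an upstream pipeline has already tagged each endpoint event with one of the behavior labels discussed on this page (execution, persistence, discovery, web_c2, keylogging, staging, injection); the pipe-delimited event format and the sample lines are constructed for illustration, and the cluster list and window are tuning choices, not ATT&CK guidance.

```python
"""Behavior-cluster scoring over endpoint telemetry.

Added example, not code from the ATT&CK record or from Glexia. It assumes an
upstream pipeline has already tagged each event with a behavior label
(execution, persistence, discovery, web_c2, keylogging, staging, injection);
the event format and the sample lines below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Behavior pairs that should raise priority when they co-occur on one host.
# Any single behavior on its own stays low priority (assumed tuning).
PRIORITY_CLUSTERS = [
    frozenset({"execution", "persistence"}),
    frozenset({"discovery", "web_c2"}),
    frozenset({"keylogging", "staging"}),
    frozenset({"injection", "web_c2"}),
    frozenset({"injection", "persistence"}),
]

# Constructed telemetry: "<iso timestamp>|<host>|<source>|<behavior>|<detail>".
SAMPLE_EVENTS = """\
2024-05-01T09:00:05|ws-01|process|execution|powershell.exe launched with hidden window
2024-05-01T09:00:09|ws-01|registry|persistence|new value under HKCU Run key
2024-05-01T09:01:30|ws-01|edr|injection|remote memory write into notepad.exe
2024-05-01T09:02:10|ws-01|network|web_c2|HTTP POST to unapproved external host
2024-05-01T10:15:00|srv-02|process|execution|cmd.exe /c whoami
2024-05-01T16:40:00|srv-02|cron|persistence|new crontab entry for service account
2024-05-01T11:00:00|mac-03|process|discovery|ifconfig executed
"""


def parse_events(text):
    """Parse pipe-delimited lines into dicts; timestamps become datetimes."""
    events = []
    for line in text.strip().splitlines():
        ts, host, source, behavior, detail = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "source": source, "behavior": behavior, "detail": detail})
    return events


def score_hosts(events, window=timedelta(minutes=30)):
    """Return {host: {"priority", "clusters", "behaviors"}}.

    For each event, collect the behaviors seen on the same host within
    `window` after it; a cluster matches when all of its behaviors appear in
    that set. Two or more matched clusters is "high", one is "elevated".
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    results = {}
    for host, evs in by_host.items():
        matched = set()
        for i, anchor in enumerate(evs):
            seen = {anchor["behavior"]}
            for later in evs[i + 1:]:
                if later["ts"] - anchor["ts"] > window:
                    break  # events are sorted, so nothing further is in range
                seen.add(later["behavior"])
            matched.update(c for c in PRIORITY_CLUSTERS if c <= seen)
        if len(matched) >= 2:
            priority = "high"
        elif matched:
            priority = "elevated"
        else:
            priority = "low"
        results[host] = {
            "priority": priority,
            "clusters": sorted(tuple(sorted(c)) for c in matched),
            "behaviors": sorted({e["behavior"] for e in evs}),
        }
    return results


if __name__ == "__main__":
    for host, r in score_hosts(parse_events(SAMPLE_EVENTS)).items():
        print(host, r["priority"], r["clusters"])
```

With the constructed sample, ws-01 scores high (execution, persistence, injection and web traffic inside two minutes), while srv-02 stays low under the default 30-minute window because its cron change lands hours after the shell execution; widening the window to a working day promotes srv-02 to elevated, which is the trade-off to tune against the noise of routine administration.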
Mitigation priorities
- Start with inventory and telemetry coverage for Windows, Linux, and macOS endpoints because the ATT&CK object is multiplatform.
- Harden and monitor persistence mechanisms: Windows Task Scheduler and cron should have change monitoring, ownership review, and least-privilege administration.
- Apply application control, script control, and code-signing validation where operationally feasible to reduce unauthorized RAT execution and misleading binaries.
- Limit unnecessary scripting and shell access, and log administrative command execution with sufficient command-line detail.
- Use endpoint protection capable of observing memory-level behaviors such as process injection, not only file signatures.
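Change monitoring for the persistence mechanisms named in the second item above, as an added example that is not code from the ATT&CK record or from Glexia. The watch list is an assumption about typical Linux and macOS locations (cron spools and cron.d, XDG autostart, LaunchAgents and LaunchDaemons) and should be adjusted to the estate; Windows Task Scheduler is not covered here. Each file is recorded by SHA-256, size, owner and mode so that edits, ownership changes and permission changes all surface, and hidden (dot-file) entries are included.

```python
"""Baseline-and-diff monitoring of persistence locations on Linux and macOS.

Added example, not code from the ATT&CK record or from Glexia. The watch list
is an assumption about typical locations; adjust it to the estate.
"""
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Assumed typical locations; a path missing on a given platform is skipped.
DEFAULT_WATCH = [
    "/etc/crontab", "/etc/cron.d", "/var/spool/cron", "/var/spool/cron/crontabs",
    os.path.expanduser("~/.config/autostart"),
    os.path.expanduser("~/Library/LaunchAgents"),
    "/Library/LaunchAgents", "/Library/LaunchDaemons",
]


def _record(path: Path) -> dict:
    """Content hash plus the ownership and mode bits worth reviewing."""
    st = path.stat()
    return {
        "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
        "size": st.st_size,
        "uid": st.st_uid,
        "mode": oct(stat.S_IMODE(st.st_mode)),
    }


def snapshot(paths) -> dict:
    """Map each regular file under the watched paths to its record.

    pathlib's rglob matches dot-files, so hidden entries are not missed;
    symlinks are skipped so a link cannot pull in unrelated content.
    """
    records = {}
    for root in paths:
        rootp = Path(root)
        if rootp.is_file():
            records[str(rootp)] = _record(rootp)
        elif rootp.is_dir():
            for p in sorted(rootp.rglob("*")):
                if p.is_file() and not p.is_symlink():
                    records[str(p)] = _record(p)
    return records


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Return added, removed and changed paths between two snapshots."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def save_baseline(records: dict, path: str) -> None:
    Path(path).write_text(json.dumps(records, indent=1, sort_keys=True))


def load_baseline(path: str) -> dict:
    return json.loads(Path(path).read_text())


def simulate_change() -> dict:
    """Self-contained demonstration on a temporary directory.

    Builds a baseline with one constructed cron-style job file, then adds a
    hidden autostart-style entry and appends a line to the existing job, and
    returns the resulting diff with the temporary prefix stripped.
    """
    with tempfile.TemporaryDirectory() as d:
        job = Path(d) / "backup"
        job.write_text("0 2 * * * /usr/local/bin/backup.sh\n")  # constructed
        baseline = snapshot([d, "/definitely/not/present"])
        job.write_text(job.read_text() + "*/5 * * * * /tmp/.cache-x/updater\n")
        (Path(d) / ".extra.desktop").write_text("[Desktop Entry]\nExec=/tmp/.cache-x/updater\n")
        delta = diff_snapshots(baseline, snapshot([d]))
    return {k: [os.path.basename(p) for p in v] for k, v in delta.items()}


if __name__ == "__main__":
    # Production use: save a baseline once, then diff on a schedule, e.g.
    #   save_baseline(snapshot(DEFAULT_WATCH), "/var/lib/persist-baseline.json")
    #   diff_snapshots(load_baseline("/var/lib/persist-baseline.json"), snapshot(DEFAULT_WATCH))
    print(simulate_change())
```

Run the baseline from a privileged, scheduled job and ship the diff to the SIEM; anything in "added" or "changed" is then reviewed against the approved administration patterns the text describes, which is what turns a flat file-integrity alert into a persistence-specific signal.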
Analyst notes and limits
The ATT&CK record identifies NETWIRE as a publicly available, multiplatform RAT used by criminal and APT groups since at least 2012. Relationship context links it to APT33, SilverTerrier, The White Company, and TA2541, and maps it to techniques spanning execution, persistence, privilege escalation, defense evasion, discovery, credential access, collection, and command-and-control. The strongest defensive value is using those mapped behaviors to check whether SOC and IR coverage works across operating systems and does not depend solely on static malware naming.
No official ATT&CK detection guidance, aliases, labels, or tactics are supplied for the NETWIRE object itself. The recommendations above are derived from supplied ATT&CK relationships and platform fields, not from claims of current activity, confirmed customer exposure, or guaranteed detection. Local environment baselines, approved administration patterns, EDR capabilities, and network architecture are required to determine actual risk and coverage.
NETWIRE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1090 | Proxy | NETWIRE can implement use of proxies to pivot traffic. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | NETWIRE creates a Registry start-up entry to establish persistence. (Citation: McAfee Netwire Mar 2015) (Citation: Red Canary NETWIRE January 2020) (Citation: Unit 42 NETWIRE April 2020) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1027.002 | Software Packing | NETWIRE has used .NET packer tools to evade detection. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1573.001 | Symmetric Cryptography | NETWIRE can use AES encryption for C2 data transferred. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1560.003 | Archive via Custom Method | NETWIRE has used a custom encryption algorithm to encrypt collected data. (Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1204.002 | Malicious File | NETWIRE has been executed through luring victims into opening malicious documents. (Citation: FireEye NETWIRE March 2019) (Citation: Unit 42 NETWIRE April 2020) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1204.001 | Malicious Link | NETWIRE has been executed through convincing victims into clicking malicious links. (Citation: FireEye NETWIRE March 2019) (Citation: Unit 42 NETWIRE April 2020) |
| Enterprise | T1119 | Automated Collection | NETWIRE can automatically archive collected data. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1547.013 | XDG Autostart Entries | NETWIRE can use XDG Autostart Entries to establish persistence on Linux systems. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1059.005 | Visual Basic | NETWIRE has been executed through use of VBScripts. (Citation: FireEye NETWIRE March 2019) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1027 | Obfuscated Files or Information | NETWIRE has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names. (Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1059.001 | PowerShell | The NETWIRE binary has been executed via PowerShell script. (Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1055 | Process Injection | NETWIRE can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1053.003 | Cron | NETWIRE can use crontabs to establish persistence. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1027.011 | Fileless Storage | NETWIRE can store its configuration information in the Registry under `HKCU:\Software\Netwire`. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1083 | File and Directory Discovery | NETWIRE has the ability to search for files on the compromised host. (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1057 | Process Discovery | NETWIRE can discover processes on compromised hosts. (Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1059.004 | Unix Shell | NETWIRE has the ability to use |
| Enterprise | T1049 | System Network Connections Discovery | NETWIRE can capture session logon details from a compromised host. (Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1560 | Archive Collected Data | NETWIRE has the ability to compress archived screenshots. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1555.003 | Credentials from Web Browsers | NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome. (Citation: FireEye NETWIRE March 2019) (Citation: Red Canary NETWIRE January 2020) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1566.002 | Spearphishing Link | NETWIRE has been spread via e-mail campaigns utilizing malicious links. (Citation: Unit 42 NETWIRE April 2020) |
| Enterprise | T1555 | Credentials from Password Stores | NETWIRE can retrieve passwords from messaging and mail client applications. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | NETWIRE has masqueraded as legitimate software including TeamViewer and macOS Finder. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1102 | Web Service | NETWIRE has used web services including Paste.ee to host payloads. (Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1564.001 | Hidden Files and Directories | NETWIRE can copy itself to and launch itself from hidden folders. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1010 | Application Window Discovery | NETWIRE can discover and close windows on controlled systems. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1059.003 | Windows Command Shell | NETWIRE can issue commands using cmd.exe. (Citation: Red Canary NETWIRE January 2020) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1036.001 | Invalid Code Signature | The NETWIRE client has been signed by fake and invalid digital certificates. (Citation: McAfee Netwire Mar 2015) |
| Enterprise | T1056.001 | Keylogging | NETWIRE can perform keylogging. (Citation: McAfee Netwire Mar 2015) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: FireEye NETWIRE March 2019) (Citation: Red Canary NETWIRE January 2020) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1106 | Native API | NETWIRE can use Native API including |
| Enterprise | T1053.005 | Scheduled Task | NETWIRE can create a scheduled task to establish persistence. (Citation: FireEye NETWIRE March 2019) |
| Enterprise | T1113 | Screen Capture | NETWIRE can capture the victim's screen. (Citation: McAfee Netwire Mar 2015) (Citation: FireEye NETWIRE March 2019) (Citation: Red Canary NETWIRE January 2020) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1547.015 | Login Items | NETWIRE can persist via startup options for Login items. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1016 | System Network Configuration Discovery | NETWIRE can collect the IP address of a compromised host. (Citation: Red Canary NETWIRE January 2020) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1071.001 | Web Protocols | NETWIRE has the ability to communicate over HTTP. (Citation: Red Canary NETWIRE January 2020) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1055.012 | Process Hollowing | The NETWIRE payload has been injected into benign Microsoft executables via process hollowing. (Citation: FireEye NETWIRE March 2019) (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1112 | Modify Registry | NETWIRE can modify the Registry to store its configuration information. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1082 | System Information Discovery | NETWIRE can discover and collect victim system information. (Citation: McAfee Netwire Mar 2015) |
| Enterprise | T1566.001 | Spearphishing Attachment | NETWIRE has been spread via e-mail campaigns utilizing malicious attachments. (Citation: Unit 42 NETWIRE April 2020) (Citation: Proofpoint NETWIRE December 2020) |
| Enterprise | T1074.001 | Local Data Staging | NETWIRE has the ability to write collected data to a file created in the |
| Enterprise | T1095 | Non-Application Layer Protocol | NETWIRE can use TCP in C2 communications. (Citation: Red Canary NETWIRE January 2020) (Citation: Unit 42 NETWIRE April 2020) |
| Enterprise | T1573 | Encrypted Channel | NETWIRE can encrypt C2 communications. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1543.001 | Launch Agent | NETWIRE can use launch agents for persistence. (Citation: Red Canary NETWIRE January 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | NETWIRE can download payloads from C2 to the compromised host. (Citation: FireEye NETWIRE March 2019) (Citation: Proofpoint NETWIRE December 2020) |
Groups, software, and campaigns
G0089: The White Company
The White Company is a likely state-sponsored threat actor with advanced capabilities. From 2017 through 2018, the group led an espionage campaign called Operation Shaheen targeting government and military organizations in Pakistan.[1]
G0064: APT33
G0083: SilverTerrier
SilverTerrier is a Nigerian threat group that has been seen active since 2014. SilverTerrier mainly targets organizations in high technology, higher education, and manufacturing.[1][2]
G1018: TA2541
TA2541 is a cybercriminal group that has been targeting the aviation, aerospace, transportation, manufacturing, and defense industries since at least 2017. TA2541 campaigns are typically high volume and involve the use of commodity remote access tools obfuscated by crypters and themes related to aviation, transportation, and travel.[1][2]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 |  | 1.6 |  | Current bundle | eee1a6ece6a9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT33 Sept 2017: O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
[2] McAfee Netwire Mar 2015: McAfee. (2015, March 2). Netwire RAT Behind Recent Targeted Attacks. Retrieved February 15, 2018.
[3] FireEye APT33 Webinar Sept 2017: Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
[4] NETWIRE: (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: McAfee Netwire Mar 2015)
[5] mitre-attack S0198
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.