MITRE ATT&CK® Malware

S0203: Hydraq

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.[1][2][3][4][5][6][7][8]

Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Hydraq is a Windows data-theft trojan that ATT&CK ties to Operation Aurora and, under several aliases, to later campaigns. Its decision value lies less in the malware name than in the post-compromise capability set it represents: discover host and network context, collect local data and screen content, persist and execute through Windows services, manipulate the Registry and access tokens, transfer tools, encode command-and-control traffic with a simple NOT/XOR scheme, exfiltrate data, and remove evidence.

Executive priority

Treat Hydraq as a useful control-validation case for Windows endpoint resilience and incident readiness. Leaders should ask whether the organization can prove visibility into discovery, persistence, collection, exfiltration, and log-clearing behaviors on high-value Windows systems, not merely whether a signature exists for one malware family. The related group context includes Elderwood (defense, supply-chain manufacturers, NGOs, IT service providers) and Axiom (aerospace, defense, government, manufacturing, and media), so organizations in similar sectors may want to prioritize intelligence review and tabletop response assumptions, while avoiding unsupported claims of current exposure.

Technical view

ATT&CK provides no official detection text for Hydraq, so SOC and detection teams should validate coverage through the related techniques: Windows service creation/modification and service execution, registry query and modification, process/service/system/file discovery, local data collection, screen capture, ingress tool transfer, alternate-protocol exfiltration, symmetric cryptography for C2, file deletion, Windows Event Log clearing, shared module loading, and access token manipulation. Because Hydraq is listed as Windows malware, prioritize Windows endpoint, registry, service-control, process, file, event-log, and network egress telemetry. Correlating multiple behaviors is more defensible than relying on any single indicator or alias.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Windows service creation, modification, start, and service-control activity
  • Windows Registry query and modification events
  • Windows Event Log clear events and audit-log health signals
  • File creation, deletion, module load, and directory enumeration activity

Detection direction

  • Build detections around behavior clusters mapped to the related ATT&CK techniques rather than the Hydraq name alone.
  • Validate Windows service persistence and execution monitoring, including new or modified services with unusual paths or execution context.
  • Tune registry monitoring for suspicious query/modify patterns while accounting for legitimate administration and software-management noise.
  • Correlate discovery commands or API-driven enumeration with subsequent file access, tool transfer, encrypted outbound traffic, or exfiltration-like flows.
  • Monitor for Windows Event Log clearing and file deletion as potential post-compromise evidence removal; ensure alerting distinguishes authorized maintenance from suspicious clearing.
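A worked illustration of the behavior-cluster approach above, added here as an example and not taken from the page or from any Hydraq sample: it scores constructed Windows event records per host so that a new svchost service group, a ServiceDll written outside System32, a discovery command and a log clear within a short window alert together, while a lone log clear on an administrative host does not. The event IDs are the standard Windows ones (7045 service installed, 4657 registry value modified, 4688 process creation, 1102 and 104 log cleared); the host names, service group, paths, weights and window are assumptions.

```python
"""Added example, not from the Glexia or MITRE page: score clusters of the
behaviors the page's detection direction names, over constructed Windows
event records. Hosts, service names, paths, timestamps and weights are
assumptions made for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Assumed baseline of svchost service groups; in practice export it from a
# known-good host's HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key.
KNOWN_SVCHOST_GROUPS = {"netsvcs", "localservice", "networkservice", "rpcss", "dcomlaunch"}
SYSTEM32 = "c:\\windows\\system32\\"
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+\"?([^\s\"]+)")
DISCOVERY_CMDS = ("systeminfo", "tasklist", "ipconfig", "net view", "sc query")


def norm_path(p: str) -> str:
    """Lower-case, strip quotes and expand the two env vars seen in ImagePath/ServiceDll."""
    p = p.strip().strip('"').lower()
    return p.replace("%systemroot%", "c:\\windows").replace("%windir%", "c:\\windows")


def classify(ev: dict) -> Optional[Tuple[str, int]]:
    """Map one event to (behavior, weight), or None if it is not of interest.
    Behaviors mirror techniques on the page; weights are an assumption."""
    f, eid = ev["fields"], ev["eid"]
    if eid == 7045:                                     # System: new service installed
        path = norm_path(f["ImagePath"])
        m = SVCHOST_RE.search(path)
        if m and m.group(1) not in KNOWN_SVCHOST_GROUPS:
            return ("service_new_svchost_group", 3)     # T1543.003 / T1569.002
        if not path.startswith(SYSTEM32):
            return ("service_unusual_path", 2)
        return None
    if eid == 4657:                                     # Security: registry value modified
        key = f["ObjectName"].lower()
        if ("\\services\\" in key and f["ObjectValueName"].lower() == "servicedll"
                and not norm_path(f["NewValue"]).startswith(SYSTEM32)):
            return ("servicedll_outside_system32", 3)   # T1112 setting up T1569.002
        return None
    if eid in (1102, 104):                              # Security / System log cleared
        return ("event_log_cleared", 3)                 # Clear Windows Event Logs
    if eid == 4688:                                     # Security: process creation
        cmd = f["CommandLine"].lower().strip()
        if any(cmd.startswith(c) for c in DISCOVERY_CMDS):
            return ("discovery_command", 1)             # T1057 / T1082 / T1016 / T1007
    return None


def score_host_clusters(events, window=timedelta(minutes=30), min_behaviors=2, min_score=5):
    """For each host, slide a time window over its classified events and report
    the strongest cluster that combines at least `min_behaviors` distinct
    behaviors. A lone log clear or a lone new service never alerts by itself."""
    by_host = defaultdict(list)
    for ev in events:
        hit = classify(ev)
        if hit:
            by_host[ev["host"]].append((ev["ts"], ev["eid"], hit[0], hit[1]))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        best = None
        for i, (t0, _, _, _) in enumerate(hits):
            win = [h for h in hits[i:] if h[0] - t0 <= window]
            behaviors = {h[2] for h in win}
            score = sum(h[3] for h in win)
            if len(behaviors) >= min_behaviors and score >= min_score:
                if best is None or score > best["score"]:
                    best = {"host": host, "start": t0, "behaviors": sorted(behaviors), "score": score}
        if best:
            alerts[host] = best
    return alerts


def ev(ts, host, eid, **fields):
    """Build one constructed event record."""
    return {"ts": datetime.fromisoformat(ts), "host": host, "eid": eid, "fields": fields}


# Constructed event stream (not real telemetry).
EVENTS = [
    ev("2025-03-04T09:00:00", "SRV-ADMIN-01", 7045, ImagePath="%SystemRoot%\\System32\\svchost.exe -k netsvcs"),
    ev("2025-03-04T10:00:00", "WS-FIN-07", 7045, ImagePath="%SystemRoot%\\System32\\svchost.exe -k sysins"),
    ev("2025-03-04T10:01:00", "WS-FIN-07", 4657,
       ObjectName="\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\Services\\RaS1\\Parameters",
       ObjectValueName="ServiceDll", NewValue="C:\\ProgramData\\Updater\\svcdll.dll"),
    ev("2025-03-04T10:05:00", "WS-FIN-07", 4688, CommandLine="tasklist /v"),
    ev("2025-03-04T10:07:00", "WS-FIN-07", 1102),
    ev("2025-03-04T14:00:00", "SRV-ADMIN-01", 1102),   # scheduled log rotation: one behavior, no alert
]

if __name__ == "__main__":
    for host, alert in score_host_clusters(EVENTS).items():
        print(host, alert["score"], alert["behaviors"])
```

Swap the constructed EVENTS list for the same fields from your SIEM; the baseline of svchost groups should come from a known-good host rather than the short set assumed here, and the weights and window are the knobs to tune against your own administrative noise.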

Mitigation priorities

  • Prioritize hardening and monitoring of high-value Windows endpoints and servers where local data, screenshots, or privileged tokens would create material risk.
  • Restrict administrative permissions and service-management rights to reduce opportunities for service-based persistence, service execution, registry modification, log clearing, and token-related abuse.
  • Maintain reliable endpoint logging, centralized log forwarding, and retention so file deletion or event-log clearing does not eliminate incident evidence.
  • Apply egress control and network monitoring that can identify unusual outbound protocols, destinations, and data-transfer patterns from sensitive systems.
  • Use application control and endpoint protection policies to reduce unauthorized tool transfer, shared-module execution, and unapproved binaries where operationally feasible.

Analyst notes and limits

Hydraq has many aliases in the references, including 9002 RAT, Aurora, HidraQ, HomeUnix, Homux, HydraQ, McRat, MdmBot, and Roarur. ATT&CK relationship context links two groups, Elderwood and Axiom, as users of this object and lists numerous techniques used by Hydraq, spanning discovery, collection, execution, persistence, privilege escalation, defense impairment, command and control, and exfiltration. Use those relationships to guide validation, but confirm locally which Windows systems, logs, and network controls provide usable evidence.

The official ATT&CK object does not provide a detection section, labels, aliases in the core alias field, or object-level tactics. Technique relationships provide behavioral context, but the supplied data does not prove active exploitation, current campaign activity, customer exposure, or guaranteed detection coverage. Some related techniques list platforms beyond Windows; Hydraq itself is supplied here as Windows malware, so platform claims should remain Windows-focused unless separate evidence supports more.

Official MITRE ATT&CK definition

Hydraq

Hydraq is a data-theft trojan first used by Elderwood in the 2009 Google intrusion known as Operation Aurora, though variations of this trojan have been used in more recent campaigns by other Chinese actors, possibly including APT17.[1][2][3][4][5][6][7][8]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure (19 rows)
Enterprise T1012 Query Registry

Hydraq creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1129 Shared Modules

Hydraq creates a backdoor through which remote attackers can load and call DLL functions. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1569.002 Service Execution Sub-technique

Hydraq uses svchost.exe to execute a malicious DLL included in a new service group. (Citation: Symantec Hydraq Persistence Jan 2010)

Enterprise T1016 System Network Configuration Discovery

Hydraq creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1082 System Information Discovery

Hydraq creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed. (Citation: Symantec Hydraq Jan 2010)

Enterprise T1005 Data from Local System

Hydraq creates a backdoor through which remote attackers can read data from files. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1112 Modify Registry

Hydraq creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. Hydraq's backdoor also enables remote attackers to modify and delete subkeys. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1105 Ingress Tool Transfer

Hydraq creates a backdoor through which remote attackers can download files and additional malware components. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1027 Obfuscated Files or Information

Hydraq uses basic obfuscation in the form of spaghetti code. (Citation: Symantec Elderwood Sept 2012) (Citation: Symantec Trojan.Hydraq Jan 2010)

Enterprise T1543.003 Windows Service Sub-technique

Hydraq creates new services to establish persistence. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010) (Citation: Symantec Hydraq Persistence Jan 2010)

Enterprise T1685.005 Clear Windows Event Logs Sub-technique

Hydraq creates a backdoor through which remote attackers can clear all system event logs. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1573.001 Symmetric Cryptography Sub-technique

Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations. (Citation: Symantec Hydraq Jan 2010)

Enterprise T1007 System Service Discovery

Hydraq creates a backdoor through which remote attackers can monitor services. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1070.004 File Deletion Sub-technique

Hydraq creates a backdoor through which remote attackers can delete files. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1057 Process Discovery

Hydraq creates a backdoor through which remote attackers can monitor processes. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1113 Screen Capture

Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host. (Citation: Symantec Hydraq Jan 2010)

Enterprise T1048 Exfiltration Over Alternative Protocol

Hydraq connects to a predefined domain on port 443 to exfiltrate gathered information. (Citation: Symantec Hydraq Jan 2010)

Enterprise T1083 File and Directory Discovery

Hydraq creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives. (Citation: Symantec Trojan.Hydraq Jan 2010) (Citation: Symantec Hydraq Jan 2010)

Enterprise T1134 Access Token Manipulation

Hydraq creates a backdoor through which remote attackers can adjust token privileges. (Citation: Symantec Hydraq Jan 2010)
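The T1573.001 and T1048 rows above describe C2 that is NOT/XOR-encoded and sent to port 443. As an added example that is not from the page or from any Hydraq capture, the block below triages a payload seen on an outbound 443 connection: it first checks whether the bytes are a TLS record at all (the port alone proves nothing), and if not brute-forces the 256 possible one-byte keys of a NOT-then-XOR scheme, using an analyst-supplied crib to pick the right one. The beacon text, the key 0x5A and the crib "HTTP/" are constructed assumptions; Hydraq's real key and message format are not claimed here.

```python
"""Added example (not from the Glexia page or any Hydraq sample): triage a
payload captured on an outbound TCP/443 connection. Checks whether it is a
TLS record and, if not, whether it reverses under a NOT/XOR scheme with a
one-byte key. Beacon text, key 0x5A and crib are constructed assumptions."""
from typing import List, Optional, Tuple


def not_xor(data: bytes, key: int) -> bytes:
    """NOT then XOR with a one-byte key. Because NOT is XOR 0xFF, the whole
    transform is a single XOR with (key ^ 0xFF) and is its own inverse: there
    are only 256 possible keys and no secrecy beyond obscurity."""
    return bytes(((~b) & 0xFF) ^ key for b in data)


def looks_like_tls_record(data: bytes) -> bool:
    """First record of a TLS session: type 0x16 (handshake), version 0x03 0x00..0x04."""
    return len(data) >= 5 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII, tab, LF or CR."""
    ok = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return ok / len(data) if data else 0.0


def candidate_keys(cipher: bytes, crib: Optional[bytes] = None,
                   min_ratio: float = 0.95) -> List[Tuple[int, bytes]]:
    """Brute-force all 256 keys. With a crib (a string the analyst expects in
    the beacon, e.g. an HTTP verb seen in other samples) only decodes containing
    it qualify; without one, fall back to a printable-text heuristic, which can
    tie between keys and therefore returns every candidate, best first."""
    hits = []
    for k in range(256):
        pt = not_xor(cipher, k)
        if crib is not None:
            if crib in pt:
                hits.append((1.0, k, pt))
        else:
            r = printable_ratio(pt)
            if r >= min_ratio:
                hits.append((r, k, pt))
    hits.sort(key=lambda h: (-h[0], h[1]))
    return [(k, pt) for _, k, pt in hits]


def triage(payload: bytes, crib: Optional[bytes] = None) -> dict:
    """Classify one captured payload: TLS, NOT/XOR-reversible, or unknown."""
    if looks_like_tls_record(payload):
        return {"verdict": "tls", "key": None, "plaintext": None, "ambiguous": False}
    cands = candidate_keys(payload, crib)
    if not cands:
        return {"verdict": "non_tls_unknown", "key": None, "plaintext": None, "ambiguous": False}
    key, pt = cands[0]
    return {"verdict": "non_tls_not_xor", "key": key, "plaintext": pt,
            "ambiguous": len(cands) > 1}


# Constructed samples (not real captures).
ASSUMED_KEY = 0x5A
BEACON_PLAINTEXT = b"GET /q?host=WS-FIN-07&os=Windows&cpu=2400MHz HTTP/1.0\r\n\r\n"
CAPTURED_BEACON = not_xor(BEACON_PLAINTEXT, ASSUMED_KEY)
# Header of a TLS 1.2 ClientHello record (type, version, length) plus filler.
CAPTURED_TLS = bytes.fromhex("16030100a5") + b"\x01" + b"\x00" * 20

if __name__ == "__main__":
    print(triage(CAPTURED_TLS)["verdict"])
    print(triage(CAPTURED_BEACON, crib=b"HTTP/"))
```

The point for responders is that NOT and XOR with a byte key collapse to a single XOR with (key ^ 0xFF): the traffic is recoverable from a capture alone, so decoding it is a feasible triage step, and because the payload is not TLS, a sensor that classifies by protocol rather than by port can flag it on egress. Without a crib the printable-text heuristic can return more than one plausible key, which the "ambiguous" flag makes explicit rather than hiding.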

Associated objects

Groups, software, and campaigns

Group Enterprise

G0066: Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]

Group Enterprise

G0001: Axiom

Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.0
Created:
Modified:
Raw hash: 5d64f49a01d24605...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.0 | | Current bundle | 5d64f49a01d2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] MicroFocus 9002 Aug 2016: Petrovsky, O. (2016, August 30). "9002 RAT" -- a second building on the left. Retrieved February 20, 2018.
  2. [2] Symantec Elderwood Sept 2012: O'Gorman, G. and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.
  3. [3] Symantec Trojan.Hydraq Jan 2010: Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018.
  4. [4] ASERT Seven Pointed Dagger Aug 2015: ASERT. (2015, August). ASERT Threat Intelligence Report – Uncovering the Seven Pointed Dagger. Retrieved March 19, 2018.
  5. [5] FireEye DeputyDog 9002 November 2013: Moran, N. et al. (2013, November 10). Operation Ephemeral Hydra: IE Zero-Day Linked to DeputyDog Uses Diskless Method. Retrieved November 17, 2024.
  6. [6] ProofPoint GoT 9002 Aug 2017: Huss, D. and Mesa, M. (2017, August 25). Operation RAT Cook: Chinese APT actors use fake Game of Thrones leaks as lures. Retrieved March 19, 2018.
  7. [7] FireEye Sunshop Campaign May 2013: Moran, N. (2013, May 20). Ready for Summer: The Sunshop Campaign. Retrieved November 17, 2024.
  8. [8] PaloAlto 3102 Sept 2015: Falcone, R. and Miller-Osborn, J. (2015, September 23). Chinese Actors Use '3102' Malware in Attacks on US Government and EU Media. Retrieved March 19, 2018.
  9. [9] 9002 RAT (alias; Citation: MicroFocus 9002 Aug 2016)
  10. [10] Aurora (alias; Citation: Symantec Elderwood Sept 2012; Citation: Symantec Trojan.Hydraq Jan 2010)
  11. [11] HidraQ (alias; Citation: Novetta-Axiom)
  12. [12] HomeUnix (alias; Citation: Novetta-Axiom)
  13. [13] Homux (alias; Citation: Novetta-Axiom)
  14. [14] HydraQ (alias; Citation: Novetta-Axiom)
  15. [15] Hydraq (alias; Citation: Symantec Elderwood Sept 2012; Citation: Symantec Trojan.Hydraq Jan 2010)
  16. [16] McRat (alias; Citation: Novetta-Axiom)
  17. [17] MdmBot (alias; Citation: Novetta-Axiom)
  18. [18] Novetta-Axiom: Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
  19. [19] Roarur (alias; Citation: Novetta-Axiom)
  20. [20] mitre-attack S0203: https://attack.mitre.org/software/S0203/
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.