S0206: Wiarp
Analyst context for executives and security teams
Wiarp is a Windows trojan identified by MITRE as a backdoor used by Elderwood. Its business significance is not just the malware name: the mapped behaviors point to persistence through Windows services, command execution through the Windows command shell, process injection for stealth or privilege context, and tool transfer over command-and-control paths. For leaders, this is a reminder to validate whether Windows endpoint, service-control, process, and network telemetry can support fast containment of a host that has become a backdoor foothold.
Executive priority
Prioritize Wiarp as a control-validation case for Windows compromise readiness rather than as a standalone malware alert. Security leaders should ask whether the organization can prove visibility into suspicious service creation or modification, command-shell execution, injected process behavior, and inbound tool/file transfer activity. These evidence classes matter for incident response scoping, audit defensibility, and resilience because a backdoor with persistence can extend dwell time and complicate containment if endpoint and network telemetry are incomplete.
Technical view
ATT&CK provides no official detection text for Wiarp, so SOC and detection teams should work from the supplied relationships: T1055 Process Injection, T1059.003 Windows Command Shell, T1105 Ingress Tool Transfer, and T1543.003 Windows Service. Validate Windows detections for unusual cmd.exe execution, service creation or service configuration changes, service executable path changes, process injection indicators, and file/tool transfers associated with suspicious network sessions. Incident responders should use these behaviors to scope potentially compromised Windows hosts, persistence locations, child processes, and related downloaded files rather than relying only on malware naming.
Likely telemetry
- Windows endpoint process creation and parent/child process telemetry (Security event 4688 with command-line auditing enabled, or Sysmon event 1), especially cmd.exe activity and its parent process
- Windows service creation, modification, and service executable path evidence (System event 7045 for a newly installed service; Security event 4697 where service-install auditing is enabled)
- Windows Registry evidence for service configuration under HKLM\SYSTEM\CurrentControlSet\Services, where collected
- Endpoint security or EDR telemetry for process injection or cross-process memory activity (for example Sysmon events 8 and 10 for remote thread creation and process access)
- File creation and modification telemetry for newly introduced tools or payloads (for example Sysmon event 11)
Detection direction
- Because ATT&CK provides no Wiarp-specific detection guidance, validate behavior-based coverage across the related techniques rather than only signature-based malware identification.
- Correlate suspicious Windows service changes with recent command-shell execution, new file creation, and external network activity to reduce noise from legitimate administration.
- Tune carefully around administrative software deployment and service management activity, which can resemble Windows Service persistence or command-shell execution.
- Look for blind spots where service configuration logs, process lineage, endpoint memory/injection signals, or proxy/DNS records are not retained long enough for incident scoping.
- Use the Elderwood association only as context from the official description; do not treat it as attribution for local incidents without independent evidence.
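The correlation recommended in the Technical view and Detection direction sections, written out as an added example. This is illustration for this page, not Wiarp-specific logic, MITRE code, or a vendor schema: the event shapes are simplified from Sysmon (event IDs 1, 3, 8, 11) and the System log (event ID 7045), the field names, the 15-minute window, the internal address ranges and the CcmExec.exe tuning entry are assumptions, and the sample events are constructed.

```python
"""
Correlate a Windows service installation with command-shell execution, new
executable writes, remote thread creation and external network connections
from the same host inside a short window.

Added illustration for this page (not Wiarp-specific, MITRE or vendor code).
Event shapes are simplified from Sysmon (EID 1, 3, 8, 11) and the System log
(EID 7045); field names and the 15-minute window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

WINDOW = timedelta(minutes=15)

# Assumed tuning list: parent images that legitimately spawn cmd.exe during
# software deployment (here the SCCM client). Replace with the environment's own.
ADMIN_PARENTS = {r"c:\windows\ccm\ccmexec.exe"}

# Ranges treated as internal; extend with the organisation's own address space.
INTERNAL = [ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]


def is_external(ip):
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def classify(ev):
    """Map one event to a behaviour class from the mapped techniques, or None."""
    src, eid = ev["source"], ev["event_id"]
    if src == "System" and eid == 7045:
        return "service_install"                                  # T1543.003
    if src == "Sysmon" and eid == 1 and ev["image"].lower().endswith(r"\cmd.exe"):
        if ev["parent_image"].lower() in ADMIN_PARENTS:
            return None                                           # tuned out
        return "cmd_shell"                                        # T1059.003
    if src == "Sysmon" and eid == 8:
        return "remote_thread"                                    # T1055 signal
    if src == "Sysmon" and eid == 11 and ev["target"].lower().endswith((".exe", ".dll")):
        return "new_executable"                                   # T1105 artifact
    if src == "Sysmon" and eid == 3 and is_external(ev["dest_ip"]):
        return "external_conn"                                    # T1105 / C2 path
    return None


def correlate(events, window=WINDOW, min_other=2):
    """Alert on hosts where a service install sits within `window` of at
    least `min_other` distinct other behaviour classes."""
    by_host = defaultdict(list)
    for ev in events:
        cls = classify(ev)
        if cls:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cls, ev))
    alerts = []
    for host, items in by_host.items():
        for t0, cls, anchor in items:
            if cls != "service_install":
                continue
            related = [x for x in items if abs(x[0] - t0) <= window]
            classes = {c for _, c, _ in related}
            if len(classes - {"service_install"}) >= min_other:
                alerts.append({"host": host,
                               "service": anchor["service_name"],
                               "image_path": anchor["image_path"],
                               "classes": sorted(classes)})
    return alerts


# Constructed sample telemetry, not real logs. ws01 shows the chain the page
# describes; ws02 is a benign SCCM deployment that must not alert.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-03-01T10:00:05", "source": "Sysmon", "event_id": 3,
     "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "dest_ip": "203.0.113.7"},
    {"host": "ws01", "ts": "2024-03-01T10:00:12", "source": "Sysmon", "event_id": 11,
     "image": r"C:\Users\bob\AppData\Local\Temp\upd.exe", "target": r"C:\Windows\Temp\svch.exe"},
    {"host": "ws01", "ts": "2024-03-01T10:01:00", "source": "System", "event_id": 7045,
     "service_name": "WinHelpSvc", "image_path": r"C:\Windows\Temp\svch.exe"},
    {"host": "ws01", "ts": "2024-03-01T10:01:30", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\Temp\svch.exe"},
    {"host": "ws02", "ts": "2024-03-01T11:00:00", "source": "System", "event_id": 7045,
     "service_name": "VendorAgent", "image_path": r"C:\Program Files\Vendor\agent.exe"},
    {"host": "ws02", "ts": "2024-03-01T11:00:20", "source": "Sysmon", "event_id": 1,
     "image": r"C:\Windows\System32\cmd.exe", "parent_image": r"C:\Windows\CCM\CcmExec.exe"},
    {"host": "ws02", "ts": "2024-03-01T11:00:25", "source": "Sysmon", "event_id": 3,
     "image": r"C:\Program Files\Vendor\agent.exe", "dest_ip": "10.20.30.40"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The benign host ws02 shows the tuning the page asks for: the service install alone is not an alert, and cmd.exe spawned by the deployment agent is suppressed by the allow-list rather than by lowering the threshold. Raising `min_other` trades recall for precision and should be set from the environment's own false-positive rate.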
Mitigation priorities
- Confirm baseline hardening and monitoring for Windows services, including reviewable evidence of service creation and modification.
- Restrict and monitor unnecessary command-shell usage on sensitive Windows systems using existing administrative control processes.
- Ensure endpoint controls can observe or prevent suspicious process injection behavior where supported by deployed tooling.
- Maintain network and endpoint visibility for external file transfers into Windows hosts and preserve logs for IR timelines.
- Prepare IR playbooks that collect service configuration, process lineage, file artifacts, and network indicators from suspected backdoor hosts.
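One way to produce the reviewable service creation and modification evidence the first and last mitigation priorities call for, as an added example that is not code from this page, from MITRE, or from Symantec. It diffs two service-configuration snapshots; the snapshots here are constructed dicts, the list of suspect binary locations is an assumption, and on a live host the same fields can be exported with `sc qc <name>` or Get-CimInstance Win32_Service.

```python
"""
Diff two service-configuration snapshots into findings an IR playbook can
attach: new, removed and modified services (T1543.003 persistence review),
plus service binaries living in user-writable or temporary locations.

Added illustration for this page, not MITRE or vendor code. Snapshots are
constructed dicts keyed by service name; field names are assumptions.
"""
import re

# Assumed: locations where a service binary should not normally live.
# Tune to the environment; some legitimate agents do install under ProgramData.
SUSPECT_PATH = re.compile(
    r"^(?:[a-z]:\\(?:users|windows\\temp|programdata)\\|\\\\)", re.IGNORECASE)


def binary_of(image_path):
    """Strip quotes and arguments from an ImagePath to get the executable."""
    p = image_path.strip()
    if p.startswith('"'):
        return p[1:p.find('"', 1)]
    return p.split(" ")[0]


def diff_services(baseline, current):
    """Return (service, finding, detail) tuples for reviewer triage."""
    findings = []
    for name, cfg in current.items():
        old = baseline.get(name)
        if old is None:
            findings.append((name, "new_service", cfg["image_path"]))
        else:
            for field in ("image_path", "start_type", "account"):
                if old.get(field) != cfg.get(field):
                    findings.append((name, f"changed_{field}",
                                     f"{old.get(field)} -> {cfg.get(field)}"))
        exe = binary_of(cfg["image_path"])
        if SUSPECT_PATH.match(exe):
            findings.append((name, "suspect_binary_location", exe))
    for name in baseline.keys() - current.keys():
        findings.append((name, "removed_service", baseline[name]["image_path"]))
    return findings


# Constructed snapshots, not real host data.
BASELINE = {
    "Spooler": {"image_path": r"C:\Windows\System32\spoolsv.exe",
                "start_type": "auto", "account": "LocalSystem"},
    "BITS": {"image_path": r"C:\Windows\System32\svchost.exe -k netsvcs -p",
             "start_type": "demand", "account": "LocalSystem"},
    "VendorAgent": {"image_path": r'"C:\Program Files\Vendor\agent.exe" --svc',
                    "start_type": "auto", "account": "LocalSystem"},
}
CURRENT = {
    "Spooler": BASELINE["Spooler"],
    "BITS": BASELINE["BITS"],
    # Existing service repointed at a binary dropped in Windows\Temp.
    "VendorAgent": {"image_path": r"C:\Windows\Temp\svch.exe",
                    "start_type": "auto", "account": "LocalSystem"},
    # Brand-new service whose binary sits in a user profile.
    "WinHelpSvc": {"image_path": r"C:\Users\bob\AppData\Local\Temp\wh.exe",
                   "start_type": "auto", "account": "LocalSystem"},
}

if __name__ == "__main__":
    for finding in diff_services(BASELINE, CURRENT):
        print(finding)
```

Keeping a signed baseline per host class and diffing on a schedule gives the audit trail the page asks for even on hosts where Security event 4697 auditing was not enabled before the incident.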
Analyst notes and limits
The supplied ATT&CK object identifies Wiarp as a Windows trojan/backdoor used by Elderwood and provides relationships to four techniques: Process Injection, Windows Command Shell, Ingress Tool Transfer, and Windows Service. The most useful defensive takeaway is to validate telemetry and detections across those behaviors, especially persistence and execution evidence on Windows systems.
ATT&CK supplies no official detection text, no aliases, no explicit tactics on the malware object, and limited descriptive detail. Local conclusions require environment-specific telemetry, malware analysis, incident evidence, and validation against legitimate administrative activity.
Wiarp
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Wiarp creates a backdoor through which remote attackers can download files. (Citation: Symantec Wiarp May 2012) |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique of T1059) | Wiarp creates a backdoor through which remote attackers can open a command line interface. (Citation: Symantec Wiarp May 2012) |
| Enterprise | T1055 | Process Injection | Wiarp creates a backdoor through which remote attackers can inject files into running processes. (Citation: Symantec Wiarp May 2012) |
| Enterprise | T1543.003 | Windows Service (sub-technique of T1543) | Wiarp creates a backdoor through which remote attackers can create a service. (Citation: Symantec Wiarp May 2012) |
Groups, software, and campaigns
G0066: Elderwood
Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f8577806a852… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Symantec Elderwood Sept 2012: O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.
- [2] Symantec Wiarp May 2012: Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018.
- [3] Wiarp (Citation: Symantec Wiarp May 2012)
- [4] mitre-attack S0206
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.