S0207: Vasport
Analyst context for executives and security teams
Vasport is a Windows backdoor trojan associated in ATT&CK with Elderwood. Its business significance is not the malware family name itself, but the behaviors linked to it: web-based command-and-control, proxy use, inbound tool transfer, and Windows Run Key or Startup Folder persistence. For leaders, this is a reminder that backdoors often survive by looking like normal web traffic and by using common Windows autostart locations, so resilience depends on whether the organization can see endpoint persistence changes and correlate them with unusual outbound network activity.
Executive priority
Prioritize validation of Windows endpoint visibility, egress monitoring, and persistence control evidence. Because ATT&CK provides no dedicated detection guidance for Vasport, executives should ask whether SOC and IR teams can prove they collect the telemetry needed to identify backdoor persistence, web-protocol command-and-control, proxy-mediated traffic, and follow-on tool transfer. This supports incident decision-making, audit evidence for endpoint monitoring, and practical budget prioritization around managed detection, endpoint logging, and network visibility rather than malware-name-only alerting.
Technical view
SOC and IR teams should treat Vasport as a behavior-led detection problem. Validate coverage for Windows Registry Run Keys and Startup Folder changes tied to T1547.001, outbound web protocol communications tied to T1071.001, proxy-style intermediary communications tied to T1090, and file/tool ingress activity tied to T1105. Since the object has no official ATT&CK detection text and no tactics listed directly on the malware object, detection engineering should map alerts to the related techniques rather than rely on a Vasport signature alone. Investigations should correlate suspicious autostart entries, newly written executables, outbound HTTP/S-like sessions, proxy indicators, and subsequent file downloads on the same host.
Likely telemetry
- Windows endpoint telemetry for process creation, file writes, and executable creation
- Windows Registry monitoring for Run Key changes
- Startup Folder file creation or modification events
- Network proxy, firewall, DNS, and web gateway logs for outbound web-protocol communications
- Evidence of proxy or intermediary network paths where available
Detection direction
- Validate that detections are mapped to the related ATT&CK techniques: T1071.001, T1090, T1105, and T1547.001.
- Tune Windows persistence detections for unusual Run Key or Startup Folder entries, while accounting for legitimate software installers and user logon utilities as false positives.
- Correlate persistence changes with outbound web traffic and subsequent file ingress rather than alerting on any single weak signal.
- Review network monitoring blind spots where HTTP/S traffic, proxy chaining, or web gateway exclusions could hide command-and-control activity.
- Avoid assuming malware-family detection coverage; ATT&CK does not provide official Vasport detection logic in the supplied object.
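The correlation the bullets above call for, as an added example that is not Glexia's or MITRE's code: a small Python correlator over constructed Windows telemetry events. It maps each event to one of the related technique IDs (T1547.001 for an autostart write by a process outside a local baseline, T1071.001 for an outbound HTTP POST, T1105 for a new executable written by a process that already has web traffic) and alerts only when all three land on one host within a sliding window. The event schema, the baseline of allowed autostart writers, the 60-minute window, and every host name, path and address are assumptions chosen for the example.

```python
"""Correlate autostart persistence, outbound web-protocol traffic and follow-on file
ingress per Windows host so an alert fires only when they coincide. Added example,
not Glexia or MITRE code; schema, baseline, window and sample records are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Related ATT&CK techniques listed for Vasport on this page.
PERSISTENCE, WEB_C2, INGRESS = "T1547.001", "T1071.001", "T1105"
REQUIRED = {PERSISTENCE, WEB_C2, INGRESS}

# Lower-case substrings of the autostart locations covered by T1547.001.
AUTOSTART_MARKERS = (
    r"\currentversion\run",            # ...\Windows\CurrentVersion\Run and RunOnce keys
    r"\start menu\programs\startup",   # per-user and all-users Startup Folder
)

# Constructed local baseline of process images allowed to write autostart entries
# (installers, logon utilities). Build yours from your own environment.
BASELINE_AUTOSTART_WRITERS = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\program files\vendor updater\setup.exe",
}

WINDOW = timedelta(minutes=60)   # assumed: how close the three signals must be


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str               # "registry" | "file" | "network"
    image: str              # process image that produced the event
    detail: Dict[str, str]  # kind-specific fields: key / path / method, dst_ip, dst_port


def classify(ev: Event, web_active_images: Set[str]) -> Optional[str]:
    """Map one raw event to a weak signal (technique ID) or None.
    web_active_images holds images on this host already seen sending HTTP/S POSTs."""
    image = ev.image.lower()
    if ev.kind == "registry":
        key = ev.detail.get("key", "").lower()
        if any(m in key for m in AUTOSTART_MARKERS) and image not in BASELINE_AUTOSTART_WRITERS:
            return PERSISTENCE
    elif ev.kind == "file":
        path = ev.detail.get("path", "").lower()
        if any(m in path for m in AUTOSTART_MARKERS) and image not in BASELINE_AUTOSTART_WRITERS:
            return PERSISTENCE      # file dropped into a Startup Folder
        if path.endswith(".exe") and image in web_active_images:
            return INGRESS          # new executable from a process with web C2-like traffic
    elif ev.kind == "network":
        if ev.detail.get("method") == "POST" and ev.detail.get("dst_port") in {"80", "443", "8080"}:
            return WEB_C2           # outbound web-protocol session (HTTP POST, as the table notes)
    return None


def correlate(events: List[Event]) -> List[dict]:
    """Return one alert per host whose persistence, web C2 and ingress signals all
    fall within WINDOW of each other. Any single weak signal on its own never alerts."""
    alerts: List[dict] = []
    alerted: Set[str] = set()
    state: Dict[str, dict] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        st = state.setdefault(ev.host, {"web_images": set(), "signals": []})
        sig = classify(ev, st["web_images"])
        if sig is None:
            continue
        if sig == WEB_C2:
            st["web_images"].add(ev.image.lower())
        st["signals"].append((ev.ts, sig, ev.image))
        # keep only the signals inside the sliding window that ends at this event
        st["signals"] = [s for s in st["signals"] if ev.ts - s[0] <= WINDOW]
        seen = {s[1] for s in st["signals"]}
        if REQUIRED <= seen and ev.host not in alerted:
            alerted.add(ev.host)
            alerts.append({
                "host": ev.host,
                "techniques": sorted(seen),
                "first_seen": st["signals"][0][0].isoformat(),
                "last_seen": ev.ts.isoformat(),
                "evidence": [f"{t.strftime('%H:%M')} {s} {img}" for t, s, img in st["signals"]],
            })
    return alerts


# Constructed sample telemetry (timestamps, hosts, paths and addresses are made up).
T0 = datetime(2024, 1, 1, 9, 0)
BACKDOOR = r"C:\Users\alice\AppData\Roaming\svc\upd.exe"
SAMPLE_EVENTS = [
    # WS-01: Run key, then an HTTP POST, then a new executable written by the same process.
    Event(T0, "WS-01", "registry", BACKDOOR, {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"}),
    Event(T0 + timedelta(minutes=5), "WS-01", "network", BACKDOOR,
          {"method": "POST", "dst_ip": "203.0.113.10", "dst_port": "443"}),
    Event(T0 + timedelta(minutes=12), "WS-01", "file", BACKDOOR, {"path": r"C:\Users\alice\AppData\Local\Temp\tool.exe"}),
    # WS-02: a baseline installer sets a Run key and a browser POSTs: two benign weak signals.
    Event(T0 + timedelta(minutes=30), "WS-02", "registry", r"C:\Windows\System32\msiexec.exe",
          {"key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"}),
    Event(T0 + timedelta(minutes=31), "WS-02", "network", r"C:\Program Files\Browser\browser.exe",
          {"method": "POST", "dst_ip": "198.51.100.7", "dst_port": "443"}),
    # WS-03: an unknown writer adds a Startup Folder entry and nothing follows.
    Event(T0 + timedelta(minutes=40), "WS-03", "file", r"C:\Users\bob\Downloads\helper.exe",
          {"path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\helper.lnk"}),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints one alert for WS-01; WS-02 (installer Run key plus a browser POST) and WS-03 (a lone Startup Folder drop) produce none, which is the single-weak-signal behaviour the bullets ask for. The ingress heuristic (an executable written by a process that already has outbound web traffic) is one choice; where Sysmon-style named-stream creation events are collected, a Zone.Identifier stream on a newly written executable is another signal worth mapping to T1105.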
Mitigation priorities
- Harden and monitor Windows autostart locations, especially Registry Run Keys and Startup Folder paths.
- Maintain endpoint controls and logging capable of recording process, file, and registry activity on Windows hosts.
- Apply egress control and web/proxy logging sufficient to investigate unusual outbound web-protocol communication.
- Ensure IR playbooks include host isolation, persistence review, and scoping for downloaded tools when a backdoor is suspected.
- Use the related ATT&CK techniques to drive control validation and detection testing rather than relying only on named-malware signatures.
Analyst notes and limits
The supplied ATT&CK object identifies Vasport as a trojan used by Elderwood to open a backdoor on compromised hosts. The relationship context supplies the most useful defensive direction: web protocols, proxy, ingress tool transfer, and Registry Run Keys/Startup Folder. Local environment baselines are required to distinguish legitimate web traffic, proxy behavior, software installation, and normal startup entries from suspicious activity.
ATT&CK provides no official detection text for this object, no aliases, no labels, and no direct tactics listed on the malware object. The platform explicitly supplied for Vasport is Windows; broader platforms shown in related technique records should not be treated as Vasport platform claims. Conclusions should be validated against local telemetry and incident evidence.
Vasport
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | Vasport creates a backdoor by making a connection using an HTTP POST. (Citation: Symantec Vasport May 2012) |
| Enterprise | T1105 | Ingress Tool Transfer | Vasport can download files. (Citation: Symantec Vasport May 2012) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Vasport copies itself to disk and creates an associated run key Registry entry to establish. (Citation: Symantec Vasport May 2012) |
| Enterprise | T1090 | Proxy | Vasport is capable of tunneling through a proxy. (Citation: Symantec Vasport May 2012) |
Groups, software, and campaigns
G0066: Elderwood
Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5f35c4928d53… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Symantec Elderwood Sept 2012: O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.
- [2] Symantec Vasport May 2012: Zhou, R. (2012, May 15). Backdoor.Vasport. Retrieved February 22, 2018.
- [3] Vasport (Citation: Symantec Vasport May 2012)
- [4] mitre-attack S0207
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.