
S0211: Linfo

Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. [1] [2]

Enterprise | S0211 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Linfo is a Windows rootkit trojan described by ATT&CK as opening a backdoor on compromised hosts and being used by Elderwood. Its ATT&CK relationships make it relevant beyond simple malware identification: the mapped behaviors include local data collection, discovery of processes, system details, files and directories, command-shell execution, tool transfer, fallback command-and-control, scheduled transfer, and file deletion. For leaders, the practical issue is whether the organization can see and investigate a Windows host that is both hiding activity and enabling continued remote access.

Executive priority

Prioritize Linfo as a readiness test for endpoint visibility, incident response containment, and evidence quality rather than as a standalone malware signature problem. The business question is: if a Windows backdoor with rootkit characteristics performed discovery, collected local data, transferred tools, used fallback communications, scheduled transfer activity, and deleted files, would the SOC have enough host and network evidence to scope the incident and support audit or legal reporting decisions?

Technical view

For SOC, detection engineering, and IR teams, validate coverage around the related ATT&CK behaviors: T1059.003 Windows Command Shell, T1057 Process Discovery, T1082 System Information Discovery, T1083 File and Directory Discovery, T1005 Data from Local System, T1105 Ingress Tool Transfer, T1008 Fallback Channels, T1029 Scheduled Transfer, and T1070.004 File Deletion. Because ATT&CK provides no official detection text for Linfo, detections should be behavior-led and correlated across Windows endpoint activity, process execution, file activity, and outbound network communications rather than relying only on a malware name.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially cmd.exe activity
  • Process enumeration and system information query evidence
  • File and directory enumeration activity on local systems
  • File creation, modification, transfer, and deletion events
  • Network connection logs showing outbound command-and-control-like communications and possible fallback destinations or protocols

Detection direction

  • Build detections around chains of behavior: command shell execution followed by discovery, local file access, tool transfer, outbound communication, and cleanup.
  • Tune for administrative false positives by comparing discovery and file enumeration activity against known management, backup, software deployment, and troubleshooting workflows.
  • Validate that file deletion telemetry is retained long enough to support post-incident reconstruction, since cleanup behavior can remove local artifacts.
  • Look for repeated or alternate outbound communication patterns that may indicate fallback channels, especially when paired with suspicious endpoint behavior.
  • Test whether scheduled or interval-based transfer activity is visible in both host and network telemetry.
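The chained, behavior-led detection described in the list above, shown as an added worked example (Glexia's and MITRE's pages carry no code; this is not theirs). The telemetry is constructed Sysmon-style records, and the host names, the management-tool names in the allowlist, the process names and the RFC 5737 test addresses are all hypothetical. The correlation alerts only when several distinct chain stages (command shell, process/system/file discovery, tool drop, file deletion, outbound contact) land on one host inside a time window, suppresses discovery launched by known administrative parents, and separately flags a process that talks to more than one destination (fallback-like) or at a fixed interval (scheduled-transfer-like):

```python
"""Behavior-chain correlation over constructed Windows endpoint telemetry.
Every host, tool, address and event below is constructed for illustration;
none of it is a Linfo artifact or indicator."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical management tools whose discovery activity is an expected workflow.
ADMIN_PARENTS = {"backup-agent.exe", "deploy-client.exe"}
# Process images mapped to the ATT&CK techniques this page lists.
IMAGE_TECHNIQUES = {"cmd.exe": "T1059.003", "tasklist.exe": "T1057", "systeminfo.exe": "T1082"}
DISCOVERY = {"T1057", "T1082", "T1083"}
CHAIN = {"T1059.003", "T1057", "T1082", "T1083", "T1105", "T1070.004", "C2"}


def make_event(host, clock, kind, **fields):
    """Build one constructed telemetry record (all on the same constructed day)."""
    return {"host": host, "ts": f"2024-01-01T{clock}", "type": kind, **fields}


# Constructed sample telemetry for two hosts.
EVENTS = [
    # host-A: shell, discovery, enumeration, tool drop, cleanup, repeated outbound contact.
    make_event("host-A", "10:00:00", "process", pid=100, image="cmd.exe", parent="unsigned_svc.exe", cmdline="cmd.exe"),
    make_event("host-A", "10:01:00", "process", pid=101, image="tasklist.exe", parent="cmd.exe", cmdline="tasklist"),
    make_event("host-A", "10:02:00", "process", pid=102, image="systeminfo.exe", parent="cmd.exe", cmdline="systeminfo"),
    make_event("host-A", "10:03:00", "process", pid=103, image="cmd.exe", parent="unsigned_svc.exe", cmdline="cmd.exe /c dir /s C:\\Users"),
    make_event("host-A", "10:05:00", "file_create", pid=100, path="C:\\Windows\\Temp\\tool.exe"),
    make_event("host-A", "10:08:00", "file_delete", pid=100, path="C:\\Windows\\Temp\\tool.exe"),
    make_event("host-A", "10:10:00", "network", pid=100, direction="outbound", dest="203.0.113.10:443"),
    make_event("host-A", "10:20:00", "network", pid=100, direction="outbound", dest="203.0.113.10:443"),
    make_event("host-A", "10:30:00", "network", pid=100, direction="outbound", dest="203.0.113.10:443"),
    make_event("host-A", "10:40:00", "network", pid=100, direction="outbound", dest="198.51.100.7:443"),
    # host-B: the same discovery command run by a known deployment agent.
    make_event("host-B", "11:00:00", "process", pid=200, image="cmd.exe", parent="deploy-client.exe", cmdline="cmd.exe"),
    make_event("host-B", "11:01:00", "process", pid=201, image="tasklist.exe", parent="deploy-client.exe", cmdline="tasklist"),
    make_event("host-B", "11:02:00", "file_create", pid=200, path="C:\\ProgramData\\Deploy\\installer.exe"),
    make_event("host-B", "11:03:00", "network", pid=200, direction="outbound", dest="192.0.2.20:443"),
]


def classify(ev):
    """Map one event to zero or more chain stages (ATT&CK ids, or C2 for outbound contact)."""
    tags = set()
    if ev["type"] == "process":
        image = ev["image"].lower()
        if image in IMAGE_TECHNIQUES:
            tags.add(IMAGE_TECHNIQUES[image])
        # `dir` is a cmd.exe builtin, so enumeration is visible only in the command line.
        if image == "cmd.exe" and " dir " in f" {ev.get('cmdline', '').lower()} ":
            tags.add("T1083")
        # Tuning: discovery launched by a known management parent is an expected workflow.
        if ev.get("parent", "").lower() in ADMIN_PARENTS:
            tags -= DISCOVERY
    elif ev["type"] == "file_create" and ev["path"].lower().endswith((".exe", ".dll")):
        tags.add("T1105")
    elif ev["type"] == "file_delete":
        tags.add("T1070.004")
    elif ev["type"] == "network" and ev["direction"] == "outbound":
        tags.add("C2")
    return tags


def correlate(events, window=timedelta(hours=1), min_stages=4):
    """Per host, alert when at least min_stages distinct chain stages fall inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        for tag in classify(ev):
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tag))
    alerts = {}
    for host, tagged in per_host.items():
        tagged.sort()
        for i, (start, _) in enumerate(tagged):
            stages = {t for ts, t in tagged[i:] if ts - start <= window}
            if len(stages & CHAIN) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts


def network_patterns(events, tolerance=timedelta(seconds=30)):
    """Per process: flag several outbound destinations (fallback-like, T1008) and
    near-constant contact intervals (scheduled-transfer-like, T1029)."""
    by_proc = defaultdict(list)
    for ev in events:
        if ev["type"] == "network" and ev["direction"] == "outbound":
            by_proc[(ev["host"], ev["pid"])].append(ev)
    findings = defaultdict(set)
    for (host, _pid), evs in by_proc.items():
        if len({e["dest"] for e in evs}) >= 2:
            findings[host].add("T1008")
        times = sorted(datetime.fromisoformat(e["ts"]) for e in evs)
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
            findings[host].add("T1029")
    return dict(findings)


if __name__ == "__main__":
    print("chain alerts:", correlate(EVENTS))
    print("network patterns:", network_patterns(EVENTS))
```

Run as written, host-A produces a chain alert covering all seven stages plus T1008 and T1029 from its outbound traffic, while host-B stays quiet: without the administrative-parent suppression its deployment agent would have reached the four-stage threshold, which is the false-positive tuning the second bullet above asks for. The window, threshold, interval tolerance and allowlist are the knobs to adjust against real management, backup and deployment telemetry.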

Mitigation priorities

  • Ensure Windows endpoint monitoring and response coverage can collect process, file, and network evidence needed for backdoor and rootkit investigations.
  • Harden and monitor use of Windows command shell where feasible, focusing on unauthorized or unusual administrative execution patterns.
  • Apply least-privilege and administrative access controls so discovery, collection, deletion, and tool-transfer behaviors have less opportunity to succeed unnoticed.
  • Strengthen egress monitoring and control to reduce the reliability of fallback command-and-control and unauthorized transfer paths.
  • Retain logs and forensic evidence long enough to investigate scheduled transfer and file deletion activity.

Analyst notes and limits

The most useful way to operationalize this object is as a backdoor/rootkit behavior coverage review. The Elderwood reference is supplied by ATT&CK, but local prioritization should be based on whether Windows endpoints with sensitive data or privileged access have adequate monitoring and containment procedures.

ATT&CK provides a short description and no official detection guidance for Linfo. The object platform is Windows, while several related techniques list broader or non-Windows platforms in the supplied relationship context; this take applies the malware platform conservatively to Windows and uses the relationships only to frame likely behavior categories. No active exploitation, current campaign activity, or guaranteed detection coverage is implied.

Official MITRE ATT&CK definition

Linfo

Linfo is a rootkit trojan used by Elderwood to open a backdoor on compromised hosts. [1] [2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain ID Name Relationship / procedure

Enterprise T1082 System Information Discovery

Linfo creates a backdoor through which remote attackers can retrieve system information. (Citation: Symantec Linfo May 2012)

Enterprise T1008 Fallback Channels

Linfo creates a backdoor through which remote attackers can change C2 servers. (Citation: Symantec Linfo May 2012)

Enterprise T1105 Ingress Tool Transfer

Linfo creates a backdoor through which remote attackers can download files onto compromised hosts. (Citation: Symantec Linfo May 2012)

Enterprise T1083 File and Directory Discovery

Linfo creates a backdoor through which remote attackers can list contents of drives and search for files. (Citation: Symantec Linfo May 2012)

Enterprise T1070.004 File Deletion (Sub-technique)

Linfo creates a backdoor through which remote attackers can delete files. (Citation: Symantec Linfo May 2012)

Enterprise T1029 Scheduled Transfer

Linfo creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure. (Citation: Symantec Linfo May 2012)

Enterprise T1059.003 Windows Command Shell (Sub-technique)

Linfo creates a backdoor through which remote attackers can start a remote shell. (Citation: Symantec Linfo May 2012)

Enterprise T1057 Process Discovery

Linfo creates a backdoor through which remote attackers can retrieve a list of running processes. (Citation: Symantec Linfo May 2012)

Enterprise T1005 Data from Local System

Linfo creates a backdoor through which remote attackers can obtain data from local systems. (Citation: Symantec Linfo May 2012)

Associated objects

Groups, software, and campaigns

Group Enterprise

G0066: Elderwood

Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
161585796446557a...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 161585796446…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Symantec Elderwood Sept 2012
     O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.

  2. [2] Symantec Linfo May 2012
     Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018.

  3. [3] Linfo
     (Citation: Symantec Linfo May 2012)

  4. [4] mitre-attack S0211

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.