MITRE ATT&CK® Malware

S0212: CORALDECK

CORALDECK is an exfiltration tool used by APT37. [1]

Enterprise | S0212 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

CORALDECK matters because ATT&CK describes it as a Windows exfiltration tool used by APT37, with linked behavior covering file discovery, archiving, and exfiltration over unencrypted non-C2 protocols. For leaders, the practical issue is not the malware name itself but whether the organization can prove it would notice staged data collection and outbound data movement before it becomes a reportable data-loss event.

Executive priority

Treat this as a data-loss readiness check. Security leaders should ask whether sensitive file locations are monitored, whether archive creation on Windows endpoints is visible, and whether outbound unencrypted protocols are governed and logged well enough to support incident response and compliance evidence. Because ATT&CK provides no official detection guidance for CORALDECK, coverage should be validated through the related techniques rather than assumed from malware signatures alone.

Technical view

For SOC, detection engineering, and IR teams, map CORALDECK coverage to its ATT&CK relationships: T1083 File and Directory Discovery, T1560.001 Archive via Utility, and T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol. Validate Windows endpoint telemetry for file enumeration and archive utility execution, then correlate with network evidence of outbound unencrypted traffic to destinations that are not expected business services. Since the object has no official detection text, detections should be behavior-led and tuned against local administrative, backup, compression, and data-transfer activity.

Likely telemetry

  • Windows endpoint process creation and command-line logging
  • File system activity showing enumeration of directories, sensitive paths, or network shares
  • Archive creation events and execution of compression or packaging utilities
  • Outbound network flow, proxy, DNS, HTTP, FTP, or other unencrypted protocol logs where available
  • Data transfer volume, destination, and timing metadata

Detection direction

  • Build coverage around the related behaviors rather than the malware family name alone, because official ATT&CK detection guidance is not provided.
  • Correlate file and directory discovery followed by archive creation and outbound unencrypted transfer from the same Windows host or user context.
  • Tune out expected enterprise activity such as software deployment, backup jobs, administrative scripts, and approved bulk file transfers.
  • Review blind spots in unmanaged Windows endpoints, limited command-line logging, encrypted archive contents, proxy bypass paths, and network segments without egress visibility.
  • Use the APT37 reference as threat-intelligence context, but do not rely on attribution as a detection condition.
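The correlation described in the technical view and in the detection direction above, as an added, constructed example (not code from ATT&CK, Glexia, or the FireEye report): it classifies process-creation and proxy events into the three related techniques and raises an alert only when discovery, archive creation, and a plain-HTTP POST to an unsanctioned destination occur in that order on one host within a window. The log layout, the hdr_bytes/body_bytes proxy fields, the utility list, the password-switch heuristic, the 30-minute window, the 2 KiB header threshold and the allowlist are all assumptions, and every event is made up.

```python
"""Behaviour-chain detection for the CORALDECK relationships:
T1083 (discovery) -> T1560.001 (archive via utility) -> T1048.003 (plain-HTTP exfil).

Added example for this page; not code from ATT&CK, Glexia, or the FireEye report.
The log format, field names (hdr_bytes/body_bytes), utility list, thresholds,
window and allowlist are all assumptions; every event below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)        # assumption: staging chain completes within 30 minutes
HEADER_BYTES_SUSPECT = 2048           # assumption: >2 KiB of request headers on a POST is unusual
ALLOWED_HTTP_DESTS = {"backup.corp.example"}   # constructed allowlist of sanctioned plain-HTTP services

DISCOVERY_RE = re.compile(r"\b(dir\s+/s|Get-ChildItem\b.*-Recurse|tree\s+/f|findstr\s+/s)\b", re.I)
ARCHIVE_EXE_RE = re.compile(r'(?:^|[\\/"\s])(rar|winrar|7z|7za|zip|winimage)\.exe\b', re.I)
ARCHIVE_PW_RE = re.compile(r"(?:^|\s)-(?:hp|p)\S*", re.I)    # rar -p/-hp and 7z -p switches (assumption)
HTTP_RE = re.compile(r"^(?P<method>[A-Z]+) http://(?P<host>[^/\s:]+)\S* "
                     r"hdr_bytes=(?P<hdr>\d+) body_bytes=(?P<body>\d+)$")

# Constructed telemetry: (ISO timestamp, host, user, kind, detail)
# kind "proc" = process creation command line; kind "http" = one proxy log entry.
EVENTS = [
    ("2024-05-01T09:00:05", "WS01", "alice", "proc",
     r"cmd.exe /c dir /s /b C:\Users\alice\Documents\*.docx"),
    ("2024-05-01T09:00:40", "WS01", "alice", "proc",
     r'"C:\Program Files\WinRAR\rar.exe" a -hpS3cret -r C:\Users\alice\AppData\Local\Temp\out.rar C:\Users\alice\Documents'),
    ("2024-05-01T09:01:30", "WS01", "alice", "http",
     "POST http://203.0.113.10/upload hdr_bytes=6144 body_bytes=12"),
    # Sanctioned nightly backup: archive plus upload, but no discovery and an allowlisted destination.
    ("2024-05-01T02:00:00", "SRV02", "svc_backup", "proc", r"7z.exe a -t7z D:\backup\nightly.7z D:\data"),
    ("2024-05-01T02:10:00", "SRV02", "svc_backup", "http",
     "POST http://backup.corp.example/api hdr_bytes=512 body_bytes=900000000"),
    # Discovery on its own: someone browsing a share, nothing follows.
    ("2024-05-01T10:00:00", "WS03", "bob", "proc", r"powershell.exe Get-ChildItem -Recurse \\fileserver\finance"),
]


def classify(kind, detail):
    """Map one raw event to (technique ID, evidence note), or None if uninteresting."""
    if kind == "proc":
        if ARCHIVE_EXE_RE.search(detail):
            protected = bool(ARCHIVE_PW_RE.search(detail))
            return ("T1560.001", "password-protected archive" if protected else "archive")
        if DISCOVERY_RE.search(detail):
            return ("T1083", "recursive file enumeration")
    elif kind == "http":
        m = HTTP_RE.match(detail)
        if m and m["method"] == "POST" and m["host"] not in ALLOWED_HTTP_DESTS:
            note = "plain-HTTP POST to unsanctioned destination " + m["host"]
            if int(m["hdr"]) >= HEADER_BYTES_SUSPECT:
                note += f", {m['hdr']} header bytes (possible header-carried data)"
            return ("T1048.003", note)
    return None


def detect(events):
    """One alert per host where T1083, then T1560.001, then T1048.003 occur within WINDOW."""
    by_host = defaultdict(list)
    for ts, host, user, kind, detail in events:
        stage = classify(kind, detail)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), user, stage[0], stage[1]))
    alerts = []
    for host, evs in by_host.items():
        evs.sort()                                    # order by time within the host
        for i, disc in enumerate(evs):
            if disc[2] != "T1083":
                continue
            arch_i = next((k for k in range(i + 1, len(evs))
                           if evs[k][2] == "T1560.001" and evs[k][0] - disc[0] <= WINDOW), None)
            if arch_i is None:
                continue
            exf = next((e for e in evs[arch_i + 1:]
                        if e[2] == "T1048.003" and e[0] - disc[0] <= WINDOW), None)
            if exf:
                alerts.append({
                    "host": host,
                    "user": exf[1],
                    "chain": ["T1083", "T1560.001", "T1048.003"],
                    "evidence": [disc[3], evs[arch_i][3], exf[3]],
                    "span_seconds": int((exf[0] - disc[0]).total_seconds()),
                })
                break                                 # one alert per host is enough here
    return alerts


if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Only WS01 is flagged: the backup server archives and uploads but never enumerates files and posts to an allowlisted service, and WS03 stops at discovery. Two of the blind spots listed above show up directly in the code: the archive stage keys on the utility name and its password switch because an encrypted archive's contents cannot be inspected, and the header-size signal for T1048.003 only works if the proxy actually records request header size, which many deployments do not log by default.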

Mitigation priorities

  • Prioritize visibility first: confirm endpoint, file, archive, and egress telemetry is collected and retained for investigation.
  • Restrict and monitor outbound unencrypted protocols where business need is limited, especially from endpoints or servers that store sensitive data.
  • Apply least-privilege access to sensitive file repositories so discovery and staging attempts have less data to reach.
  • Control or monitor archive utilities and unusual compression behavior on Windows systems, while allowing documented business use.
  • Maintain incident response playbooks for suspected data staging and exfiltration, including containment, scoping, legal/compliance notification inputs, and evidence preservation.

Analyst notes and limits

The supplied ATT&CK object is sparse: CORALDECK is identified as an exfiltration tool, with Windows as the platform and a cited FireEye APT37 report. The most useful defensive interpretation comes from the relationships to discovery, archiving, and unencrypted non-C2 exfiltration techniques.

No official ATT&CK detection text, aliases, labels, or object-level tactics were supplied. The platform lists on the related techniques are broader than the CORALDECK object's own platform and should not be treated as proof that this malware runs outside Windows. Local telemetry, normal business transfer patterns, and sensitive-data locations are required to determine real coverage.

Official MITRE ATT&CK definition

CORALDECK

CORALDECK is an exfiltration tool used by APT37. [1]

The same entry is available on attack.mitre.org (the MITRE-hosted reference; in-page links on this page use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique) | CORALDECK has exfiltrated data in HTTP POST headers. [1]
Enterprise | T1560.001 | Archive via Utility (sub-technique) | CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated. [1]
Enterprise | T1083 | File and Directory Discovery (technique) | CORALDECK searches for specified files. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0067: APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 7c2a450bd257929e...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 7c2a450bd257…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye APT37 Feb 2018: FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  2. [2] CORALDECK (Citation: FireEye APT37 Feb 2018).
  3. [3] mitre-attack S0212.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.