S0215: KARAE
Analyst context for executives and security teams
KARAE matters because it is documented as a Windows backdoor and first-stage malware associated in ATT&CK with APT37 reporting. First-stage backdoors are business-relevant because they can be the entry point for later discovery, command-and-control, and tool transfer activity. For leaders, the practical question is not whether a tool name is present in alerts, but whether the organization can detect the behaviors ATT&CK links to it: drive-by compromise, system information discovery, web-service-based C2, and inbound transfer of additional tools.
Executive priority
Treat KARAE as a test case for early intrusion readiness on Windows endpoints. Priority decisions should focus on whether web browsing risk, endpoint visibility, outbound web traffic monitoring, and incident response triage can identify and contain a first-stage backdoor before follow-on tooling is introduced. This is useful for control prioritization, SOC validation, and audit evidence around endpoint detection, egress monitoring, and incident escalation processes. ATT&CK does not provide a specific detection analytic for KARAE, so coverage should be proven through behavior-based validation rather than name-based signatures alone.
Technical view
The supplied ATT&CK relationships link KARAE to System Information Discovery, Bidirectional Communication via legitimate external web services, Ingress Tool Transfer, and Drive-by Compromise. SOC and IR teams should validate collection and correlation across Windows endpoint process activity, browser-originated execution, host discovery commands or API activity, outbound web connections to external services, and file creation or download events consistent with new tool transfer. Because the object has no official detection text and no explicit tactics on the malware object itself, detection engineering should map to the related techniques rather than assuming a complete KARAE-specific detection path.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Browser and web content interaction telemetry where available
- Endpoint file creation, download, and write events
- Network proxy, secure web gateway, DNS, and firewall logs for outbound web activity
- EDR telemetry showing parent-child process relationships around browsers, scripts, and downloaded files
Detection direction
- Validate behavior-based detections for unusual system information discovery from newly observed or suspicious processes on Windows hosts.
- Tune monitoring for browser-to-execution chains consistent with drive-by compromise while accounting for legitimate software installers and enterprise web applications.
- Correlate outbound web traffic with endpoint process context; legitimate external web services can create blind spots if proxy logs are not tied back to host and process activity.
- Look for suspicious inbound file transfers or new executable/script artifacts following outbound C2-like communication.
- Avoid relying only on malware names or hashes; the ATT&CK object provides no official KARAE detection logic.
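The technical view and the detection direction above both reduce to one correlation: a browser-originated process on a Windows host that performs system discovery, talks to a legitimate cloud storage service, and then writes a new executable into a user-writable location. The following is an added example, written for this page rather than taken from ATT&CK, the FireEye report, or any KARAE sample. It scores that chain over a small set of constructed endpoint, proxy and file events. The event schema, the cloud-storage domain list, the user-writable directory patterns, the discovery utility names and the alert threshold are all assumptions a SOC would replace with its own EDR and proxy field names and allowlists.

```python
"""Score a browser -> discovery -> cloud C2 -> ingress chain over flattened telemetry.

Added illustrative example. Event shapes, hostnames and paths below are constructed
for the demonstration and are not drawn from any real incident or KARAE sample.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List

BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Assumption: built-in utilities commonly seen in T1082-style discovery.
DISCOVERY_IMAGES = {"systeminfo.exe", "hostname.exe", "whoami.exe", "ipconfig.exe"}
# Assumption: public cloud-storage/API domains that are legitimate for the business
# but unusual as the first destination of a fresh binary from a user-writable path.
CLOUD_STORAGE_DOMAINS = {"content.dropboxapi.com", "api.dropboxapi.com",
                         "www.googleapis.com", "graph.microsoft.com"}
USER_WRITABLE = ("\\downloads\\", "\\appdata\\local\\temp\\", "\\appdata\\roaming\\")
EXEC_SUFFIXES = (".exe", ".dll", ".ps1", ".vbs", ".js")


@dataclass
class Finding:
    pid: int
    image: str
    stages: List[str] = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.stages)


def _ts(e: dict) -> datetime:
    return datetime.fromisoformat(e["ts"])


def _user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)


def _browser_ancestor(procs: dict, pid: int, hops: int = 3) -> bool:
    """True if a browser appears within `hops` parents of pid (browser-to-execution chain)."""
    cur = procs.get(pid)
    for _ in range(hops):
        if cur is None:
            return False
        parent = procs.get(cur["parent_pid"])
        if parent is None:
            return False
        if parent["image"].lower() in BROWSERS:
            return True
        cur = parent
    return False


def correlate(events: List[dict], window: timedelta = timedelta(minutes=30)) -> Dict[int, Finding]:
    """Attach discovery, cloud C2 and ingress stages to every browser-descended process."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: Dict[int, Finding] = {}
    for pid, p in procs.items():
        if p["image"].lower() in BROWSERS or not _browser_ancestor(procs, pid):
            continue
        f = Finding(pid, p["image"], ["browser_origin"])
        # Unsigned binary started from a download/temp path: the drive-by lure shape.
        if not p.get("signed", True) and _user_writable(p.get("path", "")):
            f.stages.append("unsigned_user_writable")
        findings[pid] = f

    c2_seen = set()  # pids that have already reached a cloud-storage domain
    for e in sorted(events, key=_ts):
        # Child process events belong to their parent; network/file events to their own pid.
        owner = e["parent_pid"] if e["type"] == "process" else e["pid"]
        f = findings.get(owner)
        if f is None:
            continue
        start = _ts(procs[owner])
        if not (start <= _ts(e) <= start + window):
            continue
        if e["type"] == "process" and e["image"].lower() in DISCOVERY_IMAGES:
            if "discovery" not in f.stages:
                f.stages.append("discovery")
        elif e["type"] == "network" and e["dest"].lower() in CLOUD_STORAGE_DOMAINS:
            c2_seen.add(owner)
            if "cloud_c2" not in f.stages:
                f.stages.append("cloud_c2")
        elif (e["type"] == "file" and e["action"] == "create" and owner in c2_seen
              and e["path"].lower().endswith(EXEC_SUFFIXES) and _user_writable(e["path"])):
            # New executable artifact only counts once C2-like traffic has been seen.
            if "ingress_tool" not in f.stages:
                f.stages.append("ingress_tool")
    return findings


def alerts(events: List[dict], threshold: int = 4) -> List[Finding]:
    """Return findings that reach the (assumed) alert threshold of stage hits."""
    return [f for f in correlate(events).values() if f.score >= threshold]


# Constructed sample telemetry: one suspicious chain and one signed installer from the same browser.
EVENTS = [
    {"type": "process", "ts": "2024-03-01T09:00:00", "pid": 100, "parent_pid": 1, "image": "explorer.exe", "signed": True},
    {"type": "process", "ts": "2024-03-01T09:00:05", "pid": 200, "parent_pid": 100, "image": "chrome.exe", "signed": True},
    {"type": "process", "ts": "2024-03-01T09:01:00", "pid": 300, "parent_pid": 200, "image": "ytdownloader.exe",
     "path": "C:\\Users\\u\\Downloads\\ytdownloader.exe", "signed": False},
    {"type": "process", "ts": "2024-03-01T09:01:02", "pid": 301, "parent_pid": 300, "image": "systeminfo.exe", "signed": True},
    {"type": "process", "ts": "2024-03-01T09:01:03", "pid": 302, "parent_pid": 300, "image": "whoami.exe", "signed": True},
    {"type": "network", "ts": "2024-03-01T09:01:10", "pid": 300, "dest": "content.dropboxapi.com", "port": 443},
    {"type": "file", "ts": "2024-03-01T09:01:12", "pid": 300, "path": "C:\\Users\\u\\AppData\\Local\\Temp\\svc.exe", "action": "create"},
    {"type": "process", "ts": "2024-03-01T09:05:00", "pid": 400, "parent_pid": 200, "image": "SetupApp.exe",
     "path": "C:\\Users\\u\\Downloads\\SetupApp.exe", "signed": True},
    {"type": "network", "ts": "2024-03-01T09:05:05", "pid": 400, "dest": "www.googleapis.com", "port": 443},
    {"type": "file", "ts": "2024-03-01T09:05:07", "pid": 400, "path": "C:\\Program Files\\App\\app.exe", "action": "create"},
]

if __name__ == "__main__":
    for f in alerts(EVENTS):
        print(f"pid {f.pid} {f.image}: score {f.score} stages {f.stages}")
```

The signed installer (pid 400) also descends from the browser and also reaches a cloud API, but it never runs discovery and writes its executable outside user-writable space, so it stops at two stages and stays below the threshold; that is the installer allowance the tuning bullet calls for. The ingress stage is deliberately gated on a prior cloud-storage connection from the same process, which keeps ordinary browser downloads from counting as tool transfer.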
Mitigation priorities
- Prioritize Windows endpoint monitoring and response coverage for first-stage malware behaviors.
- Harden web browsing paths with patching, web filtering, and controls that reduce drive-by compromise risk where applicable.
- Maintain egress controls and logging for outbound web communications, including visibility into legitimate external services used for command-and-control patterns.
- Restrict and monitor execution from user-writable and download locations where business operations allow.
- Ensure IR playbooks include rapid triage for suspicious browser-originated execution, host discovery, and follow-on file transfer.
Analyst notes and limits
KARAE is described by ATT&CK as a backdoor typically used by APT37 as first-stage malware, based on the cited FireEye report. The most useful defensive framing is behavioral: initial access via drive-by compromise, discovery of system information, command-and-control through legitimate web services, and ingress transfer of tools. The malware object is scoped to Windows, while some related techniques list broader platforms; local validation should focus first on Windows because that is the supplied platform for KARAE.
Official ATT&CK detection guidance is not provided for this malware object. Tactics are not specified directly on the object, and the relationship descriptions are technique-level context rather than a complete KARAE procedure. This summary does not establish active exploitation, current targeting, customer exposure, or guaranteed detection coverage; those require local intelligence, telemetry, and incident evidence.
KARAE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1189 | Drive-by Compromise | KARAE was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | KARAE can upload and download files, including second-stage malware. [1] |
| Enterprise | T1082 | System Information Discovery | KARAE can collect system information. [1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | KARAE can use public cloud-based storage providers for command and control. [1] |
Groups, software, and campaigns
G0067: APT37
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | c2d2731dfc3d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT37 Feb 2018. FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
- [2] KARAE. ATT&CK object description, citing FireEye APT37 Feb 2018.
- [3] mitre-attack S0215. MITRE ATT&CK source entry for S0215 (KARAE).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.