S0216: POORAIM
Analyst context for executives and security teams
POORAIM is a Windows backdoor that MITRE describes as used by APT37 since at least 2014. Its ATT&CK relationships show why it matters operationally: after access, it is associated with host discovery, file and directory discovery, screen capture, and bidirectional command-and-control over legitimate web services. For leaders, the key issue is not just the malware name, but whether the organization can see and investigate quiet post-compromise behavior that may look like normal user, admin, browser, or web traffic.
Executive priority
Treat POORAIM as a validation case for Windows endpoint visibility, web egress governance, and incident response readiness. The business question is whether security teams can prove they collect enough evidence to detect discovery, collection, and web-service-based command-and-control before a backdoor becomes an extended intrusion. This supports control prioritization around endpoint logging, proxy/DNS visibility, browser hardening, and documented response procedures for suspected backdoor activity.
Technical view
SOC and IR teams should map coverage to the supplied relationships: T1189 Drive-by Compromise for initial access context, T1057 Process Discovery, T1082 System Information Discovery, T1083 File and Directory Discovery, T1113 Screen Capture, and T1102.002 Bidirectional Communication. Because MITRE provides no official detection text for POORAIM, detection should be behavior-led rather than name-led: correlate Windows endpoint activity, discovery patterns, screenshot-related behavior, and outbound web traffic to legitimate external services that is unusual for the host or user.
Likely telemetry
- Windows endpoint process execution and command-line telemetry
- Process enumeration and system information query events
- File and directory enumeration activity, especially unusual breadth or sensitive paths
- Screen capture indicators from endpoint telemetry where available
- Browser, proxy, DNS, and firewall logs for outbound web communications
Detection direction
- Do not rely on a POORAIM signature alone; validate behavioral detections across discovery, collection, and command-and-control relationships.
- Tune discovery alerts to reduce noise from legitimate administration while preserving signals from unusual users, hosts, timing, or process ancestry.
- Review coverage for web-service-based C2, where traffic may blend with normal access to legitimate external services.
- Correlate possible screen capture activity with other discovery and outbound communication events before escalating severity.
- For drive-by compromise context, validate whether browser/proxy/endpoint telemetry can connect a suspicious web visit to subsequent host activity.
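As an added example (not MITRE's or Glexia's code), a small Python correlator that applies the detection direction above: it tags constructed endpoint and network events with the technique IDs listed on this page and flags a host only when several distinct techniques, including egress to a legitimate web service, appear within one time window. The command-line patterns, the web-service domain list, the sample events and the threshold are all assumptions to be replaced by local baselining.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Command-line patterns mapped to technique IDs from this page (constructed, not MITRE analytics).
# T1113 Screen Capture is omitted: it needs EDR-specific signals rather than command lines.
PROCESS_RULES = [
    (re.compile(r"\b(tasklist|get-process)\b", re.I), "T1057"),
    (re.compile(r"\b(systeminfo|powercfg|get-computerinfo)\b", re.I), "T1082"),
    (re.compile(r"\bdir\b.*\s/s\b|get-childitem.*-recurse", re.I), "T1083"),
]
# Legitimate web services an implant might use for C2 (constructed list; tune to your environment).
WEB_SERVICE_SUFFIXES = ("aim.com", "aol.com")

def tag_event(ev):
    """Return the ATT&CK technique ID an event suggests, or None if it matches nothing."""
    if ev["kind"] == "process":
        for pat, tech in PROCESS_RULES:
            if pat.search(ev["cmdline"]):
                return tech
    elif ev["kind"] == "network" and ev["dest"].endswith(WEB_SERVICE_SUFFIXES):
        return "T1102.002"
    return None

def correlate(events, window=timedelta(minutes=30), min_techniques=3):
    """Flag hosts showing >= min_techniques distinct techniques, including web-service C2, in one window."""
    tagged = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        tech = tag_event(ev)
        if tech:
            tagged[ev["host"]].append((ev["ts"], tech))
    alerts = {}
    for host, items in tagged.items():
        for i, (start, _) in enumerate(items):  # sliding window anchored at each tagged event
            seen = {t for ts, t in items[i:] if ts - start <= window}
            if "T1102.002" in seen and len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts

# Constructed sample telemetry: WS01 runs discovery and then talks to a web service;
# ADMIN1 runs routine discovery only and must not alert.
SAMPLE = [
    {"ts": datetime(2024, 1, 1, 9, 0), "host": "WS01", "kind": "process", "cmdline": "tasklist /v"},
    {"ts": datetime(2024, 1, 1, 9, 2), "host": "WS01", "kind": "process", "cmdline": "systeminfo"},
    {"ts": datetime(2024, 1, 1, 9, 5), "host": "WS01", "kind": "process", "cmdline": "cmd /c dir C:\\Users /s"},
    {"ts": datetime(2024, 1, 1, 9, 9), "host": "WS01", "kind": "network", "dest": "example-host.aim.com"},
    {"ts": datetime(2024, 1, 1, 9, 0), "host": "ADMIN1", "kind": "process", "cmdline": "tasklist"},
    {"ts": datetime(2024, 1, 1, 9, 1), "host": "ADMIN1", "kind": "process", "cmdline": "systeminfo"},
]
if __name__ == "__main__":
    print(correlate(SAMPLE))  # prints {'WS01': ['T1057', 'T1082', 'T1083', 'T1102.002']}
```

The threshold and window are the tuning knobs: raising min_techniques suppresses single discovery commands from administrators, while the web-service requirement keeps the alert tied to the C2 relationship rather than discovery alone.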
Mitigation priorities
- Prioritize reliable Windows endpoint logging and retention before attempting advanced analytics.
- Harden browsers and operating systems through timely patching and standard configuration management to reduce drive-by compromise exposure.
- Apply least privilege so process, system, and file discovery yields less useful information to an intruder.
- Govern outbound web access with proxy, DNS, and firewall controls that support investigation of unusual external service communications.
- Prepare IR playbooks for suspected backdoor activity, including host isolation, memory/process review, credential risk assessment, and network scoping.
Analyst notes and limits
MITRE identifies POORAIM as a backdoor associated with APT37 and cites the FireEye APT37 report. The most decision-useful content in the supplied data comes from the related ATT&CK techniques rather than from a detailed malware procedure description. Local baselining is required because discovery commands, screenshot tools, browser activity, and web service traffic can all have legitimate explanations.
The supplied object has no official detection guidance, no aliases, no labels, and no malware-specific procedure details beyond the relationship context. The object platform is Windows; related techniques list additional platforms, but those should not be treated as POORAIM platform coverage from this object alone. This take does not assert active exploitation or current customer exposure.
POORAIM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | POORAIM can conduct file browsing. [1] |
| Enterprise | T1113 | Screen Capture | POORAIM can perform screen capturing. [1] |
| Enterprise | T1102.002 | Bidirectional Communication (sub-technique of T1102) | POORAIM has used AOL Instant Messenger for C2. [1] |
| Enterprise | T1057 | Process Discovery | POORAIM can enumerate processes. [1] |
| Enterprise | T1082 | System Information Discovery | POORAIM can identify system information, including battery status. [1] |
| Enterprise | T1189 | Drive-by Compromise | POORAIM has been delivered through compromised sites acting as watering holes. [1] |
Groups, software, and campaigns
G0067: APT37
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | c88b5ba23144… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT37 Feb 2018: FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
- [2] POORAIM (Citation: FireEye APT37 Feb 2018)
- [3] mitre-attack S0216
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.