
S0217: SHUTTERSPEED

SHUTTERSPEED is a backdoor used by APT37. [1]

Domain: Enterprise | ID: S0217 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

SHUTTERSPEED is identified by ATT&CK as a backdoor associated with APT37, with documented behaviors tied to system information discovery, bringing tools into an environment, and screen capture. For leaders, the practical concern is not only the malware name; it is whether the organization can quickly prove what a compromised host learned about the environment, whether additional tooling was introduced, and whether sensitive on-screen information may have been collected.

Executive priority

Treat this as a readiness and evidence-quality issue for incident response and SOC operations. Because ATT&CK provides no official platform scope or detection guidance for SHUTTERSPEED itself, priority should be on validating coverage for the related behaviors: discovery of operating system and hardware details, external file/tool transfer into the environment, and screen capture. These behaviors can affect business continuity, data exposure assessment, and incident scoping, especially where sensitive operations, privileged administration, or regulated information may appear on user screens.

Technical view

SOC and IR teams should not rely on a malware-name alert alone. Validate detections around the relationship-linked techniques: T1082 System Information Discovery, T1105 Ingress Tool Transfer, and T1113 Screen Capture. The malware object does not specify platforms, but the related techniques span enterprise environments including Linux, macOS, Windows, ESXi, IaaS, and network devices depending on the technique. Detection engineering should therefore map local telemetry by platform and confirm whether endpoint, network, cloud, and file evidence can correlate discovery commands/API activity, suspicious inbound tool/file creation, and screenshot-related behavior during the same intrusion timeline.

Likely telemetry

  • Endpoint process creation and command-line telemetry showing operating system, hardware, patch, hotfix, service pack, or architecture discovery activity
  • Host inventory and configuration data useful for comparing legitimate administrative discovery against unusual post-compromise discovery
  • Network connection, proxy, DNS, firewall, and flow logs that can show external file or tool transfer into the environment
  • Endpoint file creation, modification, quarantine, and execution telemetry for newly introduced tools or payloads
  • EDR or operating system events related to screen capture utilities, graphics APIs, desktop/session access, or screenshot file creation where available

Detection direction

  • Build behavior-based analytics for the related techniques rather than a SHUTTERSPEED-only signature dependency, since ATT&CK provides no official detection text for this malware object.
  • Correlate system information discovery followed by external file transfer or screen capture behavior, as single events may be legitimate in administrative or support workflows.
  • Tune for context: administrative scripts, software management tools, monitoring agents, helpdesk screen-sharing, and patch-management activity can resemble parts of these behaviors.
  • Check blind spots in non-Windows and infrastructure environments because related techniques include Linux, macOS, ESXi, IaaS, and network devices, while the malware object itself does not define a platform list.
  • Ensure incident responders can reconstruct whether files were introduced after initial compromise and whether screen capture could have exposed sensitive data, credentials, operational dashboards, or regulated information.
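The correlation the bullets above describe (T1082 discovery followed on the same host by T1105 or T1113 within one window, with management tooling tuned out) as an added example; this is illustrative code written for this page, not Glexia's or MITRE's, and the events, host names and process allowlist are constructed:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (illustrative, not real telemetry). "technique" is the
# ATT&CK ID already assigned by an upstream endpoint rule; "proc" is the process.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-03-01T09:00:00", "technique": "T1082", "proc": "cmd.exe", "detail": "systeminfo"},
    {"host": "ws01", "ts": "2024-03-01T09:04:00", "technique": "T1105", "proc": "cmd.exe", "detail": "exe written after outbound HTTP"},
    {"host": "ws01", "ts": "2024-03-01T09:10:00", "technique": "T1113", "proc": "update.exe", "detail": "screenshot file created"},
    {"host": "ws02", "ts": "2024-03-01T10:00:00", "technique": "T1082", "proc": "sccm_agent.exe", "detail": "wmic os get"},
    {"host": "ws02", "ts": "2024-03-01T10:02:00", "technique": "T1105", "proc": "sccm_agent.exe", "detail": "package download"},
    {"host": "ws03", "ts": "2024-03-01T11:00:00", "technique": "T1113", "proc": "helpdesk.exe", "detail": "screen share"},
    {"host": "ws03", "ts": "2024-03-01T14:30:00", "technique": "T1082", "proc": "cmd.exe", "detail": "systeminfo"},
]

# Hypothetical allowlist of management tooling that legitimately performs discovery,
# package transfer or screen sharing; tune to the local environment.
BENIGN_PROCS = frozenset({"sccm_agent.exe", "helpdesk.exe"})
FOLLOW_ON = {"T1105", "T1113"}


def parse_ts(ev):
    return datetime.fromisoformat(ev["ts"])


def correlate(events, window_minutes=60, benign=BENIGN_PROCS):
    """Alert when T1082 on a host is followed by T1105 and/or T1113 within the window.

    Events from allowlisted processes are dropped first, so a single legitimate
    discovery or transfer does not fire; only the chained behavior on one host does.
    Returns one alert per qualifying T1082 anchor event.
    """
    window = timedelta(minutes=window_minutes)
    by_host = defaultdict(list)
    for ev in events:
        if ev["proc"] not in benign:
            by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=parse_ts)
        for i, anchor in enumerate(evs):
            if anchor["technique"] != "T1082":
                continue
            t0 = parse_ts(anchor)
            seen = sorted({e["technique"] for e in evs[i + 1:]
                           if e["technique"] in FOLLOW_ON and parse_ts(e) - t0 <= window})
            if seen:
                alerts.append({"host": host, "anchor_ts": anchor["ts"], "followed_by": seen})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

With the sample data only ws01 fires; ws02 is suppressed by the allowlist and ws03's discovery has no follow-on event after it.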

Mitigation priorities

  • Prioritize telemetry coverage and retention for the three related behaviors before assuming detection coverage for SHUTTERSPEED itself.
  • Restrict and monitor outbound and inbound file transfer paths using controlled egress, proxy inspection, and approved administrative channels where appropriate.
  • Use least privilege and application control policies to reduce unauthorized tool execution and limit access to sensitive desktop sessions.
  • Maintain accurate asset, OS, patch, and configuration inventories so discovery activity can be interpreted quickly during an investigation.
  • Prepare IR playbooks that include evidence collection for introduced files, network transfer paths, and possible screenshot exposure.

Analyst notes and limits

The supplied ATT&CK object is sparse: SHUTTERSPEED is described as a backdoor used by APT37, with one cited FireEye report and relationships to three ATT&CK techniques. The most defensible Glexia value is to translate those relationships into coverage validation questions for SOC, IR, and control owners rather than to infer detailed malware functionality beyond the official fields.

No official ATT&CK detection guidance, aliases, labels, tactics, or platforms are provided for the SHUTTERSPEED malware object. Platform references in this take come only from the related techniques and should not be read as confirmed SHUTTERSPEED platform support. Local environment evidence is required to determine exposure, detection coverage, and response priority.

Official MITRE ATT&CK definition

SHUTTERSPEED

SHUTTERSPEED is a backdoor used by APT37. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID     Name                          Relationship / procedure
Enterprise  T1082  System Information Discovery  SHUTTERSPEED can collect system information. [1]
Enterprise  T1105  Ingress Tool Transfer         SHUTTERSPEED can download and execute an arbitrary executable. [1]
Enterprise  T1113  Screen Capture                SHUTTERSPEED can capture screenshots. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0067: APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 6971b8013c30edcd...

Imported snapshots across ATT&CK releases (1)

Release  Bundle imported  Object version  Modified  Status          Raw hash
19.1                      1.0                       Current bundle  6971b8013c30…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye APT37 Feb 2018: FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
  2. [2] mitre-attack S0217.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.