S0218: SLOWDRIFT
Analyst context for executives and security teams
SLOWDRIFT matters because ATT&CK identifies it as a Windows backdoor associated with APT37 reporting and linked to discovery and command-and-control behaviors. For leaders, the practical issue is not the malware name alone; it is whether the organization can recognize a compromised Windows system collecting system details, communicating through legitimate external web services, and receiving additional tools or files.
Executive priority
Prioritize this as a readiness question for targeted-intrusion response: can the SOC prove it has Windows endpoint visibility, outbound web-service monitoring, and file-transfer evidence sufficient to investigate a backdoor quickly? The object is especially relevant to organizations concerned with strategic targeting, academic or research exposure, and audit evidence showing that command-and-control and tool-transfer scenarios are covered by logging, response playbooks, and escalation criteria.
Technical view
ATT&CK provides no dedicated detection text for SLOWDRIFT, so validation should be relationship-driven. On Windows endpoints, defenders should test whether they can observe system information discovery consistent with T1082, suspicious bidirectional communication over legitimate external web services consistent with T1102.002, and external file/tool transfer consistent with T1105. IR teams should confirm they can connect endpoint process/file activity with network sessions and downloaded artifacts without relying on the SLOWDRIFT name or a single indicator.
Likely telemetry
- Windows endpoint process execution and command-line or equivalent activity related to system and host information collection
- Endpoint file creation, modification, and download evidence for newly introduced tools or payloads
- Network proxy, DNS, firewall, and web gateway logs showing outbound connections to external web services
- HTTP/S metadata sufficient to correlate endpoints, users, destinations, timing, volume, and user-agent or request patterns where available
- EDR alerts and investigation artifacts tying process activity to outbound network connections
Detection direction
- Do not depend on malware-specific signatures alone; ATT&CK supplies no official SLOWDRIFT detection guidance.
- Tune for sequences: system information discovery followed by unusual outbound web-service communication or file transfer from the same Windows host.
- Baseline legitimate use of external web services to reduce false positives, because T1102.002 explicitly involves legitimate services that may also be normal business traffic.
- Validate that proxy and endpoint telemetry can be joined by host, user, and time; loss of correlation is a major blind spot for backdoor investigations.
- Review egress monitoring for cases where encrypted web traffic or sanctioned web services obscure command-and-control behavior.
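The sequence tuning described above, as an added example that is not part of the ATT&CK object or this page's own material: a small Python correlation over constructed endpoint process events and proxy records that flags a T1082-style discovery command followed, on the same host and user within a short window, by traffic to an external web service outside the sanctioned baseline, and labels a large inbound response as a possible ingress tool transfer (T1105). The hostnames, service names, baseline set, window and byte threshold are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): endpoint process events and proxy records
# already normalized to a shared host/user/timestamp schema, which is the join this page calls for.
PROCESS_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "WS-17", "user": "jlee", "cmd": "systeminfo"},
    {"ts": "2024-03-01T09:00:09", "host": "WS-17", "user": "jlee", "cmd": "wmic os get caption,version"},
    {"ts": "2024-03-01T11:30:00", "host": "WS-22", "user": "mkim", "cmd": "hostname"},
]
PROXY_LOGS = [
    {"ts": "2024-03-01T09:01:40", "host": "WS-17", "user": "jlee", "dst": "api.cloudstore.example", "bytes_out": 2310},
    {"ts": "2024-03-01T09:02:15", "host": "WS-17", "user": "jlee", "dst": "cdn.cloudstore.example", "bytes_in": 412880},
    {"ts": "2024-03-01T11:45:00", "host": "WS-22", "user": "mkim", "dst": "graph.microsoft.com", "bytes_in": 9000},
]
# Assumed baseline: external web services this host class legitimately uses (reduces T1102.002 false positives).
SANCTIONED_SERVICES = {"graph.microsoft.com"}
# Command prefixes treated as host/system information discovery (T1082); extend from local telemetry.
DISCOVERY_COMMANDS = ("systeminfo", "hostname", "whoami", "wmic os", "wmic computersystem")


def is_discovery(cmd):
    c = cmd.lower()
    return any(c.startswith(k) for k in DISCOVERY_COMMANDS)


def parse(ts):
    return datetime.fromisoformat(ts)


def find_sequences(process_events, proxy_logs, window_minutes=15, download_bytes=100_000):
    """Return one finding per unsanctioned web-service record that follows a discovery command
    from the same host and user inside the window; the earliest qualifying discovery is recorded."""
    discoveries = sorted((e for e in process_events if is_discovery(e["cmd"])), key=lambda e: e["ts"])
    findings = []
    for p in proxy_logs:
        if p["dst"] in SANCTIONED_SERVICES:
            continue  # baselined business traffic, not a sequence candidate
        t = parse(p["ts"])
        for d in discoveries:
            gap = t - parse(d["ts"])
            if d["host"] == p["host"] and d["user"] == p["user"] and timedelta(0) <= gap <= timedelta(minutes=window_minutes):
                # A large inbound payload after discovery looks like tool transfer; otherwise a C2-style exchange.
                kind = "ingress_transfer" if p.get("bytes_in", 0) >= download_bytes else "c2_exchange"
                findings.append({"host": p["host"], "user": p["user"], "discovery_cmd": d["cmd"],
                                 "discovery_ts": d["ts"], "dst": p["dst"], "ts": p["ts"], "kind": kind})
                break
    return findings


if __name__ == "__main__":
    for f in find_sequences(PROCESS_EVENTS, PROXY_LOGS):
        print(f)
```

Both WS-17 records are flagged because they follow `systeminfo` within the window, while the WS-22 record is suppressed by the baseline despite the preceding `hostname` command.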
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are deployed and retained long enough to support backdoor investigations.
- Strengthen outbound web access governance with proxy logging, DNS visibility, and review of access to external web services based on business need.
- Implement controlled download and file-transfer monitoring so ingress tool transfer can be investigated and contained.
- Maintain incident response playbooks for suspected backdoor activity, including host isolation, artifact preservation, network scoping, and credential-risk review.
- Use asset criticality to prioritize monitoring and response for systems supporting research, academic, strategic, or sensitive business functions.
Analyst notes and limits
The supplied ATT&CK object describes SLOWDRIFT as a Windows backdoor used by APT37 against academic and strategic victims in South Korea, with relationships to System Information Discovery, Bidirectional Communication via web services, and Ingress Tool Transfer. The most defensible use of this object is as a coverage and readiness test for discovery plus command-and-control behaviors rather than as a standalone malware-detection recipe.
ATT&CK provides no official detection text, aliases, labels, or object-level tactics for SLOWDRIFT in the supplied fields. The relationship descriptions are partial, and not every related technique's platform list includes Windows even though the malware's platform is Windows. Local telemetry, approved web-service usage, asset criticality, and retained forensic evidence are required to determine actual exposure or coverage.
SLOWDRIFT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | SLOWDRIFT collects and sends system information to its C2. [1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication (sub-technique) | SLOWDRIFT uses cloud based services for C2. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | SLOWDRIFT downloads additional payloads. [1] |
Groups, software, and campaigns
G0067: APT37
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0e7463f8a766… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye APT37 Feb 2018: FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved November 17, 2024.
- [2] SLOWDRIFT (Citation: FireEye APT37 Feb 2018)
- [3] mitre-attack S0218
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.