S0237: GravityRAT
GravityRAT is a remote access tool (RAT) that has been in ongoing development since 2016. The actor behind the tool remains unknown, but two usernames linked to the author have been recovered: "TheMartian" and "The Invincible." According to the National Computer Emergency Response Team (CERT) of India, the malware has been identified in attacks against organizations and entities in India. [1]
Analyst context for executives and security teams
GravityRAT is a Windows remote access tool documented by ATT&CK as under development since 2016, with reporting cited by Cisco Talos and India’s CERT indicating use against organizations and entities in India. Its value for defenders is less about a single signature and more about validating whether Windows endpoint, command execution, persistence, discovery, collection, and web-based command-and-control behaviors are observable across the environment.
Executive priority
Treat this as a readiness check for RAT-style intrusions on Windows systems: can the organization prove it can detect suspicious command execution, scheduled task persistence, local and removable-media data collection, system discovery, and web or non-standard-port command-and-control? Because ATT&CK provides no official detection guidance for GravityRAT, leadership should prioritize evidence of telemetry coverage, response playbooks, and control validation rather than assuming tool-name-based detection is sufficient.
Technical view
SOC and IR teams should validate coverage around the ATT&CK techniques linked to this malware: Windows Command Shell, WMI, Dynamic Data Exchange, Scheduled Task, multiple discovery behaviors, local/removable media collection, obfuscated or encoded files, system checks, web protocols, and non-standard ports. Since the object platform is Windows, prioritize Windows endpoint telemetry and network visibility. Detection engineering should focus on behavior chains such as discovery commands followed by file enumeration or collection, scheduled task creation, WMI activity, encoded/encrypted artifacts, and outbound web traffic on unusual ports.
Likely telemetry
- Windows process creation and command-line telemetry
- Scheduled task creation/modification events
- WMI activity logs and related process lineage
- File and directory enumeration activity where available
- Access to local files and removable media
Detection direction
- Do not rely only on malware family names; ATT&CK does not provide an official GravityRAT detection analytic in the supplied object.
- Correlate Windows execution behaviors with discovery and collection behaviors, especially command shell, WMI, scheduled tasks, process discovery, service discovery, user discovery, network configuration discovery, and file/directory discovery.
- Tune for administrative false positives: WMI, scheduled tasks, command shells, and discovery commands are legitimate in IT operations, so detections should consider parent process, user role, host baseline, timing, and follow-on network activity.
- Review outbound HTTP/S or web-like traffic over non-standard ports and unusual destinations, while accounting for legitimate business applications that may use alternate ports.
- Validate whether removable media activity is logged where relevant; lack of USB/removable-media visibility is a common blind spot for collection behaviors.
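The following is an added example of the behavior-chain correlation described in the bullets above; it is not code from MITRE ATT&CK, Cisco Talos or Glexia. It classifies Sysmon-style process-creation and network-connection records into categories that map to the techniques linked to this object (Office-spawned shell, scheduled task creation, WMI queries, discovery commands, egress on a non-standard port) and raises an alert only when a host shows several categories inside one time window. The event field names, the host and user names, the command lines, the 30-minute window and the category threshold are all assumptions or constructed sample data; the only page-sourced value is TCP port 46769.

```python
"""
Behaviour-chain correlation over Windows endpoint telemetry.
Added example for this page, not code from MITRE ATT&CK, Cisco Talos or Glexia.
Event records are constructed, Sysmon-style dictionaries; the field names
(host, user, event_id, utc_time, image, parent_image, command_line, dest_port)
are assumptions, not a real log schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands matching the technique set linked to this object
# (T1016, T1033, T1049, T1057, T1007, T1082); substring match on the command line.
DISCOVERY_CMDS = ("netstat", "tasklist", "systeminfo", "ipconfig", "whoami",
                  "net user", "sc query", "wmic")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
COMMON_WEB_PORTS = {80, 443, 8080, 8443}
WINDOW = timedelta(minutes=30)  # assumed correlation window


def basename(path):
    """Lower-case file name from a Windows path."""
    return path.lower().rsplit("\\", 1)[-1]


def classify(ev):
    """Return the set of behaviour categories a single event contributes."""
    cats = set()
    image = basename(ev["image"])
    if ev["event_id"] == 1:  # process creation
        cmd = ev["command_line"].lower()
        if basename(ev["parent_image"]) in OFFICE_PARENTS and image in SHELLS:
            cats.add("office_spawned_shell")     # DDE-style delivery, T1559.002
        if image == "schtasks.exe" and "/create" in cmd:
            cats.add("scheduled_task")           # persistence, T1053.005
        if image == "wmic.exe" or "get-wmiobject" in cmd or "get-ciminstance" in cmd:
            cats.add("wmi_query")                # T1047, also used for VM checks
        if any(d in cmd for d in DISCOVERY_CMDS):
            cats.add("discovery")
    elif ev["event_id"] == 3:  # network connection
        if ev["dest_port"] not in COMMON_WEB_PORTS and image not in BROWSERS:
            cats.add("nonstandard_port_egress")  # T1571, e.g. HTTP on TCP 46769
    return cats


def correlate(events, admin_users=frozenset(), threshold=3):
    """
    Per host, find a WINDOW-long span showing at least `threshold` distinct
    categories. A window containing activity by a user in `admin_users` needs
    one extra category, a crude stand-in for the role-based tuning recommended
    above. Returns (host, window start, sorted categories), one per host.
    """
    by_host = defaultdict(list)
    for ev in events:
        cats = classify(ev)
        if cats:
            by_host[ev["host"]].append((ev["utc_time"], ev["user"], cats))
    alerts = []
    for host, tagged in by_host.items():
        tagged.sort(key=lambda t: t[0])
        for i, (start, _, _) in enumerate(tagged):
            seen, users = set(), set()
            for t, user, cats in tagged[i:]:
                if t - start > WINDOW:
                    break
                seen |= cats
                users.add(user)
            if len(seen) >= threshold + (1 if users & admin_users else 0):
                alerts.append((host, start, sorted(seen)))
                break  # one alert per host is enough for triage
    return alerts


def proc(host, user, minute, image, parent, cmd):
    """Constructed process-creation record (Sysmon event 1 shape, assumed)."""
    return {"host": host, "user": user, "event_id": 1, "image": image,
            "utc_time": datetime(2024, 1, 1, 9, minute),
            "parent_image": parent, "command_line": cmd}


def net(host, user, minute, image, port):
    """Constructed network-connection record (Sysmon event 3 shape, assumed)."""
    return {"host": host, "user": user, "event_id": 3, "image": image,
            "utc_time": datetime(2024, 1, 1, 9, minute), "dest_port": port}


# Constructed sample telemetry: WS01 shows a chain resembling this page's
# technique set; WS02 is an administrator doing routine scheduling and network checks.
WORD = r"C:\Program Files\Microsoft Office\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    proc("WS01", "alice", 0, CMD, WORD, "cmd.exe /c powershell -w hidden"),
    proc("WS01", "alice", 1, r"C:\Windows\System32\netstat.exe", CMD, "netstat -ano"),
    proc("WS01", "alice", 2, r"C:\Windows\System32\wbem\WMIC.exe", CMD,
         "wmic computersystem get manufacturer,model"),
    proc("WS01", "alice", 3, r"C:\Windows\System32\schtasks.exe", CMD,
         r"schtasks /create /sc daily /tn Updater /tr C:\Users\alice\AppData\Roaming\svc.exe"),
    net("WS01", "alice", 5, r"C:\Users\alice\AppData\Roaming\svc.exe", 46769),
    proc("WS02", "itadmin", 10, r"C:\Windows\System32\schtasks.exe", PS,
         r"schtasks /create /sc weekly /tn Backup /tr C:\Scripts\backup.ps1"),
    proc("WS02", "itadmin", 11, r"C:\Windows\System32\ipconfig.exe", PS, "ipconfig /all"),
]

if __name__ == "__main__":
    for host, start, cats in correlate(SAMPLE_EVENTS, admin_users={"itadmin"}):
        print(f"{host} at {start:%H:%M}: {', '.join(cats)}")
```

Run as a script it reports only WS01, because the administrator on WS02 produces just two categories (scheduled task plus discovery) and is held to a higher threshold anyway. In production the category lists, the window and the threshold would be replaced by the organization's own baselines, and the parent-process and user-role checks would draw on real identity and asset data rather than the hard-coded sets used here.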
Mitigation priorities
- Prioritize Windows endpoint visibility: process command lines, script/command execution, scheduled tasks, WMI, file activity, and removable media events.
- Harden and monitor execution surfaces referenced by relationships, including command shell, WMI, DDE, and Task Scheduler, using least privilege and administrative control review.
- Restrict and monitor removable media use where business requirements allow, and ensure sensitive data handling policies are enforceable and auditable.
- Use network egress controls and logging to limit unauthorized outbound web traffic and identify protocol/port mismatches.
- Maintain incident response procedures for RAT-like activity: isolate affected Windows hosts, preserve endpoint and network evidence, review persistence mechanisms, and scope discovery and collection activity.
Analyst notes and limits
The most decision-useful context is the relationship set: GravityRAT is associated with execution, persistence, discovery, collection, stealth, and command-and-control behaviors. The official description also notes unknown actor identity and cites reporting related to targeting in India; this should inform threat-intelligence context but should not be treated as proof of current exposure in any specific environment.
ATT&CK provides no official detection text, no aliases, and no specified tactics on the malware object itself. Platform support for the malware object is Windows; related techniques may list broader platforms, but that should not be interpreted as evidence that GravityRAT itself operates on those platforms. Local telemetry, baselines, and incident evidence are required to determine actual coverage or exposure.
GravityRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.005 | Indicator Removal from Tools Sub-technique | The author of GravityRAT submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document. [1] |
| Enterprise | T1082 | System Information Discovery | GravityRAT collects the MAC address, computer name, and CPU information. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | GravityRAT collects the victim IP address and MAC address, as well as the victim account domain name. [1] |
| Enterprise | T1049 | System Network Connections Discovery | GravityRAT uses the |
| Enterprise | T1124 | System Time Discovery | GravityRAT can obtain the date and time of a system. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | GravityRAT supports file encryption (AES with the key "lolomycin2017"). [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | GravityRAT uses HTTP for C2. [1] |
| Enterprise | T1057 | Process Discovery | GravityRAT lists the running processes on the system. [1] |
| Enterprise | T1025 | Data from Removable Media | GravityRAT steals files based on an extension list if a USB drive is connected to the system. [1] |
| Enterprise | T1497.001 | System Checks Sub-technique | GravityRAT uses WMI to check the BIOS and manufacturer information for strings like "VMWare", "Virtual", and "XEN", and issues another WMI request to get the current temperature of the hardware, to determine whether it is running in a virtual machine environment. [1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | GravityRAT creates a scheduled task to ensure it is re-executed every day. [1] |
| Enterprise | T1083 | File and Directory Discovery | GravityRAT collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf. [1] |
| Enterprise | T1007 | System Service Discovery | GravityRAT has a feature to list the available services on the system. [1] |
| Enterprise | T1005 | Data from Local System | GravityRAT steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | GravityRAT executes commands remotely on the infected host. [1] |
| Enterprise | T1033 | System Owner/User Discovery | GravityRAT collects the victim username along with other account information (account type, description, full name, SID and status). [1] |
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | GravityRAT has been delivered via Word documents using DDE for execution. [1] |
| Enterprise | T1571 | Non-Standard Port | GravityRAT has used HTTP over a non-standard port, such as TCP port 46769. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | GravityRAT collects various information via WMI requests, including CPU information from the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed). [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | d326ee5cd2b4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos GravityRAT: Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018.
- [2] GravityRAT (ATT&CK name entry; cites Talos GravityRAT).
- [3] MITRE ATT&CK software entry S0237 (source name: mitre-attack).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.