
S0241: RATANKBA

RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [1] [2]

Domain: Enterprise. ID: S0241. Type: Malware. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

RATANKBA matters because it represents a Windows remote controller capability associated in ATT&CK with Lazarus Group and reported use against financial institutions and multiple enterprise sectors. For leaders, the key risk is not just “malware present,” but an operator-controlled foothold that can run jobs, discover users, services, systems, network connections, and configuration details, and potentially transfer additional tools.

Executive priority

Prioritize this as a resilience and incident-readiness use case for Windows estates, especially where financial services, telecommunications, aviation, education, insurance, IT, or consulting operations are material. Executives should ask whether the SOC can prove visibility into Windows discovery, command execution, WMI, PowerShell, web-based command-and-control, and file transfer behaviors—not just whether malware signatures exist. This object is also useful for audit and risk discussions because it maps to concrete control evidence: endpoint logging, egress monitoring, administrative tool governance, and response procedures for suspected remote access malware.

Technical view

ATT&CK does not provide a detection section for RATANKBA, so defensive validation should be driven by the related techniques. On Windows, teams should test whether they can observe and correlate service discovery, registry queries, network and remote system discovery, user and account discovery, process discovery, WMI execution, PowerShell and cmd execution, DLL injection indicators, web-protocol command-and-control, and ingress tool transfer. The most useful analytic view is likely behavioral: unusual discovery followed by command execution, outbound web traffic, or new file/tool creation from a non-administrative or unexpected host context.

Likely telemetry

  • Windows process creation and command-line telemetry for cmd.exe, PowerShell, discovery utilities, and administrative commands
  • PowerShell logging where enabled, including script block/module activity relevant to execution and discovery
  • WMI activity logs and endpoint telemetry showing local or remote WMI execution
  • Windows Registry access/query telemetry where available
  • Service, process, local account, logged-on user, network configuration, and network connection discovery evidence

Detection direction

  • Do not rely on a RATANKBA-specific signature alone; ATT&CK provides no official detection text for this software object.
  • Build and tune detections around clusters of related behaviors: discovery commands, registry queries, WMI, PowerShell/cmd execution, outbound HTTP/S-like traffic, and new tool/file introduction.
  • Baseline legitimate administrative use of WMI, PowerShell, service queries, registry queries, and network discovery to reduce false positives from IT operations.
  • Pay attention to sequencing: discovery across users, processes, services, network configuration, and remote systems can be more meaningful when followed by command execution or external communications.
  • Validate visibility on Windows endpoints specifically, since Windows is the platform ATT&CK lists for RATANKBA.
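The sequencing idea in the bullets above (a cluster of discovery commands on one host, followed by web egress from an unexpected process or a new tool on disk) can be expressed as a small analytic. The following is an added example written for this page, not Glexia's or MITRE's code; the discovery command strings are taken from the ATT&CK procedure rows for RATANKBA further down the page, while the event line format, hostnames, user names, file paths and IP addresses are all constructed for the example.

```python
"""
Added example (not Glexia's or MITRE's code): cluster-and-sequence detection for
the RATANKBA-related discovery behaviours on this page, run over constructed
Windows endpoint events. The pipe-delimited event format, hosts, users, paths and
addresses are invented for the example.
"""
from datetime import datetime, timedelta
from typing import Optional

# Discovery commands from the ATT&CK procedure rows for RATANKBA (this page).
# Ordered so the more specific pattern wins (tasklist /svc before tasklist).
DISCOVERY_PATTERNS = [
    ("T1007", "tasklist /svc"),   # System Service Discovery
    ("T1057", "tasklist"),        # Process Discovery
    ("T1033", "whoami"),          # System Owner/User Discovery
    ("T1033", "query user"),
    ("T1049", "netstat -ano"),    # System Network Connections Discovery
    ("T1087.001", "net user"),    # Local Account discovery
    ("T1018", "net view"),        # Remote System Discovery
    ("T1016", "ipconfig /all"),   # System Network Configuration Discovery
    ("T1016", "ipconfig -all"),
    ("T1012", "reg query"),       # Query Registry
]

# Processes expected to talk to the web on an endpoint (tune per estate; assumed here).
BROWSER_IMAGES = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
TOOL_EXTENSIONS = (".exe", ".dll", ".ps1")
WEB_PORTS = {80, 443, 8080}

# Constructed sample telemetry: time|host|user|kind|image|detail
SAMPLE_EVENTS = r"""
2024-05-01T09:00:05Z|WKS-FIN-017|jdoe|ProcessCreate|cmd.exe|whoami
2024-05-01T09:00:07Z|WKS-FIN-017|jdoe|ProcessCreate|cmd.exe|query user
2024-05-01T09:00:12Z|WKS-FIN-017|jdoe|ProcessCreate|cmd.exe|ipconfig /all
2024-05-01T09:00:20Z|WKS-FIN-017|jdoe|ProcessCreate|cmd.exe|tasklist /svc
2024-05-01T09:00:31Z|WKS-FIN-017|jdoe|ProcessCreate|cmd.exe|netstat -ano
2024-05-01T09:00:45Z|WKS-FIN-017|jdoe|ProcessCreate|cmd.exe|net view /domain
2024-05-01T09:00:50Z|WKS-FIN-017|jdoe|ProcessCreate|cmd.exe|reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings"
2024-05-01T09:01:10Z|WKS-FIN-017|jdoe|NetworkConnect|svchost_update.exe|203.0.113.7:443
2024-05-01T09:01:30Z|WKS-FIN-017|jdoe|FileCreate|svchost_update.exe|C:\Users\jdoe\AppData\Local\Temp\upd.dll
2024-05-01T09:10:00Z|ADMIN-JUMP01|svc_ops|ProcessCreate|cmd.exe|whoami
2024-05-01T09:10:05Z|ADMIN-JUMP01|svc_ops|ProcessCreate|cmd.exe|ipconfig /all
2024-05-01T09:10:09Z|ADMIN-JUMP01|svc_ops|ProcessCreate|cmd.exe|net view
2024-05-01T09:10:40Z|ADMIN-JUMP01|svc_ops|NetworkConnect|msedge.exe|198.51.100.20:443
2024-05-01T09:11:00Z|ADMIN-JUMP01|svc_ops|FileCreate|powershell.exe|C:\Tools\psexec.exe
2024-05-01T09:20:00Z|WKS-HR-002|asmith|ProcessCreate|cmd.exe|whoami
2024-05-01T09:20:30Z|WKS-HR-002|asmith|NetworkConnect|updater.exe|203.0.113.9:80
""".strip().splitlines()


def classify_discovery(command_line: str) -> Optional[str]:
    """Return the ATT&CK technique ID for a discovery command line, or None."""
    cmd = " ".join(command_line.lower().split())  # normalise case and whitespace
    for technique, pattern in DISCOVERY_PATTERNS:
        if pattern in cmd:
            return technique
    return None


def parse_event(line: str) -> dict:
    """Parse one pipe-delimited event line of the constructed format."""
    ts, host, user, kind, image, detail = line.split("|", 5)
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "host": host,
            "user": user, "kind": kind, "image": image.lower(), "detail": detail}


def is_follow_on(ev: dict) -> Optional[str]:
    """Follow-on behaviours the page pairs with discovery: web egress from a
    non-browser process (T1071.001) or a new tool/DLL written to disk (T1105)."""
    if ev["kind"] == "NetworkConnect" and ev["image"] not in BROWSER_IMAGES:
        if int(ev["detail"].rsplit(":", 1)[1]) in WEB_PORTS:
            return "web_egress"
    if ev["kind"] == "FileCreate" and ev["detail"].lower().endswith(TOOL_EXTENSIONS):
        return "tool_drop"
    return None


def analyze(lines, window=timedelta(minutes=10), min_techniques=3, baseline_users=frozenset()):
    """Per host: a follow-on event preceded within `window` by discovery commands
    spanning at least `min_techniques` distinct techniques raises an alert. Accounts
    in `baseline_users` (known IT/admin use) are downgraded to low, not suppressed."""
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["time"])
    recent = {}  # host -> list of (time, technique) discovery hits
    alerts = []
    for ev in events:
        hits = recent.setdefault(ev["host"], [])
        if ev["kind"] == "ProcessCreate":
            technique = classify_discovery(ev["detail"])
            if technique:
                hits.append((ev["time"], technique))
            continue
        follow = is_follow_on(ev)
        if not follow:
            continue
        in_window = {t for when, t in hits if ev["time"] - when <= window}
        if len(in_window) >= min_techniques:
            alerts.append({"host": ev["host"], "user": ev["user"], "image": ev["image"],
                           "techniques": sorted(in_window), "follow_on": follow,
                           "severity": "low" if ev["user"] in baseline_users else "high"})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS, baseline_users=frozenset({"svc_ops"})):
        print(alert)
```

Run as a script, the example yields two high-severity alerts for the finance workstation (web egress, then a DLL drop, each preceded by six discovery techniques), one low-severity alert for the jump host whose baselined service account ran three discovery commands before writing an executable, and nothing for the host that ran a single discovery command. The thresholds, window and allowlists are the tuning knobs the "Baseline legitimate administrative use" bullet refers to; in a real deployment they come from the estate's process-creation, network and file telemetry rather than the constructed lines embedded here.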

Mitigation priorities

  • Confirm endpoint detection and logging coverage for Windows command execution, PowerShell, WMI, registry access, process activity, and file creation.
  • Restrict and monitor administrative tooling such as WMI, PowerShell, and command shell usage according to least privilege and operational need.
  • Apply egress controls and proxy/DNS/firewall monitoring so web-protocol command-and-control and tool transfer are reviewable and enforceable.
  • Use application control or execution governance where practical to reduce unauthorized tool execution and DLL abuse opportunities.
  • Segment sensitive systems and financial or operationally critical environments to limit the value of discovery and reduce lateral movement options after compromise.

Analyst notes and limits

The strongest source-supported points are that RATANKBA is a Windows remote controller tool, is associated by ATT&CK with Lazarus Group, has been reported in activity affecting financial institutions and other enterprise sectors, and is related to multiple discovery, execution, command-and-control, ingress transfer, and DLL injection techniques. Glexia’s defensive emphasis is therefore on proving behavioral coverage across those related techniques rather than treating this as a single malware-name detection problem.

ATT&CK does not supply official detection guidance, aliases, labels, or explicit tactics for the RATANKBA object itself. The telemetry and control guidance above is inferred from the supplied relationships to ATT&CK techniques and must be validated against the local Windows environment, logging configuration, administrative practices, and network architecture. No claim is made that RATANKBA is currently active in any specific environment.

Official MITRE ATT&CK definition

RATANKBA

RATANKBA is a remote controller tool used by Lazarus Group. RATANKBA has been used in attacks targeting financial institutions in Poland, Mexico, Uruguay, the United Kingdom, and Chile. It was also seen used against organizations related to telecommunications, management consulting, information technology, insurance, aviation, and education. RATANKBA has a graphical user interface to allow the attacker to issue jobs to perform on the infected machines. [1] [2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

(15 rows)

Domain | ID | Name | Relationship / procedure
Enterprise | T1033 | System Owner/User Discovery | RATANKBA runs the whoami and query user commands. [2]
Enterprise | T1049 | System Network Connections Discovery | RATANKBA uses netstat -ano to search for specific IP address ranges. [2]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | RATANKBA uses cmd.exe to execute commands. [1] [2]
Enterprise | T1007 | System Service Discovery | RATANKBA uses tasklist /svc to display running tasks. [2]
Enterprise | T1071.001 | Web Protocols (sub-technique) | RATANKBA uses HTTP/HTTPS for command and control communication. [1] [2]
Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | RATANKBA performs a reflective DLL injection using a given pid. [1] [2]
Enterprise | T1047 | Windows Management Instrumentation | RATANKBA uses WMI to perform process monitoring. [1] [2]
Enterprise | T1087.001 | Local Account (sub-technique) | RATANKBA uses the net user command. [2]
Enterprise | T1057 | Process Discovery | RATANKBA lists the system's processes. [1] [2]
Enterprise | T1016 | System Network Configuration Discovery | RATANKBA gathers the victim's IP address via the ipconfig -all command. [1] [2]
Enterprise | T1018 | Remote System Discovery | RATANKBA runs the net view /domain and net view commands. [2]
Enterprise | T1012 | Query Registry | RATANKBA uses the command reg query "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\InternetSettings". [2]
Enterprise | T1105 | Ingress Tool Transfer | RATANKBA uploads and downloads information. [1] [2]
Enterprise | T1059.001 | PowerShell (sub-technique) | There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form. [1] [2]
Enterprise | T1082 | System Information Discovery | RATANKBA gathers information about the OS architecture, OS name, and OS version/Service pack. [1] [2]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 29a4dcced5895ab2...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 29a4dcced589…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Lazarus RATANKBA: Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018.
  [2] RATANKBA: Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018.
  [3] mitre-attack S0241
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.