S0247: NavRAT
Analyst context for executives and security teams
NavRAT is a Windows remote access tool described by ATT&CK as capable of uploading, downloading, and executing files, with reporting noting attacks targeting South Korea. For leaders, the material issue is not the tool name alone; it is the combination of remote control, credential collection via keylogging, persistence through Run keys or Startup folders, file transfer, local staging, and mail-protocol command-and-control behaviors mapped in ATT&CK relationships.
Executive priority
Prioritize NavRAT as a validation case for Windows endpoint resilience, credential protection, and SOC visibility. The ATT&CK relationships show behaviors that can affect incident scoping and business continuity: persistence, command execution, data staging, tool transfer, and credential access. Executives should ask whether teams can prove they collect the endpoint, identity, and network evidence needed to reconstruct these behaviors, especially where mail protocols are permitted and where Windows startup persistence is common. Because ATT&CK links this software to APT37 and notes South Korea targeting, threat intelligence teams may treat it as relevant for sector or geography-based risk discussions, but local exposure must be established with internal evidence.
Technical view
Defenders should validate coverage on Windows systems for the related behaviors: Process Injection, Keylogging, Process Discovery, Windows Command Shell execution, Mail Protocols for command and control, Local Data Staging, System Information Discovery, Ingress Tool Transfer, and Registry Run Keys / Startup Folder persistence. Since ATT&CK provides no dedicated detection text for NavRAT, detection engineering should focus on behavior chaining: unusual persistence entries plus command shell activity, file transfer or staging, process enumeration, and mail-protocol traffic inconsistent with the host’s role. Incident responders should use these behaviors to guide triage of affected Windows endpoints, credential-risk assessment, and containment decisions.
Likely telemetry
- Windows endpoint process creation and command-line logging
- Windows Registry monitoring for Run key changes
- Startup folder file creation or modification events
- Endpoint alerts or behavioral telemetry for process injection
- Keyboard-hook or keylogging-related endpoint detections where available
Detection direction
- Build detections around behavior combinations rather than the malware name, because no official ATT&CK detection guidance is provided for this object.
- Tune for suspicious Windows command shell execution associated with newly created persistence entries, unusual parent processes, or remote-control activity.
- Monitor Run keys and Startup folders, accounting for legitimate software installers and user logon utilities to reduce false positives.
- Validate whether endpoint tooling can surface process injection signals and whether those signals are retained long enough for incident response.
- Review mail-protocol egress from endpoints that are not expected to send or retrieve mail directly; mail protocols may blend with normal traffic in permissive environments.
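The behavior-chaining idea above, as an added illustration that is not part of the ATT&CK object or Glexia's tooling: a small Python correlator that flags a host only when a Run key write (T1547.001), a Windows command shell launch (T1059.003), and `>>` staging into a .tmp file (T1074.001) all occur within one time window, so a lone installer adding a Run key or a lone admin shell does not fire. The event schema and every event record are constructed sample telemetry.

```python
"""Behavior-chaining toy detector for the NavRAT pattern described above.
Event schema (host, ts, type, image, cmdline, key) and all records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
RUN_KEY = r"\microsoft\windows\currentversion\run"   # matches Run and RunOnce paths
CHAIN = {"T1547.001", "T1059.003", "T1074.001"}

def labels(event):
    """Map one normalized endpoint event to the ATT&CK behaviors it exhibits."""
    out = set()
    if event["type"] == "registry_set" and RUN_KEY in event["key"].lower():
        out.add("T1547.001")              # Registry Run key persistence
    if event["type"] == "process_create":
        cmd = event["cmdline"].lower()
        if event["image"].lower().endswith("\\cmd.exe"):
            out.add("T1059.003")          # Windows command shell
        if ">>" in cmd and ".tmp" in cmd:
            out.add("T1074.001")          # appending output to a TMP staging file
    return out

def chained_hosts(events, window=WINDOW):
    """Return hosts where every behavior in CHAIN occurs within one `window`."""
    by_host = defaultdict(list)
    for ev in events:
        for lbl in labels(ev):
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), lbl))
    hits = []
    for host, seen in by_host.items():
        seen.sort()                       # events may arrive out of order
        for i, (start, _) in enumerate(seen):
            in_window = {lbl for ts, lbl in seen[i:] if ts - start <= window}
            if CHAIN <= in_window:
                hits.append(host)
                break
    return sorted(hits)

SAMPLE_EVENTS = [  # constructed sample telemetry
    {"host": "WS01", "ts": "2024-03-01T09:00:00", "type": "registry_set", "image": "update.exe",
     "cmdline": "", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc"},
    {"host": "WS01", "ts": "2024-03-01T09:03:10", "type": "process_create", "key": "",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami /all >> C:\Users\a\AppData\Local\Temp\1.tmp"},
    {"host": "WS02", "ts": "2024-03-01T10:00:00", "type": "registry_set", "image": "setup.exe",
     "cmdline": "", "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Vendor"},
    {"host": "WS03", "ts": "2024-03-01T11:00:00", "type": "process_create", "key": "",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c ipconfig"},
]

if __name__ == "__main__":
    print(chained_hosts(SAMPLE_EVENTS))  # ['WS01']
```

WS02 (installer adding a Run key) and WS03 (a plain admin shell) stay quiet; only the host showing all three behaviors inside ten minutes is reported.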
Mitigation priorities
- Ensure Windows endpoint logging and EDR coverage are deployed and retained for systems with business-critical access.
- Restrict and monitor autorun persistence locations such as Registry Run keys and Startup folders where operationally feasible.
- Limit unnecessary outbound mail protocols from endpoints and route required mail traffic through controlled infrastructure.
- Apply least privilege and credential-protection practices to reduce the value of captured keystrokes and post-compromise access.
- Harden script and command shell usage with administrative controls, monitoring, and review of legitimate business exceptions.
Analyst notes and limits
This take is based on the ATT&CK software object for NavRAT, its official description, external references, and listed relationships. The most decision-useful content comes from the related techniques, which describe the behaviors defenders should validate rather than relying on static malware identification.
ATT&CK does not provide official detection text, aliases, labels, or explicit tactics for the NavRAT object itself. The object supports Windows as the platform and notes South Korea targeting, but it does not establish current activity, customer exposure, or guaranteed detection methods. Local telemetry, asset roles, and incident evidence are required to determine relevance and priority.
NavRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1074.001 | Local Data Staging Sub-technique | NavRAT writes multiple outputs to a TMP file using the >> method. (Citation: Talos NavRAT May 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | NavRAT can download files remotely. (Citation: Talos NavRAT May 2018) |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | NavRAT uses the email platform, Naver, for C2 communications, leveraging SMTP. (Citation: Talos NavRAT May 2018) |
| Enterprise | T1055 | Process Injection | NavRAT copies itself into a running Internet Explorer process to evade detection. (Citation: Talos NavRAT May 2018) |
| Enterprise | T1082 | System Information Discovery | NavRAT uses |
| Enterprise | T1056.001 | Keylogging Sub-technique | NavRAT logs the keystrokes on the targeted system. (Citation: Talos NavRAT May 2018) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence. (Citation: Talos NavRAT May 2018) |
| Enterprise | T1057 | Process Discovery | NavRAT uses |
Groups, software, and campaigns
G0067: APT37
APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016-2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9b9d7fa8c622… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos NavRAT May 2018: Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018. Open source URL.
- [2] NavRAT (Citation: Talos NavRAT May 2018)
- [3] mitre-attack S0247. Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.