S0253: RunningRAT
RunningRAT is a remote access tool that appeared in operations surrounding the 2018 Pyeongchang Winter Olympics along with Gold Dragon and Brave Prince. [1]
Analyst context for executives and security teams
RunningRAT is a Windows remote access tool documented by ATT&CK from reporting around the 2018 Pyeongchang Winter Olympics. Its ATT&CK relationships matter because they describe a full intrusion-support pattern: persistence through Run keys/startup folders, command execution, discovery, collection of keystrokes and clipboard data, archiving collected data, and attempts to reduce evidence by deleting files or clearing Windows logs.
Executive priority
Treat this as a readiness check for whether Windows endpoint, identity, and SOC controls can prove coverage across credential capture, persistence, data collection, and evidence destruction. The business decision value is not the malware name alone; it is whether incident responders can quickly answer: which users were exposed, what data may have been collected, whether startup persistence exists, and whether logs were tampered with. Because ATT&CK provides no official detection text here, leaders should require evidence from local telemetry and response procedures rather than assume tool-specific coverage.
Technical view
Validate Windows-focused detections and response playbooks against the related ATT&CK behaviors: T1547.001 Registry Run Keys / Startup Folder, T1059.003 Windows Command Shell, T1056.001 Keylogging, T1115 Clipboard Data, T1082 System Information Discovery, T1680 Local Storage Discovery, T1560 Archive Collected Data, T1070.004 File Deletion, T1685 Disable or Modify Tools, and T1685.005 Clear Windows Event Logs. SOC teams should correlate persistence changes, suspicious shell execution, collection staging/archive activity, file deletion, and event log clearing rather than depending on a single malware signature.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe activity
- Registry modification events for Run keys and startup folder file creation
- Windows Event Log status and log-clearing events
- File creation, deletion, and archive/compression activity on endpoints
- Clipboard and keylogging-related behavioral signals where endpoint tooling supports them
Detection direction
- Build behavior chains that join persistence, command shell execution, discovery, collection, archiving, and cleanup activity on the same Windows host or user session.
- Prioritize high-confidence alerts for Windows event log clearing and security-tool impairment, because these behaviors can reduce later forensic visibility.
- Tune Run key and startup folder monitoring to distinguish authorized software updaters and administration tools from unusual user-context persistence.
- Review command shell detections for remote or unusual execution context, but avoid assuming every cmd.exe invocation is malicious.
- Look for collection staging patterns, such as clipboard/keylogging indicators followed by archive creation and file deletion, when telemetry is available.
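To make the behavior-chain idea above concrete, here is an added example (not part of the ATT&CK object or the cited reporting) that groups constructed Windows endpoint events per host and user session, maps them to the stages listed above, and rates the chain, treating event log clearing as high confidence on its own. Event field names, the 60-minute window and the severity thresholds are assumptions for illustration.

```python
"""Behavior-chain correlation over constructed Windows endpoint events.
Stages follow the RunningRAT-related behaviors above: Run-key persistence,
cmd.exe execution, archive creation, file deletion, and event log clearing.
Event records and field names are constructed assumptions, not real telemetry."""
from datetime import datetime, timedelta

STAGE_RULES = [  # (event kind, predicate on lower-cased detail, stage name)
    ("registry_set", lambda d: "\\currentversion\\run" in d, "persistence"),
    ("process_create", lambda d: d.startswith("cmd.exe"), "shell"),
    ("file_create", lambda d: d.endswith((".zip", ".rar", ".7z")), "archive"),
    ("file_delete", lambda d: True, "file_deletion"),
    ("eventlog", lambda d: " 1102 " in d, "log_clear"),  # Security 1102 = audit log cleared
]

def classify(ev):
    detail = ev["detail"].lower()
    for kind, pred, stage in STAGE_RULES:
        if ev["kind"] == kind and pred(detail):
            return stage
    return None  # event evidences none of the tracked stages

def correlate(events, window_minutes=60):
    """Per (host, user), collect stages seen within window_minutes of that
    session's first event. Log clearing alone is high confidence (it erodes
    later forensic visibility); otherwise severity grows with chain length."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        sessions.setdefault((ev["host"], ev["user"]), []).append(ev)
    findings = {}
    for key, evs in sessions.items():
        start = datetime.fromisoformat(evs[0]["ts"])
        limit = start + timedelta(minutes=window_minutes)
        stages = {classify(e) for e in evs if datetime.fromisoformat(e["ts"]) <= limit}
        stages.discard(None)
        severity = ("high" if "log_clear" in stages or len(stages) >= 3
                    else "medium" if len(stages) == 2 else "low")
        findings[key] = {"stages": stages, "severity": severity}
    return findings

SAMPLE_EVENTS = [  # constructed sample records, not from the cited reporting
    {"ts": "2024-01-01T09:00:00", "host": "WS01", "user": "alice", "kind": "registry_set",
     "detail": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"},
    {"ts": "2024-01-01T09:02:00", "host": "WS01", "user": "alice", "kind": "process_create",
     "detail": "cmd.exe /c C:\\Users\\alice\\AppData\\Local\\Temp\\run.bat"},
    {"ts": "2024-01-01T09:10:00", "host": "WS01", "user": "alice", "kind": "file_create",
     "detail": "C:\\Users\\alice\\AppData\\Local\\Temp\\collected.zip"},
    {"ts": "2024-01-01T09:12:00", "host": "WS01", "user": "alice", "kind": "eventlog",
     "detail": "Security 1102 The audit log was cleared"},
]
```

Calling `correlate(SAMPLE_EVENTS)` rates the WS01/alice session high because four stages land inside the window and one of them is a log clear; narrowing the window to five minutes leaves only persistence and shell.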
Mitigation priorities
- Ensure Windows endpoint logging, EDR/AV, and event forwarding are enabled and protected against tampering.
- Restrict and monitor persistence locations such as Registry Run keys and startup folders, especially for standard user contexts.
- Harden administrative privileges so clearing Windows logs or disabling tools requires controlled, auditable access.
- Maintain incident response procedures for suspected credential capture, including user scoping, password reset decisions, and session/token review where applicable.
- Use application control or allowlisting where feasible to reduce unauthorized remote access tooling and unexpected command execution.
Analyst notes and limits
The supplied ATT&CK object identifies RunningRAT as Windows malware and provides one reporting source plus relationships to multiple techniques. The strongest defensive value comes from those relationships, especially persistence, credential/data collection, command execution, and defense impairment. This take intentionally avoids attribution or current exploitation claims beyond the supplied historical description.
Official ATT&CK detection text is not provided, tactics are not specified on the malware object itself, and no indicators, hashes, command examples, or C2 details were supplied. Coverage decisions require local validation of endpoint telemetry, logging retention, EDR visibility, and authorized administrative behavior.
RunningRAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1680 | Local Storage Discovery | RunningRAT gathers logical drives information and volume information. [1] |
| Enterprise | T1685 | Disable or Modify Tools | RunningRAT kills antimalware running process. [1] |
| Enterprise | T1059.003 | Windows Command Shell | RunningRAT uses a batch file to kill a security program task and then attempts to remove itself. [1] |
| Enterprise | T1056.001 | Keylogging | RunningRAT captures keystrokes and sends them back to the C2 server. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | RunningRAT adds itself to the Registry key |
| Enterprise | T1070.004 | File Deletion | RunningRAT contains code to delete files from the victim's machine. [1] |
| Enterprise | T1082 | System Information Discovery | RunningRAT gathers the OS version and processor information. [1] |
| Enterprise | T1560 | Archive Collected Data | RunningRAT contains code to compress files. [1] |
| Enterprise | T1685.005 | Clear Windows Event Logs | RunningRAT contains code to clear event logs. [1] |
| Enterprise | T1115 | Clipboard Data | RunningRAT contains code to open and copy data from the clipboard. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 776e4f1d9f63… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] McAfee Gold Dragon: Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims' Systems. Retrieved June 6, 2018.
[2] RunningRAT (Citation: McAfee Gold Dragon)
[3] mitre-attack S0253
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.