S0256: Mosquito
Analyst context for executives and security teams
Mosquito matters because ATT&CK describes it as a Windows backdoor used by Turla, with behavior spanning execution, discovery, persistence, defense evasion, and command-and-control. For leaders, the value is not a malware name alone; it is a checklist for whether Windows endpoint, registry, scripting, WMI, DLL execution, and encrypted outbound traffic controls can support a fast investigation if a stealthy backdoor is suspected.
Executive priority
Prioritize this as a Windows endpoint and incident-readiness validation issue. The mapped behaviors touch persistence through Registry/COM/run keys, execution through WMI, PowerShell, command shell, rundll32, and native APIs, plus discovery of users, processes, network configuration, and security tools. Executives should ask whether the SOC can prove visibility across those areas, whether IR can preserve evidence when files are deleted or stored in non-file locations, and whether control investments reduce abuse of legitimate Windows administration features without disrupting operations.
Technical view
ATT&CK does not provide an official detection section for Mosquito, so defenders should validate coverage through the related techniques rather than a single signature. On Windows, focus on suspicious parent-child process chains involving PowerShell, cmd.exe, WMI, and rundll32; DLL loading patterns consistent with backdoor launch behavior; Registry modifications involving persistence or COM references; Run key/startup folder changes; evidence of file transfer and subsequent deletion; and discovery activity against users, processes, network configuration, and security tooling. Because the object is described as a Win32 backdoor made of installer, launcher, and CommanderDLL components, triage should correlate installation, launch, persistence, and outbound communications rather than treating each event in isolation.
Likely telemetry
- Windows process creation and command-line telemetry for PowerShell, cmd.exe, WMI activity, rundll32.exe, and child processes
- Registry auditing for Run keys, startup-related entries, COM object references, and other suspicious modifications
- DLL/module load telemetry and endpoint events related to launcher/backdoor execution
- File creation, transfer, rename, and deletion events, including short-lived artifacts
- Network connection and proxy/DNS/firewall logs for unusual outbound command-and-control patterns, including encrypted traffic not explained by business use
Detection direction
- Build detections around behavior clusters mapped to the relationships, not just malware indicators: discovery followed by script or WMI execution, Registry persistence, rundll32 DLL execution, tool transfer, deletion, and outbound encrypted communications.
- Tune carefully for administrative noise. WMI, PowerShell, cmd.exe, Registry changes, and rundll32 are legitimate Windows mechanisms, so detections should use baselines, uncommon parent processes, unusual paths, rare command lines, abnormal user context, and sequence-based correlation.
- Check blind spots in fileless and obfuscated storage paths. ATT&CK relationships include Fileless Storage and Encrypted/Encoded File, so confirm whether endpoint tooling inspects Registry/WMI/event-log-like storage and captures enough content or metadata to investigate encoded artifacts.
- Validate telemetry retention for cleanup behavior. File deletion can remove local evidence quickly, so central log collection and EDR historical search are important for IR reconstruction.
- Use the Turla relationship as threat-intelligence context for prioritization and hunting, but do not treat attribution as proven from local telemetry without corroborating evidence.
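As an added example (not code from this page, from ESET, or from MITRE), the following Python pass runs the behavior clusters described in the technical view and detection direction above over constructed Sysmon-style events: a Run key value that invokes rundll32 with a DLL, an InprocServer32 write under a user hive's Classes\CLSID path, a high-entropy blob written to a Registry value, and a burst of discovery utilities spawned by one parent, with per-process correlation so that a single rule hit does not escalate on its own. The events, the DLL path, the CLSID, the rule thresholds, the discovery command set and the `hex:` field that exposes REG_BINARY contents are all assumptions for illustration.

```python
"""Behavior-cluster hunt over Windows endpoint telemetry (added example).
Events are constructed Sysmon-style records, not Mosquito telemetry; the
thresholds and the hypothetical 'hex:' REG_BINARY field are assumptions."""
import math
import re
from collections import defaultdict

# Constructed sample telemetry. "type" mirrors Sysmon: process = Event ID 1
# (process create), registry = Event ID 13 (value set). HKCU paths are
# written HKU\<SID>\... as Sysmon records them. CLSID and paths are made up.
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
DLL = r"C:\Users\alice\AppData\Roaming\svc\updater.dll"
BLOB = bytes((i * 37 + 11) % 256 for i in range(128))  # 128 distinct bytes

EVENTS = [
    {"t": 0, "type": "process", "pid": 900, "ppid": 880,
     "image": r"C:\Windows\System32\rundll32.exe", "cmd": f"rundll32.exe {DLL},Start"},
    {"t": 2, "type": "process", "pid": 910, "ppid": 900,
     "image": r"C:\Windows\System32\whoami.exe", "cmd": "whoami"},
    {"t": 3, "type": "process", "pid": 911, "ppid": 900,
     "image": r"C:\Windows\System32\tasklist.exe", "cmd": "tasklist"},
    {"t": 5, "type": "process", "pid": 912, "ppid": 900,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig /all"},
    {"t": 6, "type": "registry", "pid": 900,
     "key": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "data": f"rundll32.exe {DLL},Start"},
    {"t": 7, "type": "registry", "pid": 900,
     "key": SID + r"\Software\Classes\CLSID\{DEADBEEF-0000-4000-8000-000000000001}\InprocServer32\(Default)",
     "data": DLL},
    {"t": 8, "type": "registry", "pid": 900,
     "key": SID + r"\Software\Microsoft\svc\cfg", "data": "hex:" + BLOB.hex()},
    # Benign noise: a lone admin ipconfig and a vendor Run key without rundll32.
    {"t": 40, "type": "process", "pid": 950, "ppid": 700,
     "image": r"C:\Windows\System32\ipconfig.exe", "cmd": "ipconfig"},
    {"t": 41, "type": "registry", "pid": 960,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
USER_COM = re.compile(r"^HKU\\[^\\]+\\Software\\Classes\\CLSID\\\{[^}]+\}\\InprocServer32", re.I)
DISCOVERY = {"whoami.exe", "tasklist.exe", "ipconfig.exe", "net.exe", "systeminfo.exe"}
DISCOVERY_WINDOW, DISCOVERY_MIN = 60, 3    # assumed: 3 distinct tools in 60 s
BLOB_MIN_LEN, BLOB_MIN_ENTROPY = 64, 6.0   # assumed: >= 64 bytes at >= 6 bits/byte


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or constant input, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registry_rules(ev):
    """Yield (rule, technique, key) for one registry value-set event."""
    key, data = ev["key"], ev.get("data", "")
    if RUN_KEY.search(key) and "rundll32" in data.lower():
        yield "run_key_rundll32", "T1547.001+T1218.011", key
    if USER_COM.match(key):
        yield "com_hijack_user_hive", "T1546.015", key
    if data.startswith("hex:"):  # assumed EDR field carrying REG_BINARY bytes
        raw = bytes.fromhex(data[4:])
        if len(raw) >= BLOB_MIN_LEN and shannon_entropy(raw) >= BLOB_MIN_ENTROPY:
            yield "encoded_registry_blob", "T1027.011", key


def discovery_bursts(events):
    """Flag a parent spawning DISCOVERY_MIN distinct discovery tools in the window."""
    by_parent = defaultdict(list)
    for ev in events:
        if ev["type"] == "process" and ev["image"].rsplit("\\", 1)[-1].lower() in DISCOVERY:
            by_parent[ev["ppid"]].append(ev)
    for ppid, kids in by_parent.items():
        kids.sort(key=lambda e: e["t"])
        for i, first in enumerate(kids):
            names = {k["image"].rsplit("\\", 1)[-1].lower()
                     for k in kids[i:] if k["t"] - first["t"] <= DISCOVERY_WINDOW}
            if len(names) >= DISCOVERY_MIN:
                yield {"rule": "discovery_burst", "technique": "T1033/T1057/T1016",
                       "pid": ppid, "detail": sorted(names)}
                break


def run_rules(events):
    hits = [{"rule": r, "technique": tech, "pid": ev["pid"], "detail": d}
            for ev in events if ev["type"] == "registry"
            for r, tech, d in registry_rules(ev)]
    hits.extend(discovery_bursts(events))
    return hits


def cluster_by_process(hits, min_rules=2):
    """Sequence-based correlation: escalate only processes tripping several rules."""
    per_pid = defaultdict(set)
    for h in hits:
        per_pid[h["pid"]].add(h["rule"])
    return {pid: rules for pid, rules in per_pid.items() if len(rules) >= min_rules}


if __name__ == "__main__":
    found = run_rules(EVENTS)
    for h in found:
        print(h["rule"], h["technique"], h["pid"], h["detail"])
    print("escalate:", cluster_by_process(found))
```

Two caveats matter when adapting this to real telemetry. Sysmon's Event ID 13 records a REG_BINARY value as the literal string "Binary Data" rather than its bytes, so the entropy rule only works where the EDR or a registry collection job actually captures value contents; that is the fileless-storage blind spot the detection direction asks teams to confirm. And the benign OneDrive Run key and the lone ipconfig are deliberately included: the point of `cluster_by_process` is that Run-key writes and discovery commands are routine on their own and should escalate only when several rules fire for the same process.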
Mitigation priorities
- Start with Windows hardening that reduces abuse of built-in execution paths: constrain unnecessary PowerShell, WMI, cmd, rundll32, and script execution where business processes allow.
- Apply least privilege and change control to Registry areas used for persistence, including Run keys, startup locations, and COM-related references.
- Use application control or allowlisting strategies to limit unauthorized DLL and tool execution while accounting for legitimate administrative software.
- Strengthen outbound egress monitoring and control so unusual encrypted command-and-control-like communications can be investigated and contained.
- Ensure endpoint logging, centralized retention, and IR collection procedures cover deleted files, Registry changes, WMI activity, and DLL/module execution.
Analyst notes and limits
The most defensible Glexia use of this object is as a Windows backdoor behavior coverage review. The ATT&CK relationship set provides practical hunt and control themes: execution through Windows management and shell components, persistence through Registry/COM/startup mechanisms, discovery of host and security context, stealth through fileless or encoded storage and deletion, and command-and-control through tool transfer and symmetric cryptography. This supports managed detection, IR readiness, and control validation discussions without requiring unsupported claims about current campaigns.
ATT&CK provides no official detection text for Mosquito, and the malware object itself has no specified tactics. Some related techniques list broader platforms, but the Mosquito object is supplied as Windows, so platform-specific conclusions should remain Windows-focused. Local baselines, endpoint telemetry quality, network architecture, and business use of administration tools are required before determining actual exposure or detection coverage.
Mosquito
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Mosquito's installer uses WMI to search for antivirus display names. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Mosquito runs |
| Enterprise | T1218.011 | Rundll32 | Mosquito's launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability. [1] |
| Enterprise | T1070.004 | File Deletion | Mosquito deletes files using DeleteFileW API call. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography | Mosquito uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm. [1] |
| Enterprise | T1518.001 | Security Software Discovery | Mosquito's installer searches the Registry and system to see if specific antivirus tools are installed on the system. [1] |
| Enterprise | T1059.001 | PowerShell | Mosquito can launch PowerShell Scripts. [1] |
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1105 | Ingress Tool Transfer | Mosquito can upload and download files to the victim. [1] |
| Enterprise | T1546.015 | Component Object Model Hijacking | Mosquito uses COM hijacking as a method of persistence. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Mosquito's installer is obfuscated with a custom crypter to obfuscate the installer. [1] |
| Enterprise | T1057 | Process Discovery | Mosquito runs |
| Enterprise | T1016 | System Network Configuration Discovery | Mosquito uses the |
| Enterprise | T1059.003 | Windows Command Shell | Mosquito executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Mosquito establishes persistence under the Registry key |
| Enterprise | T1106 | Native API | Mosquito leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions. [1] |
| Enterprise | T1027.011 | Fileless Storage | Mosquito stores configuration values under the Registry key |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 03bfe8ab6bb0… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Turla Mosquito Jan 2018: ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018.
- [2] Mosquito (Citation: ESET Turla Mosquito Jan 2018)
- [3] mitre-attack S0256
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.