S0257: VERMIN
Analyst context for executives and security teams
VERMIN matters because it is a Windows remote access tool built on the Microsoft .NET framework with ATT&CK relationships spanning discovery, credential collection, user activity capture, file transfer, obfuscation, and cleanup. For leaders, the practical risk is not just the malware name; it is whether the organization can recognize a post-compromise remote access capability collecting screenshots, clipboard data, audio, keystrokes, system details, and staged archives before evidence is deleted or traffic blends into normal web protocols.
Executive priority
Prioritize VERMIN as a validation case for endpoint visibility, incident response readiness, and evidence quality on Windows systems. The ATT&CK relationships point to behaviors that affect credential exposure, sensitive data handling, investigation completeness, and operational resilience. Executives should ask whether SOC and IR teams can prove they collect endpoint process and file activity, user-context discovery, web-protocol network activity, and evidence of screen, clipboard, audio, and keylogging behaviors. Whether a signature exists for VERMIN is the wrong question; the right one is whether the behaviors would be seen if the signature were missed.
Technical view
Treat VERMIN as a Windows .NET remote access tool with related behaviors across discovery, collection, command-and-control, ingress tool transfer, obfuscation, deobfuscation, archiving, and file deletion. SOC teams should validate detections around unusual .NET executable behavior, packed or encoded files, decoding activity, system/user/process/security software discovery, web-protocol C2-like communications, inbound tool/file transfer, collection from clipboard/screen/audio/keystrokes, archive creation of collected data, and deletion of dropped or generated files. Because ATT&CK provides no official detection text for this software object, detection engineering should be behavior-led and mapped to the related techniques rather than dependent on a single malware indicator.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows file creation, modification, archive creation, and deletion events
- Endpoint security alerts or metadata for packed, encoded, or obfuscated executables
- .NET runtime/application execution context where available
- Network telemetry for HTTP/HTTPS or other web-protocol traffic from endpoints
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on the VERMIN name alone, since no official ATT&CK detection guidance is provided.
- Correlate discovery activity with later collection, archiving, web-protocol communications, and file deletion to reduce false positives from normal administration.
- Tune for suspicious combinations: user/process/system/security-software discovery followed by screen, clipboard, audio, or keystroke collection behaviors.
- Review coverage for packed or encoded .NET executables and for deobfuscation/decoding activity that precedes execution or payload loading.
- Validate that web-protocol traffic from endpoints can be investigated with sufficient destination, timing, volume, and process attribution context.
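The correlation described in the technical view and in the detection direction above, written out as an added example that is not part of the ATT&CK page or of Unit 42's reporting. It runs over constructed Sysmon-like events (the field names, hosts, PIDs, paths and the 203.0.113.10 address are all assumed sample data, not real VERMIN indicators), classifies each event into a stage taken from the technique table (discovery via `whoami`, `tasklist`, `ipconfig` or a WMI `AntiVirusProduct` query; collection via the `dd-MM-yyyy.txt` filename format; web-protocol C2 from a user-writable path; cleanup via deletion of the collected file), attributes child discovery commands to the parent that spawned them, and only raises a finding when three or more distinct stages occur for one actor inside a time window. The benign administrator on the second host, who only runs discovery commands, produces no finding.

```python
"""Behavior-chain correlation for a VERMIN-like .NET RAT over endpoint telemetry.

Added example; the event schema, regexes and sample events are constructed
for illustration and are not taken from the ATT&CK object or Unit 42.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry in an assumed Sysmon-like shape (not a real log format).
# pid/ppid are process and parent ids; the "actor" a stage is charged to is explained below.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:00:00", "host": "WS01", "event": "process_create", "pid": 4100, "ppid": 3000,
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "cmdline": "svchost.exe"},
    {"ts": "2024-03-04T09:00:05", "host": "WS01", "event": "process_create", "pid": 4120, "ppid": 4100,
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /namespace:\\\\root\\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"ts": "2024-03-04T09:00:06", "host": "WS01", "event": "process_create", "pid": 4121, "ppid": 4100,
     "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami"},
    {"ts": "2024-03-04T09:00:07", "host": "WS01", "event": "process_create", "pid": 4122, "ppid": 4100,
     "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist /v"},
    {"ts": "2024-03-04T09:12:00", "host": "WS01", "event": "file_create", "pid": 4100,
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\04-03-2024.txt"},
    {"ts": "2024-03-04T09:13:00", "host": "WS01", "event": "net_connect", "pid": 4100,
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe", "dest": "203.0.113.10", "dest_port": 80},
    {"ts": "2024-03-04T09:14:00", "host": "WS01", "event": "file_delete", "pid": 4100,
     "image": "C:\\Users\\alice\\AppData\\Roaming\\svchost.exe",
     "target": "C:\\Users\\alice\\AppData\\Local\\Temp\\04-03-2024.txt"},
    # Benign admin session on another host: discovery only, no collection, C2 or cleanup.
    {"ts": "2024-03-04T10:00:00", "host": "WS02", "event": "process_create", "pid": 5100, "ppid": 900,
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": "2024-03-04T10:00:01", "host": "WS02", "event": "process_create", "pid": 5101, "ppid": 5100,
     "image": "C:\\Windows\\System32\\whoami.exe", "cmdline": "whoami /all"},
    {"ts": "2024-03-04T10:00:02", "host": "WS02", "event": "process_create", "pid": 5102, "ppid": 5100,
     "image": "C:\\Windows\\System32\\ipconfig.exe", "cmdline": "ipconfig /all"},
]

# Discovery commands covering T1016/T1033/T1057/T1082 and the WMI AntiVirusProduct lookup (T1518.001).
DISCOVERY_RE = re.compile(
    r"\b(whoami|tasklist|ipconfig|systeminfo|hostname)\b|antivirusproduct|securitycenter2", re.I)
# Collected-file naming from the T1119 note: the .NET format string {0:dd-MM-yyyy}.txt.
COLLECTION_FILE_RE = re.compile(r"[\\/]\d{2}-\d{2}-\d{4}\.txt$")
# Execution from user-writable locations is the suspicious context for web-protocol C2 (T1071.001).
USER_WRITABLE_RE = re.compile(r"\\(AppData|Temp|Downloads|Public|ProgramData)\\", re.I)
WEB_PORTS = {80, 443, 8080}


def actor_of(ev):
    """Charge a spawned discovery command to its parent; charge other events to the process itself."""
    pid = ev["ppid"] if ev["event"] == "process_create" else ev["pid"]
    return (ev["host"], pid)


def stage_of(ev):
    """Map one event to a behavior stage, or None if it is not of interest."""
    kind = ev["event"]
    if kind == "process_create" and DISCOVERY_RE.search(ev.get("cmdline", "")):
        return "discovery"
    if kind == "file_create" and COLLECTION_FILE_RE.search(ev.get("target", "")):
        return "collection"
    if (kind == "net_connect" and ev.get("dest_port") in WEB_PORTS
            and USER_WRITABLE_RE.search(ev.get("image", ""))):
        return "c2"
    if kind == "file_delete" and COLLECTION_FILE_RE.search(ev.get("target", "")):
        return "cleanup"
    return None


def correlate(events, window=timedelta(hours=1), min_stages=3):
    """One finding per (host, pid) actor that hits >= min_stages distinct stages inside
    `window`, at least one of them collection or c2 (discovery alone is never enough)."""
    chains = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            chains[actor_of(ev)].append((datetime.fromisoformat(ev["ts"]), stage))
    findings = []
    for (host, pid), hits in chains.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):  # sliding window anchored on each hit in turn
            stages = {s for t, s in hits[i:] if t - t0 <= window}
            if len(stages) >= min_stages and stages & {"collection", "c2"}:
                findings.append({"host": host, "pid": pid, "stages": sorted(stages),
                                 "first_seen": t0.isoformat()})
                break
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The parent attribution is the part worth copying: the RAT itself never has a suspicious command line, so a rule keyed on the discovery child processes alone would fire on every administrator, while a rule keyed on the RAT's own events would miss the discovery stage entirely. Tune `window`, `min_stages` and the `WEB_PORTS`/`USER_WRITABLE_RE` context to your estate before deploying.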
Mitigation priorities
- Ensure Windows endpoints have centrally managed prevention, detection, and response telemetry with retention sufficient for incident reconstruction.
- Harden and monitor execution of unknown or packed .NET applications, especially from user-writable paths or untrusted delivery locations.
- Limit user privileges and reduce credential exposure so keylogging or user discovery has less downstream impact.
- Control and monitor outbound web-protocol traffic from endpoints, with proxy/firewall logging that supports investigation.
- Apply least-privilege access to sensitive data and monitor archive creation or bulk collection patterns before exfiltration.
Analyst notes and limits
The supplied ATT&CK object identifies VERMIN as a Microsoft .NET remote access tool and provides relationship context to multiple techniques, including System Network Configuration Discovery, System Owner/User Discovery, System Information Discovery, Keylogging, Process Discovery, File Deletion, Web Protocols, Ingress Tool Transfer, Screen Capture, Clipboard Data, Automated Collection, Audio Capture, Deobfuscate/Decode Files or Information, Security Software Discovery, Archive Collected Data, Software Packing, and Encrypted/Encoded File. This supports a behavior-based defensive framing, especially for Windows endpoint monitoring and IR playbooks.
ATT&CK does not provide official detection text, aliases, labels, or explicit tactics on the malware object itself. The assessment is therefore limited to the official description, external references, platform field, and supplied relationship context. Local prevalence, active exploitation, attribution, command-and-control indicators, and guaranteed detection coverage cannot be inferred from the supplied fields.
VERMIN
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | VERMIN gathers the local IP address. [1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | VERMIN is initially packed. [1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | VERMIN uses HTTP for C2 communications. [1] |
| Enterprise | T1123 | Audio Capture | VERMIN can perform audio capture. [1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | VERMIN can delete files on the victim's machine. [1] |
| Enterprise | T1056.001 | Input Capture: Keylogging | VERMIN collects keystrokes from the victim machine. [1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | VERMIN uses WMI to check for anti-virus software installed on the system. [1] |
| Enterprise | T1115 | Clipboard Data | VERMIN collects data stored in the clipboard. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | VERMIN decrypts code, strings, and commands to use once it is on the victim's machine. [1] |
| Enterprise | T1119 | Automated Collection | VERMIN saves each collected file with the automatically generated format `{0:dd-MM-yyyy}.txt`. [1] |
| Enterprise | T1560 | Archive Collected Data | VERMIN encrypts the collected files using 3-DES. [1] |
| Enterprise | T1113 | Screen Capture | VERMIN can perform screen captures of the victim's machine. [1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | VERMIN is obfuscated using the obfuscation tool ConfuserEx. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | VERMIN can download and upload files to the victim's machine. [1] |
| Enterprise | T1033 | System Owner/User Discovery | VERMIN gathers the username from the victim's machine. [1] |
| Enterprise | T1082 | System Information Discovery | VERMIN collects the OS name, machine name, and architecture information. [1] |
| Enterprise | T1057 | Process Discovery | VERMIN can get a list of the processes and running tasks on the system. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (object versions, MITRE modification timestamps, and raw hashes). For MITRE's own release notes and roadmap, see the ATT&CK Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | b0965ecfc73f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Unit 42 VERMIN Jan 2018: Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Palo Alto Networks Unit 42. Retrieved July 5, 2018.

[2] MITRE ATT&CK, software object S0257 (VERMIN).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.