S0263: TYPEFRAME
TYPEFRAME is a remote access tool that has been used by Lazarus Group. [1]
Analyst context for executives and security teams
TYPEFRAME is a Windows remote access tool documented by ATT&CK as used by Lazarus Group. Its value to defenders is not just the malware name; the mapped behaviors point to a Windows intrusion pattern involving user-executed malicious files, command execution, registry and service changes, obfuscation, file deletion, host firewall modification, and command-and-control through proxies or non-standard ports. For security leaders, this is a useful test case for whether Windows endpoint, network, and response telemetry can reconstruct a remote-access intrusion when the malware itself is not detected by name.
Executive priority
Prioritize TYPEFRAME as a coverage-validation scenario for Windows endpoint resilience and incident response readiness, especially where threat intelligence requirements include state-sponsored activity. Leaders should ask whether the SOC can prove visibility into service creation, registry modification, firewall changes, suspicious command shell or Visual Basic execution, file transfer, and unusual outbound communications. Because ATT&CK provides no official detection text for this object, assurance should come from tested telemetry and response playbooks rather than assumptions about signature coverage.
Technical view
ATT&CK lists TYPEFRAME as Windows malware and relates it to techniques spanning execution, persistence, defense evasion, discovery, and command-and-control. Detection engineering should validate behavior-based analytics around malicious file execution, cmd.exe and Visual Basic activity, Windows Registry modification, Windows service creation or modification, file deletion, encoded or encrypted artifacts, deobfuscation activity, local/file discovery, ingress tool transfer, proxy use, non-standard ports, and Windows host firewall changes. Treat the Lazarus Group relationship as threat-intelligence context, not as automatic attribution during an incident.
Likely telemetry
- Windows process creation and command-line logging, especially cmd.exe and Visual Basic-related execution
- Endpoint file telemetry for suspicious file creation, encoded/encrypted content, tool transfer, and file deletion
- Windows Registry auditing for persistence, configuration, and firewall-related changes
- Windows service creation, modification, and service configuration events
- Windows host firewall rule/profile change events
Detection direction
- Build behavior chains rather than relying on a TYPEFRAME malware name match, since no official ATT&CK detection guidance is provided.
- Correlate user-opened file execution with subsequent command shell or Visual Basic activity, registry/service changes, and outbound network connections.
- Tune for administrative false positives: registry edits, service changes, firewall changes, and file deletion can be legitimate, so prioritize rare parent processes, unusual users, new service paths, and temporal clustering.
- Validate egress monitoring for proxy use and protocol/port mismatches associated with non-standard port command-and-control behavior.
- Confirm that obfuscation-related coverage includes both encoded/encrypted artifacts and follow-on decode or deobfuscation activity.
Mitigation priorities
- Ensure Windows endpoints collect the telemetry needed to investigate command execution, registry modification, service changes, firewall changes, file activity, and network connections.
- Reduce exposure to malicious-file execution through user-awareness, attachment/download controls, and execution policy appropriate to the environment.
- Limit administrative privileges that allow registry, service, and host firewall modification.
- Harden and monitor Windows service creation and changes as a persistence and privilege-escalation control point.
- Apply egress filtering and proxy governance so unusual outbound traffic and non-standard port use are visible and reviewable.
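For the egress-monitoring point (protocol/port mismatches on 443, 8080 and 8443), here is an added example, not part of the ATT&CK object or Glexia's mirror, that checks a simplified subset of Zeek conn.log columns: a flow to one of those ports whose identified service is missing or is not what the port implies gets flagged. The log lines are constructed and the column layout is an assumption (real conn.log has more fields and can carry several comma-separated services).

```python
# Constructed conn.log-style records (tab-separated, not real traffic):
# ts, uid, orig_h, orig_p, resp_h, resp_p, proto, service ('-' = none identified)
CONN_LOG = """\
1714554000.1\tC1\t10.0.0.5\t51000\t203.0.113.10\t443\ttcp\tssl
1714554010.2\tC2\t10.0.0.5\t51001\t203.0.113.20\t8443\ttcp\t-
1714554020.3\tC3\t10.0.0.7\t51002\t203.0.113.30\t8080\ttcp\thttp
1714554030.4\tC4\t10.0.0.7\t51003\t203.0.113.40\t8080\ttcp\t-
1714554040.5\tC5\t10.0.0.9\t51004\t203.0.113.50\t443\ttcp\thttp
1714554050.6\tC6\t10.0.0.9\t51005\t203.0.113.60\t53\tudp\tdns
"""

# Services a sensor should identify on each port named in the ATT&CK text.
EXPECTED = {443: {"ssl"}, 8443: {"ssl"}, 8080: {"http", "ssl"}}

def parse_conn(text):
    """Parse the constructed conn.log subset into dicts with typed fields."""
    rows = []
    for line in text.splitlines():
        ts, uid, oh, op, rh, rp, proto, service = line.split("\t")
        rows.append({"ts": float(ts), "uid": uid, "orig": oh, "orig_p": int(op),
                     "resp": rh, "resp_p": int(rp), "proto": proto, "service": service})
    return rows

def port_service_mismatches(rows):
    """Flag TCP flows to 443/8080/8443 whose identified application protocol is
    absent ('-') or not one the port implies. An unidentified protocol on a
    TLS port is the shape a FakeTLS-style channel can leave in sensor logs;
    a plain-HTTP flow on 443 is a mismatch worth reviewing for the same reason."""
    hits = []
    for r in rows:
        expected = EXPECTED.get(r["resp_p"])
        if r["proto"] != "tcp" or expected is None:
            continue
        if r["service"] not in expected:
            hits.append((r["uid"], r["orig"], r["resp"], r["resp_p"], r["service"]))
    return hits
```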
Analyst notes and limits
The supplied ATT&CK object identifies TYPEFRAME as a Windows remote access tool and provides a relationship to Lazarus Group plus multiple technique relationships. The strongest practical use is as a validation map for Windows endpoint and network monitoring. The source reference is the US-CERT June 2018 malware analysis report cited by ATT&CK.
ATT&CK does not provide official detection text, aliases, labels, or object-level tactics for TYPEFRAME in the supplied fields. The relationship to Lazarus Group does not by itself establish attribution for any local incident. Local telemetry, malware analysis, and case evidence are required to confirm activity, scope, and impact.
TYPEFRAME
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.011 | Fileless Storage Sub-technique | TYPEFRAME can install and store encrypted configuration data under the Registry key |
| Enterprise | T1105 | Ingress Tool Transfer | TYPEFRAME can upload and download files to the victim’s machine. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | APIs and strings in some TYPEFRAME variants are RC4 encrypted. Another variant is encoded with XOR. [1] |
| Enterprise | T1686.003 | Windows Host Firewall Sub-technique | TYPEFRAME can open the Windows Firewall on the victim’s machine to allow incoming connections. [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | A Word document delivering TYPEFRAME prompts the user to enable macro execution. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | One TYPEFRAME variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35". [1] |
| Enterprise | T1090 | Proxy | A TYPEFRAME variant can force the compromised system to function as a proxy server. [1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution. [1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | |
| Enterprise | T1112 | Modify Registry | TYPEFRAME can install encrypted configuration data under the Registry key |
| Enterprise | T1680 | Local Storage Discovery | TYPEFRAME can gather the disk volume information. [1] |
| Enterprise | T1571 | Non-Standard Port | TYPEFRAME has used ports 443, 8080, and 8443 with a FakeTLS method. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | TYPEFRAME can delete files off the system. [1] |
| Enterprise | T1083 | File and Directory Discovery | TYPEFRAME can search directories for files on the victim’s machine. [1] |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain. [3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns. [4] [5] [6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 0d4506a26f86… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] US-CERT TYPEFRAME June 2018. US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018.
[2] TYPEFRAME (Citation: US-CERT TYPEFRAME June 2018)
[3] mitre-attack S0263
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.