S0267: FELIXROOT
Analyst context for executives and security teams
FELIXROOT is a Windows backdoor documented by ATT&CK as having targeted Ukrainian victims. Its ATT&CK relationships show behavior that matters operationally: discovery of users, processes, system details, storage, network configuration, time, registry and security tools; execution through Windows command shell, WMI, and rundll32; persistence through registry run keys/startup mechanisms and shortcut modification; web-protocol command-and-control; tool transfer; archive creation; file deletion; and registry modification. For leaders, the value is not just naming the malware, but using it as a validation case for whether Windows endpoint, network, and registry telemetry can reconstruct a backdoor intrusion from initial execution through persistence, discovery, C2, staging, and cleanup.
Executive priority
Prioritize FELIXROOT as a Windows backdoor coverage test for SOC and incident response readiness, especially where business operations depend on Windows endpoints or where regional/geopolitical exposure is a concern. The object’s relationships point to controls and evidence auditors often ask about: endpoint monitoring, registry change visibility, command-line logging, WMI/rundll32 oversight, web egress monitoring, and retention sufficient to investigate file deletion and staged archives. Executives should ask whether teams can prove coverage for these behaviors, not whether a single malware name is blocked.
Technical view
ATT&CK provides no standalone detection text for FELIXROOT, so defenders should pivot from the software object to its mapped techniques. Validate Windows visibility for registry query and modification, run key/startup and shortcut persistence, command shell execution, WMI activity, rundll32 proxy execution, discovery commands or API activity, file transfer, archive creation, file deletion, and web-protocol C2-like traffic. Detection engineering should focus on behavior chains: discovery of host/user/security tooling followed by persistence changes, suspicious LOLBin execution, external web communications, transferred tools, archived data, or cleanup. IR playbooks should include registry and startup artifact collection, WMI/rundll32 process lineage review, network egress review, and timeline reconstruction around deleted files and staged archives.
Likely telemetry
- Windows process creation events with command line and parent/child process lineage
- Registry query and modification events, especially run keys and startup-related locations
- Startup folder and shortcut creation or modification evidence
- WMI activity logs and process execution context
- rundll32.exe execution details including loaded DLL/path and command line where available
Detection direction
- Build detections around combinations of mapped behaviors rather than the FELIXROOT name alone, because the official ATT&CK object does not provide detection guidance.
- Tune for suspicious command shell, WMI, and rundll32 activity by examining parent process, command line, execution path, user context, and proximity to discovery or persistence activity.
- Monitor registry run key/startup changes and shortcut modifications, while accounting for legitimate software installation and administrative activity as common false-positive sources.
- Correlate discovery activity across user, process, system, network, time, local storage, and security software enumeration; single discovery commands may be benign, but clusters can indicate post-compromise reconnaissance.
- Review outbound web-protocol traffic from unusual processes or newly persistent binaries, using proxy/DNS/firewall logs where endpoint visibility is incomplete.
Mitigation priorities
- Harden Windows endpoint visibility first: process command lines, registry auditing, WMI activity, startup locations, file operations, and network egress logging.
- Restrict and monitor administrative execution paths such as WMI, command shell usage, and rundll32 where business operations allow, with exceptions documented and reviewed.
- Control persistence surfaces by monitoring registry run keys and startup folders, and by validating change-management coverage for legitimate modifications.
- Apply least privilege so registry modification, persistence creation, and broad discovery actions are constrained to authorized users and tools.
- Strengthen egress controls and web traffic inspection policies to make web-protocol command-and-control harder to blend into normal traffic.
Analyst notes and limits
The supplied ATT&CK data identifies FELIXROOT as a Windows backdoor and provides relationships to many ATT&CK techniques, but no official detection text and no tactics directly on the malware object. The relationships are therefore the best source for defensive planning. External references include FireEye reporting on Microsoft Office vulnerabilities used to distribute FELIXROOT and ESET GreyEnergy reporting, but this take avoids adding details not present in the supplied fields.
This assessment is constrained to the supplied ATT&CK fields, references, and relationships. It does not assert current activity, attribution, victim exposure beyond the official description, specific indicators, exploitability in any environment, or guaranteed detection coverage. Local validation is required to determine whether relevant Windows endpoint, registry, WMI, file, and network telemetry is actually collected and retained.
FELIXROOT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | FELIXROOT collects a list of running processes.CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1112 | Modify Registry | FELIXROOT deletes the Registry key |
| Enterprise | T1680 | Local Storage Discovery | FELIXROOT collects the victim’s volume serial number.CitationFireEye FELIXROOT July 2018CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | FELIXROOT checks for installed security software like antivirus and firewall.CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.CitationFireEye FELIXROOT July 2018CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1082 | System Information Discovery | FELIXROOT collects the victim’s computer name, processor architecture, OS version, and system type.CitationFireEye FELIXROOT July 2018CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.CitationFireEye FELIXROOT July 2018CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1016 | System Network Configuration Discovery | FELIXROOT collects information about the network including the IP address and DHCP server.CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1047 | Windows Management Instrumentation | FELIXROOT uses WMI to query the Windows Registry.CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1124 | System Time Discovery | FELIXROOT gathers the time zone information from the victim’s machine.CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1560 | Archive Collected Data | FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.CitationFireEye FELIXROOT July 2018 |
| Enterprise | T1218.011 | Rundll32 Sub-technique | FELIXROOT uses Rundll32 for executing the dropper program.CitationFireEye FELIXROOT July 2018CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1033 | System Owner/User Discovery | FELIXROOT collects the username from the victim’s machine.CitationFireEye FELIXROOT July 2018CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | FELIXROOT creates a .LNK file for persistence.CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1105 | Ingress Tool Transfer | FELIXROOT downloads and uploads files to and from the victim’s machine.CitationFireEye FELIXROOT July 2018CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.CitationFireEye FELIXROOT July 2018CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | FELIXROOT adds a shortcut file to the startup folder for persistence.CitationESET GreyEnergy Oct 2018 |
| Enterprise | T1070.004 | File Deletion Sub-technique | FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.CitationFireEye FELIXROOT July 2018 |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 2.2 | Current bundle | 0b6eadca5508… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
-
[1]
FireEye FELIXROOT July 2018
Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024.
Open source URL -
[2]
ESET GreyEnergy Oct 2018
Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.
Open source URL -
[3]
FELIXROOT
(Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)
-
[4]
GreyEnergy mini
(Citation: ESET GreyEnergy Oct 2018)
-
[5]
mitre-attack S0267Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.