S0271: KEYMARBLE
Analyst context for executives and security teams
KEYMARBLE is a Windows Trojan documented by MITRE as reportedly used by the North Korean government and related in ATT&CK to Lazarus Group. Its ATT&CK relationships show behavior that matters after initial compromise: discovering host, process, file, storage, and network details; using Windows command shell; modifying the Registry; capturing screens; transferring tools; deleting files; and using symmetric cryptography for command-and-control. For leaders, the value is not a single malware name—it is a checklist for whether Windows endpoint visibility, command-line monitoring, registry auditing, file activity, and network egress controls can support fast triage and containment.
Executive priority
Treat KEYMARBLE as a validation case for post-compromise readiness on Windows systems. The business question is whether the organization can prove, during an incident or audit, that it can detect discovery activity, suspicious command execution, registry changes, inbound tool transfer, encrypted outbound communications, and cleanup behavior. Prioritize coverage where Windows endpoints support critical operations, privileged administration, sensitive data access, or regulated evidence requirements.
Technical view
ATT&CK provides no dedicated detection text for KEYMARBLE, so defenders should map monitoring to the related techniques: T1059.003 Windows Command Shell, T1112 Modify Registry, discovery techniques T1016/T1057/T1082/T1083/T1680, T1105 Ingress Tool Transfer, T1113 Screen Capture, T1070.004 File Deletion, and T1573.001 Symmetric Cryptography. SOC and IR teams should validate that Windows endpoint telemetry captures process ancestry, command-line arguments, registry writes, file creation/deletion, local enumeration activity, screen capture indicators where available, and network egress metadata/content needed to investigate encrypted or unusual command-and-control-like traffic.
Likely telemetry
- Windows endpoint process creation events with parent/child process relationships and command-line arguments
- Registry modification events, especially changes tied to persistence or defense impairment investigation workflows
- File system telemetry for creation, transfer, enumeration, and deletion of non-native or suspicious files
- Host discovery evidence such as process listing, system information, network configuration, directory, and local storage enumeration
- Network egress logs, proxy/firewall/DNS metadata, and flow records to support investigation of external file transfer and encrypted communications
Detection direction
- Because official detection guidance is not provided, build detections from the related ATT&CK behaviors rather than the malware name alone.
- Correlate command shell execution with rapid host discovery, file/directory enumeration, registry changes, file deletion, and outbound network activity to reduce noise from normal administration.
- Tune false positives for legitimate IT scripts, software deployment, inventory tools, backup agents, and help desk activity that may also enumerate systems or modify registry keys.
- Validate visibility gaps: disabled command-line logging, incomplete EDR deployment, limited registry auditing, lack of file deletion telemetry, and network logs that cannot distinguish unusual encrypted egress patterns.
- Use the Lazarus Group relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
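As an added illustration of the correlation approach above (example code written for this page, not taken from MITRE or the referenced MAR), the following Python groups constructed Sysmon-style events per host and flags clusters that touch several of the mapped techniques within a short window, while suppressing an allowlisted inventory agent. Field names, the allowlist entries and the sample events are assumptions for the example.

```python
"""Correlate KEYMARBLE-style post-compromise behaviour per Windows host.
Event field names, the allowlist and SAMPLE_EVENTS are constructed for this
example; tune markers, window and threshold from local baselining."""
from datetime import datetime, timedelta

# cmd.exe command-line markers mapped to the discovery techniques on this page.
DISCOVERY_MARKERS = {
    "tasklist": "T1057", "systeminfo": "T1082", "ver": "T1082",
    "ipconfig": "T1016", "getmac": "T1016", "dir": "T1083", "where": "T1083",
    "diskdrive": "T1680", "fsutil": "T1680",
}
# Hypothetical parents that legitimately drive cmd.exe discovery (inventory/deployment agents).
ALLOWLIST = {"inventoryagent.exe", "sccmclient.exe"}

def categorize(ev):
    """Map one event to an ATT&CK technique ID, or None if not of interest."""
    if ev["type"] == "registry_set":
        return "T1112"
    if ev["type"] == "file_delete":
        return "T1070.004"
    if ev["type"] == "process" and ev["image"].lower() == "cmd.exe":
        for word in ev["cmdline"].lower().replace("/c", " ").split():
            if word in DISCOVERY_MARKERS:
                return DISCOVERY_MARKERS[word]
        return "T1059.003"  # shell use without a recognised discovery command
    return None

def correlate(events, window_s=120, min_categories=3):
    """Return one alert per host whose events span >= min_categories distinct
    techniques within window_s seconds, ignoring allowlisted parent processes."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = categorize(ev)
        if cat is None or ev.get("parent", "").lower() in ALLOWLIST:
            continue
        by_host.setdefault(ev["host"], []).append((datetime.fromisoformat(ev["ts"]), cat))
    alerts = []
    for host, items in by_host.items():
        for i, (start, _) in enumerate(items):
            cats = {c for t, c in items[i:] if t - start <= timedelta(seconds=window_s)}
            if len(cats) >= min_categories:
                alerts.append({"host": host, "start": start.isoformat(), "techniques": sorted(cats)})
                break  # one alert per host is enough to open triage
    return alerts

SAMPLE_EVENTS = [  # constructed sample telemetry, not real data
    {"ts": "2024-05-01T10:00:00", "host": "WS01", "type": "process", "parent": "updater.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2024-05-01T10:00:04", "host": "WS01", "type": "process", "parent": "updater.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"ts": "2024-05-01T10:00:09", "host": "WS01", "type": "process", "parent": "updater.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c getmac"},
    {"ts": "2024-05-01T10:00:20", "host": "WS01", "type": "registry_set", "parent": "updater.exe", "key": "HKCU\\Software\\Example"},
    {"ts": "2024-05-01T10:01:30", "host": "WS01", "type": "file_delete", "parent": "updater.exe", "path": "C:\\Users\\Public\\tmp.dat"},
    {"ts": "2024-05-01T10:00:00", "host": "WS02", "type": "process", "parent": "inventoryagent.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"ts": "2024-05-01T10:00:01", "host": "WS02", "type": "process", "parent": "inventoryagent.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-05-01T11:00:00", "host": "WS03", "type": "process", "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir C:\\"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)  # WS01 is flagged; WS02 (allowlisted) and WS03 (single technique) are not
```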
Mitigation priorities
- Start with visibility: ensure managed detection or internal SOC coverage for Windows process, registry, file, and network telemetry related to the mapped techniques.
- Harden Windows administration paths by restricting unnecessary command shell use, limiting privileged access, and reviewing where registry modification is allowed.
- Strengthen egress control and monitoring so external tool transfer and unusual encrypted communications are investigated quickly.
- Prepare IR playbooks for Windows Trojan activity that include host isolation, evidence preservation, timeline review, registry and file-system triage, and network scope analysis.
- Use vulnerability and asset prioritization to focus controls on Windows systems that support critical business services or hold sensitive data.
Analyst notes and limits
The supplied ATT&CK object is sparse: KEYMARBLE has a short description, Windows platform, no aliases, no malware-specific tactics listed, and no official detection section. The strongest defensive value comes from the ATT&CK relationships to techniques and the relationship noting Lazarus Group uses this object. Local baselining is required before converting these behaviors into high-confidence alerts.
This take uses only the supplied ATT&CK fields, references, and relationships. It does not establish current activity, customer exposure, specific indicators of compromise, guaranteed detection logic, or attribution for any observed event. Several related techniques list platforms beyond Windows in their own ATT&CK entries, but the KEYMARBLE object itself is supplied as Windows, so platform conclusions should remain Windows-focused unless local evidence shows otherwise.
KEYMARBLE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | KEYMARBLE gathers the MAC address of the victim’s machine. (Citation: US-CERT KEYMARBLE Aug 2018) |
| Enterprise | T1057 | Process Discovery | KEYMARBLE can obtain a list of running processes on the system. (Citation: US-CERT KEYMARBLE Aug 2018) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | KEYMARBLE can execute shell commands using cmd.exe. (Citation: US-CERT KEYMARBLE Aug 2018) |
| Enterprise | T1083 | File and Directory Discovery | KEYMARBLE has a command to search for files on the victim’s machine. (Citation: US-CERT KEYMARBLE Aug 2018) |
| Enterprise | T1105 | Ingress Tool Transfer | KEYMARBLE can upload files to the victim’s machine and can download additional payloads. (Citation: US-CERT KEYMARBLE Aug 2018) |
| Enterprise | T1082 | System Information Discovery | KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, and time elapsed since system start. (Citation: US-CERT KEYMARBLE Aug 2018) |
| Enterprise | T1680 | Local Storage Discovery | KEYMARBLE has the capability to collect information on disk devices. (Citation: US-CERT KEYMARBLE Aug 2018) |
| Enterprise | T1113 | Screen Capture | KEYMARBLE can capture screenshots of the victim’s machine. (Citation: US-CERT KEYMARBLE Aug 2018) |
| Enterprise | T1112 | Modify Registry | KEYMARBLE has a command to create Registry entries for storing data under |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications. (Citation: US-CERT KEYMARBLE Aug 2018) |
| Enterprise | T1070.004 | File Deletion Sub-technique | KEYMARBLE has the capability to delete files off the victim’s machine. (Citation: US-CERT KEYMARBLE Aug 2018) |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 68c785343977… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] US-CERT KEYMARBLE Aug 2018: US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. Open source URL
- [2] KEYMARBLE (Citation: US-CERT KEYMARBLE Aug 2018)
- [3] mitre-attack S0271. Open source URL
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.