S0335: Carbon
Analyst context for executives and security teams
Carbon matters because ATT&CK describes it as a sophisticated second-stage Windows backdoor/framework used to steal sensitive information. For leaders, the key issue is not only malware prevention: a second-stage tool implies defenders need evidence that they can identify post-compromise discovery, persistence, command-and-control, staging, and exfiltration behavior before sensitive data loss becomes an incident response and compliance problem.
Executive priority
Treat Carbon-like behavior as a readiness test for high-value Windows environments and sensitive-data operations. Executives should ask whether SOC and IR teams can prove visibility into Windows service and scheduled task persistence, suspicious discovery activity, process injection indicators, outbound web or non-application-layer communications, local data staging, and exfiltration over unencrypted protocols. The Turla relationship and cited targeting of government and foreign-affairs-related organizations make this especially relevant for organizations with similar mission, policy, research, or diplomatic exposure, but local risk should be validated with environment-specific threat intelligence.
Technical view
ATT&CK provides no official detection text for Carbon, so defensive validation should be built from the mapped behaviors. On Windows, prioritize detection engineering around T1053.005 Scheduled Task, T1543.003 Windows Service, T1055.001 DLL Injection, T1012 Registry querying, T1057 Process Discovery, T1016/T1018/T1049 network and remote system discovery, T1069 permission group discovery, T1074.001 local staging, T1048.003 exfiltration over unencrypted non-C2 protocols, and C2 patterns involving T1071.001 Web Protocols, T1102 Web Service, T1095 Non-Application Layer Protocol, and T1573.002 Asymmetric Cryptography. Because T1027 and T1140 are also mapped, teams should expect analysis resistance and avoid depending on static signatures alone.
Likely telemetry
- Windows event logs for service creation or modification and scheduled task registration or execution
- Endpoint process telemetry including command line, parent-child process relationships, loaded modules, and suspicious cross-process activity relevant to DLL injection
- Registry access and modification telemetry, especially around service configuration and system discovery patterns
- File creation, rename, archive, and unusual directory activity that could indicate local data staging
- Network telemetry from proxy, firewall, DNS, NetFlow, and packet metadata for outbound web traffic, web-service use, non-application-layer protocols, and unencrypted exfiltration paths
Detection direction
- Build detections around behavior chains rather than a single indicator: persistence change followed by discovery, staging, C2-like outbound traffic, or exfiltration is more decision-useful than any event alone.
- Baseline legitimate administrative use of scheduled tasks, services, registry queries, process listings, network configuration commands, and group enumeration to reduce false positives without suppressing rare activity on sensitive hosts.
- Validate egress monitoring for both common web protocols and less common non-application-layer communications; Carbon’s mapped C2 techniques indicate that network controls should not rely only on destination reputation or protocol allowlisting.
- Hunt for local staging followed by outbound transfer over unencrypted non-C2 protocols, especially from systems that normally should not aggregate or transmit sensitive files.
- Account for obfuscation and deobfuscation: detections should include behavioral and memory/process evidence, not just file hashes or readable strings.
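The behavior-chain idea above, as an added example that is not code from ATT&CK, Glexia, or any Carbon analysis: a small correlator over normalized endpoint and network events that only flags a host when persistence, discovery, staging, and outbound transfer occur in that order within a window. The event schema, the command-to-technique mapping, and the sample events are assumptions constructed for the example, not a description of what Carbon itself runs.

```python
from collections import defaultdict

# Hypothetical mapping of Windows discovery executables to technique IDs on this page.
# Defender's heuristic for the example only, not a claim about Carbon's own commands.
DISCOVERY_CMDS = {"tasklist.exe": "T1057", "netstat.exe": "T1049", "net.exe": "T1069",
                  "reg.exe": "T1012", "ipconfig.exe": "T1016", "nbtstat.exe": "T1018"}
STAGES = ("persistence", "discovery", "staging", "outbound")  # chain order from the page

def classify(ev):
    """Map one normalized event to (stage, technique), or None if it is not chain evidence."""
    k = ev["kind"]
    if k == "service_install":                      # service creation telemetry
        return "persistence", "T1543.003"
    if k == "schtask_create":                       # scheduled task registration
        return "persistence", "T1053.005"
    if k == "process":
        tech = DISCOVERY_CMDS.get(ev["image"].lower())
        return ("discovery", tech) if tech else None
    if k == "file_write" and ev.get("archive"):     # archive written into a staging directory
        return "staging", "T1074.001"
    if k == "netconn" and ev.get("bytes_out", 0) > 0:
        if ev["proto"] == "http":
            return "outbound", "T1048.003"          # unencrypted HTTP transfer
        if ev["proto"] in ("tcp", "udp"):
            return "outbound", "T1095"              # non-application-layer protocol
    return None

def chained_hosts(events, window_s=3600):
    """Return {host: sorted technique IDs} for hosts whose events reach all four stages in
    order within window_s seconds of the first persistence event; single stages never alert."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        hit = classify(ev)
        if hit:
            by_host[ev["host"]].append((ev["ts"], hit[0], hit[1]))
    result = {}
    for host, rows in by_host.items():
        start = next((ts for ts, st, _ in rows if st == "persistence"), None)
        if start is None:
            continue                                # no persistence change: admin noise
        idx, techs = 0, set()
        for ts, stage, tech in rows:
            if ts < start or ts - start > window_s:
                continue
            pos = STAGES.index(stage)
            if pos == idx:                          # next expected stage reached
                idx += 1
            if pos < idx:                           # evidence for a stage already reached
                techs.add(tech)
        if idx == len(STAGES):
            result[host] = sorted(techs)
    return result

# Constructed sample telemetry (not real logs): ws01 forms the chain, admin02 is benign use.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": 0, "kind": "service_install"},
    {"host": "ws01", "ts": 120, "kind": "process", "image": "tasklist.exe"},
    {"host": "ws01", "ts": 130, "kind": "process", "image": "net.exe"},
    {"host": "ws01", "ts": 900, "kind": "file_write", "archive": True},
    {"host": "ws01", "ts": 1500, "kind": "netconn", "proto": "http", "bytes_out": 4200000},
    {"host": "admin02", "ts": 0, "kind": "process", "image": "tasklist.exe"},
    {"host": "admin02", "ts": 50, "kind": "netconn", "proto": "http", "bytes_out": 2048},
]
```

Running `chained_hosts(SAMPLE_EVENTS)` returns only ws01 with the five technique IDs its events evidenced; admin02 never alerts because no persistence change precedes its discovery and web traffic.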
Mitigation priorities
- Start with visibility assurance: confirm Windows endpoint logging, EDR coverage, network egress telemetry, and retention are sufficient to reconstruct persistence, discovery, C2, staging, and exfiltration activity.
- Harden and monitor persistence surfaces by controlling who can create or modify Windows services and scheduled tasks, and by reviewing changes on high-value systems.
- Limit outbound connectivity from sensitive Windows hosts to required destinations and protocols, with special attention to web traffic, web services, non-application-layer protocols, and unencrypted transfer paths.
- Apply least privilege and identity hygiene so permission group discovery yields less useful follow-on targeting information and administrative actions are easier to distinguish from normal user behavior.
- Prepare IR playbooks for second-stage backdoor scenarios: scope discovery activity, collect volatile endpoint evidence, review outbound traffic, identify staged data, and preserve audit evidence for legal, regulatory, or executive decision-making.
Analyst notes and limits
Carbon is represented here as ATT&CK software S0335, a Windows malware object described as a second-stage backdoor and framework. The relationship set is rich enough to support a defensive coverage plan across discovery, persistence, stealth, command-and-control, collection, and exfiltration behaviors. The relationship to Turla provides useful prioritization context, but attribution should remain evidence-led during any investigation.
MITRE does not provide official detection guidance for this object, and the supplied object does not include aliases, labels, or malware-specific tactics. Several related techniques list broad platforms, but Carbon’s supplied platform is Windows, so platform-specific conclusions should be limited to Windows unless local evidence shows otherwise. Any detection logic requires local baselines, telemetry validation, and environment-specific tuning.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task | Carbon creates several tasks for later execution to continue persistence on the victim’s machine. (Citation: ESET Carbon Mar 2017) |
| Enterprise | T1102 | Web Service | Carbon can use Pastebin to receive C2 commands. (Citation: Accenture HyperStack October 2020) |
| Enterprise | T1049 | System Network Connections Discovery | Carbon uses the |
| Enterprise | T1012 | Query Registry | Carbon enumerates values in the Registry. (Citation: ESET Carbon Mar 2017) |
| Enterprise | T1069 | Permission Groups Discovery | Carbon uses the |
| Enterprise | T1124 | System Time Discovery | Carbon uses the command |
| Enterprise | T1016 | System Network Configuration Discovery | Carbon can collect the IP address of the victims and other computers on the network using the commands: |
| Enterprise | T1074.001 | Local Data Staging | Carbon creates a base directory that contains the files and folders that are collected. (Citation: ESET Carbon Mar 2017) |
| Enterprise | T1543.003 | Windows Service | Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine. (Citation: ESET Carbon Mar 2017) |
| Enterprise | T1573.002 | Asymmetric Cryptography | Carbon has used RSA encryption for C2 communications. (Citation: Accenture HyperStack October 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Carbon decrypts task and configuration files for execution. (Citation: ESET Carbon Mar 2017) (Citation: Accenture HyperStack October 2020) |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Carbon uses HTTP to send data to the C2 server. (Citation: ESET Carbon Mar 2017) |
| Enterprise | T1018 | Remote System Discovery | Carbon uses the |
| Enterprise | T1071.001 | Web Protocols | Carbon can use HTTP in C2 communications. (Citation: Accenture HyperStack October 2020) |
| Enterprise | T1027 | Obfuscated Files or Information | Carbon encrypts configuration files and tasks for the malware to complete using the CAST-128 algorithm. (Citation: ESET Carbon Mar 2017) (Citation: Accenture HyperStack October 2020) |
| Enterprise | T1095 | Non-Application Layer Protocol | Carbon uses TCP and UDP for C2. (Citation: ESET Carbon Mar 2017) |
| Enterprise | T1055.001 | Dynamic-link Library Injection | Carbon has a command to inject code into a process. (Citation: ESET Carbon Mar 2017) |
| Enterprise | T1057 | Process Discovery | Carbon can list the processes on the victim’s machine. (Citation: ESET Carbon Mar 2017) |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | dd9f4e0a991e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Carbon Mar 2017: ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018.
- [2] Securelist Turla Oct 2018: Kaspersky Lab's Global Research & Analysis Team. (2018, October 04). Shedding Skin – Turla’s Fresh Faces. Retrieved November 7, 2018.
- [3] Carbon (Citation: ESET Carbon Mar 2017) (Citation: Securelist Turla Oct 2018)
- [4] mitre-attack S0335
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.