S0339: Micropsia
Analyst context for executives and security teams
Micropsia is a Windows remote access tool. Its ATT&CK relationships make it material because the behavior spans persistence, command execution, discovery, credential collection through keylogging, screen/audio capture, automated collection, archiving, tool transfer, and web-protocol command and control. For leaders, the practical question is not whether one malware name is blocked; it is whether Windows endpoint, identity, network, and incident response controls can expose a remote-access intrusion as it moves from foothold to surveillance and data collection.
Executive priority
Prioritize Micropsia as a readiness test for remote-access malware on Windows systems. The linked behaviors touch business continuity and sensitive-information risk: adversaries can discover users and systems, inspect security tooling, persist through shortcut modification, collect keystrokes and screen/audio content, stage data with archives, and communicate over common web protocols. Executives should ask whether SOC coverage can correlate these behaviors into an incident narrative, whether IR playbooks include credential reset and host containment decisions, and whether audit evidence proves collection of the endpoint and network logs needed to investigate this class of activity.
Technical view
Validate Windows-focused detections and response procedures around the related ATT&CK techniques: encoded or encrypted files, WMI execution, Windows command shell activity, user/system/file/security-software discovery, keylogging, screen and audio capture, automated collection, ingress tool transfer, archive creation, hidden files/directories, shortcut-based persistence, and web-protocol command and control. Because ATT&CK provides no official detection text for Micropsia, defenders should not rely on a malware-name alert alone. Build behavior-based coverage that correlates suspicious process execution, persistence changes, discovery commands, collection artifacts, archive staging, and outbound HTTP/HTTPS traffic from unusual processes or hosts.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and WMI-related execution
- WMI activity logs and management instrumentation events
- File creation, modification, hidden attribute changes, and encoded/encrypted artifact evidence
- Startup folder and shortcut creation or modification events
- Endpoint security alerts for keylogging, screen capture, audio capture, or suspicious access to input/peripheral capabilities where available
Detection direction
- Correlate multiple behaviors rather than treating each as a standalone alert: discovery followed by command shell or WMI execution, persistence changes, collection, archiving, and outbound web-protocol traffic is more meaningful than any single event.
- Tune WMI and command shell detections to distinguish routine administration from unusual parent processes, user context, host role, timing, and destinations.
- Review visibility for shortcut modification in startup-related locations; this can be a blind spot if endpoint telemetry focuses only on registry persistence.
- Confirm whether endpoint tooling records file attribute changes and hidden files/directories, not only executable launches.
- Treat keylogging, screen capture, and audio capture as high-sensitivity collection behaviors; validate both technical detection and privacy/legal handling in IR processes.
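As an added example (not code from the ATT&CK object or the Glexia page), the Python below correlates the behaviours listed above per host over constructed endpoint events, so that a host showing WMI security-software queries, cmd.exe, a Startup-folder shortcut, a hidden directory, recursive RAR archiving and non-browser web egress is surfaced as one chain rather than six alerts. The event shape, rule patterns, paths, addresses and the three-behaviour threshold are assumptions, not indicators from the cited reports.

```python
"""Correlate Micropsia-style behaviours per host (added example, not page code).

The event shape {host, type, image, detail} is an assumed, simplified endpoint
telemetry format and every sample event is constructed. Each rule maps to a
technique from the page's table; the query text and paths are illustrative.
"""
import re
from collections import defaultdict

RULES = {  # tag -> (event type, regex applied to the event's detail field)
    "T1047/T1518.001 wmi_security_software_query": ("process", r"(?i)antivirusproduct|firewallproduct"),
    "T1059.003 cmd_shell": ("process", r"(?i)\\cmd\.exe\b"),
    "T1547.009 startup_shortcut": ("file", r"(?i)\\start menu\\programs\\startup\\[^\\]+\.lnk$"),
    "T1560.001 rar_recursive_archive": ("process", r"(?i)\brar(\.exe)?\s+a\b.*\s-r\b"),
    "T1564.001 hidden_attribute": ("process", r"(?i)\battrib(\.exe)?\b.*\+h\b"),
    "T1071.001 web_egress_nonbrowser": ("network", r":(80|443)$"),
}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}  # exempt from the web rule

def tag_event(ev):
    """Return the behaviour tags one event satisfies; browsers never count as web C2 egress."""
    tags = [t for t, (etype, rx) in RULES.items()
            if ev["type"] == etype and re.search(rx, ev["detail"])]
    if ev["image"].lower() in BROWSERS:
        tags = [t for t in tags if not t.startswith("T1071.001")]
    return tags

def correlate(events, min_tags=3):
    """Hosts showing at least min_tags distinct behaviours, each with its sorted tag list."""
    per_host = defaultdict(set)
    for ev in events:
        per_host[ev["host"]].update(tag_event(ev))
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_tags}

# Constructed sample telemetry: WS01 shows the full chain, WS02 looks like routine admin work.
SAMPLE_EVENTS = [
    {"host": "WS01", "type": "process", "image": "wmic.exe", "detail": r"wmic /namespace:\\root\SecurityCenter2 path AntiVirusProduct get displayName"},
    {"host": "WS01", "type": "process", "image": "cmd.exe", "detail": r"C:\Windows\System32\cmd.exe /c whoami"},
    {"host": "WS01", "type": "file", "image": "updater.exe", "detail": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\updater.lnk"},
    {"host": "WS01", "type": "process", "image": "attrib.exe", "detail": r"attrib +h C:\Users\alice\AppData\Local\upd"},
    {"host": "WS01", "type": "process", "image": "rar.exe", "detail": r"rar.exe a -r C:\Users\alice\AppData\Local\upd\out.rar *.doc *.xlsx *.pdf"},
    {"host": "WS01", "type": "network", "image": "updater.exe", "detail": "203.0.113.7:443"},
    {"host": "WS02", "type": "process", "image": "wmic.exe", "detail": r"wmic /namespace:\\root\SecurityCenter2 path FirewallProduct get displayName"},
    {"host": "WS02", "type": "process", "image": "cmd.exe", "detail": r"C:\Windows\System32\cmd.exe /c ipconfig /all"},
    {"host": "WS02", "type": "network", "image": "chrome.exe", "detail": "198.51.100.4:443"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only WS01 with all six tags; WS02 stays below the threshold because its browser traffic is exempt and it shows only discovery plus a shell.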
Mitigation priorities
- Start with containment and monitoring priorities for Windows endpoints that can execute remote-access tooling: EDR coverage, process logging, WMI visibility, and network egress observability.
- Harden persistence paths by monitoring and controlling startup folders and shortcut modifications where operationally feasible.
- Reduce credential exposure by strengthening identity controls and preparing rapid credential reset workflows when keylogging is suspected.
- Limit unnecessary WMI and command shell abuse through administrative control review, least privilege, and scrutiny of remote administration patterns.
- Improve egress governance and proxy/network logging so web-protocol command and control can be investigated by host, user, process, and destination.
Analyst notes and limits
The supplied ATT&CK object identifies Micropsia as a Delphi-written remote access tool for Windows and provides relationships to multiple techniques that describe how the malware has been observed or documented to behave. The strongest defensive value is to use those relationships as a coverage checklist across execution, persistence, discovery, collection, stealth, command and control, and tool transfer. Local baselining is essential because many related behaviors, such as WMI, command shell usage, archiving, and web traffic, also occur during legitimate administration.
MITRE does not provide official detection guidance for this object, and the malware object itself lists no tactics. Several related techniques have broader platform lists, but the Micropsia object platform supplied here is Windows; coverage statements should therefore be validated against Windows telemetry for this object. External references are limited to the cited Talos and Radware reporting plus the MITRE entry; no claim of current activity, customer exposure, or guaranteed detection is supported by the supplied fields.
Micropsia
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | Micropsia gathers the hostname and OS version from the victim’s machine. [1][2] |
| Enterprise | T1119 | Automated Collection | Micropsia executes an RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt). [2] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI. [1][2] |
| Enterprise | T1056.001 | Keylogging Sub-technique | Micropsia has keylogging capabilities. [2] |
| Enterprise | T1083 | File and Directory Discovery | Micropsia can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths. [2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Micropsia creates a command-line shell using cmd.exe. [2] |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Micropsia creates a shortcut to maintain persistence. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Micropsia collects the username from the victim’s machine. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Micropsia can download and execute an executable from the C2 server. [1][2] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Micropsia creates a RAR archive based on collected files on the victim's machine. [2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Micropsia uses HTTP and HTTPS for C2 network communications. [1][2] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Micropsia obfuscates the configuration with a custom Base64 and XOR. [1][2] |
| Enterprise | T1113 | Screen Capture | Micropsia takes screenshots every 90 seconds by calling the Gdi32.BitBlt API. [2] |
| Enterprise | T1123 | Audio Capture | Micropsia can perform microphone recording. [2] |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Micropsia creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each. [2] |
| Enterprise | T1047 | Windows Management Instrumentation | Micropsia searches for anti-virus software and firewall products installed on the victim’s machine using WMI. [1][2] |
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 1e96501c9d87… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos Micropsia June 2017: Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018.
- [2] Radware Micropsia July 2018: Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018.
- [3] Object description: Micropsia (Citation: Talos Micropsia June 2017)(Citation: Radware Micropsia July 2018)
- [4] mitre-attack external ID: S0339
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.