S0340: Octopus
Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[1][2][3]
Analyst context for executives and security teams
Octopus matters because it is a Windows Trojan associated in ATT&CK with espionage-focused activity against government-related targets in Central Asia. For leaders, the practical issue is not the malware name alone, but the behavior pattern: user-driven malicious-file execution, persistence through Run keys or startup locations, host and user discovery, local collection and staging, screen capture, and exfiltration over web/C2 or cloud-storage channels. That combination can turn one opened attachment into a confidentiality and diplomatic/business-continuity incident if endpoint, email, identity, and egress evidence is incomplete.
Executive priority
Prioritize this as a validation case for Windows endpoint resilience, phishing response readiness, and data-loss visibility. Ask whether the organization can prove when a user opened a suspicious attachment, whether persistence was created, what local data was enumerated or staged, and whether outbound web or cloud-storage traffic carried unusual encoded or archived content. The ATT&CK object has no official detection guidance, so assurance should come from local control testing and incident-response evidence, not from assuming named-malware coverage.
Technical view
ATT&CK lists Octopus as Windows malware used by Nomadic Octopus and relates it to techniques spanning initial access/execution, persistence, discovery, collection, command and control, and exfiltration. SOC and IR teams should validate telemetry for malicious attachments and child-process execution, Registry Run key/startup folder changes, WMI execution, user/system/network/storage/file discovery, local staging and archive creation, screenshot activity, ingress tool transfer, encoded web-based C2, exfiltration over C2, and exfiltration to cloud storage. Detection engineering should build behavior-led coverage rather than relying only on static indicators, especially because the official object does not provide detection text.
Likely telemetry
- Email security and mail gateway records for spearphishing attachments and user delivery/open events
- Windows endpoint process creation, parent-child process chains, command-line, and file-write telemetry
- Registry monitoring for Run keys and startup folder persistence
- WMI activity logs and endpoint management telemetry
- File and directory enumeration, archive creation, local staging paths, and access to sensitive local files
Detection direction
- Start with ATT&CK relationships: correlate malicious-file execution with subsequent persistence, discovery, staging, archive, and outbound web/cloud activity on the same Windows host.
- Tune for suspicious Registry Run key/startup folder creation, especially when the referenced binary name or location resembles legitimate resources.
- Review WMI execution for unusual users, hosts, parent processes, or commands; account for legitimate administration tools to reduce false positives.
- Hunt for sequences of host discovery followed by file discovery, local staging, archive creation, and outbound transfer rather than treating each event as high confidence alone.
- Use egress analytics for uncommon destinations, unusual upload volumes, encoded payload patterns, or cloud-storage use inconsistent with the user or host baseline.
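Worked example of the chain-correlation approach above, added for this page and not part of the ATT&CK object or any Glexia tooling. The hosts, paths, address and event records are constructed, and the stage rules follow the techniques in the table: a Run key or startup-folder entry pointing into AppData, wmic.exe launched from a user-writable parent, an archive created under AppData, and an HTTP POST whose body looks Base64-encoded.

```python
import re
from collections import defaultdict

# Constructed sample telemetry (hypothetical hosts, paths and address; t is seconds).
EVENTS = [
    {"host": "ws01", "t": 10, "kind": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": r"C:\Users\a\AppData\Roaming\Java\jusched.exe"},
    {"host": "ws01", "t": 40, "kind": "process", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent": r"C:\Users\a\AppData\Roaming\Java\jusched.exe", "cmd": "wmic os get caption"},
    {"host": "ws01", "t": 90, "kind": "file", "path": r"C:\Users\a\AppData\Roaming\Java\col.rar", "op": "create"},
    {"host": "ws01", "t": 120, "kind": "http", "method": "POST", "dst": "203.0.113.7",
     "body": "aGVsbG8gd29ybGQgdGhpcyBpcyBhIHRlc3Q="},
    {"host": "ws02", "t": 15, "kind": "process", "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "cmd": "wmic csproduct get uuid"},   # admin use, not flagged
]

RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\?$", re.I)
STARTUP = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)
APPDATA = re.compile(r"\\AppData\\", re.I)
ARCHIVE = re.compile(r"\.(rar|zip|7z)$", re.I)
B64 = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def stage(ev):
    """Map one event to a stage of the Octopus-style behavior chain, or None."""
    k = ev["kind"]
    if k == "registry" and RUN_KEY.search(ev["key"]) and APPDATA.search(ev["value"]):
        return "persistence"   # T1547.001: Run key whose target lives under AppData
    if k == "file" and ev["op"] == "create" and STARTUP.search(ev["path"]):
        return "persistence"   # T1547.001: executable dropped into the startup folder
    if k == "process" and ev["image"].lower().endswith("wmic.exe") and APPDATA.search(ev["parent"]):
        return "discovery"     # T1047: wmic.exe spawned by a binary in a user-writable path
    if k == "file" and ev["op"] == "create" and APPDATA.search(ev["path"]) and ARCHIVE.search(ev["path"]):
        return "staging"       # T1074.001 + T1560.001: archive created in Application Data
    if k == "http" and ev["method"] == "POST" and B64.match(ev["body"]):
        return "egress"        # T1071.001 + T1132.001: Base64-looking POST body
    return None

ORDER = ["persistence", "discovery", "staging", "egress"]

def chains(events, window=600, min_stages=3):
    """Per host: stages seen (in chain order) and whether enough of them fall inside one window."""
    seen = defaultdict(dict)
    for ev in sorted(events, key=lambda e: (e["host"], e["t"])):
        s = stage(ev)
        if s and s not in seen[ev["host"]]:
            seen[ev["host"]][s] = ev["t"]   # keep first sighting of each stage
    out = {}
    for host, hits in seen.items():
        ordered = [s for s in ORDER if s in hits]
        span = max(hits.values()) - min(hits.values())
        out[host] = (ordered, len(ordered) >= min_stages and span <= window)
    return out
```

A single stage (for example wmic.exe from cmd.exe on ws02) never alerts on its own; only the sequence on ws01 does.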
Mitigation priorities
- Reduce initial access risk with attachment controls, user-reporting workflows, and rapid phishing triage for targeted malicious files.
- Harden Windows persistence surfaces by monitoring and controlling Registry Run keys and startup folders, with change accountability.
- Limit unnecessary WMI use and ensure administrative activity is logged, attributable, and reviewed.
- Apply least privilege and data-access controls so a compromised user context exposes less local sensitive data.
- Control outbound web and cloud-storage access according to business need, with logging sufficient for investigation of uploads and C2-like traffic.
Analyst notes and limits
The most useful defensive framing is behavior-chain validation: attachment execution leading to persistence, discovery, collection/staging, and outbound transfer. The relationship to Nomadic Octopus provides threat-intelligence context, including Central Asia government and diplomatic targeting, but local prioritization should be based on the organization’s geography, sector, Windows exposure, email threat model, and data sensitivity.
This take uses only the supplied ATT&CK fields and relationships. The Octopus object lists Windows as the platform but does not specify tactics or official detection guidance. External source details were not expanded beyond the supplied references. No claim is made that Octopus is currently active, present in any environment, or detectable by any specific product.
Octopus
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Octopus can exfiltrate files from the system using a documents collector tool.[3] |
| Enterprise | T1033 | System Owner/User Discovery | Octopus can collect the username from the victim’s machine.[1] |
| Enterprise | T1132.001 | Standard Encoding | Octopus has encoded C2 communications in Base64.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Octopus has uploaded stolen files and data from a victim's machine over its C2 channel.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.[1][3] |
| Enterprise | T1016 | System Network Configuration Discovery | Octopus can collect the host IP address from the victim’s machine.[1] |
| Enterprise | T1083 | File and Directory Discovery | Octopus can collect information on the Windows directory and searches for compressed RAR files on the host.[1][2][3] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | Octopus has exfiltrated data to file sharing sites.[3] |
| Enterprise | T1082 | System Information Discovery | Octopus can collect the computer name, OS version, and OS architecture information.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Octopus achieved persistence by placing a malicious executable in the startup directory and has added the |
| Enterprise | T1074.001 | Local Data Staging | Octopus has stored collected information in the Application Data directory on a compromised host.[1][3] |
| Enterprise | T1560.001 | Archive via Utility | Octopus has compressed data before exfiltrating it using a tool called Abbrevia.[3] |
| Enterprise | T1047 | Windows Management Instrumentation | Octopus has used wmic.exe for local discovery information.[1] |
| Enterprise | T1071.001 | Web Protocols | Octopus has used HTTP GET and POST requests for C2 communications.[1][3] |
| Enterprise | T1566.001 | Spearphishing Attachment | Octopus has been delivered via spearphishing emails.[3] |
| Enterprise | T1105 | Ingress Tool Transfer | Octopus can download additional files and tools onto the victim’s machine.[1][2][3] |
| Enterprise | T1680 | Local Storage Discovery | Octopus can collect system drive and disk size information.[1] |
| Enterprise | T1204.002 | Malicious File | Octopus has relied upon users clicking on a malicious attachment delivered through spearphishing.[3] |
| Enterprise | T1113 | Screen Capture | Octopus can capture screenshots of the victims’ machine.[1][2][3] |
Groups, software, and campaigns
G0133: Nomadic Octopus
Nomadic Octopus is a Russian-speaking cyber espionage threat group that has primarily targeted Central Asia, including local governments, diplomatic missions, and individuals, since at least 2014. Nomadic Octopus has been observed conducting campaigns involving Android and Windows malware, mainly using the Delphi programming language, and building custom variants.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 468c6511b7f6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Securelist Octopus Oct 2018: Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018.
[2] Security Affairs DustSquad Oct 2018: Paganini, P. (2018, October 16). Russia-linked APT group DustSquad targets diplomatic entities in Central Asia. Retrieved August 24, 2021.
[3] ESET Nomadic Octopus 2018: Cherepanov, A. (2018, October 4). Nomadic Octopus Cyber espionage in Central Asia. Retrieved October 13, 2021.
[5] mitre-attack S0340: MITRE ATT&CK software entry for Octopus.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.