
S0343: Exaramel for Windows

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]

Enterprise | S0343 | Malware | Object v2.2 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Exaramel for Windows is an ATT&CK-tracked Windows backdoor. Its decision value is less about a single malware name and more about the behaviors ATT&CK associates with it: Windows services, Registry changes, command shell and Visual Basic execution, fileless storage, local staging, and archiving of collected data. For leaders, this is a useful test case for whether Windows endpoint monitoring can prove persistence, stealth, collection preparation, and operator activity quickly enough to support incident response decisions.

Executive priority

Prioritize this as a Windows backdoor readiness scenario, especially because ATT&CK relates it to Sandworm Team. Do not assume exposure or active exploitation from this object alone, but use it to validate whether SOC and IR teams can answer: which Windows systems had suspicious service or Registry changes, what accounts made them, whether data was staged or archived locally, and whether evidence is retained for audit and incident timelines. For organizations where Windows systems support operational or business-critical environments, these checks matter to continuity and cyber-physical risk triage.

Technical view

ATT&CK provides no official detection text for this malware, so defensive validation should be built from the related techniques. Confirm coverage for Windows service creation or modification, masqueraded service/task names, Registry modification, cmd.exe execution, Visual Basic execution, fileless storage locations such as Registry, event logs, or WMI repository, local data staging, and archive creation. Detection engineering should correlate these behaviors by host, account, parent process, and time sequence rather than relying only on malware signatures.

Likely telemetry

  • Windows service creation, modification, configuration, and service start events
  • Windows Registry modification telemetry, especially persistence- or service-related keys
  • Process creation telemetry for cmd.exe and Visual Basic-related execution
  • EDR or host telemetry showing parent-child process chains from services or scripts
  • File and directory activity showing local staging of collected data

Detection direction

  • Build behavior-based detections around the related ATT&CK techniques rather than depending on a named Exaramel signature.
  • Tune for unusual Windows service names, display names, descriptions, or binary paths that resemble legitimate services but deviate from baselines.
  • Correlate service or Registry changes with subsequent cmd.exe or Visual Basic execution.
  • Review local staging and archive creation in unusual directories or by unusual service-launched processes.
  • Account for false positives from legitimate administration, software deployment, backup, and endpoint management tools; baselining approved service and Registry change sources is essential.
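As an added illustration of the correlation this list describes (example code written here, not Glexia's or MITRE's own), the following Python joins constructed service-install and process-creation events by host, parent process and time window, and only raises alerts for services outside an approved baseline. The hostnames, paths, baseline set and 10-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs), normalised to dicts: System event
# 7045 service installs and Sysmon event 1 process creations.
SERVICE_EVENTS = [
    {"host": "ws01", "time": "2018-10-11T09:00:00", "name": "wsmprovav",
     "desc": "Windows Check AV", "path": r"C:\Windows\Temp\wsmprovav.exe"},
    {"host": "ws02", "time": "2018-10-11T09:05:00", "name": "VendorBackup",
     "desc": "Vendor Backup Agent", "path": r"C:\Program Files\Vendor\backup.exe"},
]
PROCESS_EVENTS = [
    {"host": "ws01", "time": "2018-10-11T09:03:10",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\Temp\wsmprovav.exe"},
    {"host": "ws01", "time": "2018-10-11T09:04:00",
     "image": r"C:\Windows\System32\wscript.exe", "parent": r"C:\Windows\Temp\wsmprovav.exe"},
    {"host": "ws02", "time": "2018-10-11T09:06:00",   # baselined service: no alert
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Program Files\Vendor\backup.exe"},
    {"host": "ws01", "time": "2018-10-11T11:00:00",   # outside the window: no alert
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\Temp\wsmprovav.exe"},
]
BASELINE_SERVICES = {"vendorbackup"}   # assumed approved service names, lower-cased
SHELL_IMAGES = {"cmd.exe", "wscript.exe", "cscript.exe"}
WINDOW = timedelta(minutes=10)

def unbaselined_services(service_events, baseline=BASELINE_SERVICES):
    """Service installs whose name is not in the approved baseline."""
    return [e for e in service_events if e["name"].lower() not in baseline]

def correlate_service_to_shell(service_events, process_events, window=WINDOW):
    """Flag cmd/VBS interpreters spawned by a non-baselined service binary on the
    same host within `window` of the service install (host + parent + time)."""
    alerts = []
    for svc in unbaselined_services(service_events):
        installed = datetime.fromisoformat(svc["time"])
        for proc in process_events:
            if proc["host"] != svc["host"]:
                continue
            delta = datetime.fromisoformat(proc["time"]) - installed
            if not timedelta(0) <= delta <= window:
                continue
            image = proc["image"].rsplit("\\", 1)[-1].lower()
            if image in SHELL_IMAGES and proc["parent"].lower() == svc["path"].lower():
                alerts.append({"host": svc["host"], "service": svc["name"],
                               "desc": svc["desc"], "image": image,
                               "seconds_after_install": int(delta.total_seconds())})
    return alerts
```

Running `correlate_service_to_shell(SERVICE_EVENTS, PROCESS_EVENTS)` yields two alerts for ws01 (cmd.exe and wscript.exe under the unbaselined wsmprovav service) and none for the baselined service or the out-of-window event.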

Mitigation priorities

  • Restrict who can create or modify Windows services and sensitive Registry locations using least privilege and administrative control review.
  • Baseline legitimate services, scheduled tasks, service paths, and Registry persistence locations so masquerading is easier to identify.
  • Harden and monitor script and command shell usage, especially when launched by services or unusual parent processes.
  • Ensure endpoint logging and EDR policies capture process creation, service changes, Registry changes, and file/archive activity.
  • Prepare IR playbooks for Windows backdoor investigations that include service inventory, Registry review, staged data search, and account scoping.

Analyst notes and limits

The supplied ATT&CK object is sparse: it identifies Exaramel for Windows as a Windows backdoor, cites ESET reporting, and provides relationships to techniques and to Sandworm Team. The most defensible use of this page is to translate those relationships into control validation and telemetry requirements. The Sandworm relationship raises prioritization context, but this summary does not claim current activity, customer exposure, or guaranteed detection.

No official ATT&CK detection text, malware labels, aliases, or tactics are provided for the object itself. Network indicators, command-and-control details, file names, hashes, and specific Registry or service artifacts are not supplied here. Local environment baselines and incident evidence are required before drawing conclusions about compromise.

Official MITRE ATT&CK definition

Exaramel for Windows

Exaramel for Windows is a backdoor used for targeting Windows systems. The Linux version is tracked separately under Exaramel for Linux.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1560 | Archive Collected Data
  Exaramel for Windows automatically encrypts files before sending them to the C2 server. [1]

Enterprise | T1059.005 | Visual Basic (sub-technique)
  Exaramel for Windows has a command to execute VBS scripts on the victim's machine. [1]

Enterprise | T1027.011 | Fileless Storage (sub-technique)
  Exaramel for Windows stores the backdoor's configuration in the Registry in XML format. [1]

Enterprise | T1543.003 | Windows Service (sub-technique)
  The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV." [1]

Enterprise | T1112 | Modify Registry
  Exaramel for Windows adds the configuration to the Registry in XML format. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  Exaramel for Windows has a command to launch a remote shell and executes commands on the victim's machine. [1]

Enterprise | T1036.004 | Masquerade Task or Service (sub-technique)
  The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service. [1]

Enterprise | T1074.001 | Local Data Staging (sub-technique)
  Exaramel for Windows specifies a path to store files scheduled for exfiltration. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0034: Sandworm Team

Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]

In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 2.2
Created:
Modified:
Raw hash: c90ccd7d0a8afacf...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 2.2 | | Current bundle | c90ccd7d0a8a…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] ESET TeleBots Oct 2018: Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018.
  [2] Exaramel for Windows (Citation: ESET TeleBots Oct 2018)
  [3] mitre-attack S0343

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.