S0350: zwShell
zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[1]
Analyst context for executives and security teams
zwShell is a Windows remote access tool associated in ATT&CK with the Night Dragon campaign, which targeted oil, energy, and petrochemical organizations and collected information from SCADA systems. Its business relevance is less about a single malware name and more about the post-compromise behaviors ATT&CK links to it: discovery, command execution, persistence through scheduled tasks or services, registry modification, lateral movement over RDP/SMB, and file deletion. Those behaviors can affect incident scope, executive decision-making, and operational resilience, especially in environments where enterprise IT connects to energy or industrial operations.
Executive priority
Leaders should treat this object as a validation point for Windows intrusion readiness: can the organization prove it can detect and investigate remote access, lateral movement, persistence, and discovery activity before sensitive operational or business data is exposed? For energy, petrochemical, or SCADA-adjacent environments, the priority is confirming segmentation, logging, and incident response playbooks across IT and operationally sensitive systems. Because ATT&CK provides no detection text for zwShell itself, budget and assurance should focus on behavior coverage rather than signature-only confidence.
Technical view
ATT&CK lists zwShell as Windows malware and relates it to techniques covering discovery, execution, persistence, privilege escalation, lateral movement, defense impairment, and stealth. SOC and IR teams should validate visibility for Windows Command Shell activity, scheduled task creation or modification, Windows service creation or modification, registry changes, RDP logons, SMB/admin share access, system/user/network/file discovery, and file deletion. Detection engineering should map these behaviors to available Windows endpoint, identity, and network telemetry, then test whether alerts preserve enough context to distinguish administration from suspicious chained activity.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe and administrative utilities
- Windows scheduled task creation, modification, and execution records
- Windows service creation or modification events and related registry paths
- Registry modification telemetry
- RDP authentication and session logs
Detection direction
- Do not rely only on a zwShell malware signature; ATT&CK does not provide official detection guidance for this object.
- Prioritize behavior chains: discovery followed by command shell execution, persistence creation, RDP/SMB movement, registry modification, or cleanup via file deletion.
- Tune false positives around legitimate Windows administration by baselining approved admin hosts, service accounts, scheduled task names, service paths, and expected RDP/SMB patterns.
- Validate that lateral movement telemetry ties user, source host, destination host, protocol, and time together for investigation.
- For energy or SCADA-adjacent environments, verify that monitoring covers enterprise systems that can access operational data or bridge toward sensitive production environments.
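The behavior-chain idea in the list above, worked through as an added example (this is not code from ATT&CK, McAfee, or Glexia). It normalises a handful of Windows events into the stages the page names (RDP logon, command shell, discovery, service or scheduled-task persistence, registry modification), suppresses an approved-administration baseline, and alerts only when several distinct stages land on one host inside a short window, keeping the user, source address, and time context the investigation bullet asks for. Event IDs 4688, 4698, 7045, 4624, 5140 and 4657 are standard Windows Security/System log IDs; the host names, accounts, task name, file paths, IP addresses and the records themselves are constructed, and the 30-minute window and three-stage threshold are assumed tuning values.

```python
"""Correlate Windows telemetry into a zwShell-style behaviour-chain alert.

Added example for this page, not code from ATT&CK, McAfee or Glexia. Event IDs
are standard Windows Security/System log IDs; SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed tuning: stages must fall inside this span
MIN_STAGES = 3                  # assumed tuning: distinct stages needed to alert

# Approved-administration baseline (assumed values) for false-positive suppression.
APPROVED_ADMIN_HOSTS = {"ADMIN-JUMP01"}
APPROVED_SERVICE_ACCOUNTS = {"svc_patch"}
APPROVED_TASK_NAMES = {r"\Microsoft\Windows\Patching\Nightly"}
DISCOVERY_BINARIES = {"whoami.exe", "hostname.exe", "ipconfig.exe", "systeminfo.exe", "net.exe"}


def classify(ev):
    """Map one normalised Windows event to a behaviour stage, or None."""
    eid = ev["event_id"]
    if eid == 4688:                                    # process creation
        image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
        if image == "cmd.exe":
            return "shell"                             # T1059.003
        if image in DISCOVERY_BINARIES:
            return "discovery"                         # T1082 / T1016 / T1033
    elif eid == 4698:                                  # scheduled task created
        if ev.get("task_name") not in APPROVED_TASK_NAMES:
            return "persistence"                       # T1053.005
    elif eid == 7045:                                  # service installed (System log)
        return "persistence"                           # T1543.003
    elif eid == 4624 and ev.get("logon_type") == 10:   # RemoteInteractive logon = RDP
        return "lateral_movement"                      # T1021.001
    elif eid == 5140 and ev.get("share", "").upper() in {"ADMIN$", "C$"}:
        return "lateral_movement"                      # T1021.002
    elif eid == 4657:                                  # registry value modified
        return "registry"                              # T1112
    return None


def detect_chains(events):
    """Return one alert per host whose densest WINDOW holds >= MIN_STAGES stages.

    Each alert keeps user, source, time and stage context so an analyst can
    separate a chained intrusion from routine administration.
    """
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["host"] in APPROVED_ADMIN_HOSTS or ev.get("user") in APPROVED_SERVICE_ACCOUNTS:
            continue                                   # baseline suppression
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((stage, ev))

    alerts = []
    for host, tagged in by_host.items():
        best_window, best_stages = [], set()
        for start, (_, first) in enumerate(tagged):    # every event opens a candidate window
            window = [it for it in tagged[start:] if it[1]["ts"] - first["ts"] <= WINDOW]
            stages = {s for s, _ in window}
            if len(stages) > len(best_stages):
                best_window, best_stages = window, stages
        if len(best_stages) >= MIN_STAGES:
            alerts.append({
                "host": host,
                "first_seen": best_window[0][1]["ts"],
                "last_seen": best_window[-1][1]["ts"],
                "stages": sorted(best_stages),
                "users": sorted({e["user"] for _, e in best_window if e.get("user")}),
                "rdp_sources": sorted({e["src_ip"] for s, e in best_window
                                       if s == "lateral_movement" and "src_ip" in e}),
            })
    return alerts


def _t(hour, minute):
    return datetime(2024, 5, 1, hour, minute)          # constructed date


SAMPLE_EVENTS = [  # constructed records; hosts, users, paths and addresses are invented
    # WS-FIN-07: RDP logon, shell, discovery, new service, Run-key change within 12 minutes
    {"ts": _t(9, 0), "host": "WS-FIN-07", "event_id": 4624, "logon_type": 10, "user": "jdoe", "src_ip": "10.0.20.15"},
    {"ts": _t(9, 2), "host": "WS-FIN-07", "event_id": 4688, "user": "jdoe", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": _t(9, 3), "host": "WS-FIN-07", "event_id": 4688, "user": "jdoe", "image": r"C:\Windows\System32\whoami.exe"},
    {"ts": _t(9, 4), "host": "WS-FIN-07", "event_id": 4688, "user": "jdoe", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"ts": _t(9, 10), "host": "WS-FIN-07", "event_id": 7045, "user": "jdoe", "service_name": "upd", "image": r"C:\Windows\Temp\upd.exe"},
    {"ts": _t(9, 12), "host": "WS-FIN-07", "event_id": 4657, "user": "jdoe", "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    # SRV-DB-02: approved patching account runs its approved task and a shell (suppressed)
    {"ts": _t(13, 0), "host": "SRV-DB-02", "event_id": 4698, "user": "svc_patch", "task_name": r"\Microsoft\Windows\Patching\Nightly"},
    {"ts": _t(13, 5), "host": "SRV-DB-02", "event_id": 4688, "user": "svc_patch", "image": r"C:\Windows\System32\cmd.exe"},
    # WS-HR-03: shell plus one discovery command only, below the chain threshold
    {"ts": _t(11, 0), "host": "WS-HR-03", "event_id": 4688, "user": "asmith", "image": r"C:\Windows\System32\cmd.exe"},
    {"ts": _t(11, 1), "host": "WS-HR-03", "event_id": 4688, "user": "asmith", "image": r"C:\Windows\System32\hostname.exe"},
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

Run as a script it prints a single alert for WS-FIN-07 spanning all five stages; the approved host, account and task-name sets plus the window and threshold are the knobs the tuning bullet above refers to, and a production version would feed normalised events from the SIEM in place of the constructed list.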
Mitigation priorities
- Restrict and monitor RDP, SMB, and Windows admin share use, especially between workstations and sensitive servers.
- Apply least-privilege administration and review accounts with rights to create services, modify scheduled tasks, or change registry persistence locations.
- Centralize Windows endpoint, authentication, and network logs needed to investigate discovery, lateral movement, and persistence behaviors.
- Harden persistence surfaces by controlling who can create scheduled tasks and Windows services and by reviewing unauthorized or unusual entries.
- Maintain incident response procedures for Windows RAT activity that include host isolation, account review, lateral movement scoping, and evidence preservation.
Analyst notes and limits
The supplied ATT&CK object identifies zwShell as a Delphi-based RAT seen since spring 2010 and used during Night Dragon. Relationship context is the strongest source of defensive value here: it links zwShell to Windows-focused behaviors such as RDP, SMB/admin shares, command shell, scheduled tasks, registry modification, Windows services, discovery, and file deletion. Night Dragon context supports extra attention for energy, petrochemical, and SCADA-related environments, but local exposure must be determined from architecture and telemetry.
ATT&CK does not provide official detection text, aliases, labels, or object-level tactics for zwShell in the supplied fields. Several related techniques have broader platform lists, but the malware object itself is supplied as Windows, so this analysis does not extend zwShell activity to other platforms. No active exploitation, current campaign activity, attribution, customer exposure, or guaranteed detection coverage is asserted.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1021.001 | Remote Desktop Protocol | zwShell has used RDP for lateral movement.[1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | zwShell has been copied over network shares to move laterally.[1] |
| Enterprise | T1053.005 | Scheduled Task | zwShell has used SchTasks for execution.[1] |
| Enterprise | T1543.003 | Windows Service | zwShell has established persistence by adding itself as a new service.[1] |
| Enterprise | T1083 | File and Directory Discovery | zwShell can browse the file system.[1] |
| Enterprise | T1070.004 | File Deletion | zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.[1] |
| Enterprise | T1082 | System Information Discovery | zwShell can obtain the victim PC name and OS version.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | zwShell can obtain the victim IP address.[1] |
| Enterprise | T1112 | Modify Registry | zwShell can modify the Registry.[1] |
| Enterprise | T1033 | System Owner/User Discovery | zwShell can obtain the name of the logged-in user on the victim.[1] |
| Enterprise | T1059.003 | Windows Command Shell | zwShell can launch command-line shells.[1] |
Groups, software, and campaigns
C0002: Night Dragon
Night Dragon was a cyber espionage campaign that targeted oil, energy, and petrochemical companies, along with individuals and executives in Kazakhstan, Taiwan, Greece, and the United States. The unidentified threat actors searched for information related to oil and gas field production systems, financials, and collected data from SCADA systems. Based on the observed techniques, tools, and network activities, security researchers assessed the campaign involved a threat group based in China.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 90b4dcf79a5d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] McAfee Night Dragon: McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018.
[2] mitre-attack: S0350 (mirrored MITRE ATT&CK source object).
[3] zwShell (Citation: McAfee Night Dragon).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.