MITRE ATT&CK® Malware

S0351: Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [1][2]

Domain: Enterprise. ID: S0351. Type: Malware. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Cannon is a Windows Trojan documented by ATT&CK as having C# and Delphi variants and first observed in 2018. Its business significance is less about a single malware name and more about the behaviors ATT&CK associates with it: host discovery, file and storage enumeration, screen capture, command-and-control over mail protocols, tool transfer, exfiltration over C2, and Windows Winlogon-based persistence. For leaders, this points to the need to validate whether Windows endpoint, email-protocol network traffic, and persistence monitoring can support timely triage if similar behavior appears.

Executive priority

Treat Cannon as a readiness test case for Windows intrusion visibility rather than as a standalone risk score. The ATT&CK relationship to APT28 raises threat-intelligence relevance, but local priority should be based on whether the organization can prove coverage for discovery, persistence, C2, collection, and exfiltration behaviors. Security leaders should ask whether SOC playbooks, incident response evidence collection, and audit artifacts can show monitoring of Winlogon registry abuse, unusual mail-protocol command-and-control patterns, screenshot collection, tool transfer, and outbound data movement over an established C2 channel.

Technical view

ATT&CK does not provide a Cannon-specific detection section, so defenders should validate coverage against the mapped techniques. On Windows, prioritize endpoint evidence for process, user, system, file, directory, storage, and time discovery; registry monitoring for Winlogon helper DLL persistence (the Shell and Userinit values and the Notify subkey covered by T1547.004); suspicious file creation or transfer activity; and screen capture behavior. Network and email security teams should review visibility into SMTP/S and POP3/S traffic, the protocols named in the Cannon procedure (IMAP falls under the same technique, T1071.003), where permitted, especially for abnormal client behavior, unusual destinations, encoded content patterns, or nonstandard use by endpoints. Because the TLS variants hide message content, the usable signals are mostly metadata: which process opened the connection, where it went, how often, and whether that host role is expected to speak mail protocols at all. IR teams should be prepared to correlate host discovery activity with C2, tool ingress, collection, and exfiltration indicators rather than relying on a Cannon malware signature alone.

Likely telemetry

  • Windows endpoint process execution and process lineage telemetry
  • Windows registry change telemetry for the Winlogon key under HKLM and HKCU (the Shell and Userinit values and the Notify subkey referenced by ATT&CK technique T1547.004; the Cannon procedure names the HKCU key)
  • File creation, modification, directory enumeration, and local storage enumeration evidence
  • User/session and system information discovery artifacts
  • Screen capture-related process, API, or file artifacts where endpoint tooling supports them

Detection direction

  • Because ATT&CK provides no official Cannon detection guidance, build detections around the related techniques rather than the malware name alone.
  • Validate alerting for Winlogon helper DLL persistence, including registry writes in expected Winlogon locations and execution following user logon.
  • Correlate bursts of discovery activity, such as user, process, system, file, directory, local storage, and system time queries, with later C2, screen capture, file transfer, or exfiltration behavior.
  • Review whether mail protocols are normal from workstations in the environment; false positives are likely where legitimate clients use SMTP/S, POP3/S, or IMAP, so baselines by host role and user context are important.
  • Tune for suspicious tool transfer and outbound data movement over the same channel used for command and control, while avoiding assumptions that all mail-protocol traffic is malicious.
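The detection directions above can be exercised as code. The following is an added example written for this page, not code from the ATT&CK entry or from the Unit 42 reports it cites. It runs technique-based rules over constructed Sysmon-style events and correlates a burst of discovery commands (T1057, T1033, T1082, T1680) with a per-user Winlogon Shell write (T1547.004) and a mail-port connection from a process that is not an approved mail client (T1071.003, T1041). The event records, hosts, SIDs, paths, IPs, the mail-client allowlist, the command-line markers and the time windows are all constructed assumptions; the assumption that per-user Winlogon Shell and Userinit values are absent on a stock workstation should be checked against your own gold image before alerting on it.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (EventID 1 = process create, 13 = registry value
# set, 3 = network connection). Hosts, SIDs, paths and IPs are invented; Sysmon
# records HKCU writes as HKU\<SID>, which is why WS01's key starts with HKU.
SAMPLE_EVENTS = r"""
{"ts": "2018-11-20T10:00:05Z", "host": "WS01", "EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c whoami"}
{"ts": "2018-11-20T10:00:09Z", "host": "WS01", "EventID": 1, "Image": "C:\\Windows\\System32\\tasklist.exe", "CommandLine": "tasklist /v"}
{"ts": "2018-11-20T10:00:14Z", "host": "WS01", "EventID": 1, "Image": "C:\\Windows\\System32\\systeminfo.exe", "CommandLine": "systeminfo"}
{"ts": "2018-11-20T10:00:20Z", "host": "WS01", "EventID": 1, "Image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "CommandLine": "wmic logicaldisk get caption,size"}
{"ts": "2018-11-20T10:00:31Z", "host": "WS01", "EventID": 13, "Image": "C:\\Users\\a\\AppData\\Roaming\\svc.exe", "TargetObject": "HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "Details": "explorer.exe, C:\\Users\\a\\AppData\\Roaming\\svc.exe"}
{"ts": "2018-11-20T10:01:02Z", "host": "WS01", "EventID": 3, "Image": "C:\\Users\\a\\AppData\\Roaming\\svc.exe", "DestinationIp": "203.0.113.10", "DestinationPort": 587}
{"ts": "2018-11-20T10:05:00Z", "host": "WS02", "EventID": 3, "Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "DestinationIp": "198.51.100.5", "DestinationPort": 993}
{"ts": "2018-11-20T10:06:00Z", "host": "WS02", "EventID": 1, "Image": "C:\\Windows\\System32\\whoami.exe", "CommandLine": "whoami"}
{"ts": "2018-11-20T10:07:00Z", "host": "WS02", "EventID": 13, "Image": "C:\\Windows\\System32\\svchost.exe", "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell", "Details": "explorer.exe"}
"""

# Discovery techniques mapped to Cannon, keyed by illustrative command-line markers.
DISCOVERY_MARKERS = {
    "T1057 process": ("tasklist", "get-process"),
    "T1033 user": ("whoami", "query user"),
    "T1082 system": ("systeminfo", "hostname"),
    "T1083 file": ("dir ", "get-childitem"),
    "T1680 storage": ("logicaldisk", "fsutil fsinfo", "get-psdrive"),
    "T1124 time": ("tzutil", "w32tm", "get-timezone"),
}
MAIL_PORTS = {25, 465, 587, 110, 995, 143, 993}            # SMTP/S, POP3/S, IMAP/S
ALLOWED_MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}  # assumed per-role allowlist
WINLOGON = "\\microsoft\\windows nt\\currentversion\\winlogon\\"
HKLM_DEFAULTS = {"shell": "explorer.exe", "userinit": "c:\\windows\\system32\\userinit.exe,"}
BURST_WINDOW, CORR_WINDOW = timedelta(minutes=5), timedelta(minutes=30)


def parse_events(text):
    events = [json.loads(line) for line in text.strip().splitlines()]
    for ev in events:
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["ts"])


def check_winlogon(ev):
    """T1547.004: reason string for a suspicious Winlogon value write, else None."""
    target = ev.get("TargetObject", "").lower()
    if WINLOGON not in target:
        return None
    hive, _, rest = target.partition(WINLOGON)
    value = rest.rsplit("\\", 1)[-1]
    if rest.startswith("notify"):  # assumption: Notify is not populated on current Windows
        return "Winlogon Notify write: " + rest
    if value not in HKLM_DEFAULTS:
        return None
    if hive.startswith(("hkcu", "hku\\")):  # assumption: no per-user Shell/Userinit on a stock build
        return "per-user Winlogon %s set to %r" % (value, ev.get("Details"))
    if ev.get("Details", "").strip().lower() != HKLM_DEFAULTS[value]:
        return "HKLM Winlogon %s changed to %r" % (value, ev.get("Details"))
    return None


def discovery_category(ev):
    cmd = ev.get("CommandLine", "").lower()
    return next((cat for cat, marks in DISCOVERY_MARKERS.items() if any(m in cmd for m in marks)), None)


def check_mail_c2(ev):
    """T1071.003 / T1041: mail-port connection from a process that is not an approved client."""
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if ev.get("DestinationPort") in MAIL_PORTS and image not in ALLOWED_MAIL_CLIENTS:
        return "%s -> %s:%s" % (image, ev.get("DestinationIp"), ev["DestinationPort"])
    return None


def detect(events):
    alerts, recent, last_burst = [], defaultdict(list), {}
    for ev in events:
        host, ts = ev["host"], ev["ts"]
        if ev["EventID"] == 13 and check_winlogon(ev):
            alerts.append({"host": host, "ts": ts, "type": "persistence", "reason": check_winlogon(ev)})
        elif ev["EventID"] == 3 and check_mail_c2(ev):
            alerts.append({"host": host, "ts": ts, "type": "c2", "reason": check_mail_c2(ev)})
        elif ev["EventID"] == 1 and discovery_category(ev):
            recent[host] = [(t, c) for t, c in recent[host] if ts - t <= BURST_WINDOW] + [(ts, discovery_category(ev))]
            cats = sorted({c for _, c in recent[host]})
            # Three distinct discovery techniques inside the window, reported once per window.
            if len(cats) >= 3 and ts - last_burst.get(host, datetime.min) > BURST_WINDOW:
                last_burst[host] = ts
                alerts.append({"host": host, "ts": ts, "type": "discovery", "reason": ", ".join(cats)})
    return alerts + correlate(alerts)


def correlate(alerts):
    """Escalate a host where a discovery burst is followed by persistence or C2 within CORR_WINDOW."""
    out = []
    for host in sorted({a["host"] for a in alerts}):
        mine = [a for a in alerts if a["host"] == host]
        bursts = [a["ts"] for a in mine if a["type"] == "discovery"]
        later = [a for a in mine if a["type"] in ("persistence", "c2")
                 and any(timedelta(0) <= a["ts"] - b <= CORR_WINDOW for b in bursts)]
        if later:
            out.append({"host": host, "ts": max(a["ts"] for a in later), "type": "correlated",
                        "reason": "discovery burst followed by " + ", ".join(sorted({a["type"] for a in later}))})
    return out


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(a["ts"].isoformat(), a["host"], a["type"], a["reason"])
```

On the sample, WS01 produces a discovery burst, a persistence alert, a C2 alert and one correlated escalation; WS02's single whoami, Outlook connection and default HKLM Shell write produce nothing. In production the allowlist should be keyed by host role (a mail relay legitimately speaks SMTP), the HKLM defaults should come from the gold image rather than a constant, and the HKU\<SID> prefix should be resolved to a user so the persistence alert can be tied to the logon that follows.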

Mitigation priorities

  • Prioritize Windows endpoint hardening and monitoring for persistence locations associated with Winlogon helper DLL abuse.
  • Restrict and monitor unnecessary outbound mail protocol use from endpoints, allowing only approved clients, servers, and business workflows where feasible.
  • Maintain endpoint controls capable of detecting or blocking suspicious tool transfer, unauthorized execution, and collection behaviors such as screen capture.
  • Ensure least-privilege and application control decisions reduce the ability of malware to persist, enumerate sensitive data locations, and run unauthorized utilities.
  • Prepare incident response procedures to collect registry, process, file-system, network, and user-session evidence quickly from affected Windows systems.
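For the persistence-location check in the first mitigation item and the evidence-collection point in the last, the following added example (not from this page, MITRE, or Unit 42) audits Winlogon values from a registry export rather than from live telemetry. Its input is the text of `reg export` for the HKLM Winlogon key and for a user hive (the sample is constructed and simply concatenates both exports); it flags Shell or Userinit entries beyond the expected defaults, any Notify subkey carrying a DLLName, and Shell or Userinit values present in a user hive at all, which is assumed not to occur on a stock workstation. The default paths assume SystemRoot is C:\Windows.

```python
import re

# Constructed .reg text as written by `reg export <key> <file>` (reg export emits
# UTF-16LE; decode to str before parsing). Two exports are concatenated here, one
# for HKLM and one for the user hive. Every path and value is invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"
"AutoRestartShell"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\helper]
"DLLName"="C:\\ProgramData\\helper.dll"
"Startup"="OnStart"

[HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe, C:\\Users\\a\\AppData\\Roaming\\svc.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Expected entries after splitting on ','; adjust userinit if SystemRoot is not C:\Windows.
DEFAULTS = {"shell": ["explorer.exe"], "userinit": ["c:\\windows\\system32\\userinit.exe"]}


def decode_value(raw):
    """Decode a .reg value: quoted strings are unescaped, dword parsed, others kept raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    return raw


def parse_reg(text):
    """Return {key_path: {value_name: value}} from .reg text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def audit_winlogon(keys):
    """Flag Winlogon Shell/Userinit deviations and Notify helper DLLs (T1547.004)."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if "\\currentversion\\winlogon" not in k:
            continue
        per_user = k.startswith(("hkey_current_user", "hkey_users"))
        lowered = {n.lower(): v for n, v in values.items()}
        if "\\winlogon\\notify\\" in k and "dllname" in lowered:
            findings.append((key, "Notify helper DLL registered: %s" % lowered["dllname"]))
        for name in ("shell", "userinit"):
            if name not in lowered or not isinstance(lowered[name], str):
                continue
            entries = [e.strip().lower() for e in lowered[name].split(",") if e.strip()]
            if per_user:  # assumption: stock workstations do not set these per user
                findings.append((key, "%s present in user hive: %s" % (name, lowered[name])))
            elif entries != DEFAULTS[name]:
                extra = [e for e in entries if e not in DEFAULTS[name]]
                findings.append((key, "%s deviates from default, extra entries: %s" % (name, extra)))
    return findings


if __name__ == "__main__":
    for key, msg in audit_winlogon(parse_reg(SAMPLE_REG)):
        print("[!] %s\n    %s" % (key, msg))
```

During incident response, export HKU\<SID>\...\Winlogon for every loaded profile (and parse NTUSER.DAT for profiles that are not loaded) rather than only the HKCU of the account running the collection, since a per-user Shell value only fires for the user it was planted under. Keep the raw export alongside the findings as evidence.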

Analyst notes and limits

The supplied ATT&CK data identifies Cannon as malware for Windows, with variants in C# and Delphi, and provides relationships to APT28 and multiple ATT&CK techniques. The strongest defensive value is in mapping Cannon to observable behaviors: discovery, persistence, command-and-control over mail protocols, tool transfer, screen capture, and exfiltration over C2. Any prioritization should be refined with local exposure, endpoint coverage, email-protocol use, and threat-intelligence requirements.

No official ATT&CK detection text, aliases, labels, or malware-level tactics were supplied. The relationship context supports technique-focused guidance but does not prove current activity, customer exposure, or detection coverage in any environment. Several related techniques list broader platforms, but the Cannon object itself is supplied as Windows; platform claims here are therefore limited to Windows for Cannon-specific guidance.

Official MITRE ATT&CK definition

Cannon

Cannon is a Trojan with variants written in C# and Delphi. It was first observed in April 2018. [1][2]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Techniques used (11)

Domain | ID | Name | Relationship / procedure

Enterprise | T1057 | Process Discovery
Cannon can obtain a list of processes running on the system. [1][2]

Enterprise | T1680 | Local Storage Discovery
Cannon can gather drive information from the victim's machine. [1][2]

Enterprise | T1113 | Screen Capture
Cannon can take a screenshot of the desktop. [1]

Enterprise | T1033 | System Owner/User Discovery
Cannon can gather the username from the system. [1]

Enterprise | T1041 | Exfiltration Over C2 Channel
Cannon exfiltrates collected data over email via SMTP/S and POP3/S C2 channels. [1]

Enterprise | T1071.003 | Mail Protocols (sub-technique of T1071)
Cannon uses SMTP/S and POP3/S for C2 communications by sending and receiving emails. [1]

Enterprise | T1124 | System Time Discovery
Cannon can collect the current time zone information from the victim's machine. [1]

Enterprise | T1083 | File and Directory Discovery
Cannon can obtain victim drive information as well as a list of folders in C:\Program Files. [1]

Enterprise | T1105 | Ingress Tool Transfer
Cannon can download a payload for execution. [1]

Enterprise | T1082 | System Information Discovery
Cannon can gather system information from the victim's machine such as the OS version and machine name. [1][2]

Enterprise | T1547.004 | Winlogon Helper DLL (sub-technique of T1547)
Cannon adds the Registry key HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to establish persistence. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0007: APT28

APT28 is a threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) 85th Main Special Service Center (GTsSS) military unit 26165.[1][2] This group has been active since at least 2004.[3][4][5][6][7][8][9][10][11][12][13]

APT28 reportedly compromised the Hillary Clinton campaign, the Democratic National Committee, and the Democratic Congressional Campaign Committee in 2016 in an attempt to interfere with the U.S. presidential election.[5] In 2018, the US indicted five GRU Unit 26165 officers associated with APT28 for cyber operations (including close-access operations) conducted between 2014 and 2018 against the World Anti-Doping Agency (WADA), the US Anti-Doping Agency, a US nuclear facility, the Organization for the Prohibition of Chemical Weapons (OPCW), the Spiez Swiss Chemicals Laboratory, and other organizations.[14] Some of these were conducted with the assistance of GRU Unit 74455, which is also referred to as Sandworm Team.

Citation numbers in this APT28 excerpt refer to the G0007 entry's own reference list, not to the source references at the end of this page.


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object version, MITRE modification timestamp, and raw hash. For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash (truncated): a8bf0b7de9c044ee...
Imported snapshots across ATT&CK releases: 1 (release 19.1, object version 1.1, current bundle)

The raw source object is retained through the mirrored ATT&CK source bundle and object hash.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Unit42 Cannon Nov 2018. Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018.
  2. [2] Unit42 Sofacy Dec 2018. Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019.
  3. [3] MITRE ATT&CK, S0351: Cannon (the mirrored source object for this page).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.