S0353: NOKKI
Analyst context for executives and security teams
NOKKI matters because ATT&CK describes it as a Windows modular remote access tool with behaviors that span discovery, credential collection, persistence, stealth, local staging, tool transfer, and command-and-control over web or file-transfer protocols. For leaders, the decision value is not the malware name alone; it is whether the organization can recognize a Windows host that is being inventoried, made persistent, used to stage data, and controlled through traffic that may resemble normal web or file-transfer activity.
Executive priority
Treat NOKKI as a readiness test for Windows endpoint visibility, identity exposure, and incident response triage. The ATT&CK relationships show behaviors that can affect business continuity and investigation quality: credential API hooking can increase identity risk, Run Key or Startup Folder persistence can extend dwell time, file deletion and obfuscation can reduce forensic evidence, and local data staging plus C2/file transfer behaviors can complicate containment decisions. Security leaders should ask whether SOC and IR teams can connect host discovery, suspicious rundll32 use, persistence changes, staged files, and unusual outbound protocols into one incident narrative instead of handling each alert in isolation.
Technical view
ATT&CK provides no official detection text for NOKKI, so defenders should validate coverage through the related techniques rather than relying on a malware-specific analytic. Focus on Windows telemetry for: system and user discovery, network and storage discovery, Run Key or Startup Folder changes, rundll32-mediated execution, credential API hooking indicators where available, obfuscated or decoded payload artifacts, file deletion after execution, local staging paths, ingress tool transfer, and outbound C2 using web or file-transfer protocols. Relationship context also notes Kimsuky uses this malware and the description says there is some evidence potentially linking NOKKI to APT37, but those links should be used for threat-intelligence enrichment, not as proof of attribution in a local incident.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially rundll32.exe and discovery utilities
- Windows Registry and Startup Folder modification events for persistence validation
- File creation, modification, deletion, and staging-location telemetry
- Endpoint security alerts or memory/behavioral telemetry relevant to API hooking and credential-access behavior
- Network connection, proxy, DNS, and web request logs for HTTP/S or other web-protocol C2 patterns
Detection direction
- Build behavior-based correlation around the ATT&CK-linked techniques rather than depending on the NOKKI name or hash alone.
- Tune for suspicious rundll32 execution, but account for legitimate administrative and software activity to reduce false positives.
- Monitor Run Key and Startup Folder changes with parent process, user context, and file path reputation to distinguish normal installers from suspicious persistence.
- Correlate discovery commands or API calls with subsequent staging, tool transfer, persistence, or outbound network activity; discovery alone can be noisy.
- Review web and file-transfer egress controls and logs for uncommon destinations, unusual user-agent or timing patterns, and unexpected transfer activity from Windows endpoints.
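As an added illustration of the correlation approach above (not code from this page, from Glexia or from MITRE), the following Python sketch classifies constructed Windows endpoint events against the techniques listed for NOKKI and raises a host-level finding only when discovery is joined by at least two stronger signals; the event field names, hosts and paths are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample endpoint events (host, event_type, fields); not real telemetry.
# The "MicroSoft Updatea" path mirrors the masquerading location quoted on this page.
EVENTS = [
    ("ws01", "process", {"image": r"C:\Windows\System32\rundll32.exe",
                         "cmdline": r"rundll32.exe C:\Users\a\AppData\Local\tmp\mod.dll,Run"}),
    ("ws01", "process", {"image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"}),
    ("ws01", "process", {"image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"}),
    ("ws01", "registry", {"key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
                          "data": r"C:\Users\a\AppData\Local\MicroSoft Updatea\svServiceUpdate.exe"}),
    ("ws01", "network", {"image": r"C:\Users\a\AppData\Local\MicroSoft Updatea\svServiceUpdate.exe",
                         "dst_port": 21}),
    ("ws02", "process", {"image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"}),
    ("ws02", "network", {"image": r"C:\Program Files\Browser\browser.exe", "dst_port": 80}),
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
DISCOVERY = {"whoami.exe", "ipconfig.exe", "systeminfo.exe", "hostname.exe"}
RUN_KEY = re.compile(r"\\CurrentVersion\\Run$", re.IGNORECASE)
C2_PORTS = {21, 80, 443}  # FTP and HTTP/S, the C2 protocols listed for NOKKI

def classify(event_type, f):
    """Map one event to a behaviour category tied to the techniques on this page, or None."""
    if event_type == "process":
        name = f["image"].rsplit("\\", 1)[-1].lower()
        if name == "rundll32.exe" and USER_WRITABLE.search(f["cmdline"]):
            return "rundll32_user_path"   # T1218.011 loading a DLL from a user-writable path
        if name in DISCOVERY:
            return "discovery"            # T1033 / T1016 / T1082; noisy on its own
    elif event_type == "registry":
        if RUN_KEY.search(f["key"]) and USER_WRITABLE.search(f["data"]):
            return "run_key_user_path"    # T1547.001 pointing into %LOCALAPPDATA%
    elif event_type == "network":
        if f["dst_port"] in C2_PORTS and USER_WRITABLE.search(f["image"]):
            return "user_path_egress"     # T1071.001 / T1071.002 from a non-standard binary
    return None

def correlate(events):
    """Collect categories per host; alert only when two non-discovery signals coincide."""
    per_host = defaultdict(set)
    for host, etype, fields in events:
        cat = classify(etype, fields)
        if cat:
            per_host[host].add(cat)
    return {host: sorted(cats) for host, cats in per_host.items()
            if len(cats - {"discovery"}) >= 2}
```

Host ws02 shows only a discovery command and browser traffic, so it is not flagged; ws01 combines rundll32 from a user path, a Run key into %LOCALAPPDATA%, and FTP egress from that same binary.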
Mitigation priorities
- Prioritize Windows endpoint visibility for process, registry, file, and network events before relying on malware-family-specific detections.
- Harden and monitor persistence locations such as Registry Run Keys and Startup Folders, with change-review processes for high-value systems.
- Restrict and monitor unnecessary outbound file-transfer protocols and ensure web egress is logged through controlled paths where feasible.
- Apply least privilege and credential protection practices to reduce the value of credential-access behavior such as API hooking.
- Improve incident response playbooks for modular RAT activity: preserve volatile evidence, collect persistence artifacts, review staged data, and scope related C2 and tool-transfer activity.
Analyst notes and limits
The object is a malware entry for NOKKI, described by ATT&CK as a modular remote access tool first observed in January 2018 with significant code overlap with KONNI. ATT&CK also states there is some evidence potentially linking NOKKI to APT37, and the supplied relationship context says Kimsuky uses this object. These relationships are useful for prioritizing intelligence review and hunt hypotheses, but they are not sufficient by themselves for attribution or impact assessment.
ATT&CK provides no official detection guidance for NOKKI, and the object’s own platform field is Windows while several related techniques list broader platforms. This take therefore emphasizes Windows validation and technique-based coverage. Local environment evidence is required to determine whether telemetry exists, whether controls are effective, and whether any observed activity is malicious.
NOKKI
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1124 | System Time Discovery | NOKKI can collect the current timestamp of the victim's machine. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | NOKKI has established persistence by writing the payload to the Registry key |
| Enterprise | T1105 | Ingress Tool Transfer | NOKKI has downloaded a remote module for execution. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | NOKKI is written to %LOCALAPPDATA%\MicroSoft Updatea\svServiceUpdate.exe prior to being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | NOKKI uses Base64 encoding for strings. [1] |
| Enterprise | T1070.004 | File Deletion | NOKKI can delete files to cover tracks. [1] |
| Enterprise | T1033 | System Owner/User Discovery | NOKKI can collect the username from the victim's machine. [1] |
| Enterprise | T1218.011 | Rundll32 | NOKKI has used rundll32 for execution. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | NOKKI uses a unique, custom de-obfuscation technique. [1] |
| Enterprise | T1680 | Local Storage Discovery | NOKKI can gather information on drives on the victim's machine. [1] |
| Enterprise | T1071.001 | Web Protocols | NOKKI has used HTTP for C2 communications. [1] |
| Enterprise | T1074.001 | Local Data Staging | NOKKI can collect data from the victim and stage it in |
| Enterprise | T1016 | System Network Configuration Discovery | NOKKI can gather information on the victim IP address. [1] |
| Enterprise | T1056.004 | Credential API Hooking | NOKKI uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim's machine. [1] |
| Enterprise | T1071.002 | File Transfer Protocols | NOKKI has used FTP for C2 communications. [1] |
| Enterprise | T1082 | System Information Discovery | NOKKI can gather information on the operating system on the victim's machine. [1] |
Groups, software, and campaigns
G0094: Kimsuky
Kimsuky is a Democratic People's Republic of Korea (DPRK)-based cyber espionage group that has been active since at least 2012. The group initially targeted South Korean government agencies, think tanks, and subject-matter experts in various fields. Its operations expanded to include the United Nations and organizations in the government, education, business services, and manufacturing sectors across the United States, Japan, Russia, and Europe. Kimsuky has focused collection on foreign policy and national security issues tied to the Korean Peninsula, nuclear policy, and sanctions. Kimsuky operations have overlapped with those of other North Korean state-sponsored cyber espionage actors as a result of ad hoc collaborations or other limited resource sharing.[1][2][3][4][5][6]
Kimsuky was assessed to be responsible for the 2014 Korea Hydro & Nuclear Power Co. compromise; other notable campaigns include Operation STOLEN PENCIL (2018), Operation Kabar Cobra (2019), and Operation Smoke Screen (2019).[7][8][9] In 2023, Kimsuky was observed using commercial large language models (LLMs) to assist with vulnerability research, scripting, social engineering and reconnaissance.[10]
DPRK threat actor cluster boundaries overlap in open source reporting, with some security researchers consolidating all attributed North Korean state-sponsored cyber activity under Lazarus Group, rather than tracking operationally distinct subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 60c5b9506005… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 NOKKI Sept 2018: Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018.
- [2] Unit 42 Nokki Oct 2018: Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018.
- [3] NOKKI (Citation: Unit 42 NOKKI Sept 2018)
- [4] mitre-attack S0353
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.