S0375: Remexi
Analyst context for executives and security teams
Remexi matters because it is not just a named Windows Trojan; the ATT&CK relationships show a post-compromise toolset pattern that can support persistence, credential collection, user monitoring, discovery, command execution, and exfiltration over command-and-control traffic. For leaders, the decision value is whether Windows endpoint, identity, and network monitoring can prove visibility across that chain rather than relying on a malware name or signature alone.
Executive priority
Prioritize Remexi as a resilience and evidence question: can the organization detect and investigate a Windows host that persists through startup mechanisms, collects sensitive user activity such as keystrokes, clipboard data, and screenshots, stages data, and sends it through web-style C2 traffic? This is especially relevant for SOC readiness, incident response scoping, privileged account protection, and audit evidence around endpoint logging, egress monitoring, and persistence control validation. ATT&CK also relates Remexi to APT39, so threat intelligence teams should consider whether the related industry and regional context from that group relationship is relevant to local risk without assuming current exposure.
Technical view
Validate coverage around the behaviors ATT&CK associates with Remexi: WMI, Windows command shell, Visual Basic execution, scheduled tasks, Registry Run keys, Winlogon helper DLL changes, file and directory discovery, application window discovery, keylogging, clipboard access, screen capture, local archiving, obfuscation/deobfuscation, and exfiltration over C2 using web protocols. Because MITRE provides no official detection text for this malware object, detection engineering should map detections to the related techniques rather than to the malware name alone, with emphasis on correlated host process, registry, task scheduler, user-activity collection, file staging, and outbound network events.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for cmd, WMI, script/VB-related execution, and child-process chains
- Windows Event Logs and endpoint telemetry for scheduled task creation or modification
- Registry auditing or EDR telemetry for Run key and Winlogon-related persistence changes
- File system telemetry for discovery, staging, encoded/encrypted files, and archive creation
- Endpoint behavior telemetry for screenshot, clipboard, window enumeration, and keylogging-like activity where available
Detection direction
- Do not depend on a Remexi signature alone; build behavior coverage around the ATT&CK technique relationships supplied for this object.
- Correlate persistence events with subsequent command execution, discovery, collection, archive creation, and outbound web traffic to reduce false positives from normal administration.
- Tune WMI, scheduled task, Run key, and Winlogon detections against known enterprise management tools and approved software deployment workflows.
- Review whether user-activity collection telemetry is actually available; screen capture, clipboard access, and keylogging behaviors are common blind spots in endpoint logging.
- For web-protocol C2 and exfiltration over C2, validate egress visibility, destination reputation/context, unusual beaconing, and data transfer patterns, while accounting for normal encrypted web traffic volume.
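The chain-level correlation the bullets above call for, as an added example that is not part of this page or of MITRE's material: a small Python correlator over constructed Sysmon-style events. The event field names, host names, timestamps, the 30-minute window, the web-port list and the archive extensions are all assumptions standing in for whatever the local EDR or Sysmon pipeline actually emits; the point it shows is that requiring persistence, command execution and web egress together on one host within a window is what separates a Remexi-like chain from a routine admin task.

```python
"""Correlate a Remexi-style behaviour chain over constructed endpoint events.

Added example for this page, not MITRE or Kaspersky code. Event fields, host
names, timestamps, the 30-minute window and the port list are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Registry paths mapping to T1547.001 (Run keys) and T1547.004 (Winlogon
# helper / Userinit) on this page; matching is case-insensitive.
RUN_KEY_MARKERS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
WINLOGON_USERINIT = "\\currentversion\\winlogon\\userinit"
# Images tied to T1047 / T1059.003 / T1059.005 command execution.
SHELL_IMAGES = {"cmd.exe", "wmic.exe", "wscript.exe", "cscript.exe"}
WEB_PORTS = {80, 443, 8080}            # T1071.001 egress ports, assumption
ARCHIVE_EXT = (".zip", ".rar", ".7z")  # T1560 staging extensions, assumption


def classify(ev):
    """Map one event to the chain stage it evidences, or None if irrelevant."""
    kind = ev["type"]
    if kind == "registry_set":
        target = ev["target"].lower()
        if any(m in target for m in RUN_KEY_MARKERS) or target.endswith(WINLOGON_USERINIT):
            return "persistence"
    elif kind == "task_create":
        return "persistence"
    elif kind == "process_create":
        if ev["image"].lower().rsplit("\\", 1)[-1] in SHELL_IMAGES:
            return "execution"
    elif kind == "file_create" and ev["path"].lower().endswith(ARCHIVE_EXT):
        return "staging"
    elif kind == "net_connect" and ev["dst_port"] in WEB_PORTS:
        return "egress"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Per host, find a persistence event followed within `window` by both
    command execution and web-port egress; staging is reported when present.
    Insisting on the full chain keeps a task plus a cmd.exe run with no
    matching egress (normal administration) from alerting."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage is not None:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))
    findings = {}
    for host, items in by_host.items():
        items.sort(key=lambda t: t[0])
        for i, (t0, s0, anchor) in enumerate(items):
            if s0 != "persistence":
                continue
            later = {s for t, s, _ in items[i + 1:] if t - t0 <= window}
            if {"execution", "egress"} <= later:
                findings[host] = {"anchor": anchor, "stages": sorted(later | {"persistence"})}
                break
    return findings


# Constructed sample: ws01 shows the full chain; admin02 is a patch job whose
# only web connection falls well outside the window.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": "2024-03-01T09:00:00", "type": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws01", "ts": "2024-03-01T09:02:10", "type": "process_create",
     "image": r"C:\Windows\System32\wmic.exe", "cmdline": "wmic process list brief"},
    {"host": "ws01", "ts": "2024-03-01T09:05:00", "type": "file_create",
     "path": r"C:\Users\a\AppData\Local\Temp\out.zip"},
    {"host": "ws01", "ts": "2024-03-01T09:06:30", "type": "net_connect",
     "dst": "203.0.113.10", "dst_port": 443},
    {"host": "admin02", "ts": "2024-03-01T09:10:00", "type": "task_create",
     "name": "PatchJob"},
    {"host": "admin02", "ts": "2024-03-01T09:11:00", "type": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd /c gpupdate /force"},
    {"host": "admin02", "ts": "2024-03-01T11:00:00", "type": "net_connect",
     "dst": "198.51.100.5", "dst_port": 443},
]

if __name__ == "__main__":
    for host, f in correlate(SAMPLE_EVENTS).items():
        print(host, f["stages"], "anchored on", f["anchor"]["type"])
```

Run as a script it reports only ws01. In a real pipeline the classifier would be fed from the EDR's own schema and the tuning bullet above applies: add allow-lists for the management tools and deployment accounts that legitimately write Run keys or create tasks, rather than loosening the chain requirement.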
Mitigation priorities
- Harden Windows persistence surfaces by controlling and monitoring scheduled tasks, startup folders, Run keys, and Winlogon-related registry locations.
- Restrict and monitor administrative execution paths such as WMI, command shell usage, and script/VB execution according to business need.
- Maintain endpoint protection and logging coverage capable of capturing process, registry, file, and network behaviors tied to the related techniques.
- Apply least privilege and account monitoring to reduce the value of captured keystrokes or user-session data.
- Improve outbound network control and logging for web protocols so suspicious C2 and exfiltration patterns can be investigated.
Analyst notes and limits
The supplied ATT&CK object identifies Remexi as a Windows-based Trojan written in C and references Securelist reporting. ATT&CK relationships provide the practical behavioral map: persistence, execution, discovery, collection, obfuscation, C2, and exfiltration. The strongest defensive use is to validate technique-level coverage and incident response readiness for those behaviors.
MITRE provides no official detection guidance for this object, no tactics directly on the malware object, and no aliases or labels in the supplied fields. Local conclusions about exposure, exploitation, attribution, or detection coverage require environment-specific telemetry and investigation evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task | Remexi utilizes scheduled tasks as a persistence mechanism.[1] |
| Enterprise | T1059.003 | Windows Command Shell | Remexi silently executes received commands with cmd.exe.[1] |
| Enterprise | T1056.001 | Keylogging | Remexi gathers and exfiltrates keystrokes from the machine.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1027.013 | Encrypted/Encoded File | Remexi obfuscates its configuration data with XOR.[1] |
| Enterprise | T1115 | Clipboard Data | Remexi collects text from the clipboard.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.[1] |
| Enterprise | T1071.001 | Web Protocols | |
| Enterprise | T1047 | Windows Management Instrumentation | Remexi executes received commands with wmic.exe (for WMI commands).[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Remexi decrypts the configuration data using XOR with 25-character keys.[1] |
| Enterprise | T1547.004 | Winlogon Helper DLL | Remexi achieves persistence using Userinit by adding the Registry key |
| Enterprise | T1010 | Application Window Discovery | Remexi has a command to capture active windows on the machine and retrieve window titles.[1] |
| Enterprise | T1560 | Archive Collected Data | Remexi encrypts and adds all gathered browser data into files for upload to C2.[1] |
| Enterprise | T1059.005 | Visual Basic | Remexi uses AutoIt and VBS scripts throughout its execution process.[1] |
| Enterprise | T1113 | Screen Capture | Remexi takes screenshots of windows of interest.[1] |
| Enterprise | T1083 | File and Directory Discovery | Remexi searches for files on the system.[1] |
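The XOR configuration handling in the T1027.013 and T1140 rows above, as an added example that is not Remexi's code, key or config format: a repeating-key XOR encoder/decoder plus the known-plaintext key recovery an analyst would use against a fixed-length key. The config text, the 25-byte key and the crib ("c2=http://" at offset 0) are all constructed here; the point it shows is why a short repeating key is weak, since a crib of at least the key length at a known offset recovers the whole key and decodes every other block.

```python
"""Repeating-key XOR config encode/decode with crib-based key recovery.

Added example for this page, not Remexi's own code or configuration format.
The config text, the 25-byte key and the crib offset are constructed.
"""
KEY_LEN = 25  # the page reports 25-character keys; everything else is assumed


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; the same call encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(blob: bytes, crib: bytes, offset: int, key_len: int = KEY_LEN):
    """Known-plaintext attack: each crib byte reveals key[(offset + i) % key_len].
    Positions the crib never covers stay None; a crib longer than key_len must
    agree with itself, otherwise the assumed key length or offset is wrong."""
    key = [None] * key_len
    for i, p in enumerate(crib):
        pos = (offset + i) % key_len
        k = blob[offset + i] ^ p
        if key[pos] is not None and key[pos] != k:
            raise ValueError(f"crib conflicts with itself at key byte {pos}")
        key[pos] = k
    return key


def decode_partial(blob: bytes, key) -> bytes:
    """Decode with a possibly partial key; unknown positions render as '?'."""
    out = bytearray()
    for i, b in enumerate(blob):
        k = key[i % len(key)]
        out.append(b ^ k if k is not None else ord("?"))
    return bytes(out)


# Constructed sample: a plausible plaintext config and a 25-byte key.
SAMPLE_KEY = b"Xq7!mZ2pL9vB4nR8sK3wT6yH5"
SAMPLE_CONFIG = (
    b"c2=http://203.0.113.10/gate\n"
    b"interval=300\n"
    b"store=C:\\Users\\Public\\Libraries\\\n"
    b"modules=keylog,clipboard,screenshot\n"
)
SAMPLE_BLOB = xor_repeating(SAMPLE_CONFIG, SAMPLE_KEY)


def recover_and_decode(blob: bytes = SAMPLE_BLOB, crib: bytes = b"c2=http://", offset: int = 0):
    """Recover what the crib gives, then decode; returns (key, plaintext)."""
    key = recover_key(blob, crib, offset)
    return key, decode_partial(blob, key)


if __name__ == "__main__":
    key, text = recover_and_decode()
    print("known key bytes:", sum(k is not None for k in key), "of", KEY_LEN)
    print(text.decode("ascii", "replace"))
```

With the ten-byte crib only ten key positions are known, so the output shows the first ten characters of every 25-byte block and '?' elsewhere; widening the crib to the first 25 bytes of the config recovers the full key and the whole file. In practice the crib comes from a structural constant (a field name, a URL scheme) that a sample confirms, and a self-conflicting crib is the signal to revisit the assumed key length.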
Groups, software, and campaigns
G0087: APT39
APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 07342e836fe1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Securelist Remexi Jan 2019: Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019.
[2] mitre-attack S0375: MITRE ATT&CK software object S0375 (Remexi).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.