S0376: HOPLIGHT
Analyst context for executives and security teams
HOPLIGHT matters because ATT&CK describes it as a Windows backdoor Trojan with relationships to North Korea-linked groups and a broad set of post-compromise behaviors. For leaders, the decision value is not just “detect this malware,” but whether Windows monitoring, identity controls, command-and-control visibility, and incident response playbooks can handle a backdoor that may discover the environment, alter registry/WMI/service settings, move via stolen hashes, transfer tools, and exfiltrate over its C2 channel.
Executive priority
Prioritize HOPLIGHT as a coverage-validation use case for Windows endpoint resilience, credential protection, and egress monitoring. The related techniques touch credential access, execution, persistence, defense impairment, discovery, lateral movement, command and control, and exfiltration, which makes it useful for testing whether security investments produce usable evidence across the full intrusion lifecycle. Financial institutions and organizations with high-value Windows environments should especially confirm that SAM access, pass-the-hash indicators, WMI persistence, service execution, and unusual outbound channels are covered by policy, monitoring, and IR procedures.
Technical view
ATT&CK provides no official detection text for HOPLIGHT, so SOC and detection teams should map coverage from the related techniques rather than relying on a single malware signature. Validate Windows telemetry for command shell execution, WMI execution and event subscriptions, registry query/modify activity, service creation or execution, process injection indicators, SAM database access, pass-the-hash authentication patterns, firewall modification, discovery commands, ingress tool transfer, proxy use, fallback C2, standard encoding in C2 traffic, non-standard protocol/port pairings, and exfiltration over an existing C2 channel. Treat the Lazarus Group and APT38 relationships as threat-intelligence context from ATT&CK, not proof of local exposure or current activity.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- WMI operational logs, WMI repository changes, and event subscription artifacts
- Windows Registry access and modification events, especially security-sensitive keys
- Service Control Manager events and service creation or execution records
- Credential access evidence involving SAM database access or dumping attempts
Detection direction
- Build behavior-based detections around the related ATT&CK techniques because the object has no official detection guidance.
- Correlate Windows execution activity with discovery, registry/WMI changes, service execution, and outbound network sessions instead of alerting on each behavior in isolation.
- Tune for administrative false positives: WMI, registry, services, command shell, firewall changes, and system discovery are common in legitimate operations, so detections need actor, host role, timing, parent process, and change-control context.
- Validate identity detections for local credential material access and pass-the-hash-like authentication patterns, especially where privileged or local administrator accounts are used across systems.
- Review egress visibility for encoded traffic, proxying, fallback channels, and protocol/port mismatches; lack of DNS/proxy/firewall logging is a material blind spot.
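The correlation and tuning points above (combine execution, registry/WMI, service and outbound activity per host; suppress on change-control context) can be expressed as a small rule. The following is an added example, not Glexia's or MITRE's detection logic: it groups constructed sample events by host, looks for at least three distinct behavior categories inside a sliding ten-minute window, and downgrades the finding to "review" when every actor in the cluster is covered by a change-control record. The event fields, category names, `CHANGE_WINDOWS` records and severity labels are all assumptions of this example.

```python
"""Added example: per-host correlation of HOPLIGHT-related behaviors.

Events are constructed sample records shaped like normalized endpoint
telemetry; categories map to techniques listed on this page.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MIN_CATEGORIES = 3

# Behavior categories this rule correlates, each tied to a page technique.
CATEGORIES = {
    "process": "T1059.003 Windows Command Shell",
    "registry": "T1112 / T1012 Registry modify or query",
    "wmi_subscription": "T1546.003 WMI Event Subscription",
    "service": "T1569.002 Service Execution",
    "network": "T1571 / T1008 outbound C2 behavior",
    "credential": "T1003.002 SAM access",
}

# Hypothetical change-control records: (host, actor, start, end).
CHANGE_WINDOWS = [
    ("srv-01", "svc-deploy", "2024-01-15T10:30:00", "2024-01-15T12:00:00"),
]

# Constructed sample events: (timestamp, host, category, actor, detail).
SAMPLE_EVENTS = [
    ("2024-01-15T09:00:00", "ws-042", "process", "jdoe", "cmd.exe /c systeminfo"),
    ("2024-01-15T09:01:30", "ws-042", "registry", "jdoe", "HKLM\\Software\\WBEM\\WDM queried"),
    ("2024-01-15T09:02:10", "ws-042", "wmi_subscription", "jdoe", "__EventFilter created"),
    ("2024-01-15T09:04:00", "ws-042", "network", "jdoe", "outbound tcp/443, no TLS record header"),
    ("2024-01-15T11:00:00", "srv-01", "service", "svc-deploy", "service created: Updater"),
    ("2024-01-15T11:01:00", "srv-01", "wmi_subscription", "svc-deploy", "__EventFilter created"),
    ("2024-01-15T11:02:00", "srv-01", "registry", "svc-deploy", "Run key modified"),
    ("2024-01-15T14:00:00", "ws-099", "process", "asmith", "cmd.exe /c dir"),
]


def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value)


def in_change_window(host: str, actor: str, when: datetime) -> bool:
    """True when an approved change record covers this host, actor and time."""
    return any(
        host == h and actor == a and _ts(start) <= when <= _ts(end)
        for h, a, start, end in CHANGE_WINDOWS
    )


def correlate(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Return at most one finding per host whose events span at least
    min_categories distinct categories inside a sliding time window."""
    by_host = defaultdict(list)
    for ts, host, category, actor, detail in events:
        if category in CATEGORIES:  # ignore telemetry this rule does not score
            by_host[host].append((_ts(ts), category, actor, detail))

    findings = []
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _, _, _) in enumerate(evs):
            cluster = [e for e in evs[i:] if e[0] - t0 <= window]
            cats = sorted({e[1] for e in cluster})
            if len(cats) < min_categories:
                continue
            actors = {e[2] for e in cluster}
            under_change = all(in_change_window(host, a, t0) for a in actors)
            findings.append({
                "host": host,
                "start": t0.isoformat(),
                "categories": cats,
                "techniques": [CATEGORIES[c] for c in cats],
                "actors": sorted(actors),
                "severity": "review" if under_change else "alert",
            })
            break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the sample data the workstation cluster becomes an alert because nothing explains it, the server cluster becomes a review item because its actor is inside an approved change window, and the lone cmd.exe launch on the third host produces nothing; parent-process and host-role context from the tuning bullet above would be added to the event tuples the same way.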
Mitigation priorities
- Reduce credential exposure first: limit local administrator reuse, protect access to SAM-related credential material, and monitor privileged authentication paths.
- Harden Windows administration surfaces used by related techniques, including WMI, command shell usage, service control, registry modification, and firewall configuration changes.
- Apply least privilege and change control around service creation, WMI event subscriptions, registry persistence locations, and host firewall policy.
- Strengthen egress controls and monitoring for non-standard ports, unexpected proxies, fallback channels, and tool transfers from external systems.
- Ensure endpoint protection and logging are configured to retain process, command-line, registry, WMI, service, authentication, and network evidence needed for investigation.
Analyst notes and limits
The most useful defensive interpretation of HOPLIGHT is as a Windows backdoor behavior cluster. The ATT&CK relationships show behaviors spanning credential access, execution, discovery, persistence, defense impairment, lateral movement, command and control, ingress tool transfer, and exfiltration. The group relationships to Lazarus Group and APT38 provide context for threat modeling and intelligence prioritization, but local risk decisions still require asset exposure, telemetry quality, and business process context.
The supplied ATT&CK object has a short description, no official detection section, no aliases, and no object-level tactics listed. This take is therefore derived from the official description, external references, and relationship context only. It does not assert current exploitation, customer exposure, complete detection coverage, or platform applicability beyond the supplied Windows malware platform and related ATT&CK technique context.
HOPLIGHT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1652 | Device Driver Discovery | HOPLIGHT can enumerate device drivers located in the registry at `HKLM\Software\WBEM\WDM`. [1] |
| Enterprise | T1112 | Modify Registry | HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system. [1] |
| Enterprise | T1008 | Fallback Channels | HOPLIGHT has multiple C2 channels in place in case one fails. [1] |
| Enterprise | T1012 | Query Registry | A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key |
| Enterprise | T1090 | Proxy | HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators. [1] |
| Enterprise | T1571 | Non-Standard Port | HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method. [1] |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | HOPLIGHT has been observed loading several APIs associated with Pass the Hash. [1] |
| Enterprise | T1686 | Disable or Modify System Firewall | |
| Enterprise | T1083 | File and Directory Discovery | HOPLIGHT has been observed enumerating system drives and partitions. [1] |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | HOPLIGHT has the capability to harvest credentials and passwords from the SAM database. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | HOPLIGHT can launch cmd.exe to execute commands on the system. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | HOPLIGHT has used its C2 channel to exfiltrate data. [1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | HOPLIGHT has utilized Zlib compression to obfuscate the communications payload. [1] |
| Enterprise | T1082 | System Information Discovery | HOPLIGHT has been observed collecting victim machine information like OS version. [1] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription Sub-technique | HOPLIGHT can use WMI event subscriptions to create persistence. [1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | HOPLIGHT has used svchost.exe to execute a malicious DLL. [1] |
| Enterprise | T1680 | Local Storage Discovery | HOPLIGHT has been observed collecting victim machine volume information. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | HOPLIGHT has the ability to connect to a remote host in order to upload and download files. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository. [1] |
| Enterprise | T1124 | System Time Discovery | HOPLIGHT has been observed collecting system time from victim machines. [1] |
| Enterprise | T1055 | Process Injection | HOPLIGHT has injected into running processes. [1] |
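The Standard Encoding (T1132.001) and Non-Standard Port (T1571) rows above describe zlib-compressed payloads and a FakeTLS session on tcp/443. The following is an added triage example, not code from ATT&CK or from the US-CERT report: it validates the RFC 1950 zlib header on a captured payload, inflates it when the header checks out, and flags tcp/443 traffic whose first bytes are not a TLS record header. The sample payloads are constructed inline; the `triage` function and its verdict strings are this example's own design.

```python
"""Added example: first-pass checks on captured C2 payload bytes.

Covers two page rows: zlib-encoded payloads (T1132.001) and non-TLS
bytes on tcp/443 (T1571).  Samples below are constructed, not captures.
"""
import zlib


def looks_like_zlib(data: bytes) -> bool:
    """RFC 1950 header check: CM == 8 (deflate), CINFO <= 7, and the
    16-bit CMF|FLG value is a multiple of 31.  Cheap enough to run on
    every flow before attempting a real inflate."""
    if len(data) < 2:
        return False
    cmf, flg = data[0], data[1]
    if cmf & 0x0F != 8 or (cmf >> 4) > 7:
        return False
    return ((cmf << 8) | flg) % 31 == 0


def inflate_if_zlib(data: bytes):
    """Return the decompressed bytes when the header checks out and the
    stream inflates cleanly; otherwise None (header false positives from
    random bytes fail here)."""
    if not looks_like_zlib(data):
        return None
    try:
        return zlib.decompress(data)
    except zlib.error:
        return None


def starts_with_tls_record(data: bytes) -> bool:
    """TLS record header: content type 0x14..0x17 and major version 0x03.
    A fake TLS handshake passes this check too, so treat it only as a
    filter for traffic that does not even try to look like TLS."""
    return len(data) >= 3 and 0x14 <= data[0] <= 0x17 and data[1] == 0x03


# Constructed samples (not observed HOPLIGHT traffic).
SAMPLE_ZLIB = zlib.compress(b"host=WS-042;os=Windows 10;time=2024-01-15T09:04:00")
SAMPLE_PLAIN = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
SAMPLE_TLS = bytes([0x16, 0x03, 0x01, 0x00, 0x2F])  # ClientHello record header


def triage(port: int, data: bytes):
    """Return (verdicts, inflated) for one captured payload.  Verdict
    strings are this example's own labels, meant for a triage queue."""
    verdicts = []
    if port == 443 and not starts_with_tls_record(data):
        verdicts.append("non-TLS bytes on tcp/443")
    inflated = inflate_if_zlib(data)
    if inflated is not None:
        verdicts.append("zlib-encoded payload")
    return verdicts, inflated


if __name__ == "__main__":
    for port, sample in ((443, SAMPLE_ZLIB), (443, SAMPLE_TLS), (80, SAMPLE_PLAIN)):
        verdicts, inflated = triage(port, sample)
        print(port, verdicts, inflated)
```

The header arithmetic rejects ordinary HTTP and TLS bytes immediately, so the inflate step only runs on candidates; the decompressed content is what an analyst would then inspect for the host, OS and time fields the discovery rows of the table describe.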
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
G0082: APT38
APT38 is a North Korean state-sponsored threat group that specializes in financial cyber operations; it has been attributed to the Reconnaissance General Bureau.[1] Active since at least 2014, APT38 has targeted banks, financial institutions, casinos, cryptocurrency exchanges, SWIFT system endpoints, and ATMs in at least 38 countries worldwide. Significant operations include the 2016 Bank of Bangladesh heist, during which APT38 stole $81 million, as well as attacks against Bancomext [2] and Banco de Chile [2]; some of their attacks have been destructive.[1][2][3][4]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.4 | | Current bundle | 198cb5dd5a14… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] US-CERT HOPLIGHT Apr 2019: US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019.
[2] HOPLIGHT. (Citation: US-CERT HOPLIGHT Apr 2019)
[3] mitre-attack S0376.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.