Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0383: FlawedGrace

FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[1]

EnterpriseS0383MalwareObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

FlawedGrace is a Windows remote access tool (RAT) documented by ATT&CK and first observed in late 2017. Its practical significance is that a RAT represents hands-on remote control potential, so leaders should treat coverage as an endpoint visibility, containment, and incident-response readiness question rather than only a malware-signature question.

Executive priority

Prioritize whether Windows endpoints can be monitored, isolated, and investigated quickly if this or similar RAT activity appears. The TA505 relationship raises threat-intelligence relevance for criminal malware tracking, but the supplied data does not justify claims about current activity or local exposure. This object is also useful for audit and resilience discussions: can the organization prove it collects the endpoint and network evidence needed to investigate remote-access malware that may use encoded or encrypted files to hinder detection?

Technical view

ATT&CK lists FlawedGrace as Windows malware and relates it to Encrypted/Encoded File (T1027.013), with no official detection text and no tactics specified for the malware object. SOC and IR teams should validate Windows endpoint coverage for suspicious executable activity, file creation/modification, encoded or encrypted artifacts, and network connections associated with remote-access behavior. Detection engineering should avoid relying only on static file signatures because the related technique indicates file content may be concealed.

Likely telemetry

  • Windows endpoint process execution and parent/child process events
  • File creation, modification, and scanning results for suspicious or encoded/encrypted artifacts
  • Endpoint security/EDR alerts and quarantine events
  • Network connection metadata from Windows hosts, including destination, port, timing, and volume
  • DNS, proxy, firewall, or egress logs that can support host-to-external communication analysis

Detection direction

  • Confirm that Windows endpoint telemetry is complete enough to reconstruct malware execution and related file activity.
  • Tune detections to combine endpoint behavior with network egress patterns instead of depending only on known hashes or strings.
  • Account for T1027.013-style blind spots: encoded or encrypted file contents can reduce the value of simple content matching.
  • Use the TA505 relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
  • Document false-positive handling for legitimate remote administration tools and legitimate encrypted files so analysts can separate approved activity from suspicious RAT-like behavior.

Mitigation priorities

  • Maintain strong endpoint prevention and monitoring coverage on Windows systems.
  • Restrict unnecessary outbound connectivity and preserve egress logs for investigation.
  • Ensure rapid host isolation, evidence preservation, and malware triage procedures are tested before an incident.
  • Use least-privilege and application-control principles where appropriate to reduce the chance that untrusted remote-access malware can execute broadly.
  • Track this as a malware/IR readiness issue rather than a vulnerability-management item unless local evidence identifies an exploited vulnerability.
Analyst notes and limits

The most decision-relevant supplied facts are: FlawedGrace is a C++ RAT, the platform is Windows, TA505 is documented as using it, and the malware uses Encrypted/Encoded File (T1027.013). That combination makes endpoint telemetry, egress visibility, and obfuscation-aware detection validation the key defensive questions.

ATT&CK provides no official detection guidance for this object, no tactics for the malware object, no aliases, and only limited relationship context. The supplied fields do not support claims about active exploitation, current campaigns, delivery method, specific command-and-control protocols, persistence, privilege escalation, impact, or customer exposure. Local telemetry and intelligence are required to determine relevance in any environment.

Official MITRE ATT&CK definition

FlawedGrace

FlawedGrace is a fully featured remote access tool (RAT) written in C++ that was first observed in late 2017.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

1 rows
Domain ID Name Relationship / procedure
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

FlawedGrace encrypts its C2 configuration files with AES in CBC mode.CitationProofpoint TA505 Jan 2019
Associated objects

Groups, software, and campaigns

Group Enterprise

G0092: TA505

TA505 is a cyber criminal group that has been active since at least 2014. TA505 is known for frequently changing malware, driving global trends in criminal malware distribution, and ransomware campaigns involving Clop.[1][2][3][4][5]

Relationship explorer

All related ATT&CK context

uses · Group G0092: TA505 Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
8425f39f77138b4c...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 8425f39f7713…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Proofpoint TA505 Jan 2019

    Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019.

    Open source URL
  2. [2]
    mitre-attack S0383
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use