S0395: LightNeuron
LightNeuron is a sophisticated backdoor that has targeted Microsoft Exchange servers since at least 2014. LightNeuron has been used by Turla to target diplomatic and foreign affairs-related organizations. The presence of certain strings in the malware suggests a Linux variant of LightNeuron exists.[1]
Analyst context for executives and security teams
LightNeuron matters because it represents backdoor activity against Microsoft Exchange servers, a high-value business communications platform. The ATT&CK relationships show a pattern that can combine Exchange transport-agent persistence, mail-protocol command and control, email collection, local staging, automated and scheduled exfiltration, obfuscation, and possible manipulation of transmitted data. For leaders, the practical issue is not only malware detection; it is whether the organization can prove control over Exchange extensibility, email access, mail-flow integrity, and outbound data movement.
Executive priority
Prioritize this as an Exchange and email-resilience control-validation scenario. Ask whether security teams have an authoritative inventory of Exchange transport agents, evidence of approved changes, logging that can reconstruct mail-flow and administrative activity, and an incident plan for preserving email evidence while maintaining business communications. This is especially relevant where email contains sensitive diplomatic, legal, executive, regulated, or operational information. Budget and audit discussions should focus on visibility into mail infrastructure, administrator activity, persistence mechanisms, and exfiltration paths rather than relying only on endpoint malware alerts.
Technical view
MITRE does not provide a dedicated detection section for LightNeuron, so SOC and IR teams should build coverage from the related behaviors. Validate monitoring for Microsoft Exchange transport agents and mail pipeline changes, Windows command shell execution, native API-driven execution indicators where available, local file collection and staging, archive creation, encoded or encrypted artifacts, file deletion, tool transfer, and outbound command-and-control or exfiltration over mail protocols. Because the object is associated with Windows and Linux platforms, confirm telemetry coverage on both where Exchange or related mail infrastructure is present. Relationship context also links this malware to Turla and to techniques spanning persistence, command and control, discovery, collection, exfiltration, stealth, execution, and impact.
Likely telemetry
- Exchange transport agent inventory, installation, configuration, and change history
- Exchange and mail-server administrative logs, including mail-flow and transport pipeline events
- SMTP/SMTPS, POP3/POP3S, and IMAP/IMAPS network and server logs where applicable
- Endpoint process creation telemetry for Windows command shell and administrative utilities
- File creation, modification, deletion, archive creation, and staging-directory activity on mail servers
Detection direction
- Baseline legitimate Exchange transport agents and alert on new, modified, unsigned, unexpected, or rarely used agents, especially where change records are absent.
- Correlate mail-server process activity with command shell execution, file staging, archive creation, decoding/deobfuscation behavior, and file deletion rather than treating each event independently.
- Inspect mail-protocol traffic patterns from mail servers for command-and-control or exfiltration indicators, with attention to scheduled timing and volume anomalies; content inspection may be limited by encryption or steganography.
- Tune false positives around legitimate mail security tools, journaling, archiving, backup jobs, compliance export workflows, and authorized administrator maintenance.
- Use relationship-driven hunting: persistence via Transport Agent, C2 via Mail Protocols and Symmetric Cryptography, collection via Remote Email Collection and Automated Collection, and exfiltration via Automated Exfiltration, Scheduled Transfer, and Exfiltration Over C2 Channel.
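The first two bullets call for baselining transport agents and flagging new, modified or unsigned ones. The script below is an added illustration, not code from MITRE, ESET or Glexia: it snapshots `Get-TransportAgent` output from the Exchange Management Shell, records each assembly's SHA-256 and Authenticode state, and diffs it against a saved baseline (the baseline path `C:\Baselines\transport-agents.json` is a hypothetical choice).

```powershell
# Added example: diff live Exchange transport agents against an approved baseline.
# Assumes the Exchange Management Shell is loaded (Get-TransportAgent available);
# the baseline path below is hypothetical. Run once with -WriteBaseline after review.
param(
    [string]$BaselinePath = 'C:\Baselines\transport-agents.json',
    [switch]$WriteBaseline
)
function Get-AgentSnapshot {
    # One record per agent: identity, factory class, assembly path, hash, signature status
    foreach ($a in Get-TransportAgent) {
        $hash = $null; $sig = 'NoAssemblyPath'
        if ($a.AssemblyPath -and (Test-Path $a.AssemblyPath)) {
            $hash = (Get-FileHash -Algorithm SHA256 -Path $a.AssemblyPath).Hash
            $sig  = (Get-AuthenticodeSignature -FilePath $a.AssemblyPath).Status
        }
        [pscustomobject]@{
            Identity  = "$($a.Identity)"
            Enabled   = $a.Enabled
            Priority  = $a.Priority
            Factory   = "$($a.TransportAgentFactory)"
            Assembly  = "$($a.AssemblyPath)"
            Sha256    = $hash
            Signature = "$sig"
        }
    }
}
$current = @(Get-AgentSnapshot)
if ($WriteBaseline) {
    $current | ConvertTo-Json | Set-Content -Path $BaselinePath
    Write-Output "Baseline written: $($current.Count) agents"
    return
}
# @() keeps a single-agent baseline as an array after ConvertFrom-Json
$baseline = @(Get-Content -Raw -Path $BaselinePath | ConvertFrom-Json)
$findings = @()
foreach ($c in $current) {
    $b = $baseline | Where-Object { $_.Identity -eq $c.Identity }
    if (-not $b) { $findings += "NEW agent: $($c.Identity) -> $($c.Assembly)"; continue }
    if ($b.Sha256 -ne $c.Sha256)   { $findings += "MODIFIED assembly: $($c.Identity) ($($c.Assembly))" }
    if ($b.Factory -ne $c.Factory) { $findings += "CHANGED factory: $($c.Identity) -> $($c.Factory)" }
    if ($c.Signature -ne 'Valid')  { $findings += "UNSIGNED/INVALID signature: $($c.Identity) ($($c.Signature))" }
}
foreach ($b in $baseline) {
    if (-not ($current | Where-Object { $_.Identity -eq $b.Identity })) { $findings += "REMOVED agent: $($b.Identity)" }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Transport agents match baseline' }
```

Each finding is a review item, not a verdict: an unsigned or newly added agent should be checked against change records before it is treated as suspicious, and the baseline itself should only be rewritten after that review.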
Mitigation priorities
- Establish strict governance for Exchange transport agents: inventory, approval, change control, and periodic validation against known-good configurations.
- Harden administrative access to mail servers using least privilege, strong authentication, privileged access review, and monitored administrative sessions.
- Ensure mail servers have endpoint, system, and mail-flow logging sufficient for incident reconstruction before an incident occurs.
- Restrict and monitor outbound network paths from mail infrastructure, especially mail-protocol and command-and-control-like traffic not required for business operations.
- Segment and protect mail infrastructure as a high-value asset, with tested backup, recovery, and forensic preservation procedures.
Analyst notes and limits
The official ATT&CK description states that LightNeuron is a sophisticated backdoor targeting Microsoft Exchange servers since at least 2014, used by Turla against diplomatic and foreign affairs-related organizations, and that strings suggest a Linux variant exists. The supplied relationships provide the main defensive value: they map the malware to Exchange transport-agent persistence, mail-protocol C2, discovery, collection, staging, exfiltration, obfuscation, and transmitted data manipulation behaviors.
ATT&CK provides no official detection text for this object and the object-level tactics are not specified. This take does not assert current exploitation, local exposure, or guaranteed detectability. Organizations must validate applicability against their actual Exchange deployment, Linux/Windows mail-server footprint, logging configuration, network architecture, and approved administrative workflows.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion Sub-technique | LightNeuron has a function to delete files.[1] |
| Enterprise | T1071.003 | Mail Protocols Sub-technique | LightNeuron uses SMTP for C2.[1] |
| Enterprise | T1029 | Scheduled Transfer | LightNeuron can be configured to exfiltrate data during nighttime or working hours.[1] |
| Enterprise | T1020 | Automated Exfiltration | LightNeuron can be configured to automatically exfiltrate files under a specified directory.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | LightNeuron exfiltrates data over its email C2 channel.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | LightNeuron encrypts its configuration files with AES-256.[1] |
| Enterprise | T1001.002 | Steganography Sub-technique | LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LightNeuron has used AES and XOR to decrypt configuration files and commands.[1] |
| Enterprise | T1560 | Archive Collected Data | LightNeuron contains a function to encrypt and store emails that it collects.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | LightNeuron collects Exchange emails matching rules specified in its configuration.[1] |
| Enterprise | T1082 | System Information Discovery | LightNeuron gathers the victim computer name using the Win32 API call |
| Enterprise | T1105 | Ingress Tool Transfer | LightNeuron has the ability to download and execute additional files.[1] |
| Enterprise | T1119 | Automated Collection | LightNeuron can be configured to automatically collect files under a specified directory.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | LightNeuron uses AES to encrypt C2 traffic.[1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | LightNeuron can store email data in files and directories specified in its configuration, such as |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | LightNeuron is capable of executing commands via cmd.exe.[1] |
| Enterprise | T1005 | Data from Local System | LightNeuron can collect files from a local system.[1] |
| Enterprise | T1565.002 | Transmitted Data Manipulation Sub-technique | LightNeuron is capable of modifying email content, headers, and attachments during transit.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | LightNeuron gathers information about network adapters using the Win32 API call |
| Enterprise | T1106 | Native API | LightNeuron is capable of starting a process using CreateProcess.[1] |
| Enterprise | T1505.002 | Transport Agent Sub-technique | LightNeuron has used a malicious Microsoft Exchange transport agent for persistence.[1] |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 2cc5c37de1d9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET LightNeuron May 2019. Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019.
[2] mitre-attack S0395.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.