S0416: RDFSNIFFER

RDFSNIFFER is a module loaded by BOOSTWRITE which allows an attacker to monitor and tamper with legitimate connections made via an application designed to provide visibility and system management capabilities to remote IT techs.[1]

Domain: Enterprise | ID: S0416 | Type: Malware | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

RDFSNIFFER matters because it targets trust in legitimate remote IT support and management workflows. As a Windows module loaded by BOOSTWRITE, it is described as monitoring and tampering with legitimate connections made through an application used by remote IT technicians. For leaders, the practical issue is not just malware on an endpoint; it is whether remote administration channels, credential handling, and forensic evidence are protected well enough to support business continuity and incident response decisions.

Executive priority

Prioritize validation around remote IT management access, privileged credential exposure, and endpoint evidence retention. The relationship to FIN7 and to techniques for Credential API Hooking, Native API use, and File Deletion makes this object relevant to organizations that depend on remote support tools for operations. Executives should ask whether remote access tooling is inventoried, tightly governed, monitored, and able to produce audit-quality evidence during an incident.

Technical view

RDFSNIFFER is a Windows malware object with no ATT&CK-provided detection text. Defensive validation should therefore be relationship-driven: look for suspicious behavior around legitimate remote management applications, API hooking patterns that could expose credentials, low-level/native API activity associated with process or memory manipulation, and deletion of files that may remove intrusion artifacts. SOC and IR teams should also account for the loader context, since the official description says the module is loaded by BOOSTWRITE.

Likely telemetry

  • Windows endpoint process execution and module/DLL load telemetry
  • Remote IT management application logs and connection records
  • Endpoint detection telemetry for API hooking or abnormal interaction with credential-related APIs
  • File creation, modification, and deletion events on Windows hosts
  • Process-to-process interaction, memory, and native API-related behavioral telemetry where available

Detection direction

  • Confirm visibility into approved remote IT management tools, especially unusual child processes, injected modules, unexpected network activity, or tampering indicators around those applications.
  • Tune detections around Credential API Hooking carefully because legitimate security, accessibility, and management tools may also interact deeply with processes; prioritize suspicious combinations involving remote access sessions and credential-handling processes.
  • Correlate file deletion events with preceding suspicious execution, tool staging, or remote administration activity to reduce false positives from normal cleanup or software update behavior.
  • Validate whether endpoint telemetry captures module loading and native API-adjacent behaviors; gaps here may make this malware family difficult to distinguish from legitimate administrative activity.
  • Because ATT&CK provides no official detection guidance for this object, test coverage using internal telemetry and benign simulations rather than assuming tool alerts exist.
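An added example, not code from the ATT&CK entry or from Glexia, that implements the correlation described in the bullets above: a module loaded into an approved remote-management tool from an unexpected path, followed by file deletions by the same process within a short window. It runs over constructed Sysmon-style events (event ID 7 image load, event ID 23 file delete); the tool name, paths and field names are assumptions.

```python
from datetime import datetime, timedelta

# Assumed inventory of approved remote IT management executables (constructed).
APPROVED_REMOTE_TOOLS = {"remotesupport.exe"}
# Modules under these prefixes are treated as expected; anything else is reviewed (assumption).
TRUSTED_MODULE_PREFIXES = ("c:\\windows\\", "c:\\program files\\")

TOOL = "C:\\Program Files\\RemoteSupport\\remotesupport.exe"  # constructed path

# Constructed Sysmon-style events: id 7 = image loaded, id 23 = file deleted.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "id": 7, "pid": 4100, "image": TOOL,
     "loaded": "C:\\Windows\\System32\\kernel32.dll"},
    {"ts": "2024-05-01T09:01:10", "id": 7, "pid": 4100, "image": TOOL,
     "loaded": "C:\\Users\\Public\\update.dll"},
    {"ts": "2024-05-01T09:03:30", "id": 23, "pid": 4100, "image": TOOL,
     "target": "C:\\Users\\Public\\session.log"},
    {"ts": "2024-05-01T11:00:00", "id": 23, "pid": 5222,
     "image": "C:\\Windows\\System32\\svchost.exe", "target": "C:\\Windows\\Temp\\x.tmp"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_module_loads(events):
    """Image-load events where an approved remote tool loads a module outside trusted prefixes."""
    return [e for e in events
            if e["id"] == 7
            and _basename(e["image"]) in APPROVED_REMOTE_TOOLS
            and not e["loaded"].lower().startswith(TRUSTED_MODULE_PREFIXES)]


def correlate_deletions(events, window_minutes=10):
    """Pair each suspicious load with file deletions by the same pid inside the time window."""
    findings = []
    for load in suspicious_module_loads(events):
        t0 = _parse(load["ts"])
        deletes = [e for e in events
                   if e["id"] == 23 and e["pid"] == load["pid"]
                   and t0 <= _parse(e["ts"]) <= t0 + timedelta(minutes=window_minutes)]
        if deletes:  # only report when cleanup follows the unexpected module load
            findings.append({"pid": load["pid"], "module": load["loaded"],
                             "deleted": [d["target"] for d in deletes]})
    return findings


if __name__ == "__main__":
    for finding in correlate_deletions(SAMPLE_EVENTS):
        print(finding)
```

Deletions by unrelated processes (the svchost.exe event) are ignored, and shrinking the window to one minute drops the finding, which is the tuning lever the false-positive bullet refers to.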

Mitigation priorities

  • Maintain an authoritative inventory of approved remote IT support and management applications on Windows systems.
  • Restrict and monitor privileged use of remote administration tooling, including strong access controls and reviewable session logging.
  • Harden credential exposure paths by reducing unnecessary privileged sessions and validating controls around credential access and process tampering.
  • Preserve incident evidence by ensuring endpoint logging, centralized log retention, and file deletion telemetry are enabled where operationally feasible.
  • Include remote IT tools in incident response playbooks, tabletop exercises, and compliance evidence reviews because abuse of trusted administration channels can complicate scoping and containment.

Analyst notes and limits

The supplied ATT&CK data identifies RDFSNIFFER as a module loaded by BOOSTWRITE and links it to FIN7 usage plus three techniques: Credential API Hooking, File Deletion, and Native API. The strongest defensive value is to treat this as a test of governance and monitoring around trusted remote management software, not as a standalone signature problem.

ATT&CK does not provide official detection text, aliases, labels, or explicit tactics on the malware object itself. The description is brief and based on the cited FireEye reporting. Local environment details are required to determine which remote IT applications, logs, controls, and false-positive patterns are relevant.

Official MITRE ATT&CK definition


View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain: Enterprise | ID: T1056.004 | Name: Credential API Hooking (Sub-technique)
    RDFSNIFFER hooks several Win32 API functions to hijack elements of the remote system management user interface. [1]

Domain: Enterprise | ID: T1070.004 | Name: File Deletion (Sub-technique)
    RDFSNIFFER has the capability of deleting local files. [1]

Domain: Enterprise | ID: T1106 | Name: Native API
    RDFSNIFFER has used several Win32 API functions to interact with the victim machine. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0046: FIN7

FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in snapshot)
Modified: (empty in snapshot)
Raw hash: 5c834315938cb1c6...

Imported snapshots across ATT&CK releases (1):
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.0 | (empty) | Current bundle | 5c834315938c…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye FIN7 Oct 2019: Carr, N., et al. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators' New Tools and Techniques. Retrieved October 11, 2019.
  2. [2] mitre-attack S0416: MITRE ATT&CK software entry S0416 (RDFSNIFFER).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.