S0431: HotCroissant
HotCroissant is a remote access trojan (RAT) attributed by U.S. government entities to malicious North Korean government cyber activity, tracked collectively as HIDDEN COBRA.[1] HotCroissant shares numerous code similarities with Rifdoor.[2]
Analyst context for executives and security teams
HotCroissant is a Windows remote access trojan described by ATT&CK as associated with HIDDEN COBRA activity and related to Lazarus Group usage. Its value to defenders is not just the malware name: the mapped behaviors show a post-compromise tool that can discover the host and user environment, execute through Windows command shell/native APIs, persist with scheduled tasks, transfer files, capture screens, exfiltrate over command-and-control, and hide or clean up artifacts.
Executive priority
Treat this as a readiness test for Windows endpoint visibility, incident response triage, and resilience against remote-access malware. Leaders should ask whether the organization can prove coverage for scheduled task abuse, command execution, discovery activity, suspicious outbound encrypted C2, file transfer/exfiltration, screen capture, and service disruption—not just whether a specific malware signature exists. Because ATT&CK provides no official detection guidance for this object, control assurance should be based on behavior coverage and evidence quality.
Technical view
SOC and IR teams should validate detection around the related behaviors: System Service Discovery, Application Window Discovery, System Network Configuration Discovery, System Owner/User Discovery, Process Discovery, System Information Discovery, File and Directory Discovery, Software Discovery, Windows Command Shell, Native API execution, Scheduled Task persistence, Ingress Tool Transfer, Exfiltration Over C2 Channel, Screen Capture, Service Stop, File Deletion, Hidden Window, Software Packing, Encrypted/Encoded File, and Symmetric Cryptography for C2. Prioritize Windows host telemetry and network evidence that can connect process activity, persistence creation, file movement, and outbound communications into a single investigation timeline.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows scheduled task creation, modification, and execution records
- Service enumeration and service stop events
- File creation, modification, deletion, and suspicious transfer artifacts
- Endpoint signals for packed or encoded executables where available
Detection direction
- Do not rely only on malware names or static signatures; ATT&CK provides no official detection text for HotCroissant.
- Correlate clusters of discovery behavior with subsequent command shell/native API execution, scheduled task activity, file transfer, and outbound network connections.
- Tune for administrative false positives: service queries, process listing, software inventory, and scheduled tasks can be legitimate, so prioritize unusual parent processes, timing, user context, destination patterns, and sequences of behavior.
- Validate whether packed or encrypted/encoded files reduce static detection effectiveness and whether sandboxing or endpoint behavior analytics still produce useful evidence.
- Check blind spots around encrypted C2, hidden windows, file deletion, and screen capture because these behaviors may leave limited or indirect telemetry.
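As an added example (not part of the Glexia page or of any ATT&CK content), the following Python implements the correlation suggested above: a cluster of discovery commands spawned by one parent process, followed within a short window by scheduled task creation on the same host, evaluated over constructed sample events. The event field names, the ten-minute window and the three-technique threshold are assumptions to tune locally.

```python
from datetime import datetime, timedelta

# Discovery binaries mapped to the techniques listed for HotCroissant
DISCOVERY = {"tasklist.exe": "T1057", "sc.exe": "T1007", "systeminfo.exe": "T1082",
             "ipconfig.exe": "T1016", "whoami.exe": "T1033"}
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per environment
MIN_TECHNIQUES = 3              # distinct discovery techniques needed for a cluster

def ev(ts, host, kind, **fields):
    return {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind, **fields}

# Constructed sample telemetry (not real logs): "proc" = process creation with its
# parent pid, "task" = scheduled task creation (Security 4698 / TaskScheduler 106).
EVENTS = [
    ev("2020-04-16T10:00:05", "WS01", "proc", ppid=4120, image="whoami.exe"),
    ev("2020-04-16T10:00:09", "WS01", "proc", ppid=4120, image="systeminfo.exe"),
    ev("2020-04-16T10:00:14", "WS01", "proc", ppid=4120, image="tasklist.exe"),
    ev("2020-04-16T10:00:20", "WS01", "proc", ppid=4120, image="sc.exe"),
    ev("2020-04-16T10:03:00", "WS01", "task", name="Java Maintenance64"),
    # An admin on WS02 runs two tools, then a vendor patch task registers: no alert
    ev("2020-04-16T11:00:00", "WS02", "proc", ppid=880, image="tasklist.exe"),
    ev("2020-04-16T11:02:00", "WS02", "proc", ppid=880, image="ipconfig.exe"),
    ev("2020-04-16T11:05:00", "WS02", "task", name="Adobe Acrobat Update Task"),
]

def discovery_clusters(events):
    """Return {(host, ppid): (first_ts, last_ts, techniques)} for parents that
    spawned MIN_TECHNIQUES or more distinct discovery techniques inside WINDOW."""
    clusters = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["kind"] != "proc" or e["image"].lower() not in DISCOVERY:
            continue
        key = (e["host"], e["ppid"])
        first, _, techs = clusters.get(key, (e["ts"], e["ts"], set()))
        if e["ts"] - first > WINDOW:      # window expired: start a fresh cluster
            first, techs = e["ts"], set()
        techs.add(DISCOVERY[e["image"].lower()])
        clusters[key] = (first, e["ts"], techs)
    return {k: v for k, v in clusters.items() if len(v[2]) >= MIN_TECHNIQUES}

def correlate(events):
    """Alert when a scheduled task is created on the same host within WINDOW
    after a discovery cluster; the task name is kept for triage."""
    alerts = []
    for (host, ppid), (_, last, techs) in discovery_clusters(events).items():
        for e in events:
            if e["kind"] == "task" and e["host"] == host and last <= e["ts"] <= last + WINDOW:
                alerts.append({"host": host, "parent_pid": ppid, "task": e["name"],
                               "techniques": sorted(techs)})
    return alerts
```

Parent-process keying is what separates a RAT child burst from an administrator who runs the same tools across a session; in production the key should also include the user context and the parent image path.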
Mitigation priorities
- Ensure Windows endpoints have durable logging for process execution, scheduled tasks, file activity, service changes, and network connections.
- Harden and monitor scheduled task creation and command shell usage, especially from unusual users, paths, or parent processes.
- Restrict unnecessary outbound communications and review egress monitoring for suspicious encrypted command-and-control patterns.
- Apply least privilege so malware operating in a user context has reduced ability to persist, stop services, collect sensitive data, or stage tools.
- Maintain incident response playbooks for RAT activity that cover host isolation, credential review, persistence removal, outbound traffic scoping, and evidence preservation.
Analyst notes and limits
The supplied ATT&CK object identifies HotCroissant as a Windows RAT attributed by U.S. government entities to malicious North Korean government cyber activity tracked as HIDDEN COBRA, with a relationship showing Lazarus Group uses this software. The most useful defensive interpretation is the behavior set: discovery-heavy host reconnaissance, execution, persistence, stealth, C2, collection, exfiltration, and potential service impact.
ATT&CK does not provide an official detection section for this malware, and the object-level tactics are not specified. Some related technique descriptions are broad platform-wide ATT&CK entries, while the software platform supplied for HotCroissant is Windows. Local environment baselines, telemetry availability, and incident evidence are required before drawing conclusions about exposure, detection coverage, or attribution.
HotCroissant
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1041 | Exfiltration Over C2 Channel | HotCroissant has the ability to download files from the infected host to the command and control (C2) server.[2] |
| Enterprise | T1573.001 | Symmetric Cryptography | HotCroissant has compressed network communications and encrypted them with a custom stream cipher.[2][1] |
| Enterprise | T1070.004 | File Deletion | HotCroissant has the ability to clean up installed files, delete files, and delete itself from the victim's machine.[2] |
| Enterprise | T1106 | Native API | HotCroissant can perform dynamic DLL importing and API lookups using |
| Enterprise | T1027.002 | Software Packing | HotCroissant has used the open source UPX executable packer.[2] |
| Enterprise | T1083 | File and Directory Discovery | HotCroissant has the ability to retrieve a list of files in a given directory as well as drives and drive types.[2] |
| Enterprise | T1489 | Service Stop | HotCroissant has the ability to stop services on the infected host.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | HotCroissant has the ability to upload a file from the command and control (C2) server to the victim machine.[2] |
| Enterprise | T1059.003 | Windows Command Shell | HotCroissant can remotely open applications on the infected host with the |
| Enterprise | T1057 | Process Discovery | HotCroissant has the ability to list running processes on the infected host.[2] |
| Enterprise | T1007 | System Service Discovery | HotCroissant has the ability to retrieve a list of services on the infected host.[2] |
| Enterprise | T1033 | System Owner/User Discovery | HotCroissant has the ability to collect the username on the infected host.[2] |
| Enterprise | T1027.013 | Encrypted/Encoded File | HotCroissant has encrypted strings with single-byte XOR and base64 encoded RC4.[2] |
| Enterprise | T1010 | Application Window Discovery | HotCroissant has the ability to list the names of all open windows on the infected host.[2] |
| Enterprise | T1518 | Software Discovery | HotCroissant can retrieve a list of applications from the |
| Enterprise | T1082 | System Information Discovery | HotCroissant has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host.[1] |
| Enterprise | T1113 | Screen Capture | HotCroissant has the ability to do real time screen viewing on an infected host.[2] |
| Enterprise | T1016 | System Network Configuration Discovery | HotCroissant has the ability to identify the IP address of the compromised machine.[1] |
| Enterprise | T1053.005 | Scheduled Task | HotCroissant has attempted to install a scheduled task named "Java Maintenance64" on startup to establish persistence.[2] |
| Enterprise | T1564.003 | Hidden Window | HotCroissant has the ability to hide the window for operations performed on a given file.[2] |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9b8bc1d0999a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] US-CERT HOTCROISSANT February 2020: US-CERT. (2020, February 20). MAR-10271944-1.v1 – North Korean Trojan: HOTCROISSANT. Retrieved May 1, 2020.
[2] Carbon Black HotCroissant April 2020: Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020.
[3] mitre-attack S0431
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.