S0433: Rifdoor
Rifdoor is a remote access trojan (RAT) that shares numerous code similarities with HotCroissant.[1]
Analyst context for executives and security teams
Rifdoor is a Windows remote access trojan in ATT&CK, noted by MITRE as sharing code similarities with HotCroissant. Its ATT&CK relationships make it operationally relevant because they span phishing-delivered malicious files, Windows startup persistence, host and user discovery, file obfuscation, and encrypted command-and-control. For leaders, the value is not the malware name alone; it is whether email, endpoint, identity, and network controls can prove they would expose this behavior chain before a remote-access foothold becomes an incident-response problem.
Executive priority
Treat Rifdoor as a validation case for resilience against targeted RAT activity on Windows endpoints. Priority questions are: can the organization detect malicious attachments reaching users, confirm execution of suspicious files, identify unauthorized Run Key or Startup Folder persistence, and investigate encrypted outbound communications from a compromised host? Because ATT&CK links this malware to Andariel, a state-sponsored group, security leaders should ensure threat intelligence, SOC triage, and incident response playbooks can connect malware indicators to behavior-based evidence without depending only on file hashes or static signatures.
Technical view
ATT&CK does not provide a dedicated detection section for Rifdoor, so defenders should validate coverage through its related techniques. On Windows, focus on T1566.001 and T1204.002 for attachment delivery and user-opened malicious files, T1547.001 for Registry Run Keys or Startup Folder persistence, T1016/T1033/T1082 for network, user, and system discovery, T1027.001/T1027.013 for padded or encrypted/encoded files, and T1573.001 for symmetrically encrypted command-and-control. SOC and IR teams should correlate email attachment events, endpoint process creation, file metadata anomalies, registry modifications, local discovery commands or API-driven discovery, and outbound network sessions from newly executed binaries.
Likely telemetry
- Email security logs for spearphishing attachments, attachment names, hashes, detonation results, sender and recipient context
- Endpoint process creation and parent-child process telemetry for files opened by users
- Windows registry auditing or EDR telemetry for Run Key changes and Startup Folder file creation
- File creation and modification metadata, including unusually large binaries or files with encoded/encrypted content indicators
- Host discovery evidence such as network configuration, system information, and user/account discovery activity
Detection direction
- Do not rely only on hashes; Binary Padding and Encrypted/Encoded File relationships indicate static matching may be brittle.
- Tune detections for suspicious persistence writes to Windows Run Keys and Startup Folder paths, especially shortly after a user opens an attachment or downloaded file.
- Correlate discovery behavior with initial execution context: user-launched files that quickly enumerate user, system, or network configuration details should receive higher priority.
- Review outbound encrypted traffic from newly created or rarely seen binaries; the ATT&CK relationship to symmetric cryptography supports inspecting metadata and behavioral context rather than assuming protocol visibility.
- Separate administrative noise from suspicious discovery by considering parent process, user role, host baseline, and timing after attachment execution.
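The correlation the list above describes, written out as an added example that is not part of the ATT&CK object or any vendor tool: it walks constructed Sysmon-style events and reports an Office-spawned process only when at least two of the Rifdoor-related stages (Run Key or Startup Folder write, discovery child process, outbound session) follow it inside a window. Field names, the ten-minute window and the sample events are assumptions.

```python
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe"}
DISCOVERY_TOOLS = {"whoami.exe", "ipconfig.exe", "systeminfo.exe", "hostname.exe"}
RUN_KEY = r"\currentversion\run"               # T1547.001 registry path fragment
STARTUP_DIR = r"\start menu\programs\startup"  # T1547.001 folder path fragment

def _t(s):
    return datetime.fromisoformat(s)

def find_rat_chains(events, window_minutes=10):
    """Return one finding per process spawned by an Office app that shows two or
    more follow-on stages (persistence, discovery, outbound) within the window."""
    findings = []
    spawned = [e for e in events if e["type"] == "process"
               and e["parent"].lower() in OFFICE_APPS
               and e["image"].lower() not in OFFICE_APPS]
    for origin in spawned:
        start, deadline = _t(origin["ts"]), _t(origin["ts"]) + timedelta(minutes=window_minutes)
        stages = set()
        for e in events:
            if e["host"] != origin["host"] or not start <= _t(e["ts"]) <= deadline:
                continue
            if e["type"] == "registry" and e["pid"] == origin["pid"] and RUN_KEY in e["key"].lower():
                stages.add("T1547.001 Run Key write")
            elif e["type"] == "file" and e["pid"] == origin["pid"] and STARTUP_DIR in e["path"].lower():
                stages.add("T1547.001 Startup Folder write")
            elif e["type"] == "process" and e["ppid"] == origin["pid"] and e["image"].lower() in DISCOVERY_TOOLS:
                stages.add("T1016/T1033/T1082 discovery child")
            elif e["type"] == "network" and e["pid"] == origin["pid"]:
                stages.add("T1573.001 outbound session")
        if len(stages) >= 2:  # a single stage alone is common admin/user noise
            findings.append({"host": origin["host"], "image": origin["image"],
                             "pid": origin["pid"], "stages": sorted(stages)})
    return findings

def ev(ts, kind, **fields):  # constructed sample event, all on one host
    return {"ts": "2024-01-10T" + ts, "host": "ws01", "type": kind, **fields}

SAMPLE_EVENTS = [  # constructed telemetry, not real Rifdoor indicators
    ev("09:00:00", "process", pid=100, ppid=50, image="winword.exe", parent="explorer.exe"),
    ev("09:00:20", "process", pid=200, ppid=100, image="invoice.exe", parent="winword.exe"),
    ev("09:00:25", "registry", pid=200, key=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ev("09:00:30", "process", pid=300, ppid=200, image="ipconfig.exe", parent="invoice.exe"),
    ev("09:00:40", "network", pid=200, dst="203.0.113.10:443"),
    ev("09:30:00", "process", pid=400, ppid=100, image="acrobat.exe", parent="winword.exe"),  # no follow-on
]

if __name__ == "__main__":
    for f in find_rat_chains(SAMPLE_EVENTS):
        print(f)
```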
Mitigation priorities
- Prioritize phishing attachment controls, user reporting workflows, and attachment sandboxing or detonation where available.
- Harden Windows endpoint execution controls so untrusted or user-downloaded files are restricted according to organizational policy.
- Monitor and restrict unauthorized Run Key and Startup Folder persistence changes through endpoint hardening and least-privilege practices.
- Maintain endpoint visibility sufficient for process, file, registry, and network correlation during incident response.
- Use behavior-based detections and allow/block decisions that account for obfuscation, padding, and encoded content rather than relying solely on known hashes.
Analyst notes and limits
The supplied ATT&CK object identifies Rifdoor as a Windows RAT and provides relationships to techniques across initial access, execution, persistence, discovery, defense evasion, and command-and-control. ATT&CK also states it is used by Andariel and cites VMware Carbon Black reporting. This take intentionally frames defensive validation around those relationships rather than asserting current activity, victim exposure, or guaranteed detection.
MITRE provides no official detection text for Rifdoor, no explicit tactics on the malware object itself, and no aliases. Several related techniques list non-Windows platforms in the supplied relationship context, while the Rifdoor object itself lists Windows; this assessment therefore treats Windows as the supported malware platform and uses technique relationships for behavior-oriented validation. Local telemetry, baselines, and incident artifacts are required to determine actual exposure or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Rifdoor has encrypted strings with a single byte XOR algorithm.[1] |
| Enterprise | T1082 | System Information Discovery | Rifdoor has the ability to identify the Windows version on the compromised host.[1] |
| Enterprise | T1027.001 | Binary Padding Sub-technique | Rifdoor has added four additional bytes of data upon launching, then saved the changed version as |
| Enterprise | T1016 | System Network Configuration Discovery | Rifdoor has the ability to identify the IP address of the compromised host.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Rifdoor has created a new registry entry at |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Rifdoor has been distributed in e-mails with malicious Excel or Word documents.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Rifdoor has encrypted command and control (C2) communications with a stream cipher.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Rifdoor has the ability to identify the username on the compromised host.[1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Rifdoor has been executed from malicious Excel or Word documents containing macros.[1] |
Groups, software, and campaigns
G0138: Andariel
Andariel is a North Korean state-sponsored threat group that has been active since at least 2009. Andariel has primarily focused its operations, which have included destructive attacks, against South Korean government agencies, military organizations, and a variety of domestic companies; they have also conducted cyber financial operations against ATMs, banks, and cryptocurrency exchanges. Andariel's notable activity includes Operation Black Mine, Operation GoldenAxe, and Campaign Rifle.[1][2][3][4][5]
Andariel is considered a sub-set of Lazarus Group, and has been attributed to North Korea's Reconnaissance General Bureau.[6]
North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5a84c2ccab44… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Carbon Black HotCroissant April 2020: Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. (Open source URL)
- [2] mitre-attack S0433 (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.