S0437: Kivars
Analyst context for executives and security teams
Kivars matters because it is a Windows modular remote access tool associated in ATT&CK with BlackTech and with behaviors that support post-compromise access, credential collection, discovery, tool transfer, screen capture, and stealth. For leaders, the practical issue is not the malware name alone; it is whether the organization can recognize a RAT operating inside Windows endpoints before it enables credential theft, lateral movement, and loss of investigative evidence.
Executive priority
Treat Kivars as a validation case for Windows endpoint visibility, remote access governance, and incident response readiness. The ATT&CK object has no official detection guidance, so priority should be on proving that SOC and IR teams can collect and correlate evidence for the related behaviors: Remote Services, Keylogging, File Deletion, File and Directory Discovery, Ingress Tool Transfer, Screen Capture, and Hidden Window. This supports resilience, audit evidence, and control prioritization without assuming current exposure or active exploitation.
Technical view
For SOC and detection engineering, use the ATT&CK relationships as the coverage map. Validate Windows telemetry for unusual remote service logons or sessions, suspicious file and directory enumeration, inbound tool/file staging, deletion of intrusion artifacts, screen capture activity, hidden or non-interactive windows, and signs of keystroke capture. Because Kivars is described as a modular RAT, detections should focus on behavior chains rather than a single indicator. IR teams should also assume that keylogging may create credential exposure and that file deletion may reduce forensic evidence.
Likely telemetry
- Windows endpoint process creation and parent/child process context
- Windows authentication and remote service logon/session records
- Endpoint file creation, modification, transfer, and deletion events
- Network connection and egress metadata from Windows hosts
- EDR or host telemetry for screen capture, hidden windows, and suspicious user-session activity
Detection direction
- Build detections around the related ATT&CK techniques rather than relying on a Kivars-specific signature, since official detection text is not provided.
- Correlate remote service access with subsequent discovery, file transfer, collection, and deletion activity on the same Windows host or account.
- Tune for administrative false positives: remote services, file enumeration, file deletion, and hidden windows can have legitimate IT uses, so context such as account, host role, timing, and sequence is important.
- Prioritize behavior chains that include credential-access or collection behaviors such as keylogging or screen capture followed by remote access or tool transfer.
- Check blind spots in endpoint telemetry retention, especially for deleted files, user-session activity, and events that occur under legitimate accounts.
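The behavior-chain correlation described under Technical view and Detection direction, as an added example that is not part of the ATT&CK object or of this page. It maps Windows Security 4624 logons, Sysmon file create (ID 11) and file delete (ID 23) records, and EDR events to the seven techniques linked to Kivars, then alerts only when a remote logon is followed within a time window by several distinct techniques that include a collection step (keylogging or screen capture). The `edr` event names (`dir_enum`, `window_hidden`, `keyboard_hook`, `screen_capture`) are assumed sensor event types, not a real product's schema, and the telemetry records are constructed for the example.

```python
"""Correlate Kivars-style behavior chains across Windows endpoint telemetry.

Added example; not from the ATT&CK object or the Kivars page. Event types under
the "edr" source are assumed EDR telemetry names, not a real product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# ATT&CK techniques linked to Kivars (S0437). Collection techniques imply
# credential exposure and are required before a chain becomes an alert.
KIVARS_TECHNIQUES = {
    "T1021", "T1056.001", "T1070.004", "T1083", "T1105", "T1113", "T1564.003",
}
COLLECTION = {"T1056.001", "T1113"}


def classify(event):
    """Map one raw telemetry record to an ATT&CK technique ID, or None.

    Security 4624 and Sysmon event IDs are real Windows telemetry; the 'edr'
    event types are assumed names for EDR sensor events."""
    src, eid = event["source"], event["event_id"]
    if src == "security" and eid == 4624 and event.get("logon_type") in (3, 10):
        return "T1021"        # network (3) or RDP (10) logon: Remote Services
    if src == "sysmon" and eid == 11 and event.get("path", "").lower().endswith((".exe", ".dll")):
        return "T1105"        # executable written to disk: Ingress Tool Transfer
    if src == "sysmon" and eid == 23:
        return "T1070.004"    # FileDelete: File Deletion
    if src == "edr":
        return {
            "dir_enum": "T1083",           # File and Directory Discovery
            "window_hidden": "T1564.003",  # Hidden Window
            "keyboard_hook": "T1056.001",  # Keylogging (e.g. WH_KEYBOARD_LL hook)
            "screen_capture": "T1113",     # Screen Capture
        }.get(eid)
    return None


def correlate(events, window=timedelta(minutes=30), min_techniques=3):
    """Return one alert per (host, user) remote logon that is followed within
    `window` by at least `min_techniques` distinct Kivars techniques including
    a collection technique. Chains with no collection step are dropped, which
    keeps ordinary administrative remote sessions (enumerate, copy a tool,
    clean up) from paging anyone."""
    by_session = defaultdict(list)
    for ev in events:
        tech = classify(ev)
        if tech in KIVARS_TECHNIQUES:
            key = (ev["host"], ev["user"])
            by_session[key].append((datetime.fromisoformat(ev["ts"]), tech))
    alerts = []
    for (host, user), hits in by_session.items():
        hits.sort()
        for i, (t0, tech0) in enumerate(hits):
            if tech0 != "T1021":
                continue          # chains are anchored on the remote logon
            chain = {tech for t, tech in hits[i:] if t - t0 <= window}
            if len(chain) >= min_techniques and chain & COLLECTION:
                alerts.append({"host": host, "user": user,
                               "start": t0.isoformat(), "techniques": sorted(chain)})
                break             # one alert per session is enough
    return alerts


SAMPLE_EVENTS = [  # constructed telemetry for the example, not real logs
    # Benign admin session on WS-01: RDP logon, directory listing, tool copy, cleanup.
    {"ts": "2024-03-04T09:00:00", "host": "WS-01", "user": "CORP\\itadmin", "source": "security", "event_id": 4624, "logon_type": 10},
    {"ts": "2024-03-04T09:02:00", "host": "WS-01", "user": "CORP\\itadmin", "source": "edr", "event_id": "dir_enum"},
    {"ts": "2024-03-04T09:05:00", "host": "WS-01", "user": "CORP\\itadmin", "source": "sysmon", "event_id": 11, "path": "C:\\Tools\\psinfo.exe"},
    {"ts": "2024-03-04T09:20:00", "host": "WS-01", "user": "CORP\\itadmin", "source": "sysmon", "event_id": 23, "path": "C:\\Tools\\psinfo.exe"},
    # Suspicious session on WS-07: network logon, payload dropped, hidden window,
    # keyboard hook, screenshot, then artifact deletion, all inside 30 minutes.
    {"ts": "2024-03-04T13:00:00", "host": "WS-07", "user": "CORP\\jdoe", "source": "security", "event_id": 4624, "logon_type": 3},
    {"ts": "2024-03-04T13:03:00", "host": "WS-07", "user": "CORP\\jdoe", "source": "sysmon", "event_id": 11, "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"ts": "2024-03-04T13:04:00", "host": "WS-07", "user": "CORP\\jdoe", "source": "edr", "event_id": "window_hidden"},
    {"ts": "2024-03-04T13:06:00", "host": "WS-07", "user": "CORP\\jdoe", "source": "edr", "event_id": "keyboard_hook"},
    {"ts": "2024-03-04T13:10:00", "host": "WS-07", "user": "CORP\\jdoe", "source": "edr", "event_id": "screen_capture"},
    {"ts": "2024-03-04T13:25:00", "host": "WS-07", "user": "CORP\\jdoe", "source": "sysmon", "event_id": 23, "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    # Same user six hours later: outside the window, so no second alert.
    {"ts": "2024-03-04T19:30:00", "host": "WS-07", "user": "CORP\\jdoe", "source": "edr", "event_id": "screen_capture"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as written, the benign WS-01 session matches four techniques but never alerts because it contains no keylogging or screen capture; the WS-07 session produces a single alert listing six techniques. In production the `classify` rules would be replaced by the SIEM's field mappings, and `window` and `min_techniques` tuned against the environment's own baseline of remote administration.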
Mitigation priorities
- Harden and monitor remote services, including account hygiene, least privilege, and strong authentication where applicable.
- Ensure Windows endpoint protection and logging can capture suspicious execution, file transfer, file deletion, screen capture, and hidden-window behavior.
- Prepare IR playbooks for RAT findings that include credential exposure assessment because Keylogging is one of the related techniques.
- Maintain sufficient log and forensic retention so File Deletion does not erase the only evidence of activity.
- Use the relationship to BlackTech as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
Analyst notes and limits
ATT&CK identifies Kivars as a modular RAT derived from Bifrost RAT and used by BlackTech in a 2010 campaign, with Windows as the supported platform. The most useful defensive value comes from the linked techniques: Remote Services, Keylogging, File Deletion, File and Directory Discovery, Ingress Tool Transfer, Screen Capture, and Hidden Window.
The supplied ATT&CK object does not provide official detection guidance, malware tactics, aliases, labels, or detailed procedure examples. This take does not assert current activity, customer exposure, or guaranteed detection. Local telemetry, baselines, and incident evidence are required to determine relevance and coverage.
Kivars
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion (sub-technique) | Kivars has the ability to uninstall malware from the infected host. [1] |
| Enterprise | T1083 | File and Directory Discovery | Kivars has the ability to list drives on the infected host. [1] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | Kivars has the ability to initiate keylogging on the infected host. [1] |
| Enterprise | T1564.003 | Hidden Window (sub-technique) | Kivars has the ability to conceal its activity through hiding active windows. [1] |
| Enterprise | T1113 | Screen Capture | Kivars has the ability to capture screenshots on the infected host. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Kivars has the ability to download and execute files. [1] |
| Enterprise | T1021 | Remote Services | Kivars has the ability to remotely trigger keyboard input and mouse clicks. [1] |
Groups, software, and campaigns
G0098: BlackTech
BlackTech is a suspected Chinese cyber espionage group that has primarily targeted organizations in East Asia (particularly Taiwan, Japan, and Hong Kong) and the US since at least 2013. BlackTech has used a combination of custom malware, dual-use tools, and living off the land tactics to compromise media, construction, engineering, electronics, and financial company networks.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 180b976df056… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] TrendMicro BlackTech June 2017: Bermejo, L., et al. (2017, June 22). Following the Trail of BlackTech's Cyber Espionage Campaigns. Retrieved May 5, 2020.
[2] mitre-attack S0437: MITRE ATT&CK software entry S0437 (Kivars).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.