S0438: Attor
Analyst context for executives and security teams
Attor matters because ATT&CK describes it as a Windows-based espionage platform with loadable plugins, meaning its observed behaviors span discovery, persistence, collection, stealth, command-and-control, and exfiltration rather than a single easily contained action. For leaders, the practical issue is whether Windows monitoring can connect quiet endpoint changes, user-data collection, and outbound data movement into one incident story before sensitive information leaves the environment.
Executive priority
Treat this as a coverage-validation case for Windows endpoint resilience and data-loss readiness, not as evidence of current exposure. Ask whether the organization can prove visibility into scheduled tasks, logon scripts, registry changes, process injection, screen/clipboard/keylogging-related collection, local staging, and outbound C2/exfiltration paths. The decision value is in prioritizing controls and audit evidence around espionage-style intrusions that may rely on stealth, automation, and modular functionality.
Technical view
ATT&CK has no official detection text for Attor, so SOC and IR teams should validate detections against the related techniques: Application Window Discovery, Query/Modify Registry, Scheduled Task, Windows Logon Script, Process Injection including APC injection, Native API use, Keylogging, Screen Capture, Clipboard Data, Local Data Staging, Automated Collection/Exfiltration, Exfiltration Over C2 Channel, File Transfer Protocols, Multi-hop Proxy, Ingress Tool Transfer, File Deletion, Timestomp, Encrypted/Encoded File, and Masquerade Task or Service. Focus on correlations across Windows host telemetry and network egress rather than single indicators.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Scheduled task creation/modification events
- Windows service creation, modification, names, and display names
- Registry query and modification events, including logon-script related keys
- EDR memory/injection signals, including APC-style injection indicators where available
Detection direction
- Because no official ATT&CK detection guidance is provided, build coverage from the related techniques and test whether alerts link persistence, collection, stealth, and exfiltration behaviors into one investigation.
- Tune scheduled task, service, and logon-script detections for masquerading: suspicious names, paths, descriptions, unexpected parents, and uncommon users, while accounting for legitimate administration tools.
- Correlate registry modification/query activity with new persistence artifacts, process injection, and subsequent outbound communications.
- Hunt for local staging followed by automated outbound transfer; include encrypted or encoded files and file deletion as potential evasion context rather than standalone proof of malware.
- Validate visibility into screen capture, clipboard access, and keylogging-like behavior, recognizing these signals can be noisy, privacy-sensitive, or unavailable in some environments.
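The detection direction above asks whether alerts can link persistence, injection, staging and egress on one host into a single investigation. The following correlator is an added example written for this page, not Glexia's or MITRE's code. It runs over a handful of constructed events shaped like Windows Security and Sysmon records (event IDs follow the public numbering; the field names, hostnames, paths and IP are assumptions of a simplified normalized schema), classifies each event into a chain stage, and emits one finding per host when the required stages co-occur inside a time window. The "user-writable payload path" test on scheduled tasks, services and logon-script keys is the masquerading heuristic from the list above; legitimate administration tools that install from Program Files are deliberately left unflagged.

```python
"""Behavior-chain correlator for Attor-style activity (added example, not
Glexia's or MITRE's code). Event IDs follow public Sysmon / Windows Security
numbering; field names are assumptions of a simplified normalized schema."""
from collections import defaultdict
from datetime import datetime, timedelta

# Stage labels used to build the chain.
PERSISTENCE, INJECTION, STAGING, EGRESS, CLEANUP = (
    "persistence", "injection", "staging", "egress", "cleanup")

# Constructed sample telemetry; hostnames, paths and addresses are invented.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "source": "security", "event_id": 4698,
     "task_name": "\\Microsoft\\Windows\\Maintenance\\WinSAT",
     "action": "rundll32.exe C:\\Users\\alice\\AppData\\Roaming\\svc\\core.dll,Start",
     "user": "alice"},
    {"ts": "2024-03-01T09:00:09", "host": "WS01", "source": "sysmon", "event_id": 13,
     "target_object": "HKU\\S-1-5-21-1\\Environment\\UserInitMprLogonScript",
     "details": "C:\\Users\\alice\\AppData\\Roaming\\svc\\logon.cmd"},
    {"ts": "2024-03-01T09:02:30", "host": "WS01", "source": "sysmon", "event_id": 8,
     "source_image": "C:\\Windows\\System32\\rundll32.exe",
     "target_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2024-03-01T09:20:00", "host": "WS01", "source": "sysmon", "event_id": 11,
     "target_filename": "C:\\Users\\alice\\AppData\\Local\\Temp\\upload\\00012.bin"},
    {"ts": "2024-03-01T09:21:10", "host": "WS01", "source": "sysmon", "event_id": 3,
     "image": "C:\\Windows\\System32\\rundll32.exe", "dest_port": 21,
     "dest_ip": "203.0.113.7"},
    {"ts": "2024-03-01T09:25:00", "host": "WS01", "source": "sysmon", "event_id": 23,
     "target_filename": "C:\\Users\\alice\\AppData\\Local\\Temp\\upload\\00012.bin"},
    # Benign noise on another host: a scheduled task installed by a backup product.
    {"ts": "2024-03-01T10:00:00", "host": "WS02", "source": "security", "event_id": 4698,
     "task_name": "\\Backup\\NightlyBackup",
     "action": "C:\\Program Files\\Backup\\backup.exe", "user": "svc_backup"},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
STAGING_HINTS = ("\\upload\\", "\\temp\\")


def suspicious_persistence(ev):
    """Persistence artifact (scheduled task 4698, service 7045, logon-script or
    Run registry value) whose payload lives in a user-writable path."""
    if ev["event_id"] in (4698, 7045):
        target = ev.get("action", "").lower()
    elif ev["event_id"] == 13:
        key = ev.get("target_object", "").lower()
        if not ("logonscript" in key or "\\run" in key):
            return False
        target = ev.get("details", "").lower()
    else:
        return False
    return any(p in target for p in USER_WRITABLE)


def classify(ev):
    """Map one event to a chain stage, or None if it carries no signal."""
    eid = ev["event_id"]
    if suspicious_persistence(ev):
        return PERSISTENCE
    if eid in (8, 10) and ev.get("source_image", "").lower().endswith("rundll32.exe"):
        return INJECTION  # CreateRemoteThread / ProcessAccess from a LOLBin
    if eid == 11 and any(h in ev["target_filename"].lower() for h in STAGING_HINTS):
        return STAGING
    if eid == 3 and ev.get("dest_port") in (21, 990):  # FTP / FTPS egress
        return EGRESS
    if eid in (23, 26) and any(h in ev["target_filename"].lower() for h in STAGING_HINTS):
        return CLEANUP  # staged file deleted after upload
    return None


def correlate(events, window=timedelta(hours=1), required=(PERSISTENCE, STAGING, EGRESS)):
    """Group stage-bearing events per host inside a sliding window and emit a
    finding when every required stage is present in that window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))
    findings = []
    for host, items in by_host.items():
        for i, (start, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            stages = {s for _, s, _ in in_window}
            if set(required) <= stages:
                findings.append({"host": host, "first_seen": start.isoformat(),
                                 "stages": sorted(stages),
                                 "event_ids": [e["event_id"] for _, _, e in in_window]})
                break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

In production the same structure would read from a SIEM query rather than an inline list, and the `required` tuple is the knob for tuning: demanding persistence plus staging plus egress keeps a lone scheduled task or a lone FTP connection from paging anyone, while injection and cleanup remain enrichment that raises confidence when present.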
Mitigation priorities
- Prioritize Windows endpoint hardening and monitoring for persistence locations: scheduled tasks, services, logon scripts, and registry autostart or configuration changes.
- Limit administrative privileges and write access to persistence-sensitive registry keys, task locations, and service configuration paths.
- Use application control or allow-listing where feasible to reduce unauthorized plugin/tool execution and ingress tool transfer risk.
- Strengthen egress controls and logging for file-transfer protocols, proxy use, and unusual outbound data flows, especially from endpoints that do not normally communicate externally.
- Protect sensitive data through least privilege, segmentation, and data handling controls so collection or staging on one Windows host has limited business impact.
Analyst notes and limits
The ATT&CK object identifies Attor as a Windows-based espionage platform observed since 2013 with a loadable plugin architecture. The most useful defensive interpretation comes from the relationship context: it maps to discovery, persistence, privilege escalation, stealth, collection, credential access, command-and-control, and exfiltration techniques. Coverage should be assessed as a behavior chain rather than as a malware-name signature.
This take uses only the supplied ATT&CK fields, external references, and relationships. The object provides no official detection text, no ATT&CK tactics on the malware object itself, no indicators of compromise, no sectors, no vulnerabilities, and no current activity claim. Local telemetry, legal/privacy constraints, and environment-specific baselines are required to determine actual exposure or detection quality.
Attor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | Attor encrypts collected data with a custom implementation of Blowfish and RSA ciphers. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1010 | Application Window Discovery | Attor can obtain application window titles and then determine which windows to perform Screen Capture on. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate). (Citation: ESET Attor Oct 2019) |
| Enterprise | T1497.001 | System Checks Sub-technique | Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | |
| Enterprise | T1037.001 | Logon Script (Windows) Sub-technique | Attor's dispatcher can establish persistence via adding a Registry key with a logon script. |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Attor's installer plugin can schedule rundll32.exe to load the dispatcher. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1115 | Clipboard Data | Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Attor's Blowfish key is encrypted with a public RSA key. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | Attor can download additional plugins, updates and other files. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Attor has staged collected data in a central upload directory prior to exfiltration. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1120 | Peripheral Device Discovery | Attor has a plugin that collects information about inserted storage devices, modems, and phone devices. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1112 | Modify Registry | Attor's dispatcher can modify the Run registry key. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1113 | Screen Capture | Attor has a plugin that captures screenshots of the target applications. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Attor has exfiltrated data over the C2 channel. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1129 | Shared Modules | Attor's dispatcher can execute additional plugins by loading the respective DLLs. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1543.003 | Windows Service Sub-technique | Attor's dispatcher can establish persistence by registering a new service. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Strings in Attor's components are encrypted with an XOR cipher using a hardcoded key, and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1071.002 | File Transfer Protocols Sub-technique | Attor has used FTP protocol for C2 communication. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1119 | Automated Collection | Attor has automatically collected data about the compromised system. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1070.006 | Timestomp Sub-technique | Attor has manipulated the time of last access to files and registry keys after they have been created or modified. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1055 | Process Injection | Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1056.001 | Keylogging Sub-technique | One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1569.002 | Service Execution Sub-technique | Attor's dispatcher can be executed as a service. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Attor's plugin deletes the collected files and log files after exfiltration. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1123 | Audio Capture | Attor has a plugin that is capable of recording audio using available input sound devices. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1106 | Native API | Attor's dispatcher has used CreateProcessW API for execution. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1020 | Automated Exfiltration | Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1055.004 | Asynchronous Procedure Call Sub-technique | Attor performs the injection by attaching its code into the APC queue using NtQueueApcThread API. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1680 | Local Storage Discovery | Attor monitors the free disk space on the system. (Citation: ESET Attor Oct 2019) |
| Enterprise | T1012 | Query Registry | Attor has opened the registry and performed query searches. (Citation: ESET Attor Oct 2019) |
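Several rows in the table describe how Attor hides its own artifacts: log files marked HIDDEN, SYSTEM or ARCHIVE (T1564.001), last-access times manipulated after creation or modification (T1070.006), and logs and configuration kept encrypted (T1027.013). The checker below is an added example for this page, not Glexia's, MITRE's or ESET's code. It runs over constructed file-metadata records of the kind an EDR file inventory or forensic timeline might export (field names are assumptions) and reports files whose timestamps or attributes are inconsistent with ordinary creation. Access-before-creation is treated as a strong signal because no normal file operation produces it; modified-before-created is only recorded as weak context because file copies produce it routinely.

```python
"""Stealth-artifact checker for Attor-style log files (added example, not
Glexia's, MITRE's or ESET's code). Record fields are assumptions of an
EDR/forensic file-inventory export."""
import math
from datetime import datetime

# Documented FILE_ATTRIBUTE_* bits.
HIDDEN, SYSTEM, ARCHIVE = 0x2, 0x4, 0x20
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")

# Constructed records: path, attribute mask, MAC timestamps, first bytes of content.
SAMPLE_FILES = [
    {"path": "C:\\Users\\alice\\AppData\\Roaming\\svc\\log0001.dat",
     "attrs": HIDDEN | SYSTEM | ARCHIVE,
     "created": "2024-03-01T09:01:00", "modified": "2024-03-01T09:30:00",
     "accessed": "2019-06-14T12:00:00",
     "head": bytes(range(256))},  # stands in for an encrypted log's first 256 bytes
    {"path": "C:\\Users\\alice\\Documents\\notes.txt",
     "attrs": ARCHIVE,
     "created": "2024-02-10T08:00:00", "modified": "2024-02-11T08:00:00",
     "accessed": "2024-02-12T08:00:00",
     "head": b"Meeting notes for Tuesday, see agenda attached.\n" * 2},
    {"path": "C:\\Users\\alice\\Downloads\\report.pdf",  # copied file: modified < created is normal
     "attrs": ARCHIVE,
     "created": "2024-03-01T10:00:00", "modified": "2023-12-01T10:00:00",
     "accessed": "2024-03-01T10:00:00",
     "head": b"%PDF-1.7\n% some ordinary header text\n"},
]


def shannon_entropy(data):
    """Bits per byte: about 8.0 for random or encrypted data, about 4.5 for English text."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess(record):
    """Return the list of findings for one file record (empty means nothing odd)."""
    created = datetime.fromisoformat(record["created"])
    modified = datetime.fromisoformat(record["modified"])
    accessed = datetime.fromisoformat(record["accessed"])
    low = record["path"].lower()
    findings = []
    # A file cannot have been accessed before it existed: strong timestomp signal.
    if accessed < created:
        findings.append("access_before_creation")
    # Modified-before-created is normal for copied files, so it is only weak context.
    if modified < created:
        findings.append("modified_before_creation_weak")
    # HIDDEN+SYSTEM on a data file in a user-writable directory mimics OS files.
    if record["attrs"] & HIDDEN and record["attrs"] & SYSTEM and any(p in low for p in USER_WRITABLE):
        findings.append("hidden_system_in_user_path")
    # High-entropy head on a non-archive, non-image extension hints at an encrypted log/config.
    if shannon_entropy(record["head"]) > 7.0 and not low.endswith((".zip", ".7z", ".gz", ".png", ".jpg")):
        findings.append("high_entropy_content")
    return findings


def triage(records):
    """Keep only files with at least one strong signal plus one further signal."""
    strong = {"access_before_creation", "hidden_system_in_user_path"}
    out = {}
    for r in records:
        f = assess(r)
        if any(s in strong for s in f) and len(f) >= 2:
            out[r["path"]] = f
    return out


if __name__ == "__main__":
    for path, findings in triage(SAMPLE_FILES).items():
        print(path, findings)
```

Hosts where last-access updates are disabled will show stale but never pre-creation access times, so the strong rule survives that configuration; the entropy hint should be paired with the extension allow-list on the page's own data, since media and archives legitimately look random.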
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 101444c4e97e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Attor Oct 2019: Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.
- [2] Attor (Citation: ESET Attor Oct 2019)
- [3] mitre-attack S0438
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.