S0439: Okrum
Analyst context for executives and security teams
Okrum is a Windows backdoor documented by ATT&CK with strong links to Ke3chang. Its decision value is not just the malware name; the mapped behaviors show a backdoor that can support credential access, discovery, persistence through scheduled tasks, command execution, covert command-and-control, tool transfer, and exfiltration over its C2 channel. For leaders, this makes Okrum relevant to questions about how quickly the organization can detect and contain a compromised Windows endpoint before credentials, internal topology, and data access are used for follow-on activity.
Executive priority
Prioritize validation of Windows endpoint visibility, credential-theft defenses, and network monitoring for disguised web/C2 traffic. The relationship to Ke3chang is relevant for threat intelligence and risk briefings, especially for organizations in sectors or regions named in ATT&CK’s Ke3chang description, but local exposure should be confirmed with internal intelligence and telemetry. This object is also useful for audit and resilience discussions: can the organization prove it monitors scheduled tasks, LSASS access, command shell execution, suspicious discovery, file deletion, and outbound web traffic that may carry encoded or obfuscated data?
Technical view
ATT&CK does not provide an official detection section for Okrum, so SOC and detection engineering should pivot from the malware-to-technique relationships. Validate Windows coverage for scheduled task creation or modification, cmd.exe execution, LSASS memory access, cached credential access attempts, token impersonation indicators, keylogging-related behavior, file and directory discovery, user and system discovery, network configuration and connection discovery, file deletion, tool ingress, and outbound C2 over web protocols. Network detections should account for protocol/service impersonation, standard encoding, data obfuscation, external proxy use, steganography-related content handling, and exfiltration over the same C2 channel.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows scheduled task creation, modification, and execution logs
- Security events and EDR signals for LSASS access, token impersonation, cached credential access, and keylogging-like behavior
- File creation, deletion, rename, and directory enumeration telemetry
- User, host, system time, network configuration, and network connection discovery evidence
Detection direction
- Build behavior-based detections around the related ATT&CK techniques rather than relying on an Okrum-specific signature, because no official ATT&CK detection text is provided.
- Tune Windows scheduled task detections to distinguish administrative automation from unusual task names, locations, or execution chains consistent with masquerading.
- Correlate command shell execution with discovery commands, credential access signals, file deletion, and outbound network activity to reduce false positives from routine administration.
- Review outbound web traffic analytics for unusual destinations, encoded payload patterns, protocol or service impersonation, proxy chaining, and possible C2/exfiltration over established channels.
- Validate that EDR or equivalent telemetry can observe sensitive access to LSASS and token impersonation attempts; absence of this telemetry is a material blind spot for this behavior set.
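The correlation and masquerading checks in the list above, worked through as an added example (it is not ATT&CK, ESET or Okrum code). The event IDs are real Windows Security/System/Sysmon IDs, but the flat field names and every sample event are constructed for illustration; the legacy service identity (NtmsSvc, display name "Removable Storage") comes from the ATT&CK mapping on this page.

```python
"""Correlate constructed Windows telemetry into a per-host behaviour alert.

Added example for this page (not ATT&CK, ESET or Okrum code). Event IDs are
real Windows Security / System / Sysmon IDs, but the flat field names and
all sample events below are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Legacy Windows service identity reused by the installer per the ATT&CK
# mapping: the old Removable Storage Manager, absent from modern Windows.
# Re-creating it is a masquerading signal, not routine administration.
LEGACY_SERVICE_NAMES = {"ntmssvc"}
LEGACY_DISPLAY_NAMES = {"removable storage"}

WINDOW = timedelta(minutes=30)   # correlation window per host


def classify(ev):
    """Map one event to a behaviour category, or None if not of interest."""
    eid = ev["event_id"]
    if eid in (4697, 7045, 4698):                 # service installed / task created
        return "persistence"
    if eid == 1 and ev.get("image", "").lower().endswith("\\cmd.exe"):
        return "command_shell"                     # Sysmon ProcessCreate
    if eid == 10 and ev.get("target_image", "").lower().endswith("\\lsass.exe"):
        return "credential_access"                 # Sysmon ProcessAccess on LSASS
    if eid == 23:
        return "file_deletion"                     # Sysmon FileDelete
    if eid == 3 and ev.get("dest_port") in (80, 443, 8080):
        return "outbound_web"                      # Sysmon NetworkConnect
    return None


def masqueraded_service(ev):
    """True for a service install that borrows a legacy Windows service
    name or display name while its binary lives outside System32."""
    if ev["event_id"] not in (4697, 7045):
        return False
    name = ev.get("service_name", "").lower()
    display = ev.get("display_name", "").lower()
    path = ev.get("image_path", "").lower()
    borrowed = name in LEGACY_SERVICE_NAMES or display in LEGACY_DISPLAY_NAMES
    return borrowed and "\\windows\\system32\\" not in path


def correlate(events, min_categories=3):
    """Return {host: sorted categories} for every host where at least
    min_categories distinct behaviours, including persistence or credential
    access, fall inside one WINDOW.  Routine admin hosts rarely combine a new
    service, cmd.exe, LSASS reads, deletions and web egress together."""
    by_host = defaultdict(list)
    for ev in events:
        cat = classify(ev)
        if cat:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["time"]), cat))
    alerts = {}
    for host, items in by_host.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            cats = {c for t, c in items[i:] if t - t0 <= WINDOW}
            if len(cats) >= min_categories and cats & {"persistence", "credential_access"}:
                alerts[host] = sorted(cats)
                break
    return alerts


# Constructed sample telemetry: WS-01 shows the full chain, WS-02 only
# ordinary automation, SRV-01 a legitimate third-party service install.
SAMPLE_EVENTS = [
    {"host": "WS-01", "time": "2024-05-06T10:00:00", "event_id": 4697,
     "service_name": "NtmsSvc", "display_name": "Removable Storage",
     "image_path": "C:\\Users\\Public\\rsm.exe"},
    {"host": "WS-01", "time": "2024-05-06T10:03:00", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c ipconfig /all"},
    {"host": "WS-01", "time": "2024-05-06T10:07:00", "event_id": 10,
     "source_image": "C:\\Users\\Public\\rsm.exe",
     "target_image": "C:\\Windows\\System32\\lsass.exe"},
    {"host": "WS-01", "time": "2024-05-06T10:12:00", "event_id": 23,
     "target_filename": "C:\\Users\\Public\\out.tmp"},
    {"host": "WS-01", "time": "2024-05-06T10:20:00", "event_id": 3,
     "dest_ip": "203.0.113.10", "dest_port": 443},
    {"host": "WS-02", "time": "2024-05-06T09:00:00", "event_id": 4698,
     "task_name": "\\Backup\\NightlySync"},
    {"host": "WS-02", "time": "2024-05-06T09:05:00", "event_id": 1,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "cmd.exe /c robocopy D:\\data E:\\backup"},
    {"host": "SRV-01", "time": "2024-05-06T08:30:00", "event_id": 7045,
     "service_name": "ContosoAgent", "display_name": "Contoso Agent",
     "image_path": "C:\\Program Files\\Contoso\\agent.exe"},
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: {', '.join(cats)}")
    for ev in SAMPLE_EVENTS:
        if masqueraded_service(ev):
            print(f"MASQUERADE {ev['host']}: {ev['service_name']} -> {ev['image_path']}")
```

The scoring deliberately requires a persistence or credential-access event inside the window, so a scheduled task followed by cmd.exe on WS-02 stays below the bar at the default threshold; lowering min_categories to 2 surfaces it, which is the tuning trade-off the list above describes.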
Mitigation priorities
- Harden Windows endpoints first: restrict unnecessary administrative privileges, protect credential material, and monitor or limit access to LSASS where operationally feasible.
- Control persistence paths by governing scheduled task creation and regularly reviewing task names, descriptions, authors, and execution targets for masquerading.
- Improve egress control and monitoring for web protocols, external proxy use, and outbound connections that can carry C2 or exfiltrated data.
- Strengthen least privilege and identity monitoring so credential theft or token abuse does not automatically become broad lateral access.
- Ensure incident response playbooks collect endpoint, credential, scheduled task, and network artifacts quickly enough to assess discovery, exfiltration, and cleanup behavior.
Analyst notes and limits
This take is based on ATT&CK S0439, its official description, the ESET external reference, and supplied relationships showing Okrum uses multiple ATT&CK techniques. The malware object itself has no ATT&CK tactics listed and no official detection guidance, so the practical guidance is relationship-driven and should be validated against local Windows architecture, logging maturity, and business risk.
No active exploitation, current campaign activity, customer exposure, or guaranteed detection coverage is stated in the supplied fields. ATT&CK provides only a high-level Okrum description and relationship mappings here; local telemetry, malware analysis, and incident evidence are required for confident detection, scoping, and attribution.
Okrum
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.005 | Cached Domain Credentials Sub-technique | Okrum was seen using modified Quarks PwDump to perform credential dumping. [1] |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder. [1] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Okrum was seen using a RAR archiver tool to compress/decompress data. [1] |
| Enterprise | T1497.001 | System Checks Sub-technique | Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total. [1] |
| Enterprise | T1497.002 | User Activity Based Checks Sub-technique | Okrum's loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Okrum has built-in commands for uploading, downloading, and executing files to the system. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version. [1] |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | Okrum's loader can detect presence of an emulator by using two calls to GetTickCount API, and checking whether the time has been accelerated. [1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | To establish persistence, Okrum can install itself as a new service named NtmsSvc. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Okrum can collect network information, including the host IP address, DNS, and proxy information. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Okrum uses HTTP for communication with its C2. [1] |
| Enterprise | T1001 | Data Obfuscation | Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests. [1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Okrum's installer can attempt to achieve persistence by creating a scheduled task. [1] |
| Enterprise | T1027.003 | Steganography Sub-technique | Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Okrum can collect the victim username. [1] |
| Enterprise | T1082 | System Information Discovery | Okrum can collect computer name, locale information, and information about the OS and architecture. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Data exfiltration is done by Okrum using the already opened channel with the C2 server. [1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Okrum has used base64 to encode C2 communication. [1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | Okrum's loader can create a new service named NtmsSvc to execute the payload. [1] |
| Enterprise | T1134.001 | Token Impersonation/Theft Sub-technique | Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API. [1] |
| Enterprise | T1083 | File and Directory Discovery | Okrum has used DriveLetterView to enumerate drive information. [1] |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands. [1] |
| Enterprise | T1090.002 | External Proxy Sub-technique | Okrum can identify proxy servers configured and used by the victim, and use them to make HTTP requests to its C2 server. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption. [1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder. [1] |
| Enterprise | T1049 | System Network Connections Discovery | Okrum was seen using NetSess to discover NetBIOS sessions. [1] |
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | Okrum has used a custom implementation of AES encryption to encrypt collected data. [1] |
| Enterprise | T1056.001 | Keylogging Sub-technique | Okrum was seen using a keylogger tool to capture keystrokes. [1] |
| Enterprise | T1124 | System Time Discovery | Okrum can obtain the date and time of the compromised system. [1] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Okrum was seen using MimikatzLite to perform credential dumping. [1] |
| Enterprise | T1001.003 | Protocol or Service Impersonation Sub-technique | Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests. [1] |
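Several rows above describe one C2 channel: HTTP, with the real messages carried in Cookie and Set-Cookie headers, base64-encoded and AES-encrypted. The check below is an added example of how a network-analytics or proxy-log pipeline can surface that pattern; it is not ATT&CK's, ESET's or Okrum's code. It decodes each cookie value and flags values that yield a long, high-entropy byte string (the fingerprint of ciphertext), while ordinary session IDs and base64-encoded JSON tokens pass. The hosts, cookie names and cookie values are all constructed, and the "ciphertext" is a deterministic SHA-256 chain standing in for AES output.

```python
"""Spot HTTP cookies whose values look like encoded, encrypted C2 messages.

Added example for this page (not ATT&CK, ESET or Okrum code). Hosts, cookie
names and values below are constructed; the stand-in "ciphertext" is a
SHA-256 chain used only because real AES output would look the same to
this check (uniform bytes, near 8 bits of entropy per byte).
"""
import base64
import binascii
import hashlib
import math
import re

MIN_DECODED = 64     # bytes; session ids and short tokens decode to less
MIN_ENTROPY = 7.0    # bits/byte; encrypted or compressed data sits near 8


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def try_base64(value):
    """Decode a cookie value as base64, tolerating stripped padding.
    Returns None when the value is not plausibly base64."""
    core = value.strip().rstrip("=")
    if len(core) < 4 or not re.fullmatch(r"[A-Za-z0-9+/]+", core):
        return None
    padded = core + "=" * (-len(core) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def split_cookies(header_value):
    """Yield (name, value) pairs from a Cookie or Set-Cookie header value.
    Set-Cookie attributes such as Path=/ also appear but are too short to matter."""
    for part in header_value.split(";"):
        name, sep, val = part.strip().partition("=")
        if sep:
            yield name.strip(), val.strip()


def suspicious_cookies(message):
    """Return (cookie name, decoded length, entropy) for every cookie in one
    HTTP message whose value decodes to >= MIN_DECODED bytes with entropy
    >= MIN_ENTROPY.  message = {"host": ..., "direction": ..., "headers": [(name, value), ...]}"""
    findings = []
    for hname, hval in message["headers"]:
        if hname.lower() not in ("cookie", "set-cookie"):
            continue
        for name, value in split_cookies(hval):
            raw = try_base64(value)
            if raw is None or len(raw) < MIN_DECODED:
                continue
            ent = shannon_entropy(raw)
            if ent >= MIN_ENTROPY:
                findings.append((name, len(raw), round(ent, 2)))
    return findings


def scan(messages):
    """Map (host, direction) to findings for every message with a hit."""
    result = {}
    for m in messages:
        hits = suspicious_cookies(m)
        if hits:
            result[(m["host"], m["direction"])] = hits
    return result


def _pseudo_ciphertext(n, seed=b"constructed-sample"):
    """Deterministic uniform-looking bytes (SHA-256 chain); NOT encryption."""
    out, block = b"", seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return out[:n]


# Constructed header samples: two benign messages, one request/response pair
# to a TEST-NET address carrying ciphertext-like blobs in cookies.
_TOKEN_JSON = b'{"sub":"alice","role":"user","exp":1717000000,"iss":"example.com"}'
SAMPLE_MESSAGES = [
    {"host": "www.example.com", "direction": "request",
     "headers": [("Cookie", "sessionid=a3f9c1d2e4b5a6978877665544332211; lang=en-US")]},
    {"host": "api.example.com", "direction": "request",
     "headers": [("Cookie", "token=" + base64.b64encode(_TOKEN_JSON).decode())]},
    {"host": "203.0.113.10", "direction": "request",
     "headers": [("Cookie", "ASPSESSIONID=" + base64.b64encode(_pseudo_ciphertext(768)).decode())]},
    {"host": "203.0.113.10", "direction": "response",
     "headers": [("Set-Cookie", "ASPSESSIONID="
                  + base64.b64encode(_pseudo_ciphertext(512, b"reply")).decode() + "; Path=/")]},
]

if __name__ == "__main__":
    for (host, direction), hits in scan(SAMPLE_MESSAGES).items():
        print(host, direction, hits)
```

The two thresholds do the separating: the 32-character hex session ID is valid base64 but decodes to only 24 bytes, and the base64 JSON token is long enough but, being ASCII text, cannot exceed about 6 bits of entropy per byte. Both thresholds are tuning knobs for a real deployment, and the same check applies unchanged to Set-Cookie on the response side, which matters because the page maps both directions to the same channel.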
Groups, software, and campaigns
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c0f051c7ee84… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Okrum July 2019: Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
[2] mitre-attack S0439
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.