
S0442: VBShower

VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[1]

Enterprise | S0442 | Malware | Object v1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

VBShower matters because ATT&CK describes it as a Windows backdoor used as a downloader for second-stage payloads, including PowerShower. For leaders, the key risk is not only the initial malware but the follow-on access it can enable: persistence, web-based command-and-control, file transfer, script execution, and cleanup behavior that may reduce forensic visibility.

Executive priority

Prioritize validation around Windows endpoint visibility, persistence monitoring, and outbound web traffic governance. Because ATT&CK links VBShower to Inception and to downloader behavior, incident decision-making should assume that finding VBShower may require scoping for additional payloads and persistence, not treating it as a single-file cleanup event. This is relevant to SOC readiness, IR playbooks, audit evidence for endpoint monitoring, and resilience against espionage-style intrusions described in the related group context.

Technical view

ATT&CK provides no official detection text for VBShower, so defenders should build coverage from the linked behaviors and the artifacts recorded in the relationship table: Visual Basic execution (T1059.005), registry Run Key or Startup Folder persistence (T1547.001, with the recorded Run value name being eight hexadecimal characters), file deletion (T1070.004, targeting the Content.Word directories under Temporary Internet Files), ingress transfer of VBS files (T1105), and command-and-control over HTTP (T1071.001). On Windows, validate whether endpoint telemetry can show script-host process execution, autorun changes, suspicious file creation and deletion, and subsequent downloads or second-stage payload activity, and whether those events can be joined per host and time window into a single intrusion story rather than reviewed as isolated alerts. Network teams should confirm proxy, DNS, and web traffic logs can support investigation of unusual outbound HTTP sessions from compromised hosts.

Likely telemetry

  • Windows endpoint process execution telemetry, especially script or Visual Basic-related execution
  • Windows registry monitoring for Run Key changes
  • Startup Folder file creation or modification events
  • Endpoint file creation, download, and deletion events
  • EDR or host audit logs showing parent-child process relationships

Detection direction

  • Do not rely on a VBShower-specific signature alone; map detections to the ATT&CK-linked behaviors and test whether they correlate into an intrusion story.
  • Tune for suspicious Visual Basic execution followed by persistence creation, outbound web traffic, tool transfer, or file deletion on Windows hosts.
  • Review allowlisted administrative scripts and software updaters to reduce false positives around VB execution, downloads, and autorun locations.
  • Validate that file deletion telemetry is retained long enough for IR scoping, since cleanup behavior can remove evidence of dropped tools or payloads.
  • When VBShower is suspected, hunt for second-stage activity including PowerShower where supported by local evidence.

Mitigation priorities

  • Strengthen Windows endpoint monitoring and retention before an incident, especially for script execution, autoruns, file events, and outbound network activity.
  • Restrict and review unnecessary script execution and autorun persistence paths using standard enterprise hardening and change-control practices.
  • Apply egress controls and proxy logging so web-protocol command-and-control and downloader behavior are reviewable.
  • Ensure IR playbooks require scoping for additional payloads and persistence when downloader malware is found.
  • Maintain evidence collection procedures that preserve host, registry, network, and deleted-file context for investigation and compliance reporting.

Analyst notes and limits

This take is based on the ATT&CK software object S0442, its Kaspersky external reference, and ATT&CK relationships showing use by Inception and use of T1059.005, T1070.004, T1071.001, T1105, and T1547.001. The strongest defensive value is relationship-driven: VBShower should be treated as a Windows downloader/backdoor behavior cluster rather than a standalone malware name.

ATT&CK does not provide official detection guidance, indicators, hashes, C2 infrastructure, aliases, labels, or explicit tactics for this malware object. Local telemetry, malware analysis, and environment-specific baselines are required to determine exposure, detection coverage, and incident scope.

Official MITRE ATT&CK definition

VBShower

VBShower is a backdoor that has been used by Inception since at least 2019. VBShower has been used as a downloader for second stage payloads, including PowerShower.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain / ID / Name / Type, followed by the relationship or procedure note

Enterprise T1059.005 Visual Basic (sub-technique)
    VBShower has the ability to execute VBScript files. [1]

Enterprise T1070.004 File Deletion (sub-technique)
    VBShower has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%\..\Local\Temporary Internet Files\Content.Word and %APPDATA%\..\Local Settings\Temporary Internet Files\Content.Word\. [1]

Enterprise T1547.001 Registry Run Keys / Startup Folder (sub-technique)
    VBShower used HKCU\Software\Microsoft\Windows\CurrentVersion\Run\\[a-f0-9A-F]{8} to maintain persistence. [1]

Enterprise T1071.001 Web Protocols (sub-technique)
    VBShower has attempted to obtain a VBS script from command and control (C2) nodes over HTTP. [1]

Enterprise T1105 Ingress Tool Transfer (technique)
    VBShower has the ability to download VBS files to the target computer. [1]
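The Detection direction above asks for the ATT&CK-linked behaviours to be correlated into an intrusion story rather than alerted on individually, and the five relationship rows supply the concrete artifacts. As an added example (not code from MITRE, Kaspersky, Inception research or Glexia), the Python below maps those five behaviours to simple matchers and groups hits per host, so that a lone Visual Basic execution does not fire but the cluster does. The Sysmon-style event field names, the script-host binaries, the host names and the TEST-NET IP address in the sample events are assumptions; the sample telemetry is constructed for the demo.

```python
"""Correlate Windows endpoint events into a VBShower-style intrusion story.

Added example for this page, not code from ATT&CK, MITRE, Kaspersky or Glexia.
Matchers follow the five ATT&CK relationship rows for S0442; event field names
imitate Sysmon-style telemetry and are an assumption, and SAMPLE_EVENTS is
constructed data.
"""
import re
from collections import defaultdict

# T1547.001: ATT&CK records the Run value name as eight hexadecimal characters.
RUN_KEY_RE = re.compile(
    r"^HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\[a-f0-9A-F]{8}$"
)
# T1070.004: both Content.Word locations named in the ATT&CK procedure text end like this.
CONTENT_WORD_RE = re.compile(r"\\Temporary Internet Files\\Content\.Word\\", re.IGNORECASE)
# Assumption: VBScript normally runs under one of the Windows Script Host binaries.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def _is_script_host(event):
    """True if the event's image is a Windows Script Host binary (assumed set)."""
    return event.get("image", "").rsplit("\\", 1)[-1].lower() in SCRIPT_HOSTS


def classify(event):
    """Return the ATT&CK (sub-)technique ID an event maps to, or None."""
    kind = event["type"]
    if kind == "process_create":
        if _is_script_host(event) and ".vbs" in event.get("cmdline", "").lower():
            return "T1059.005"
    elif kind == "registry_set":
        if RUN_KEY_RE.match(event["target"]):
            return "T1547.001"
    elif kind == "file_delete":
        if CONTENT_WORD_RE.search(event["path"]):
            return "T1070.004"
    elif kind == "network":
        if event.get("proto") == "http" and _is_script_host(event):
            return "T1071.001"
    elif kind == "file_create":
        if event["path"].lower().endswith(".vbs") and _is_script_host(event):
            return "T1105"
    return None


def build_story(events, min_behaviours=3):
    """Group matched behaviours per host and keep hosts with at least min_behaviours.

    Returns {host: [technique IDs in order of first observation]}. Requiring
    several distinct behaviours is what keeps benign logon scripts quiet.
    """
    per_host = defaultdict(dict)  # host -> {technique_id: first matching event}
    for ev in sorted(events, key=lambda e: e["ts"]):
        tid = classify(ev)
        if tid and tid not in per_host[ev["host"]]:
            per_host[ev["host"]][tid] = ev
    return {host: list(hits) for host, hits in per_host.items() if len(hits) >= min_behaviours}


# Constructed sample telemetry: WS01 shows the full cluster, WS02 only a logon script.
SAMPLE_EVENTS = [
    {"ts": 1, "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\AppData\Local\Temp\3fa9c21e.vbs"'},
    {"ts": 2, "host": "WS01", "type": "registry_set",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\3fa9c21e"},
    {"ts": 3, "host": "WS01", "type": "network", "proto": "http",
     "image": r"C:\Windows\System32\wscript.exe", "dest": "198.51.100.23:80"},
    {"ts": 4, "host": "WS01", "type": "file_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\stage2.vbs"},
    {"ts": 5, "host": "WS01", "type": "file_delete",
     "image": r"C:\Windows\System32\wscript.exe",
     "path": r"C:\Users\alice\AppData\Local\Temporary Internet Files\Content.Word\~WRD0001.tmp"},
    # Benign: a logon script run by WSH with no persistence, download or cleanup.
    {"ts": 6, "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe \\fileserver\netlogon\mapdrives.vbs"},
]


if __name__ == "__main__":
    for host, techniques in build_story(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(techniques))
```

The threshold of three distinct behaviours is a tuning choice: lowering it to one surfaces WS02's logon script as well, which is the false-positive class the Detection direction warns about. In production the matchers would read real Sysmon or EDR fields and the per-host grouping would be bounded by a time window.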

Associated objects

Groups, software, and campaigns

Group Enterprise

G0100: Inception

Inception is a cyber espionage group active since at least 2014. The group has targeted multiple industries and governmental entities primarily in Russia, but has also been active in the United States and throughout Europe, Asia, Africa, and the Middle East.[1][2][3]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a0066a2359438eb3...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle a0066a235943…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Kaspersky Cloud Atlas August 2019. GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020.
  [2] mitre-attack S0442. MITRE ATT&CK source object for S0442.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.