S0448: Rising Sun
Rising Sun is a modular backdoor that was used extensively in Operation Sharpshooter between 2017 and 2019. Rising Sun infected at least 87 organizations around the world, including nuclear, defense, energy, and financial service companies. Security researchers assessed Rising Sun included some source code from Lazarus Group's Trojan Duuzer.[1]
Analyst context for executives and security teams
Rising Sun matters because ATT&CK describes it as a modular Windows backdoor used in Operation Sharpshooter, a campaign that targeted nuclear, defense, government, energy, and financial organizations. For leaders, the decision value is not a malware name alone; it is the pattern of post-compromise behavior: discovery of users, systems, processes, files, storage, and network configuration, followed by collection, custom archiving, command-and-control over web protocols, and possible exfiltration over that same channel.
Executive priority
Prioritize this as a resilience and readiness validation item for Windows-heavy environments and organizations with critical infrastructure, defense, energy, government, or financial exposure. Ask whether the SOC can connect endpoint discovery activity, suspicious command shell or native API execution, hidden/deleted artifacts, and unusual web-based C2/exfiltration into one investigation story. For audit and risk owners, the key evidence is whether logging, retention, egress monitoring, and incident response playbooks can support a backdoor investigation where the malware attempts to blend into normal web traffic and remove indicators.
Technical view
ATT&CK provides no official detection text for Rising Sun, so defenders should build coverage from the related techniques. Validate Windows endpoint visibility for command shell execution, registry queries, process discovery, user discovery, system information discovery, file and directory discovery, local storage discovery, hidden files, file deletion, decoding/deobfuscation, and encrypted or encoded artifacts. Network teams should validate monitoring for web-protocol command-and-control and exfiltration over the C2 channel, including cases where asymmetric cryptography or encoded content reduces payload inspection value. IR teams should be prepared to correlate host discovery and collection behavior with outbound web sessions rather than relying on a single malware signature.
Likely telemetry
- Windows process creation and command-line telemetry
- Windows Registry access/query telemetry
- Endpoint file creation, modification, deletion, hidden attribute, and directory enumeration events
- Process and module/API activity where available from EDR
- User/session and logged-on user evidence
Detection direction
- Because ATT&CK does not provide a Rising Sun detection section, validate behavior-based analytics mapped to the related techniques rather than relying only on malware names or hashes.
- Correlate bursts of discovery activity: registry queries, system/user/process/network discovery, file and directory enumeration, and local storage discovery from the same host or process lineage.
- Tune Windows command shell detections for unusual parent/child process relationships and discovery commands, while accounting for administrative scripts and software management tools as common false-positive sources.
- Review network detections for uncommon or suspicious outbound web traffic from hosts showing discovery or collection behavior; payload visibility may be limited when encryption or encoding is used.
- Look for evidence of staging and cleanup, including hidden files, custom archives, encoded files, and file deletion after collection or execution.
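One way to turn the correlation and command-shell bullets above into a concrete analytic, as an added example (this is not ATT&CK, McAfee or Glexia code; the event schema, the keyword-to-category map, the parent allowlist and the "update_helper.exe" process name are assumptions constructed for the example): classify process-creation and registry-query events into discovery categories, group them by process lineage, alert when one lineage touches three or more categories inside five minutes, and separately list cmd.exe launches whose parent is outside an allowlist.

```python
"""Correlate discovery bursts and unexpected cmd.exe parents in endpoint telemetry.

Added example for this page, not ATT&CK or Glexia code. The event schema, keyword
map and parent allowlist are assumptions modelled on Sysmon-style telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Command-line keyword -> discovery category (assumed mapping; tune locally).
DISCOVERY_KEYWORDS = {
    "whoami": "user", "query user": "user",
    "systeminfo": "system", "hostname": "system",
    "tasklist": "process",
    "ipconfig": "network", "netstat": "network", "route print": "network",
    "dir ": "files", "tree ": "files",
    "logicaldisk": "storage", "fsutil": "storage",
}
# Registry keys whose read counts as system-information discovery (assumed).
DISCOVERY_REG_KEYS = (r"software\microsoft\windows nt\currentversion",)
# Parents from which cmd.exe is expected; add software-management tooling here
# so administrative scripts stay out of the alert stream.
EXPECTED_CMD_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}
WINDOW = timedelta(minutes=5)
MIN_CATEGORIES = 3


def _pc(ts, pid, ppid, parent, cmd):
    """Build a constructed process-creation event for the sample below."""
    return {"ts": ts, "host": "ws-17", "event": "process_create", "pid": pid,
            "ppid": ppid, "image": "cmd.exe", "parent_image": parent, "cmdline": cmd}


# Constructed sample telemetry (not real data). The lineage rooted at pid 3900
# (a made-up "update_helper.exe") runs several discovery commands; pid 5100 is a
# user's explorer.exe running a single harmless dir.
SAMPLE_EVENTS = [
    _pc("2019-03-01T10:00:00", 4100, 3900, "update_helper.exe", "cmd.exe /c whoami"),
    {"ts": "2019-03-01T10:00:05", "host": "ws-17", "event": "registry_query", "pid": 3900,
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion", "value": "ProductName"},
    _pc("2019-03-01T10:00:30", 4102, 3900, "update_helper.exe", "cmd.exe /c tasklist /v"),
    _pc("2019-03-01T10:01:10", 4104, 3900, "update_helper.exe", "cmd.exe /c ipconfig /all"),
    _pc("2019-03-01T10:03:00", 5200, 5100, "explorer.exe", r"cmd.exe /c dir C:\Users\alice"),
]


def classify(event):
    """Return the discovery category an event belongs to, or None."""
    if event["event"] == "process_create":
        cmd = event["cmdline"].lower() + " "
        for keyword, category in DISCOVERY_KEYWORDS.items():
            if keyword in cmd:
                return category
    elif event["event"] == "registry_query":
        key = event["key"].lower()
        if any(k in key for k in DISCOVERY_REG_KEYS):
            return "system"
    return None


def lineage_root(pid, parent_of):
    """Walk the parent chain up to the oldest process we hold a creation event for."""
    seen = set()
    while pid in parent_of and pid not in seen:
        seen.add(pid)
        pid = parent_of[pid]
    return pid


def correlate_discovery(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Alert on lineages touching >= min_categories discovery categories within window."""
    parent_of = {e["pid"]: e["ppid"] for e in events if e["event"] == "process_create"}
    per_lineage = defaultdict(list)
    for e in events:
        category = classify(e)
        if category is None:
            continue
        root = lineage_root(e["pid"], parent_of)
        per_lineage[(e["host"], root)].append((datetime.fromisoformat(e["ts"]), category))

    alerts = []
    for (host, root), hits in per_lineage.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            in_window = {c for t, c in hits[i:] if t - start <= window}
            if len(in_window) >= min_categories:
                alerts.append({"host": host, "root_pid": root,
                               "window_start": start.isoformat(),
                               "categories": sorted(in_window)})
                break  # one alert per lineage is enough for triage
    return alerts


def unexpected_cmd_parents(events, expected=EXPECTED_CMD_PARENTS):
    """Return cmd.exe launches whose parent is not an expected shell or launcher."""
    return [e for e in events if e["event"] == "process_create"
            and e["image"].lower() == "cmd.exe"
            and e["parent_image"].lower() not in expected]


if __name__ == "__main__":
    for a in correlate_discovery(SAMPLE_EVENTS):
        print("discovery burst:", a)
    for e in unexpected_cmd_parents(SAMPLE_EVENTS):
        print("cmd.exe from unexpected parent:", e["parent_image"], "->", e["cmdline"])
```

On the constructed input the lineage rooted at pid 3900 trips the burst rule (user, system, process and network discovery inside 70 seconds), while the explorer.exe lineage with a single dir does not; the three cmd.exe launches under the unknown parent are listed separately. Lineage is keyed on process ids, so apply it per boot session or switch to process GUIDs if your telemetry provides them; the parent allowlist is where the false-positive tuning for administrative scripts and software-management tools belongs.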
Mitigation priorities
- Confirm high-value Windows assets have EDR or equivalent endpoint telemetry, centralized logging, and sufficient retention for incident reconstruction.
- Harden and monitor command shell usage, registry access, and administrative discovery activity on sensitive systems without disrupting legitimate operations.
- Apply least-privilege and administrative access controls so discovery and collection from compromised user contexts is constrained.
- Strengthen egress controls and monitoring for outbound web traffic, especially from servers and critical business systems that should have limited Internet access.
- Maintain incident response procedures for suspected backdoor activity, including host isolation, memory/disk evidence preservation, log preservation, and scoping for C2 and exfiltration.
Analyst notes and limits
The supplied ATT&CK object identifies Rising Sun as a modular Windows backdoor used in Operation Sharpshooter between 2017 and 2019 and reports targeting of at least 87 organizations globally, including nuclear, defense, energy, and financial service companies. Relationships show behaviors spanning discovery, execution, stealth, collection, command-and-control, and exfiltration. Although the description mentions similarities and shared source code associated with Lazarus Group’s Trojan Duuzer, this analysis does not infer current attribution or active exploitation beyond the supplied fields.
ATT&CK provides no official detection guidance, no object-level tactics, and no aliases for this malware in the supplied fields. Technique relationships include platforms beyond Windows, but the malware platform supplied for Rising Sun is Windows; local validation should prioritize Windows while using cross-platform technique context carefully. Detection quality depends on the organization’s actual endpoint, identity, proxy, DNS, firewall, and retention coverage.
Rising Sun
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070.004 | File Deletion | Rising Sun can delete files and artifacts it creates.[1] |
| Enterprise | T1005 | Data from Local System | Rising Sun has collected data and files from a compromised host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Rising Sun can detect the username of the infected host.[1] |
| Enterprise | T1560.003 | Archive via Custom Method | Rising Sun can archive data using RC4 encryption and Base64 encoding prior to exfiltration.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Rising Sun has decrypted itself using a single-byte XOR scheme. Additionally, Rising Sun can decrypt its configuration data at runtime.[1] |
| Enterprise | T1082 | System Information Discovery | Rising Sun can detect the computer name and operating system.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Configuration data used by Rising Sun has been encrypted using an RC4 stream algorithm.[1] |
| Enterprise | T1071.001 | Web Protocols | Rising Sun has used HTTP and HTTPS for command and control.[1] |
| Enterprise | T1070 | Indicator Removal | Rising Sun can clear a memory blob in the process by overwriting it with junk bytes.[1] |
| Enterprise | T1057 | Process Discovery | Rising Sun can enumerate all running processes and process information on an infected machine.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | Rising Sun variants can use SSL for encrypting C2 communications. (Bleeping Computer Op Sharpshooter March 2019) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Rising Sun can send data gathered from the infected machine via HTTP POST request to the C2.[1] |
| Enterprise | T1016.001 | Internet Connection Discovery | Rising Sun can test a connection to a specified network IP address over a specified port number.[1] |
| Enterprise | T1059.003 | Windows Command Shell | Rising Sun has executed commands using `cmd.exe /c “ |
| Enterprise | T1083 | File and Directory Discovery | Rising Sun can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. Rising Sun can enumerate the compilation timestamp of Windows executable files.[1] |
| Enterprise | T1012 | Query Registry | Rising Sun has identified the OS product name from a compromised host by searching the registry for `SOFTWARE\MICROSOFT\Windows NT\ CurrentVersion | ProductName`.[1] |
| Enterprise | T1106 | Native API | Rising Sun used dynamic API resolution for various Windows APIs by leveraging `LoadLibrary()` and `GetProcAddress()`.[1] |
| Enterprise | T1564.001 | Hidden Files and Directories | Rising Sun can modify file attributes to hide files.[1] |
| Enterprise | T1680 | Local Storage Discovery | Rising Sun can detect drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Rising Sun can detect network adapter and IP address information.[1] |
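The table describes three data-protection layers an analyst may meet when triaging this kind of backdoor: configuration and staged data encrypted with RC4 (T1027.013, T1560.003), Base64 applied to the RC4 output before exfiltration (T1560.003), and a single-byte XOR self-decryption stage (T1140). The decoder below is an added example for reversing those layers on recovered artifacts; it is not code from ATT&CK, McAfee or Glexia, and the RC4 key, XOR key, sample blobs and function names are all constructed here because the page provides no real key or sample.

```python
"""Decode RC4 + Base64 staging and single-byte XOR layers on recovered artifacts.

Added example for this page, not ATT&CK, McAfee or Glexia code. Keys and blobs
are constructed; no real Rising Sun key or sample appears on the page.
"""
import base64

# Constructed samples (not real data): a fake collected-data file and a fake PE
# header, protected the way the technique table describes.
SAMPLE_RC4_KEY = b"example-key-not-from-page"
SAMPLE_COLLECTED = b"host=WS-17\r\nuser=alice\r\nos=Windows 10 Pro\r\n"
SAMPLE_PE_HEADER = b"MZ\x90\x00This program cannot be run in DOS mode."
SAMPLE_XOR_KEY = 0x5A


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). Symmetric, so one function also decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decode_staged_archive(b64_blob: str, key: bytes) -> bytes:
    """Undo the Base64-over-RC4 layering on a recovered staging file or config."""
    return rc4(key, base64.b64decode(b64_blob))


def recover_single_byte_xor(blob: bytes, known_prefix: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) for the key whose
    output starts with known_prefix (b"MZ" for a PE image), or None."""
    for k in range(256):
        candidate = bytes(b ^ k for b in blob)
        if candidate.startswith(known_prefix):
            return k, candidate
    return None


def rank_xor_keys(blob: bytes, top: int = 3):
    """Without a known prefix, rank keys by printable-ASCII ratio so an analyst
    reviews a handful of plausible decodings instead of all 256."""
    if not blob:
        return []
    scored = []
    for k in range(256):
        candidate = bytes(b ^ k for b in blob)
        printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in candidate)
        scored.append((printable / len(blob), k))
    scored.sort(reverse=True)
    return [k for _, k in scored[:top]]


def build_samples():
    """Produce (staged_b64, xored_pe, xored_text) from the constructed constants."""
    staged = base64.b64encode(rc4(SAMPLE_RC4_KEY, SAMPLE_COLLECTED)).decode()
    xored_pe = bytes(b ^ SAMPLE_XOR_KEY for b in SAMPLE_PE_HEADER)
    xored_text = bytes(b ^ SAMPLE_XOR_KEY for b in SAMPLE_COLLECTED)
    return staged, xored_pe, xored_text


if __name__ == "__main__":
    staged, xored_pe, xored_text = build_samples()
    print(decode_staged_archive(staged, SAMPLE_RC4_KEY).decode())
    print(recover_single_byte_xor(xored_pe, b"MZ"))
    print([hex(k) for k in rank_xor_keys(xored_text)])
```

In practice the RC4 key comes from the sample's own configuration-decryption routine, so this decoder is the second step after static analysis has located it; the XOR brute force needs no key at all, which is why a known header such as `MZ` or a printable-ratio ranking is enough to recover a self-decrypting stage from memory. Because RC4 is symmetric, `rc4()` with the wrong key returns noise rather than an error, so validate the output against an expected format before trusting it.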
Groups, software, and campaigns
C0013: Operation Sharpshooter
Operation Sharpshooter was a global cyber espionage campaign that targeted nuclear, defense, government, energy, and financial companies, with many located in Germany, Turkey, the United Kingdom, and the United States. Security researchers noted the campaign shared many similarities with previous Lazarus Group operations, including fake job recruitment lures and shared malware code.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.1 | | Current bundle | 1e1b9536b3ab… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] McAfee Sharpshooter December 2018. Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020.
[2] mitre-attack S0448.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.