
S0454: Cadelspy

Cadelspy is a backdoor that has been used by APT39.[1]

Domain: Enterprise | ID: S0454 | Type: Malware | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Cadelspy matters because ATT&CK identifies it as a Windows backdoor associated with APT39 and links it to behaviors focused on discovery and collection: keylogging, screen capture (screenshots and webcam photos), clipboard access, audio capture, peripheral discovery (printers and the documents sent to them), system information discovery, application window discovery, and archiving collected data into a .cab file. For leaders, the practical risk is not just malware presence; it is that a compromised endpoint can become a quiet collection point for credentials, sensitive business information, and user activity.

Executive priority

Prioritize validation around Windows endpoint visibility, credential exposure response, and evidence of user-data collection. Because MITRE provides no official detection guidance for this malware object, coverage should be assessed through the related ATT&CK techniques rather than through a single malware signature. This is especially relevant for incident decision-making: if Cadelspy-like behavior is suspected, teams should be ready to evaluate whether credentials, screenshots, clipboard contents, audio, or archived data may have been collected.

Technical view

SOC and IR teams should map detections to the supplied relationships: T1056.001 Keylogging, T1113 Screen Capture, T1115 Clipboard Data, T1123 Audio Capture, T1560 Archive Collected Data, T1010 Application Window Discovery, T1082 System Information Discovery, and T1120 Peripheral Device Discovery. On Windows endpoints, validate telemetry for suspicious access to input, display, clipboard, audio, peripheral, and system-enumeration functions, plus unusual archive creation involving recently collected user data. Treat the APT39 relationship as threat-intelligence context, not as proof of attribution in any local incident.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Endpoint security or EDR behavioral events for keylogging, screen capture, clipboard access, and audio device access
  • File creation and modification events for screenshots, recordings, logs, temporary collection folders, and archives
  • System and hardware discovery activity from processes that do not normally enumerate host or peripheral details
  • Application/window enumeration signals where available from endpoint telemetry

Detection direction

  • Do not rely solely on a Cadelspy malware name or hash; MITRE does not provide official detection text for this object.
  • Build coverage around the related behaviors, especially combinations of discovery plus collection on the same Windows host.
  • Tune for suspicious processes accessing multiple user-context data sources, such as keystrokes, clipboard, screen, audio devices, and application windows.
  • Review false positives from legitimate remote support, conferencing, accessibility, screen capture, administration, and archive utilities.
  • Use the APT39 relationship to inform threat hunting priorities, while requiring local evidence before making attribution claims.
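The correlation described under Technical view and Detection direction, written out as an added example that is not Glexia's or MITRE's code: it maps constructed Windows endpoint events to the eight S0454 techniques on this page and flags a process that pairs discovery with two or more collection sources, or that writes a .cab archive after collecting. The event type names, the EVENT_TO_TECHNIQUE mapping, the KNOWN_MULTISOURCE allowlist, the 30-minute window, and the sample events (including the lookalike process name) are assumptions for illustration, not real telemetry.

```python
"""Behavior-based correlation for Cadelspy-style collection on a Windows host.

Added example, not MITRE or Glexia code. Runs over constructed endpoint
events, maps them to the ATT&CK techniques listed for S0454, and alerts on a
(host, pid) that combines discovery with several collection sources, or that
creates a .cab archive shortly after collecting. Event shapes, process names
and the mapping below are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed normalized EDR event types -> ATT&CK techniques on the S0454 page.
EVENT_TO_TECHNIQUE = {
    "keyboard_hook_install": "T1056.001",  # Keylogging
    "screen_capture": "T1113",             # Screen Capture (screenshots / webcam)
    "clipboard_read": "T1115",             # Clipboard Data
    "audio_device_open": "T1123",          # Audio Capture
    "window_enumeration": "T1010",         # Application Window Discovery
    "system_info_query": "T1082",          # System Information Discovery
    "printer_enumeration": "T1120",        # Peripheral Device Discovery
}
COLLECTION = {"T1056.001", "T1113", "T1115", "T1123"}
DISCOVERY = {"T1010", "T1082", "T1120"}
ARCHIVE = "T1560"  # Archive Collected Data; the Symantec report names .cab

# Processes that legitimately touch several of these sources (conferencing,
# remote support, accessibility). Assumed list: alerts on them are marked
# for review rather than dropped.
KNOWN_MULTISOURCE = {"teams.exe", "zoom.exe", "narrator.exe"}

WINDOW = timedelta(minutes=30)  # assumed correlation window


def technique_for(event):
    """Map one normalized event to a technique ID, or None if irrelevant."""
    if event["type"] == "file_create" and event.get("path", "").lower().endswith(".cab"):
        return ARCHIVE
    return EVENT_TO_TECHNIQUE.get(event["type"])


def correlate(events, window=WINDOW):
    """Return one alert per (host, pid) showing discovery + >=2 collection
    sources, or collection followed by .cab archive creation, inside `window`."""
    by_proc = defaultdict(list)
    for e in events:
        t = technique_for(e)
        if t:
            key = (e["host"], e["pid"], e["process"].lower())
            by_proc[key].append((datetime.fromisoformat(e["ts"]), t))

    alerts = []
    for (host, pid, proc), seen in by_proc.items():
        seen.sort()
        # Slide a window starting at each observation of this process.
        for i, (start, _) in enumerate(seen):
            techs = {t for ts, t in seen[i:] if ts - start <= window}
            coll = techs & COLLECTION
            multi = len(coll) >= 2 and bool(techs & DISCOVERY)
            staged = bool(coll) and ARCHIVE in techs
            if multi or staged:
                alerts.append({
                    "host": host, "pid": pid, "process": proc,
                    "techniques": sorted(techs),
                    "review_as_fp": proc in KNOWN_MULTISOURCE,
                })
                break  # one alert per process is enough for triage
    return alerts


# Constructed sample telemetry, not from a real incident.
SAMPLE_EVENTS = [
    # lookalike process: enumerates host and windows, hooks keyboard, reads
    # clipboard, then writes a .cab in the user's temp directory
    {"ts": "2024-03-01T09:00:00", "host": "WS-17", "pid": 4120, "process": "svchosts.exe", "type": "system_info_query"},
    {"ts": "2024-03-01T09:00:05", "host": "WS-17", "pid": 4120, "process": "svchosts.exe", "type": "window_enumeration"},
    {"ts": "2024-03-01T09:01:00", "host": "WS-17", "pid": 4120, "process": "svchosts.exe", "type": "keyboard_hook_install"},
    {"ts": "2024-03-01T09:02:30", "host": "WS-17", "pid": 4120, "process": "svchosts.exe", "type": "clipboard_read"},
    {"ts": "2024-03-01T09:10:00", "host": "WS-17", "pid": 4120, "process": "svchosts.exe",
     "type": "file_create", "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\out.cab"},
    # conferencing client: audio, screen and window enumeration are expected
    {"ts": "2024-03-01T09:00:00", "host": "WS-17", "pid": 5200, "process": "Teams.exe", "type": "audio_device_open"},
    {"ts": "2024-03-01T09:00:01", "host": "WS-17", "pid": 5200, "process": "Teams.exe", "type": "screen_capture"},
    {"ts": "2024-03-01T09:00:02", "host": "WS-17", "pid": 5200, "process": "Teams.exe", "type": "window_enumeration"},
    # single collection source with no discovery or archive: no alert
    {"ts": "2024-03-01T09:05:00", "host": "WS-22", "pid": 880, "process": "explorer.exe", "type": "clipboard_read"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run the file to print the alerts for the sample events: the lookalike process is flagged with T1560 in its technique set, the conferencing client is flagged but marked review_as_fp, and the single-source clipboard read produces nothing. The allowlist marks rather than suppresses, matching the false-positive guidance above; the window size and the allowlist should come from your own baseline, not from this example.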

Mitigation priorities

  • Confirm Windows endpoints have sufficient monitoring for the related discovery and collection behaviors.
  • Harden and monitor access to credentials and sensitive user workflows because keylogging and clipboard collection can undermine identity controls.
  • Restrict and review unnecessary access to microphones, screen capture capabilities, clipboard automation, and peripheral enumeration where business operations allow.
  • Ensure incident response playbooks include credential reset decisions, endpoint isolation criteria, and review of potentially collected files or archives.
  • Use ATT&CK technique coverage as audit evidence for detection engineering and control validation, since this object lacks official MITRE detection guidance.

Analyst notes and limits

The most useful defensive framing is behavior-based. The supplied ATT&CK relationships show Cadelspy using several collection and discovery techniques, which gives defenders a practical test plan even though the malware entry itself is sparse. The APT39 relationship is relevant for threat intelligence enrichment, but attribution should not be inferred without environment-specific evidence.

This take is limited to the supplied STIX fields, external references, and relationships. MITRE lists Windows as the platform for this malware object and provides no official detection guidance, aliases, labels, or tactics for the malware entry. Local telemetry, samples, incident artifacts, and business context are required to determine exposure, detection coverage, impact, or attribution.

Official MITRE ATT&CK definition

Cadelspy

Cadelspy is a backdoor that has been used by APT39.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain     | ID        | Name                                   | Relationship / procedure
Enterprise | T1010     | Application Window Discovery           | Cadelspy has the ability to identify open windows on the compromised host. [1]
Enterprise | T1056.001 | Keylogging (sub-technique)             | Cadelspy has the ability to log keystrokes on the compromised host. [1]
Enterprise | T1560     | Archive Collected Data                 | Cadelspy has the ability to compress stolen data into a .cab file. [1]
Enterprise | T1115     | Clipboard Data                         | Cadelspy has the ability to steal data from the clipboard. [1]
Enterprise | T1123     | Audio Capture                          | Cadelspy has the ability to record audio from the compromised host. [1]
Enterprise | T1082     | System Information Discovery           | Cadelspy has the ability to discover information about the compromised host. [1]
Enterprise | T1113     | Screen Capture                         | Cadelspy has the ability to capture screenshots and webcam photos. [1]
Enterprise | T1120     | Peripheral Device Discovery            | Cadelspy has the ability to steal information about printers and the documents sent to printers. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0087: APT39

APT39 is one of several names for cyber espionage activity conducted by the Iranian Ministry of Intelligence and Security (MOIS) through the front company Rana Intelligence Computing since at least 2014. APT39 has primarily targeted the travel, hospitality, academic, and telecommunications industries in Iran and across Asia, Africa, Europe, and North America to track individuals and entities considered to be a threat by the MOIS.[1][2][3][4][5]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Raw hash: e4465042266c959d...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.0            |          | Current bundle | e4465042266c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Symantec Chafer Dec 2015: Symantec Security Response. (2015, December 7). Iran-based attackers use back door threats to spy on Middle Eastern targets. Retrieved April 17, 2019.
  [2] mitre-attack S0454: MITRE ATT&CK, S0454 Cadelspy, attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.