S0456: Aria-body
Analyst context for executives and security teams
Aria-body is a Windows custom backdoor associated in ATT&CK with Naikon and documented as in use since approximately 2017. Its mapped behaviors matter because they span persistence, discovery, collection, stealth, privilege-related token activity, and command-and-control. For leaders, the value is not just knowing the malware name; it is validating whether Windows endpoint, identity, and network controls can show the full chain from initial persistence and host reconnaissance through data staging and outbound communications.
Executive priority
Treat this as a coverage-validation case for espionage-style backdoor tradecraft on Windows. Priority questions include: can the organization prove visibility into suspicious startup persistence, process and token manipulation, removable media access, screen capture, archive creation, file deletion, and unusual web or non-application-layer outbound traffic? Because ATT&CK provides no official detection guidance for this object, confidence should come from local telemetry tests, incident response playbooks, and control evidence rather than from a single malware signature.
Technical view
Aria-body is mapped to Windows-relevant behaviors including Registry Run Keys/Startup Folder persistence, DLL injection, token impersonation or process creation with token, Native API use, multiple discovery techniques, collection from removable media and screen capture, archive creation, file deletion, encoded/encrypted files, deobfuscation, tool transfer, proxy use, web protocol C2, non-application-layer C2, and DGA-based C2. SOC and IR teams should validate detections around behavior clusters rather than the malware name alone: persistence plus discovery, injection or token activity plus outbound C2, collection or archiving plus file cleanup. The relationship to Naikon provides threat-intelligence context, but local alerting should remain behavior-based unless validated indicators are available from approved intelligence sources.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows registry modification events for Run keys and Startup Folder paths
- File creation, modification, deletion, archive, and removable media access telemetry
- Process injection or cross-process memory/thread activity telemetry where available
- Windows security events related to token use, impersonation, privileged process creation, and logon context
Detection direction
- Do not rely on a named Aria-body signature as the primary control; ATT&CK does not provide official detection text for this malware object.
- Correlate Windows startup persistence with nearby discovery activity such as process, user, system, network configuration, network connection, file, and window enumeration.
- Tune for suspicious DLL injection and token impersonation patterns, especially when followed by new process creation or outbound network sessions.
- Review removable media access, screen capture, and archive creation in context; these can be legitimate, so prioritize unusual parent processes, user context, timing, destination, and follow-on transfer behavior.
- Monitor outbound web traffic, proxy-like behavior, non-standard protocols, and DNS patterns consistent with DGA use, while accounting for business applications that generate frequent or dynamic domains.
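As an added example (not Glexia's page code, and not from the Check Point report or MITRE), the Python script below runs the behavior-cluster logic from the bullets above over a handful of constructed Sysmon-style events on two hosts: Run-key persistence followed by discovery commands, rundll32.exe loading a DLL from a user-writable path and then connecting out under the same image, repeated DGA-looking DNS queries, and a ZIP archive staged and then deleted. Everything in it is an assumption for the demonstration: the event field names, the process lists, the lexical DGA heuristic and its thresholds, and every sample record. The "hosted process plus outbound" cluster stands in for the injection/token bullet using only process-creation and connection events, since those are the fields most endpoint pipelines already carry.

```python
"""Behavior-cluster correlation over constructed Windows endpoint events.
Added example for this page; not Glexia's, MITRE's or Check Point's code.
Event shapes are assumed (loosely Sysmon-like); field names, thresholds and
all sample records are invented for the demo.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

RUN_KEY_MARKERS = ("\\currentversion\\run", "\\start menu\\programs\\startup")
DISCOVERY_IMAGES = {"ipconfig.exe", "netstat.exe", "whoami.exe", "systeminfo.exe",
                    "tasklist.exe", "hostname.exe", "net.exe"}
HOST_PROCESSES = {"rundll32.exe", "dllhost.exe"}  # hosts Aria-body is reported to inject into
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\")

T = "2024-03-01T09:%02d:%02d"  # constructed timestamps, all on one morning
RUNDLL = r"C:\Windows\System32\rundll32.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real events
    {"ts": T % (0, 0), "host": "WS01", "type": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": T % (0, 20), "host": "WS01", "type": "process_create", "image": RUNDLL,
     "cmdline": r"rundll32.exe C:\Users\alice\AppData\Local\Temp\core.dll,Start"},
    {"ts": T % (1, 5), "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": T % (1, 9), "host": "WS01", "type": "process_create",
     "image": r"C:\Windows\System32\netstat.exe", "cmdline": "netstat -ano"},
    {"ts": T % (1, 30), "host": "WS01", "type": "dns_query", "image": RUNDLL, "query": "xk3q9zv7p1mt.com"},
    {"ts": T % (1, 31), "host": "WS01", "type": "dns_query", "image": RUNDLL, "query": "q8w2lz0tr5yb.net"},
    {"ts": T % (1, 32), "host": "WS01", "type": "network_connect", "image": RUNDLL,
     "dst": "203.0.113.10", "dport": 443},
    {"ts": T % (4, 0), "host": "WS01", "type": "file_create", "path": r"C:\Users\alice\AppData\Local\Temp\out.zip"},
    {"ts": T % (6, 0), "host": "WS01", "type": "file_delete", "path": r"C:\Users\alice\AppData\Local\Temp\out.zip"},
    # WS02: one admin discovery command and ordinary DNS, no persistence -> no cluster should fire
    {"ts": T % (2, 0), "host": "WS02", "type": "process_create",
     "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"ts": T % (2, 3), "host": "WS02", "type": "dns_query",
     "image": r"C:\Program Files\Browser\browser.exe", "query": "www.example.com"},
]

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def shannon_entropy(text):
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values()) if n else 0.0

def looks_dga(fqdn, min_len=10, min_entropy=3.2, max_vowel_ratio=0.25):
    """Lexical DGA heuristic: long, high-entropy, vowel-poor second-level label.
    Assumes a single-label public suffix; a real deployment would use a suffix list."""
    labels = fqdn.lower().rstrip(".").split(".")
    if len(labels) < 2 or len(labels[-2]) < min_len:
        return False
    label = labels[-2]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio

def is_persistence(e):
    target = (e.get("key", "") + e.get("path", "")).lower()
    return e["type"] in ("registry_set", "file_create") and any(m in target for m in RUN_KEY_MARKERS)

def within(anchor, candidates, window):
    return [c for c in candidates if anchor["when"] <= c["when"] <= anchor["when"] + window]

def correlate(events, window=timedelta(minutes=10)):
    """Return one finding per (host, behavior cluster) observed inside `window`."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(dict(e, when=datetime.fromisoformat(e["ts"])))
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["when"])
        procs = [e for e in evs if e["type"] == "process_create"]
        discovery = [e for e in procs if basename(e["image"]) in DISCOVERY_IMAGES]
        hosted = [e for e in procs if basename(e["image"]) in HOST_PROCESSES
                  and any(m in e.get("cmdline", "").lower() for m in USER_WRITABLE)]
        outbound = [e for e in evs if e["type"] == "network_connect"]
        dga = [e for e in evs if e["type"] == "dns_query" and looks_dga(e["query"])]
        archives = [e for e in evs if e["type"] == "file_create" and e["path"].lower().endswith(".zip")]
        deletes = [e for e in evs if e["type"] == "file_delete"]
        # Persistence followed by at least two discovery commands.
        for p in filter(is_persistence, evs):
            if len(within(p, discovery, window)) >= 2:
                findings.append({"host": host, "cluster": "persistence+discovery", "anchor": p["ts"]})
        # rundll32/dllhost loading a DLL from a user-writable path, then talking out under that image.
        for h in hosted:
            if any(basename(o["image"]) == basename(h["image"]) for o in within(h, outbound, window)):
                findings.append({"host": host, "cluster": "hosted_dll+outbound", "anchor": h["ts"]})
        # Repeated DGA-looking lookups from one host.
        if len(dga) >= 2:
            findings.append({"host": host, "cluster": "dga_dns", "anchor": dga[0]["ts"]})
        # Archive staged and then deleted (collection plus cleanup).
        for a in archives:
            if any(d["path"].lower() == a["path"].lower() for d in within(a, deletes, window)):
                findings.append({"host": host, "cluster": "archive+cleanup", "anchor": a["ts"]})
    return findings

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['host']}: {f['cluster']} starting at {f['anchor']}")
```

The thresholds are placeholders to be tuned against local baselines: the entropy and vowel-ratio heuristic will flag CDN, cloud and telemetry hostnames that legitimately look random, which is exactly the "business applications that generate frequent or dynamic domains" caveat above, so an allow-list of known services belongs in front of `looks_dga` before this goes into production. The clustering also deliberately requires two discovery commands after persistence and two DGA-like lookups per host, so a single `ipconfig /all` on the benign host produces nothing.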
Mitigation priorities
- Prioritize Windows endpoint hardening and EDR coverage for persistence, process injection, token abuse, and suspicious file operations.
- Restrict and monitor autorun persistence locations, including Registry Run keys and Startup Folder execution paths.
- Apply least privilege and credential hygiene to reduce the value of token impersonation or privileged process creation opportunities.
- Control removable media use and ensure access is logged where sensitive data or regulated environments are involved.
- Enforce network egress controls, DNS monitoring, and proxy logging so C2 over web protocols, proxies, non-standard protocols, or DGA-like domains is reviewable.
Analyst notes and limits
The supplied ATT&CK object identifies Aria-body as a custom backdoor used by Naikon and provides a rich set of technique relationships, but no official detection guidance and no aliases. The object platform is Windows; some related techniques list additional platforms, but this assessment treats Windows as the supported platform for this malware object. The group relationship is useful for intelligence context, especially for organizations concerned with espionage risk, but it should not be used alone for attribution.
This assessment is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not include indicators of compromise, hashes, C2 infrastructure, malware configuration details, active exploitation status, victim exposure, or validated detection analytics. Local telemetry, business context, and approved threat-intelligence sources are required to determine actual risk and coverage.
Aria-body
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1095 | Non-Application Layer Protocol | Aria-body has used TCP in C2 communications. [1] |
| Enterprise | T1057 | Process Discovery | Aria-body has the ability to enumerate loaded modules for a process. [1] |
| Enterprise | T1106 | Native API | Aria-body has the ability to launch files using |
| Enterprise | T1568.002 | Domain Generation Algorithms | Aria-body has the ability to use a DGA for C2 communications. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Aria-body has the ability to decrypt the loader configuration and payload DLL. [1] |
| Enterprise | T1025 | Data from Removable Media | Aria-body has the ability to collect data from USB devices. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Aria-body has the ability to identify the location, public IP address, and domain name on a compromised host. [1] |
| Enterprise | T1134.002 | Create Process with Token | Aria-body has the ability to execute a process using |
| Enterprise | T1071.001 | Web Protocols | Aria-body has used HTTP in C2 communications. [1] |
| Enterprise | T1113 | Screen Capture | Aria-body has the ability to capture screenshots on compromised hosts. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Aria-body has the ability to identify the username on a compromised host. [1] |
| Enterprise | T1010 | Application Window Discovery | Aria-body has the ability to identify the titles of running windows on a compromised host. [1] |
| Enterprise | T1082 | System Information Discovery | Aria-body has the ability to identify the hostname, computer name, Windows version, processor speed, and machine GUID on a compromised host. [1] |
| Enterprise | T1070.004 | File Deletion | Aria-body has the ability to delete files and directories on compromised hosts. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Aria-body has established persistence via the Startup folder or Run Registry key. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Aria-body has used an encrypted configuration file for its loader. [1] |
| Enterprise | T1134.001 | Token Impersonation/Theft | Aria-body has the ability to duplicate a token from ntprint.exe. [1] |
| Enterprise | T1090 | Proxy | Aria-body has the ability to use a reverse SOCKS proxy module. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Aria-body has the ability to download additional payloads from C2. [1] |
| Enterprise | T1083 | File and Directory Discovery | Aria-body has the ability to gather metadata from a file and to search for file and directory names. [1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection | Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe. [1] |
| Enterprise | T1680 | Local Storage Discovery | Aria-body has the ability to identify disk information on a compromised host. [1] |
| Enterprise | T1560 | Archive Collected Data | Aria-body has used ZIP to compress data gathered on a compromised host. [1] |
| Enterprise | T1049 | System Network Connections Discovery | Aria-body has the ability to gather TCP and UDP table status listings. [1] |
Groups, software, and campaigns
G0019: Naikon
Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]
While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table lists the same object across releases so it can be compared by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the "Updates" page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | f09f9656c656… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash; the raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CheckPoint Naikon May 2020: CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020.
- [2] mitre-attack S0456: MITRE ATT&CK software object S0456 (Aria-body).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.