S0467: TajMahal
Analyst context for executives and security teams
TajMahal is a Windows multifunctional spying framework described by ATT&CK as active since at least 2014, with separate Tokyo and Yokohama packages and up to 80 plugins. Its ATT&CK relationships make it material because the behavior spans discovery, collection, credential access, stealth, persistence, execution, and exfiltration. For leaders, the risk is not one single malware signature; it is whether the organization can detect and respond to a modular espionage tool that can inventory a host, collect sensitive user data, capture audio/video/screen/clipboard content, steal web session cookies, and move collected data out through automated or C2-based channels.
Executive priority
Prioritize this as a readiness test for endpoint visibility, sensitive-data protection, and incident response scoping on Windows systems. Key executive questions: Do we collect enough endpoint, registry, process, file, removable media, browser/session, and network telemetry to reconstruct collection and exfiltration? Can the SOC distinguish legitimate administration and user activity from coordinated discovery and collection? Are high-value users and systems monitored for peripheral capture, keylogging, cookie theft, and unusual outbound transfer patterns? Because ATT&CK provides no official detection text for TajMahal, coverage should be proven through control validation mapped to the related techniques rather than assumed from malware naming alone.
Technical view
Defenders should validate behavior-based coverage for the Windows platform listed on the malware object and use the related techniques as the analytic map. Priority behaviors include DLL injection and shared module loading, registry modification, security software discovery, process/software/system/network discovery, file and directory enumeration, local and removable media collection, automated collection and archiving, keylogging, clipboard/screen/audio/video capture, web session cookie theft, obfuscation, and exfiltration over C2 or automated channels. Since the object has no ATT&CK tactics specified and no official detection guidance, SOC content should correlate multiple behaviors over time on the same host or user rather than depend on a single indicator.
Likely telemetry
- Windows endpoint process creation, command-line, parent/child process, and module/DLL load events
- Registry modification events, especially persistence- or defense-impairment-relevant changes
- File system enumeration, file access, staging, archive creation, and access to removable media
- Browser profile, cookie store, and web session artifact access where legally and operationally appropriate
- Clipboard, screenshot, microphone, camera, and peripheral device access telemetry where available
Detection direction
- Build detections around behavior clusters: discovery followed by collection, staging/archiving, and outbound transfer is more meaningful than isolated system enumeration.
- Tune for legitimate administrative activity: process, software, network, and file discovery can be normal, so prioritize unusual user context, rare binaries, unexpected parent processes, high-value hosts, or repeated automated patterns.
- Validate Windows visibility for DLL injection, shared module loading, and registry modification because these are explicitly related and often decide whether modular malware activity is visible before exfiltration.
- Add analytic coverage for user-data capture behaviors such as keylogging, clipboard access, screen capture, audio capture, video capture, removable media collection, and session cookie access; these may be privacy-sensitive and require approved monitoring boundaries.
- Correlate collection and exfiltration: automated collection, archive creation via libraries, local/removable media access, and C2-channel transfer should be reviewed together during triage.
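As an added example (not part of the ATT&CK object or the Kaspersky report), the correlation logic the points above describe can be run over endpoint events: a host is flagged only when discovery, collection/staging and outbound transfer stages appear together inside a time window, with discovery preceding the egress. The pipe-delimited log format, the event type names, the hostnames and the binaries are all constructed for this example; the stage mapping follows the techniques listed on this page.

```python
"""Behaviour-cluster correlation over constructed Windows endpoint events.

Added example for the detection direction above. Raises one alert per host
when discovery -> collection -> staging -> egress stages co-occur within a
window, so isolated enumeration or a single archive-and-upload never alerts.
Log format, event names and hosts are constructed and not vendor artefacts.
"""
from datetime import datetime, timedelta

# Coarse event types (constructed) mapped to the behaviour stages the page
# asks analysts to correlate; ATT&CK IDs from the technique table on this page.
STAGE_OF = {
    "proc_discovery": "discovery",         # T1057
    "sec_sw_discovery": "discovery",       # T1518.001
    "net_config_discovery": "discovery",   # T1016
    "file_enum": "discovery",              # T1083
    "clipboard_read": "collection",        # T1115
    "screenshot": "collection",            # T1113
    "cookie_store_read": "collection",     # T1539
    "removable_media_read": "collection",  # T1025
    "archive_create": "staging",           # T1560.002
    "net_egress": "egress",                # T1041 / T1020
}
STAGE_ORDER = ("discovery", "collection", "staging", "egress")


def parse_event(line):
    """Parse one 'ts|host|user|image|event' record (constructed format)."""
    ts, host, user, image, event = line.strip().split("|")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "host": host, "user": user, "image": image,
        "stage": STAGE_OF.get(event),  # None for event types we do not score
    }


def correlate(lines, window_hours=2.0, min_stages=3):
    """Return one alert per host whose events form a discovery->egress cluster.

    A cluster needs at least `min_stages` distinct stages inside the window,
    must contain an egress event, and its first discovery event must precede
    its first egress event.
    """
    window = timedelta(hours=window_hours)
    by_host = {}
    for ev in map(parse_event, lines):
        if ev["stage"] is not None:
            by_host.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, start in enumerate(events):
            cluster = [e for e in events[i:] if e["ts"] - start["ts"] <= window]
            stages = {e["stage"] for e in cluster}
            if len(stages) < min_stages or "egress" not in stages:
                continue
            first = {s: min(e["ts"] for e in cluster if e["stage"] == s) for s in stages}
            if "discovery" in first and first["discovery"] < first["egress"]:
                alerts.append({
                    "host": host,
                    "users": sorted({e["user"] for e in cluster}),
                    "images": sorted({e["image"] for e in cluster}),
                    "stages": [s for s in STAGE_ORDER if s in stages],
                    "start": cluster[0]["ts"], "end": cluster[-1]["ts"],
                })
                break  # one alert per host; later windows would repeat it
    return alerts


# Constructed sample telemetry: one full chain on WS-FIN-07, admin discovery
# only on WS-IT-02, and archive+upload on WS-HR-03 with discovery 3h earlier.
SAMPLE_LINES = r"""
2024-05-01T09:00:05Z|WS-FIN-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\svchost32.exe|proc_discovery
2024-05-01T09:00:09Z|WS-FIN-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\svchost32.exe|sec_sw_discovery
2024-05-01T09:03:40Z|WS-FIN-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\svchost32.exe|cookie_store_read
2024-05-01T09:05:12Z|WS-FIN-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\svchost32.exe|screenshot
2024-05-01T09:20:00Z|WS-FIN-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\svchost32.exe|archive_create
2024-05-01T09:21:30Z|WS-FIN-07|jdoe|C:\Users\jdoe\AppData\Local\Temp\svchost32.exe|net_egress
2024-05-01T10:00:00Z|WS-IT-02|admin1|C:\Windows\System32\tasklist.exe|proc_discovery
2024-05-01T10:00:30Z|WS-IT-02|admin1|C:\Windows\System32\ipconfig.exe|net_config_discovery
2024-05-01T11:00:00Z|WS-HR-03|asmith|C:\Windows\System32\tasklist.exe|proc_discovery
2024-05-01T14:00:00Z|WS-HR-03|asmith|C:\Program Files\7-Zip\7z.exe|archive_create
2024-05-01T14:02:00Z|WS-HR-03|asmith|C:\Program Files\Mozilla Firefox\firefox.exe|net_egress
""".strip().splitlines()

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LINES):
        print(alert["host"], alert["stages"], alert["start"], alert["end"], alert["images"])
```

With the default two-hour window only WS-FIN-07 alerts; widening the window to four hours also joins the earlier discovery on WS-HR-03 to its later archive and upload, which is the tuning trade-off the bullets above describe: the window and the minimum stage count decide how much benign administration gets swept into a cluster.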
Mitigation priorities
- Start with visibility and response readiness: confirm Windows endpoint logging, EDR telemetry, network egress logs, and retention are sufficient for post-compromise reconstruction.
- Reduce credential and session exposure by hardening browser/session handling, monitoring suspicious cookie-store access, and enforcing strong identity controls where applicable.
- Limit collection opportunities through least privilege, sensitive-data access controls, removable media governance, and tighter permissions on high-value file locations.
- Harden against stealth and persistence by monitoring and controlling registry changes, suspicious module loads, process injection behaviors, and unauthorized execution paths.
- Constrain exfiltration with egress monitoring, proxy/firewall policy, anomaly review for outbound transfers, and incident playbooks that preserve endpoint and network evidence.
Analyst notes and limits
The supplied ATT&CK object identifies TajMahal as Windows malware and describes it as a multifunctional spying framework with many plugins. The defensive value comes from its related techniques: broad host discovery, collection from local/removable/user-interaction sources, credential/session theft, stealth via obfuscation and injection, registry modification, archiving, and exfiltration. Treat this as a coverage-mapping object for espionage-style endpoint compromise and data theft scenarios.
No official ATT&CK detection text, aliases, labels, or object-level tactics are provided. The external reference is limited to the Kaspersky TajMahal April 2019 report and the MITRE ATT&CK page. Local environment evidence is required to determine actual exposure, telemetry availability, false-positive rates, and control effectiveness. The related technique platform lists include non-Windows platforms, but the malware object itself lists Windows, so platform claims should be centered on Windows for this object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1560.002 | Archive via Library Sub-technique | TajMahal has the ability to use the open source libraries XZip/Xunzip and zlib to compress files. [1] |
| Enterprise | T1125 | Video Capture | TajMahal has the ability to capture webcam video. [1] |
| Enterprise | T1082 | System Information Discovery | TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host. [1] |
| Enterprise | T1113 | Screen Capture | TajMahal has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications. [1] |
| Enterprise | T1123 | Audio Capture | TajMahal has the ability to capture VoiceIP application audio on an infected host. [1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | TajMahal has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use. [1] |
| Enterprise | T1119 | Automated Collection | TajMahal has the ability to index and compress files into a send queue for exfiltration. [1] |
| Enterprise | T1124 | System Time Discovery | TajMahal has the ability to determine local time on a compromised host. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | TajMahal has the ability to send collected files over its C2. [1] |
| Enterprise | T1057 | Process Discovery | TajMahal has the ability to identify running processes and associated plugins on an infected host. [1] |
| Enterprise | T1518 | Software Discovery | TajMahal has the ability to identify the Internet Explorer (IE) version on an infected host. [1] |
| Enterprise | T1112 | Modify Registry | TajMahal can set the |
| Enterprise | T1016 | System Network Configuration Discovery | TajMahal has the ability to identify the MAC address on an infected host. [1] |
| Enterprise | T1020 | Automated Exfiltration | TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2. [1] |
| Enterprise | T1129 | Shared Modules | TajMahal has the ability to inject the |
| Enterprise | T1539 | Steal Web Session Cookie | TajMahal has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, Firefox and RealNetworks applications. [1] |
| Enterprise | T1083 | File and Directory Discovery | TajMahal has the ability to index files from drives, user profiles, and removable drives. [1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | TajMahal has the ability to inject DLLs for malicious plugins into running processes. [1] |
| Enterprise | T1025 | Data from Removable Media | TajMahal has the ability to steal written CD images and files of interest from previously connected removable drives when they become available again. [1] |
| Enterprise | T1005 | Data from Local System | TajMahal has the ability to steal documents from the local system including the print spooler queue. [1] |
| Enterprise | T1056.001 | Keylogging Sub-technique | TajMahal has the ability to capture keystrokes on an infected host. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | TajMahal has the ability to identify connected Apple devices. [1] |
| Enterprise | T1115 | Clipboard Data | TajMahal has the ability to steal data from the clipboard of an infected host. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | TajMahal has used an encrypted Virtual File System to store plugins. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ccb72cb61ab8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky TajMahal April 2019: GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019.
[2] mitre-attack S0467
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.