S0475: BackConfig
BackConfig is a custom Trojan with a flexible plugin architecture that has been used by Patchwork.[1]
Analyst context for executives and security teams
BackConfig matters because it is a Windows Trojan with a plugin architecture, meaning a single intrusion can support multiple follow-on behaviors depending on what the operator loads or enables. MITRE links it to Patchwork and to behaviors spanning user-driven execution, persistence, command execution, discovery, web-based command and control, tool transfer, and stealth. For leaders, the practical question is not whether one malware name is blocked; it is whether Windows endpoint, email/web, Office, scheduled task, proxy, and incident response evidence can show what happened if a modular Trojan is introduced.
Executive priority
Prioritize BackConfig as a coverage-validation case for Windows malware readiness, especially for organizations with government, diplomatic, or similarly sensitive missions referenced in the related Patchwork context. The business value is in proving controls and audit evidence across the full chain: malicious link exposure, Office macro/template persistence, scheduled task persistence, command shell activity, outbound web traffic, downloaded tools, file hiding/deletion, and code-signing trust decisions. Executives should ask whether the SOC can reconstruct these events quickly and whether IR has authority to contain hosts, preserve evidence, and review egress without waiting for malware-family-specific signatures.
Technical view
ATT&CK provides no official detection text for BackConfig, so defenders should validate detection against the related techniques rather than rely on a named-malware rule. On Windows, focus on correlations between suspicious link or Office activity, Visual Basic script host or command shell execution, scheduled task creation, system and file discovery, hidden or deleted artifacts, possible deobfuscation activity, code-signing metadata, ingress tool transfer, and HTTPS command-and-control traffic. Because the malware is described as having a flexible plugin architecture, detection engineering should favor behavior chains and host-network correlation over single indicators.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, including cmd.exe and the Visual Basic script hosts (wscript.exe, cscript.exe)
- Scheduled task creation, modification, and execution records
- Microsoft Office template, macro, and startup/template path changes
- File system events for new executables, hidden files/directories, file deletion, and suspicious placement using legitimate-looking names or locations
- Code-signing metadata and certificate validation results for newly observed binaries
Detection direction
- Build detections around behavior combinations: user link or Office activity followed by script/command execution, scheduled task persistence, discovery commands, and outbound web traffic.
- Tune for masquerading by comparing file names and paths against expected legitimate Windows and application locations; avoid relying only on filename matches.
- Review scheduled task baselines so administrative software and IT automation do not overwhelm detections for new or unusual task creation.
- Correlate web egress with endpoint process lineage where possible, because command-and-control over HTTPS blends into normal web traffic unless the originating process and its path are visible.
- Validate visibility into file deletion and hidden-file changes; these stealth behaviors can erase or reduce evidence if not captured early.
Mitigation priorities
- Reduce initial execution risk with email/web filtering, malicious-link controls, and user-focused reporting processes for suspicious links.
- Harden Office macro and template behavior, especially where Office templates can create persistence.
- Restrict and monitor scheduled task creation using least privilege and administrative change control.
- Apply application control and certificate trust governance so signed or legitimate-looking binaries are still evaluated by policy and reputation.
- Maintain endpoint protection and EDR coverage on Windows systems with retention sufficient for IR reconstruction.
Analyst notes and limits
The supplied ATT&CK object identifies BackConfig as a custom Trojan used by Patchwork and provides technique relationships that cover execution, persistence, discovery, command and control, defense evasion, and tool transfer. The strongest defensive use of this object is as a control-validation map for Windows malware operations rather than as a standalone indicator list. Local baselines are essential because many related behaviors, such as scheduled tasks, command shell use, Office activity, and web traffic, also occur in legitimate administration and business workflows.
No official ATT&CK detection text, aliases, labels, or malware-specific indicators were supplied. Tactics are not specified on the malware object itself, and several related techniques have broader platform listings; this take treats BackConfig as Windows-focused because the supplied malware platform is Windows. Conclusions about current activity, customer exposure, attribution beyond MITRE’s Patchwork relationship, or guaranteed detection coverage cannot be made from the supplied fields alone.
BackConfig
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1553.002 | Code Signing | BackConfig has been signed with self-signed digital certificates mimicking a legitimate software company.[1] |
| Enterprise | T1059.005 | Visual Basic | BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.[1] |
| Enterprise | T1059.003 | Windows Command Shell | BackConfig can download and run batch files to execute commands on a compromised host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | BackConfig can download and execute additional payloads on a compromised host.[1] |
| Enterprise | T1106 | Native API | BackConfig can leverage API functions such as |
| Enterprise | T1083 | File and Directory Discovery | BackConfig has the ability to identify folders and files related to previous infections.[1] |
| Enterprise | T1137.001 | Office Template Macros | BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.[1] |
| Enterprise | T1070.004 | File Deletion | BackConfig has the ability to remove files and folders related to previous infections.[1] |
| Enterprise | T1082 | System Information Discovery | BackConfig has the ability to gather the victim's computer name.[1] |
| Enterprise | T1027.010 | Command Obfuscation | BackConfig has used compressed and decimal-encoded VBS scripts.[1] |
| Enterprise | T1564.001 | Hidden Files and Directories | BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.[1] |
| Enterprise | T1053.005 | Scheduled Task | BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.[1] |
| Enterprise | T1071.001 | Web Protocols | BackConfig has the ability to use HTTPS for C2 communications.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BackConfig has used a custom routine to decrypt strings.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | BackConfig has hidden malicious payloads in |
| Enterprise | T1204.001 | Malicious Link | BackConfig has compromised victims via links to URLs hosting malicious content.[1] |
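The T1027.010 row says only that BackConfig used compressed and decimal-encoded VBS; the page does not show the encoding. As an added triage example (not code from the ATT&CK page or from Unit 42), the script below assumes two common shapes of decimal encoding in VBScript, chains of `Chr(n)` concatenations and arrays of decimal character codes rebuilt with `Chr()` in a loop, decodes them, and reports which decoded strings carry execution or persistence keywords. The sample script and the keyword list are constructed for illustration.

```python
"""
Decode decimal-encoded strings in VBScript for triage. Added example; the
two encoding shapes handled here (Chr(n) chains and numeric code lists) are
assumptions about what "decimal encoded" means, and SAMPLE_VBS is constructed,
not a BackConfig artefact.
"""
import re

# Chr(104)&Chr(116)&... chains; VBScript identifiers are case-insensitive.
CHR_CHAIN = re.compile(r"(?:chr\(\s*\d{1,3}\s*\)\s*(?:&\s*)?)+", re.I)
# Eight or more decimal numbers separated by commas or whitespace, e.g. Array(115,99,...).
NUM_LIST = re.compile(r"(?:\b\d{1,3}\b\s*[,\s]\s*){7,}\b\d{1,3}\b")
# Keywords worth a second look when they only appear after decoding (assumed list).
SUSPICIOUS = ("wscript.shell", "schtasks", "http", "cmd", "powershell",
              "attrib", "regsvr32", "rundll32")


def _decode(codes):
    """Text for a list of decimal codes if every code is printable ASCII or whitespace."""
    if len(codes) < 4 or not all(32 <= c <= 126 or c in (9, 10, 13) for c in codes):
        return None
    return "".join(chr(c) for c in codes)


def extract_decimal_strings(vbs):
    """Decoded strings in document order, from Chr() chains and numeric code lists."""
    found = []
    for m in CHR_CHAIN.finditer(vbs):
        s = _decode([int(n) for n in re.findall(r"\d{1,3}", m.group(0))])
        if s:
            found.append((m.start(), s))
    for m in NUM_LIST.finditer(vbs):
        s = _decode([int(n) for n in re.findall(r"\b\d{1,3}\b", m.group(0))])
        if s:
            found.append((m.start(), s))
    return [s for _, s in sorted(found)]


def indicators(vbs):
    """SUSPICIOUS keywords present in any decoded string, lower-cased and sorted."""
    text = "\n".join(extract_decimal_strings(vbs)).lower()
    return sorted(k for k in SUSPICIOUS if k in text)


# Constructed sample: a URL prefix, a schtasks command and a COM object name, all hidden
# as decimal codes so that a plain string search finds none of them.
SAMPLE_VBS = """\
Dim s, a, t, o
s = Chr(104)&Chr(116)&Chr(116)&Chr(112)&Chr(115)&Chr(58)&Chr(47)&Chr(47)
a = Array(115,99,104,116,97,115,107,115,32,47,99,114,101,97,116,101)
For i = 0 To UBound(a): t = t & Chr(a(i)): Next
Set o = CreateObject(Chr(87)&Chr(83)&Chr(99)&Chr(114)&Chr(105)&Chr(112)&Chr(116)&Chr(46)&Chr(83)&Chr(104)&Chr(101)&Chr(108)&Chr(108))
o.Run t, 0
"""

if __name__ == "__main__":
    for s in extract_decimal_strings(SAMPLE_VBS):
        print(repr(s))
    print(indicators(SAMPLE_VBS))
```

On the sample the decoder recovers `https://`, `schtasks /create` and `WScript.Shell`, and the indicator list flags all three. Two limits are deliberate: strings shorter than four characters are dropped because isolated `Chr(34)` quote characters are common in benign scripts, and anything that decodes to non-printable bytes is ignored rather than guessed at, since the T1140 row says BackConfig also uses a custom string-decryption routine that this helper does not model.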
Groups, software, and campaigns
G0040: Patchwork
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5806e7fb42e7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Unit 42. Retrieved June 17, 2020.
[2] MITRE ATT&CK. S0475: BackConfig.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.