S0495: RDAT
Analyst context for executives and security teams
RDAT is a Windows backdoor associated in ATT&CK with OilRig and reported in 2020 as targeting telecommunications organizations. Its decision value is that the related behaviors cluster around resilient and hidden command-and-control: web, mail, and DNS channels; steganography; encoding/encryption; fallback channels; tool transfer; screen capture; exfiltration over C2; and Windows service persistence. For leaders, this is less about one malware name and more about whether the organization can see and disrupt low-noise backdoor activity that blends into normal network traffic.
Executive priority
Prioritize RDAT as a coverage-validation case for Windows endpoint visibility, egress monitoring, DNS/mail/web telemetry, and incident response readiness. The ATT&CK relationships point to behaviors that can undermine business continuity and investigation confidence: persistence through Windows services, concealed C2, file deletion, and exfiltration over the same channel used for control. Telecommunications relevance in the source reporting makes this especially useful for organizations with high dependence on network operations, trusted interconnections, or regulated communications services, but local exposure must be determined from environment evidence.
Technical view
ATT&CK does not provide a dedicated detection section for RDAT, so SOC and detection teams should validate coverage through the mapped techniques. On Windows, confirm visibility into service creation or modification, command shell execution, suspicious file writes/deletions, tool ingress, screen capture activity, and outbound network behavior. Network detection should focus on unusual or policy-violating use of web, mail, and DNS protocols, especially where traffic shows encoded, encrypted, steganographic, chunked, or fallback-channel patterns. Treat OilRig relationship context as threat-intelligence enrichment, not as proof of attribution in any local event.
Likely telemetry
- Windows service creation, modification, and service executable path data
- Windows process execution and command-line telemetry, especially cmd.exe activity
- Endpoint file creation, transfer, and deletion events
- Network proxy, firewall, and web protocol logs
- DNS query and response logs
Detection direction
- Because no official RDAT detection guidance is supplied, build detections from the ATT&CK relationships rather than malware-name matching alone.
- Tune for Windows service persistence: newly created services, modified service paths, suspicious names, or names/locations that imitate legitimate resources.
- Correlate command shell execution with service activity, file transfer, file deletion, and outbound network sessions.
- Baseline DNS, web, and mail protocol use from Windows endpoints; investigate endpoints using unusual channels, destinations, timing, or fallback-like behavior.
- Look for exfiltration patterns over existing C2 paths, including fixed-size or threshold-avoiding transfer patterns, while accounting for legitimate application traffic that may generate similar volumes.
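As an added illustration of the DNS baselining item above (not part of the ATT&CK object or the Glexia analysis), the following Python scores constructed DNS query log lines by grouping them per parent domain and counting distinct base32-style or high-entropy subdomain labels, the encoding pattern the technique table records under T1132.001 and T1132.002. The log format, the placeholder domain names, the two-label parent approximation and the thresholds are all assumptions made for this example.

```python
import math
import re
from collections import defaultdict

# Constructed sample lines ("<timestamp> <client_ip> <qname>"); placeholder domains, made-up labels.
SAMPLE_DNS_LOG = """\
2020-07-22T10:00:01Z 10.1.2.3 www.example.com
2020-07-22T10:00:02Z 10.1.2.3 mail.example.com
2020-07-22T10:00:03Z 10.1.2.3 ORSXG5BAMRQXIYJAMFRG.c2-placeholder.test
2020-07-22T10:00:04Z 10.1.2.3 MFRGGZDFMZTWQ2LKNNWW.c2-placeholder.test
2020-07-22T10:00:05Z 10.1.2.3 NBSWY3DPEB3W64TMMQ6Q.c2-placeholder.test
2020-07-22T10:00:06Z 10.1.2.3 KRSXG5BAMRQXIYJAON2G.c2-placeholder.test
2020-07-22T10:00:07Z 10.1.2.3 d1a2b3c4d5e6f7a8b9c0.cdn-placeholder.test
2020-07-22T10:00:08Z 10.1.2.3 cdn.example.com
"""

MIN_LABEL_LEN = 16  # assumed threshold; ordinary hostnames are rarely this long
# Base32 alphabet (A-Z, 2-7): the subdomain encoding the table lists under T1132.001.
BASE32_LABEL = re.compile(r"^[A-Z2-7]{%d,}=*$" % MIN_LABEL_LEN, re.IGNORECASE)
# Base64 with substitutions (T1132.002) has no fixed alphabet, so long high-entropy labels are the signal.
ENCODED_LABEL = re.compile(r"^[A-Za-z0-9_-]{%d,}$" % MIN_LABEL_LEN)


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores well above ordinary hostnames."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def score_dns_log(log_text: str, min_unique: int = 3, min_entropy: float = 3.0) -> dict:
    """Flag parent domains that receive several distinct encoded-looking labels (a data
    channel) rather than one odd hostname. Assumes the parent is the last two labels."""
    stats = defaultdict(lambda: {"queries": 0, "encoded": set(), "base32": set()})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than fail the whole run
        labels = parts[2].lower().rstrip(".").split(".")
        entry = stats[".".join(labels[-2:])]
        entry["queries"] += 1
        for label in labels[:-2]:
            if BASE32_LABEL.match(label):
                entry["base32"].add(label)
            if ENCODED_LABEL.match(label) and shannon_entropy(label) >= min_entropy:
                entry["encoded"].add(label)
    return {p: {"queries": e["queries"], "base32_labels": len(e["base32"]), "encoded_labels": len(e["encoded"]),
                "flagged": max(len(e["base32"]), len(e["encoded"])) >= min_unique}
            for p, e in stats.items()}
```

The single long CDN-style label is scored but not flagged, which is the legitimate-traffic caveat from the list above: the signal is many distinct encoded labels under one parent, not one unusual hostname.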
Mitigation priorities
- Harden and monitor Windows service creation and modification with least privilege and change-control expectations.
- Restrict and log outbound web, DNS, and mail communications according to business need; focus on endpoints that should not initiate those protocols directly.
- Ensure endpoint controls and EDR policies capture process, service, file, and network activity needed for post-compromise investigation.
- Maintain egress monitoring and alerting that can identify fallback channels and abnormal protocol use without relying only on payload inspection.
- Prepare IR playbooks for suspected backdoors: isolate affected Windows hosts, preserve volatile and service configuration evidence, review outbound communications, and scope for tool transfer and exfiltration behavior.
Analyst notes and limits
The supplied ATT&CK object identifies RDAT as a backdoor used by the suspected Iranian group OilRig and references Unit42 reporting from July 2020. The relationship set is rich even though the malware object has no official detection text and no malware-level tactics specified. Defensive value comes from validating the mapped behaviors: stealthy C2, steganography, encoding/encryption, fallback channels, Windows service persistence, command shell execution, screen capture, file deletion, tool transfer, and exfiltration over C2.
This take is constrained to the supplied ATT&CK STIX fields, external references, and relationships. It does not assert current activity, customer exposure, specific indicators, guaranteed detection logic, or confirmed attribution in any environment. RDAT is listed for Windows; related techniques may list additional platforms, but that does not expand the stated platform for this malware object. Local telemetry, asset role, and business context are required to prioritize response.
RDAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | RDAT can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API. [1] |
| Enterprise | T1027.003 | Steganography (sub-technique) | RDAT can also embed data within a BMP image prior to exfiltration. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | RDAT has used Windows Video Service as a name for malicious services. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | RDAT has executed commands using |
| Enterprise | T1071.004 | DNS (sub-technique) | RDAT has used DNS to communicate with the C2. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | RDAT has masqueraded as VMware.exe. [1] |
| Enterprise | T1113 | Screen Capture | RDAT can take a screenshot on the infected system. [1] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | RDAT can communicate with the C2 via base32-encoded subdomains. [1] |
| Enterprise | T1132.002 | Non-Standard Encoding (sub-technique) | RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions. [1] |
| Enterprise | T1543.003 | Windows Service (sub-technique) | RDAT has created a service when it is installed on the victim machine. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | RDAT can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | RDAT has used AES ciphertext to encode C2 communications. [1] |
| Enterprise | T1071.003 | Mail Protocols (sub-technique) | RDAT can use email attachments for C2 communications. [1] |
| Enterprise | T1001.002 | Steganography (sub-technique) | |
| Enterprise | T1030 | Data Transfer Size Limits | |
| Enterprise | T1105 | Ingress Tool Transfer | RDAT can download files via DNS. [1] |
| Enterprise | T1070.004 | File Deletion (sub-technique) | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | RDAT can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel. [1] |
| Enterprise | T1008 | Fallback Channels | RDAT has used HTTP if DNS C2 communications were not functioning. [1] |
| Enterprise | T1001 | Data Obfuscation | RDAT has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2. [1] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 557a765e33f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit42 RDAT July 2020: Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020.
- [2] mitre-attack: S0495
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.