S0520: BLINDINGCAN
BLINDINGCAN is a remote access Trojan that has been used by the North Korean government since at least early 2020 in cyber operations against defense, engineering, and government organizations in Western Europe and the US.[1][2]
Analyst context for executives and security teams
BLINDINGCAN matters because ATT&CK describes it as a Windows remote access Trojan used in operations against defense, engineering, and government organizations in Western Europe and the US. For leaders, the practical issue is not just “malware on an endpoint”; it is the potential for remote control, discovery of sensitive systems and files, tool transfer, command-and-control over web protocols, and data exfiltration through the same channel.
Executive priority
Prioritize this as a resilience and evidence question for Windows environments that hold sensitive government, defense, engineering, or regulated data. Executives should ask whether the organization can prove coverage across phishing-delivered malicious files, suspicious Windows command shell and rundll32 activity, encoded or encrypted C2 over web traffic, local data discovery, tool ingress, and exfiltration over C2. The ATT&CK object has no official detection text, so assurance should come from validated telemetry and tested response playbooks rather than assumptions.
Technical view
SOC and IR teams should validate detection and investigation coverage around the related ATT&CK behaviors: spearphishing attachment and malicious file execution, Windows command shell execution, rundll32 and shared module loading, obfuscated/packed or encoded files, code signing abuse, system/network/storage/file discovery, ingress tool transfer, web-protocol C2, standard encoding, symmetric cryptography, exfiltration over C2, file deletion, and timestomping. Because the software platform is Windows, prioritize Windows endpoint, email, identity, proxy, DNS, and network evidence that can connect initial execution to discovery, C2, and data movement.
Likely telemetry
- Email security logs and attachment detonation or analysis results for targeted malicious attachments
- Windows process creation telemetry for cmd.exe, rundll32.exe, DLL/shared module loading, and unusual parent-child process chains
- Endpoint file metadata, creation/deletion events, timestamp anomalies, packed or encoded file indicators, and code-signing details
- Command-line and script execution records showing discovery of system, network, storage, files, and directories
- Proxy, firewall, DNS, and TLS/web traffic metadata for unusual outbound web-protocol C2 patterns
Detection direction
- Build correlations across phases rather than relying on a single malware signature: phishing or malicious file execution followed by cmd/rundll32 activity, discovery commands, outbound web traffic, and file staging or exfiltration indicators.
- Tune for legitimate administrative overlap. Command shell, rundll32, encoded data, and web protocols are common in normal environments, so detections should use context such as unusual parent process, user, host role, destination, file path, module, signing status, and timing.
- Account for stealth behaviors in triage: software packing, encoded files, matched legitimate names or locations, file deletion, and timestomping can reduce the value of simple hash, filename, or timestamp-based searches.
- Use relationship context to inform threat hunting for Lazarus Group-associated tradecraft, while avoiding attribution conclusions unless local evidence supports them.
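As an added illustration of the cross-phase correlation and context tuning described above (not code from ATT&CK, Glexia or the cited reports; the event field names, hosts and sample values are constructed assumptions about a generic EDR/proxy export), a small Python correlator that joins an Office-spawned cmd.exe or rundll32.exe with a later HTTPS POST carrying a Base64 body from the same host, while leaving an explorer-spawned shell and a plain-JSON POST unflagged:

```python
import base64
import binascii
from collections import defaultdict

# Parent/child pairs for the T1204.002 -> T1059.003 / T1218.011 chain on this page.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SUSPECT_CHILDREN = {"cmd.exe", "rundll32.exe"}

def looks_base64(body: str, min_len: int = 32) -> bool:
    """Strict Base64 check for T1132.001-style encoded POST bodies; min_len is a tuning knob."""
    if len(body) < min_len or len(body) % 4:
        return False
    try:
        base64.b64decode(body, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True

def correlate(process_events, network_events, window_s=600):
    """Pair an Office-spawned cmd/rundll32 with a later encoded HTTPS POST from the same host."""
    # Context does the tuning: a shell under explorer.exe or a plain POST never reaches the join.
    suspicious = defaultdict(list)  # host -> process events worth correlating
    for p in process_events:
        if p["parent"].lower() in OFFICE_PARENTS and p["image"].lower() in SUSPECT_CHILDREN:
            suspicious[p["host"]].append(p)
    findings = []
    for n in network_events:
        if n["method"] != "POST" or n["dst_port"] != 443 or not looks_base64(n["body"]):
            continue
        for p in suspicious.get(n["host"], []):
            if 0 <= n["ts"] - p["ts"] <= window_s:
                findings.append({"host": n["host"], "chain": f"{p['parent']} -> {p['image']}",
                                 "cmdline": p["cmdline"], "dst": n["dst"]})
    return findings

# Constructed sample telemetry; field names are assumptions about an EDR/proxy export.
ENC = base64.b64encode(b"host=WS01;os=10.0.19045;cpu=x64;mac=00-11-22-33-44-55").decode()
PROCESS_EVENTS = [
    {"host": "WS01", "ts": 100, "parent": "WINWORD.EXE", "image": "cmd.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"host": "WS02", "ts": 100, "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"host": "WS03", "ts": 100, "parent": "WINWORD.EXE", "image": "rundll32.exe", "cmdline": "rundll32.exe sample.dll,Start"},
]
NETWORK_EVENTS = [
    {"host": "WS01", "ts": 160, "method": "POST", "dst": "203.0.113.10", "dst_port": 443, "body": ENC},
    {"host": "WS02", "ts": 160, "method": "POST", "dst": "203.0.113.10", "dst_port": 443, "body": ENC},
    {"host": "WS03", "ts": 160, "method": "POST", "dst": "203.0.113.11", "dst_port": 443, "body": '{"ok":true}'},
]

def run_sample():
    # Only WS01 completes the whole chain; WS02 lacks the Office parent, WS03 lacks the encoded body.
    return correlate(PROCESS_EVENTS, NETWORK_EVENTS)
```

The time window, the minimum body length and the parent/child sets are the knobs to adjust against local baselines before this runs on production telemetry.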
Mitigation priorities
- Reduce initial execution risk through attachment controls, user reporting workflows, and safe handling of high-risk file types associated with spearphishing attachments and malicious files.
- Harden and monitor Windows execution paths, especially command shell, rundll32, shared module loading, and unsigned or suspiciously signed binaries.
- Ensure egress controls and monitoring cover outbound web protocols, encoded or encrypted C2-like traffic, and external tool transfer patterns.
- Protect sensitive local data with least privilege and segmentation so host-level discovery does not automatically expose high-value files or systems.
- Prepare IR procedures for evidence preservation where file deletion and timestomping are possible, including rapid endpoint isolation and collection of volatile and filesystem metadata.
Analyst notes and limits
The supplied ATT&CK record identifies BLINDINGCAN as a Windows remote access Trojan and provides relationships to techniques spanning initial access, execution, discovery, defense evasion/impairment, command and control, collection, and exfiltration. The relationship to Lazarus Group and the official description support North Korea-related context, but local investigation should not infer attribution from technique matches alone.
MITRE provides no official detection text for this object, no aliases, no labels, and no object-level tactics. Several related techniques list platforms beyond Windows, but the BLINDINGCAN software platform supplied here is Windows; platform-specific conclusions should therefore be limited to Windows unless separate evidence supports broader scope.
BLINDINGCAN
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | BLINDINGCAN has collected from a victim machine the system name, processor information, and OS version.[1] |
| Enterprise | T1059.003 | Windows Command Shell | BLINDINGCAN has executed commands via cmd.exe.[1] |
| Enterprise | T1071.001 | Web Protocols | BLINDINGCAN has used HTTPS over port 443 for command and control.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | BLINDINGCAN has downloaded files to a victim machine.[1] |
| Enterprise | T1005 | Data from Local System | BLINDINGCAN has uploaded files from victim machines.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | BLINDINGCAN has attempted to hide its payload by using legitimate file names such as "iconcache.db".[1] |
| Enterprise | T1132.001 | Standard Encoding | BLINDINGCAN has encoded its C2 traffic with Base64.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | BLINDINGCAN has obfuscated code using Base64 encoding.[1] |
| Enterprise | T1553.002 | Code Signing | BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.[1] |
| Enterprise | T1070.004 | File Deletion | BLINDINGCAN has deleted itself and associated artifacts from victim machines.[1] |
| Enterprise | T1027.002 | Software Packing | BLINDINGCAN has been packed with the UPX packer.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | BLINDINGCAN has sent user and system information to a C2 server via HTTP POST requests.[2][1] |
| Enterprise | T1016 | System Network Configuration Discovery | BLINDINGCAN has collected the victim machine's local IP address information and MAC address.[1] |
| Enterprise | T1070.006 | Timestomp | BLINDINGCAN has modified file and directory timestamps.[1][2] |
| Enterprise | T1129 | Shared Modules | BLINDINGCAN has loaded and executed DLLs in memory during runtime on a victim machine.[1] |
| Enterprise | T1204.002 | Malicious File | BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents.[1] |
| Enterprise | T1218.011 | Rundll32 | BLINDINGCAN has used Rundll32 to load a malicious DLL.[1] |
| Enterprise | T1680 | Local Storage Discovery | BLINDINGCAN has collected disk information, including type and free space available.[1] |
| Enterprise | T1083 | File and Directory Discovery | BLINDINGCAN can search, read, write, move, and execute files.[1][2] |
| Enterprise | T1566.001 | Spearphishing Attachment | BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography | BLINDINGCAN has encrypted its C2 traffic with RC4.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BLINDINGCAN has used AES and XOR to decrypt its DLLs.[1] |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | d2675cf38890… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] US-CERT BLINDINGCAN Aug 2020: US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020.
[2] NHS UK BLINDINGCAN Aug 2020: NHS Digital. (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020.
[3] mitre-attack S0520: MITRE ATT&CK source record for S0520 (BLINDINGCAN).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.