S0533: SLOTHFULMEDIA
SLOTHFULMEDIA is a remote access Trojan written in C++ that has been used by an unidentified "sophisticated cyber actor" since at least January 2017.[1][2] It has been used to target government organizations, defense contractors, universities, and energy companies in Russia, India, Kazakhstan, Kyrgyzstan, Malaysia, Ukraine, and Eastern Europe.[3][4]
In October 2020, Kaspersky Labs assessed SLOTHFULMEDIA is part of an activity cluster it refers to as "IAmTheKing".[4] ESET also noted code similarity between SLOTHFULMEDIA and droppers used by a group it refers to as "PowerPool".[5]
Analyst context for executives and security teams
SLOTHFULMEDIA is a Windows remote access Trojan reported by ATT&CK as historically used against government, defense, university, and energy organizations. Its mapped behaviors matter because they cover the full post-compromise problem set: persistence through Windows services, command execution, discovery, collection such as keylogging and screen capture, C2 over web protocols, exfiltration over C2, and cleanup/stealth. For leaders, the value is not only identifying this malware family, but validating whether Windows endpoint, network, and incident response evidence would show a similar remote-access intrusion before data collection or exfiltration is missed.
Executive priority
Prioritize this as a readiness check for Windows enterprise monitoring and response, especially in environments where government, defense, education, energy, or regulated operations increase the business impact of credential theft or data loss. The key executive questions are: can the SOC prove visibility into suspicious Windows services, registry changes, command shell activity, web-based C2, and exfiltration over existing channels; and can incident responders quickly determine what local data, screenshots, keystrokes, and system discovery were exposed? Because ATT&CK provides no official detection guidance for this object, coverage should be demonstrated with local telemetry and tested detections rather than assumed from tool ownership.
Technical view
ATT&CK maps SLOTHFULMEDIA to Windows-focused behaviors including Windows Command Shell, Windows Service persistence/execution, Modify Registry, Process Injection, masquerading, hidden files, discovery of users/processes/services/network connections/system information/files/local storage, keylogging, screen capture, ingress tool transfer, web-protocol C2, data obfuscation, exfiltration over C2, service stop, and file deletion. SOC and IR teams should validate correlation across endpoint process telemetry, service-control events, registry writes, suspicious file placement/naming, network web sessions, and post-compromise collection indicators. Treat the malware name as threat-intelligence context; detection engineering should focus on the mapped behaviors because no official ATT&CK detection text is supplied.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and service-control activity
- Windows service creation, modification, start/stop, and executable path metadata
- Windows Registry modification events tied to persistence, execution, or defense evasion
- File creation, deletion, hidden attribute changes, and suspicious executable names or locations
- EDR or host telemetry for process injection and unusual process ancestry
Detection direction
- Build behavior-based detections around the mapped ATT&CK techniques rather than relying on a malware family name alone.
- Correlate Windows service creation or modification with new executable drops, registry changes, command shell execution, and unusual parent-child process chains.
- Tune discovery detections to distinguish administrative inventory activity from clustered post-compromise enumeration across users, processes, services, files, network connections, system information, and storage.
- Review web-protocol egress monitoring for uncommon destinations, unusual client behavior, or suspicious beacon-like sessions, while accounting for high false-positive volume in normal HTTP/S traffic.
- Look for possible exfiltration over the same channel used for C2 by correlating host collection activity (screenshot files, keylog output, staged archives) with outbound transfers to the same destination that is receiving beacon traffic.
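The service, file, registry, command-shell and discovery bullets above describe one correlation, so here is that correlation as an added example in Python, not code from MITRE, CISA or any vendor. It scores constructed endpoint events per host inside a sliding window and alerts only when several independent signals coincide. The service name TaskFrame, the mediaplayer.exe name and the Filter3.jpg screenshot name come from the technique table on this page; the event schema, the user-writable path list, the weights, the 30-minute window, the registry key under Internet Settings and both sample hosts are assumptions made for the example.

```python
"""Endpoint correlation for a SLOTHFULMEDIA-style intrusion.
Added example for this page, not code from MITRE, CISA or any vendor. The event
schema (host, ts, kind plus per-kind fields) and every sample record are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Procedure-level names taken from the ATT&CK relationship text on this page.
REPORTED_SERVICE_NAMES = {"taskframe"}       # T1543.003 / T1036.004
MIMICKED_BINARIES = {"mediaplayer.exe"}      # T1036.005
SCREENSHOT_NAMES = {"filter3.jpg"}           # T1113
# Locations where a service binary or a "media player" should not live (assumption).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
# Built-in enumeration tools; several of them in one window is clustered discovery.
DISCOVERY_CMDS = {"tasklist", "net", "netstat", "systeminfo", "sc", "whoami"}
WINDOW = timedelta(minutes=30)   # per-host correlation window
ALERT_THRESHOLD = 6              # no single event below can reach this alone


def score_event(ev):
    """Return (weight, reason) for one event, or None when it is uninteresting alone."""
    kind = ev["kind"]
    if kind == "service_install":
        if ev["service_name"].lower() in REPORTED_SERVICE_NAMES:
            return 4, f"service '{ev['service_name']}' matches a reported name (T1543.003/T1036.004)"
        if any(d in ev["image_path"].lower() for d in USER_WRITABLE):
            return 2, f"service binary in user-writable path {ev['image_path']} (T1543.003)"
    elif kind == "file_create":
        path = ev["path"].lower()
        name = path.rsplit("\\", 1)[-1]
        if name in MIMICKED_BINARIES and any(d in path for d in USER_WRITABLE):
            return 3, f"{name} dropped outside any install directory (T1036.005)"
        if ev.get("hidden") and name.endswith(".exe"):
            return 2, f"hidden executable {ev['path']} (T1564.001)"
        if name in SCREENSHOT_NAMES:
            return 2, f"screenshot artifact {ev['path']} (T1113)"
    elif kind == "registry_set":
        # Key name is an assumption: the page only says the proxy configuration was changed.
        if ev["key"].lower().endswith("\\internet settings") and ev["value_name"].lower().startswith("proxy"):
            return 2, f"proxy setting {ev['value_name']} changed (T1112)"
    elif kind == "process_create":
        parent = ev.get("parent", "").lower()
        if ev["image"].lower().endswith("\\cmd.exe") and any(d in parent for d in USER_WRITABLE):
            return 2, f"cmd.exe spawned by {ev['parent']} (T1059.003)"
    return None


def correlate(events):
    """Slide a time window over each host's events; alert on the best-scoring window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        best, start = None, 0
        for end, ev in enumerate(evs):
            while evs[start]["ts"] < ev["ts"] - WINDOW:
                start += 1
            window = evs[start:end + 1]
            hits = [h for h in map(score_event, window) if h]
            # Discovery is scored on the cluster, not per command: one 'whoami' is not an incident.
            disc = {e["cmdline"].split()[0].lower() for e in window
                    if e["kind"] == "process_create" and e.get("cmdline")} & DISCOVERY_CMDS
            if len(disc) >= 4:
                hits.append((3, f"{len(disc)} distinct discovery commands {sorted(disc)} (T1057/T1007/T1049/T1082)"))
            score = sum(w for w, _ in hits)
            if score >= ALERT_THRESHOLD and (best is None or score > best["score"]):
                best = {"host": host, "score": score, "first": window[0]["ts"], "last": ev["ts"],
                        "reasons": [r for _, r in hits]}
        if best:
            alerts.append(best)
    return alerts


T0 = datetime(2020, 10, 1, 9, 0, 0)
DROP = "C:\\Users\\alice\\AppData\\Local\\Temp\\mediaplayer.exe"
CMD = "C:\\Windows\\System32\\cmd.exe"


def _ev(host, minutes, kind, **fields):
    return {"host": host, "ts": T0 + timedelta(minutes=minutes), "kind": kind, **fields}


# Constructed sample telemetry: one host following the page's procedures, one doing admin work.
SAMPLE_EVENTS = [
    _ev("WS-0417", 0, "file_create", path=DROP, hidden=True),
    _ev("WS-0417", 1, "service_install", service_name="TaskFrame", image_path=DROP),
    _ev("WS-0417", 2, "registry_set", value_name="ProxyServer",
        key="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings"),
    _ev("WS-0417", 3, "process_create", image=CMD, parent=DROP, cmdline="cmd.exe"),
    _ev("WS-0417", 4, "process_create", image="C:\\Windows\\System32\\tasklist.exe", parent=CMD, cmdline="tasklist /v"),
    _ev("WS-0417", 5, "process_create", image="C:\\Windows\\System32\\net.exe", parent=CMD, cmdline="net user"),
    _ev("WS-0417", 6, "process_create", image="C:\\Windows\\System32\\NETSTAT.EXE", parent=CMD, cmdline="netstat -ano"),
    _ev("WS-0417", 7, "process_create", image="C:\\Windows\\System32\\systeminfo.exe", parent=CMD, cmdline="systeminfo"),
    _ev("WS-0417", 9, "file_create", path="C:\\Users\\alice\\AppData\\Local\\Temp\\Filter3.jpg"),
    _ev("WS-0042", 20, "service_install", service_name="VendorUpdater", image_path="C:\\Program Files\\Vendor\\updater.exe"),
    _ev("WS-0042", 21, "process_create", image="C:\\Windows\\System32\\whoami.exe", parent=CMD, cmdline="whoami /groups"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["score"], *alert["reasons"], sep="\n  ")
```

Each event contributes at most one reason (the first matching check wins), and no single event can cross the threshold, so the legitimate VendorUpdater install and the lone whoami on WS-0042 stay silent while WS-0417 alerts on the combination. In production the weights and the user-writable path list need tuning against your own baseline, and the service and binary names should be treated as an enrichment hint rather than the detection itself.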
Mitigation priorities
- Ensure Windows endpoint visibility is deployed and retained for process execution, services, registry, file activity, and network connections.
- Harden and monitor Windows service creation/modification and registry persistence paths using least privilege and administrative change control.
- Limit unnecessary command shell and administrative utility abuse through privilege management and controlled administrative workflows.
- Strengthen egress controls and monitoring for web-protocol C2 and potential exfiltration over established channels.
- Protect credentials and sensitive workflows by prioritizing controls and response procedures for keylogging and screen capture risk on high-value workstations.
Analyst notes and limits
ATT&CK identifies SLOTHFULMEDIA as a C++ remote access Trojan used by an unidentified sophisticated cyber actor and notes historical targeting of government organizations, defense contractors, universities, and energy companies across several countries. Kaspersky associates it with the IAmTheKing cluster and related names, and ESET noted code similarity with droppers used by PowerPool. These are useful enrichment points, not proof of current activity or local exposure.
The supplied ATT&CK object has no official detection text, no tactics listed directly on the malware object, no aliases in the primary alias field, and only Windows as the malware platform. Technique relationships provide behavioral context, but local validation is required to determine whether an organization has telemetry, detections, and response coverage. This summary does not assert active exploitation, attribution, or guaranteed detectability.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1680 | Local Storage Discovery | SLOTHFULMEDIA has collected disk information from a victim machine.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SLOTHFULMEDIA has sent system information to a C2 server via HTTP and HTTPS POST requests.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.[1] |
| Enterprise | T1112 | Modify Registry | SLOTHFULMEDIA can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the |
| Enterprise | T1055 | Process Injection | SLOTHFULMEDIA can inject into running processes on a compromised host.[1] |
| Enterprise | T1071.001 | Web Protocols | SLOTHFULMEDIA has used HTTP and HTTPS for C2 communications.[1] |
| Enterprise | T1007 | System Service Discovery | SLOTHFULMEDIA has the capability to enumerate services.[1] |
| Enterprise | T1056.001 | Keylogging | SLOTHFULMEDIA has a keylogging capability.[1] |
| Enterprise | T1059.003 | Windows Command Shell | SLOTHFULMEDIA can open a command line to execute commands.[1] |
| Enterprise | T1033 | System Owner/User Discovery | SLOTHFULMEDIA has collected the username from a victim machine.[1] |
| Enterprise | T1543.003 | Windows Service | SLOTHFULMEDIA has created a service on victim machines named "TaskFrame" to establish persistence.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service | SLOTHFULMEDIA has named a service it establishes on victim machines "TaskFrame" to hide its malicious purpose.[1] |
| Enterprise | T1569.002 | Service Execution | SLOTHFULMEDIA has the capability to start services.[1] |
| Enterprise | T1005 | Data from Local System | SLOTHFULMEDIA has uploaded files and information from victim machines.[1] |
| Enterprise | T1001 | Data Obfuscation | SLOTHFULMEDIA has hashed a string containing system information prior to exfiltration via POST requests.[1] |
| Enterprise | T1083 | File and Directory Discovery | SLOTHFULMEDIA can enumerate files and directories.[1] |
| Enterprise | T1489 | Service Stop | SLOTHFULMEDIA has the capability to stop processes and services.[1] |
| Enterprise | T1070.004 | File Deletion | SLOTHFULMEDIA has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | SLOTHFULMEDIA has downloaded files onto a victim machine.[1] |
| Enterprise | T1049 | System Network Connections Discovery | SLOTHFULMEDIA can enumerate open ports on a victim machine.[1] |
| Enterprise | T1057 | Process Discovery | SLOTHFULMEDIA has enumerated processes by ID, name, or privileges.[1] |
| Enterprise | T1113 | Screen Capture | SLOTHFULMEDIA has taken a screenshot of a victim's desktop, named it "Filter3.jpg", and stored it in the local directory.[1] |
| Enterprise | T1564.001 | Hidden Files and Directories | SLOTHFULMEDIA has been created with a hidden attribute to ensure it is not visible to the victim.[1] |
| Enterprise | T1082 | System Information Discovery | SLOTHFULMEDIA has collected system name, OS version, adapter information, and memory usage from a victim machine.[1] |
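The T1071.001, T1041 and T1001 rows above describe the network side of this intrusion: periodic HTTP/HTTPS POSTs carrying a hashed system string, with collected data later sent over the same channel. The following added example, in Python and not code from MITRE, CISA or any vendor, shows the corresponding egress check the "Detection direction" section asks for: it groups constructed proxy-style flow records by host and destination, measures how machine-regular the POST timing is, counts bodies that are exactly hash-sized hex, and flags any POST far larger than the beacon median as an exfiltration candidate. The flow schema, the thresholds, the documentation-range IP 203.0.113.7, the example.net names and the SHA-256-sized filler body are all assumptions made for the example.

```python
"""Beacon and exfiltration heuristics for web-protocol C2.
Added example for this page, not code from MITRE, CISA or any vendor. The flow
schema (host, dst, ts, method, bytes_out, body) and all sample flows are constructed;
in practice the records come from proxy, NetFlow or EDR network telemetry.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

MIN_REQUESTS = 6        # enough samples to judge periodicity (assumed threshold)
MAX_INTERVAL_CV = 0.2   # std dev / mean of request gaps; below this the timing is machine-regular
EXFIL_RATIO = 20        # a POST this many times the beacon median is an exfil candidate (T1041)
# A body that is exactly MD5-, SHA-1- or SHA-256-sized hex is consistent with the hashed system
# string the page describes under T1001. Weak on its own, so it is reported as context only.
HEX_BODY = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")


def beacon_candidates(flows):
    """Return host/destination pairs whose POST timing looks like a beacon."""
    by_pair = defaultdict(list)
    for f in flows:
        if f["method"] == "POST":
            by_pair[(f["host"], f["dst"])].append(f)
    findings = []
    for (host, dst), fs in by_pair.items():
        if len(fs) < MIN_REQUESTS:
            continue
        fs.sort(key=lambda f: f["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(fs, fs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else float("inf")
        if cv > MAX_INTERVAL_CV:
            continue  # human-driven or bursty traffic; not a beacon by this heuristic
        sizes = [f["bytes_out"] for f in fs]
        median_size = statistics.median(sizes)
        exfil = [f for f in fs if f["bytes_out"] > EXFIL_RATIO * median_size]
        findings.append({
            "host": host, "dst": dst, "requests": len(fs),
            "mean_interval_s": round(mean, 1), "interval_cv": round(cv, 3),
            "hex_bodies": sum(1 for f in fs if HEX_BODY.match(f.get("body", ""))),
            "exfil_candidates": [(f["ts"], f["bytes_out"]) for f in exfil],
        })
    return findings


T0 = datetime(2020, 10, 1, 9, 30, 0)
BEACON_BODY = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"  # constructed filler


def _flow(host, dst, seconds, method="POST", bytes_out=160, body=BEACON_BODY):
    return {"host": host, "dst": dst, "ts": T0 + timedelta(seconds=seconds),
            "method": method, "bytes_out": bytes_out, "body": body}


SAMPLE_FLOWS = (
    # WS-0417: one-minute beacon with a few seconds of jitter, then one large upload on the same channel.
    [_flow("WS-0417", "203.0.113.7", s) for s in (0, 60, 117, 180, 240, 298, 360)]
    + [_flow("WS-0417", "203.0.113.7", 420, bytes_out=2_400_000, body="")]
    # WS-0042: irregular, user-driven POSTs to a collaboration service.
    + [_flow("WS-0042", "collab.example.net", s, bytes_out=b, body="{}")
       for s, b in ((0, 512), (15, 4096), (400, 300), (401, 900), (900, 12000), (2000, 256))]
    # A GET is ignored by this heuristic entirely.
    + [_flow("WS-0417", "updates.example.net", 30, method="GET", bytes_out=0, body="")]
)

if __name__ == "__main__":
    for finding in beacon_candidates(SAMPLE_FLOWS):
        print(finding)
```

The coefficient of variation is deliberately loose: real implants add jitter, and a threshold tight enough to catch only perfect clocks misses them. The price is that software updaters, telemetry agents and monitoring probes also beacon, so this output is a hunting queue to be filtered against a destination baseline, not an alert on its own; the large-POST check is what ties a candidate back to the host-side collection artifacts.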
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 34d2d27a0183… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] CISA MAR SLOTHFULMEDIA October 2020. DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020.
[2] Costin Raiu IAmTheKing October 2020. Costin Raiu. (2020, October 2). Costin Raiu Twitter IAmTheKing SlothfulMedia. Retrieved September 12, 2024.
[3] USCYBERCOM SLOTHFULMEDIA October 2020. USCYBERCOM. (2020, October 1). USCYBERCOM Cybersecurity Alert SLOTHFULMEDIA. Retrieved September 12, 2024.
[4] Kaspersky IAmTheKing October 2020. Ivan Kwiatkowski, Pierre Delcher, Felix Aime. (2020, October 15). IAmTheKing and the SlothfulMedia malware family. Retrieved October 15, 2020.
[5] ESET PowerPool Code October 2020. ESET Research. (2020, October 1). ESET Research Tweet Linking Slothfulmedia and PowerPool. Retrieved September 12, 2024.
[6] JackOfHearts (associated software name). Kaspersky Labs refers to the "mediaplayer.exe" dropper within SLOTHFULMEDIA (https://attack.mitre.org/software/S0533) as the JackOfHearts.[4]
[7] QueenOfClubs (associated software name). Kaspersky Labs assesses SLOTHFULMEDIA (https://attack.mitre.org/software/S0533) is an older variant of a malware family it refers to as the QueenOfClubs.[4]
[8] MITRE ATT&CK source record S0533 (mitre-attack). https://attack.mitre.org/software/S0533
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.