S0538: Crutch
Analyst context for executives and security teams
Crutch matters because ATT&CK describes it as a Windows backdoor designed for document theft and associated with Turla use since at least 2015. For leaders, the practical issue is not just malware presence; it is whether the organization can notice document collection, local staging, archiving, and exfiltration over web, C2, or cloud-storage channels before sensitive data leaves the environment.
Executive priority
Prioritize Crutch as a data-theft and espionage readiness scenario: validate that high-value Windows systems, document repositories, removable media use, scheduled tasks, DLL activity, and outbound web/cloud traffic are covered by logging, monitoring, and response playbooks. This object is useful for testing whether SOC, incident response, compliance evidence, and data-loss controls can prove what documents were accessed, staged, archived, and transmitted.
Technical view
ATT&CK provides no official detection text for Crutch, so defenders should build validation from the related techniques: local and removable-media collection, peripheral discovery, automated collection and exfiltration, local staging, archive creation, scheduled task persistence, masqueraded tasks or services, DLL abuse, fallback C2, web-protocol C2, bidirectional web-service communication, exfiltration over C2, and exfiltration to cloud storage. Focus testing on Windows endpoints because that is the supplied platform for the malware object.
Likely telemetry
- Windows endpoint process execution and command-line telemetry
- Scheduled task creation, modification, and execution records
- Windows service and task names, descriptions, paths, and signer metadata for masquerade review
- DLL load events and file path metadata relevant to DLL abuse
- File-system telemetry for document discovery, copying, staging directories, archive creation, and access to removable media
Detection direction
- Because official detection guidance is not provided, validate behavior chains rather than a single malware signature.
- Correlate document enumeration or bulk file access with local staging, archive utility use, and outbound transfer activity.
- Review scheduled tasks and services for names that imitate legitimate administrative or system components, especially when paired with unusual executable paths.
- Hunt for suspicious DLL loading patterns on Windows systems, particularly when followed by persistence or outbound communication.
- Baseline normal cloud storage and web traffic so exfiltration to cloud services or C2 over web protocols does not disappear into routine business traffic.
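Added example, not code from the ATT&CK page or from ESET's research, of the behaviour-chain validation the Technical view and Detection direction sections call for: it tags constructed Windows process, scheduled-task and proxy events against the Crutch techniques listed on this page (WinRAR archiving, an Outlook-named task launching from an untrusted path, Dropbox or GitHub contact) and alerts only when a local stage and an outbound channel occur on the same host within an hour. The event field names, the domain suffixes, the trusted-directory list and the sample events are all assumptions constructed for the example.

```python
from datetime import datetime, timedelta
from itertools import groupby
# Heuristics from this page's technique table; domain and path lists are assumptions.
ARCHIVE_IMAGES = {"rar.exe", "winrar.exe"}           # T1560.001: WinRAR archiving
CLOUD_SUFFIXES = ("dropbox.com", "dropboxapi.com")   # T1102.002 / T1567.002 channels
FALLBACK_SUFFIXES = ("github.com",)                  # T1008: hardcoded GitHub fallback
TRUSTED_DIRS = ("c:\\program files", "c:\\windows")  # where a real Office task action lives
EGRESS = {"cloud_egress", "fallback_egress"}
WINDOW = timedelta(hours=1)

def stage_of(ev):
    """Map one telemetry event to a chain stage, or None when it is not interesting."""
    if ev["kind"] == "process" and ev["image"].rsplit("\\", 1)[-1].lower() in ARCHIVE_IMAGES:
        return "archive"
    if ev["kind"] == "task_create":  # T1036.004: Outlook-named task launching an untrusted path
        if "outlook" in ev["task_name"].lower() and not ev["task_action"].lower().startswith(TRUSTED_DIRS):
            return "masquerade_task"
    if ev["kind"] == "net":
        dst = ev["dest_host"].lower()
        if dst.endswith(CLOUD_SUFFIXES):
            return "cloud_egress"
        if dst.endswith(FALLBACK_SUFFIXES):
            return "fallback_egress"
    return None

def correlate(events):
    """Return [(host, stages)]: hosts where a local stage and an egress stage fall within WINDOW."""
    tagged = [(e["host"], datetime.fromisoformat(e["ts"]), stage_of(e)) for e in events]
    tagged = sorted((t for t in tagged if t[2]), key=lambda t: (t[0], t[1]))
    alerts = []
    for host, grp in groupby(tagged, key=lambda t: t[0]):
        grp = list(grp)
        for i, (_, t0, _) in enumerate(grp):
            stages = {s for _, t, s in grp[i:] if t - t0 <= WINDOW}
            if stages & EGRESS and stages - EGRESS:  # archiving/persistence plus an outbound channel
                alerts.append((host, stages))
                break
    return alerts

# Constructed sample telemetry: WS01 shows the chain; WS02 is routine Dropbox use with a genuine
# Office task; WS03 archives, but its GitHub contact falls outside the window.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2024-05-01T09:00:00", "kind": "process", "image": "C:\\Users\\Public\\rar.exe"},
    {"host": "WS01", "ts": "2024-05-01T09:05:00", "kind": "task_create", "task_name": "Outlook Item Finder",
     "task_action": "C:\\Users\\Public\\svc\\finder.exe"},
    {"host": "WS01", "ts": "2024-05-01T09:20:00", "kind": "net", "dest_host": "api.dropboxapi.com"},
    {"host": "WS02", "ts": "2024-05-01T10:00:00", "kind": "task_create", "task_name": "Outlook Item Finder",
     "task_action": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"},
    {"host": "WS02", "ts": "2024-05-01T10:05:00", "kind": "net", "dest_host": "www.dropbox.com"},
    {"host": "WS03", "ts": "2024-05-01T11:00:00", "kind": "process", "image": "C:\\Temp\\winrar.exe"},
    {"host": "WS03", "ts": "2024-05-01T13:30:00", "kind": "net", "dest_host": "github.com"},
]
```

Running `correlate(SAMPLE_EVENTS)` flags only WS01; the WS02 Dropbox traffic and the WS03 archiving stay below the alert threshold, which is the baseline-aware behaviour the list above asks for.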
Mitigation priorities
- Start with visibility: ensure Windows endpoint, file, scheduled task, DLL, removable media, proxy/DNS, and cloud access telemetry is retained and searchable.
- Restrict and monitor removable media and unsanctioned cloud storage use where business requirements allow.
- Harden scheduled task and service creation permissions and regularly review persistence points on high-value systems.
- Apply least privilege to sensitive document locations and monitor access to regulated or mission-critical data stores.
- Use egress controls and proxy policy to limit unauthorized outbound channels while preserving business-approved web access.
Analyst notes and limits
The relationship set makes Crutch most useful as a collection-to-exfiltration scenario for control validation. The supplied ATT&CK relationship identifies Turla as a user of this malware, and the official description says Crutch has been used by Turla since at least 2015. Treat that as contextual intelligence; local evidence is still required for incident attribution.
ATT&CK does not provide official detection text, aliases, labels, or explicit tactics on the malware object. Technique relationships provide behavioral context, but they do not guarantee that every Crutch sample or intrusion will exhibit every behavior. Local baselines, approved administrative activity, cloud-service usage, and endpoint logging quality will determine practical detection value.
Crutch
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1560.001 | Archive via Utility Sub-technique | Crutch has used the WinRAR utility to compress and encrypt stolen files. [1] |
| Enterprise | T1120 | Peripheral Device Discovery | Crutch can monitor for removable drives being plugged into the compromised machine. [1] |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | Crutch can use Dropbox to receive commands and upload stolen data. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Crutch has conducted C2 communications with a Dropbox account using the HTTP API. [1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Crutch has the ability to persist using scheduled tasks. [1] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage Sub-technique | Crutch has exfiltrated stolen data to Dropbox. [1] |
| Enterprise | T1025 | Data from Removable Media | Crutch can monitor removable drives and exfiltrate files matching a given extension list. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Crutch has established persistence with a scheduled task impersonating the Outlook item finder. [1] |
| Enterprise | T1574.001 | DLL Sub-technique | Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive. [1] |
| Enterprise | T1020 | Automated Exfiltration | Crutch has automatically exfiltrated stolen files to Dropbox. [1] |
| Enterprise | T1119 | Automated Collection | Crutch can automatically monitor removable drives in a loop and copy interesting files. [1] |
| Enterprise | T1005 | Data from Local System | Crutch can exfiltrate files from compromised systems. [1] |
| Enterprise | T1008 | Fallback Channels | Crutch has used a hardcoded GitHub repository as a fallback channel. [1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Crutch has staged stolen files in the |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API). [1] |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 78e8b456c888… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET Crutch December 2020: Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020.
[2] mitre-attack: S0538.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.