S0553: MoleNet
Analyst context for executives and security teams
MoleNet matters because MITRE describes it as a Windows downloader with backdoor capabilities: if present, it can support follow-on tool transfer, command execution, discovery, and persistence. For leaders, the practical issue is not just one malware name, but whether Windows endpoint monitoring, egress visibility, and incident response playbooks can prove what was executed, what was downloaded, and whether persistence was established.
Executive priority
Treat MoleNet as a validation case for Windows endpoint resilience and incident readiness. The ATT&CK relationships point to common high-value control areas: PowerShell, Windows command shell, WMI, startup persistence, security-tool discovery, system discovery, and ingress tool transfer. Executives should ask whether the organization can produce audit-ready evidence for these behaviors, especially around endpoint logging, administrative scripting controls, outbound network monitoring, and rapid containment of downloader/backdoor activity.
Technical view
MITRE provides no dedicated detection text for MoleNet, so defenders should pivot from the related techniques. Validate visibility for WMI execution, PowerShell activity, cmd.exe execution, system and security software discovery, external file transfer into Windows hosts, and Registry Run Key or Startup Folder persistence. Incident responders should be prepared to reconstruct parent-child process chains, command-line arguments, downloaded files, persistence locations, network destinations, and whether the activity ran in a user or administrative context. The relationship to Molerats is useful threat-intelligence context, but local evidence should drive any incident conclusions.
Likely telemetry
- Windows endpoint process creation events, including parent-child relationships and command-line arguments
- PowerShell execution and script-block or equivalent command telemetry where available
- WMI activity and remote/local WMI execution traces
- Windows Registry monitoring for Run Keys and related startup persistence locations
- Startup folder file creation or modification events
Detection direction
- Build or validate behavior-based detections around the related ATT&CK techniques rather than relying only on the malware name.
- Correlate suspicious PowerShell, cmd.exe, and WMI execution with newly created files, outbound connections, and persistence changes.
- Tune for legitimate administration: WMI, PowerShell, and command shell activity are common in enterprise operations, so detections should account for approved management tools, administrators, scripts, and maintenance windows.
- Hunt for discovery activity that enumerates host details or installed security tools, especially when followed by file downloads or persistence creation.
- Confirm that detections cover both initial downloader behavior and post-download execution, because a downloader/backdoor may be most visible through follow-on activity.
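The correlation described in this list, as an added example that is not part of the ATT&CK object or Glexia's own tooling: a small Python routine that joins constructed Sysmon-style process, file, registry and network records per process, flags a PowerShell or cmd.exe spawned via WMI that sets a Run key or drops a file and connects outbound, and suppresses approved administration scripts. The `\\corp\scripts\` share, the WmiPrvSE.exe parent check and the `securitycenter2` discovery marker are assumptions.

```python
"""Correlate WMI-spawned script hosts with persistence, file and network events.
Events are CONSTRUCTED Sysmon-style records; field names, hosts, paths and the allowlist are assumptions."""
from collections import defaultdict

SCRIPT_HOSTS = {"powershell.exe", "cmd.exe"}      # T1059.001 / T1059.003
WMI_PARENTS = {"wmiprvse.exe"}                    # WmiPrvSE.exe hosts WMI-spawned processes (T1047)
RUN_KEY = "\\currentversion\\run\\"               # T1547.001 Run key path fragment
APPROVED_SCRIPTS = ("\\\\corp\\scripts\\",)       # assumed share holding approved admin scripts

def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def correlate(events, window=300):
    """One finding per WMI-spawned script host that, within `window` s, writes a Run key or drops a file and connects out."""
    by_pid = defaultdict(list)
    for e in events:
        by_pid[(e["host"], e["pid"])].append(e)
    findings = []
    for (host, pid), evs in by_pid.items():
        start = next((e for e in evs if e["type"] == "process_create"), None)
        if (start is None or _basename(start["image"]) not in SCRIPT_HOSTS
                or _basename(start["parent_image"]) not in WMI_PARENTS):
            continue
        cmd = start["cmdline"].lower()
        if any(p in cmd for p in APPROVED_SCRIPTS):
            continue  # tuning: approved management script, not a finding
        later = [e for e in evs if e is not start and 0 <= e["ts"] - start["ts"] <= window]
        run_keys = [e["target"] for e in later if e["type"] == "registry_set" and RUN_KEY in e["target"].lower()]
        files = [e["path"] for e in later if e["type"] == "file_create"]
        egress = [e["dest"] for e in later if e["type"] == "network_connect"]
        if run_keys or (files and egress):
            findings.append({"host": host, "pid": pid, "user": start["user"],
                             "chain": f"{_basename(start['parent_image'])} -> {_basename(start['image'])}",
                             "av_discovery": "securitycenter2" in cmd,  # assumed marker for AV/firewall enumeration (T1518.001)
                             "run_keys": run_keys, "files": files, "egress": egress})
    return findings

WMI, PS = "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
SAMPLE_EVENTS = [  # constructed: ws-01 is the suspicious chain, ws-02 an approved inventory script
    {"type": "process_create", "host": "ws-01", "pid": 4242, "ts": 1000, "user": "CORP\\jdoe",
     "parent_image": WMI, "image": PS, "cmdline": "powershell.exe -NoProfile -Command <queries root/SecurityCenter2>"},
    {"type": "file_create", "host": "ws-01", "pid": 4242, "ts": 1020, "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\upd.exe"},
    {"type": "network_connect", "host": "ws-01", "pid": 4242, "ts": 1025, "dest": "203.0.113.7:443"},
    {"type": "registry_set", "host": "ws-01", "pid": 4242, "ts": 1040, "target": "HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "process_create", "host": "ws-02", "pid": 5151, "ts": 2000, "user": "CORP\\svc_mgmt",
     "parent_image": WMI, "image": PS, "cmdline": "powershell.exe -File \\\\corp\\scripts\\inventory.ps1"},
    {"type": "registry_set", "host": "ws-02", "pid": 5151, "ts": 2010, "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\InventoryAgent"},
]
```

Running `correlate(SAMPLE_EVENTS)` yields a single finding for ws-01 carrying the parent-child chain, user context, Run key, dropped file and destination that the incident-response section asks responders to reconstruct.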
Mitigation priorities
- Prioritize strong Windows endpoint logging and retention for process, script, WMI, registry, file, and network activity.
- Restrict and monitor administrative scripting interfaces such as PowerShell, Windows command shell, and WMI according to operational need.
- Harden persistence points by monitoring and controlling Registry Run Keys and Startup Folder changes.
- Apply least privilege so user-context persistence and execution have limited business impact.
- Strengthen outbound network controls and review egress paths used for external file transfer.
Analyst notes and limits
The supplied ATT&CK object identifies MoleNet as a downloader tool with backdoor capabilities observed since at least 2019 and relates it to Molerats and several techniques. Because official detection guidance is not provided, the most defensible Glexia position is to assess coverage through the mapped behaviors: execution via WMI, PowerShell, and command shell; discovery; ingress tool transfer; security software discovery; and Run Key or Startup Folder persistence.
This summary is limited to the supplied MITRE ATT&CK fields, external references, and relationships. The object lists Windows as the platform, while some related techniques have broader platform metadata; this take only treats Windows as supported for MoleNet. No claim is made about current activity, customer exposure, guaranteed detection, or attribution beyond the provided Molerats relationship. Local telemetry, baselines, and incident evidence are required to determine relevance in any specific environment.
MoleNet
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1082 | System Information Discovery | MoleNet can collect information about the system. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | MoleNet can execute commands via the command line utility. [1] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | MoleNet can use PowerShell to set persistence. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | MoleNet can achieve persistence on the infected machine by setting the Registry run key. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | MoleNet can perform WMI commands on the system. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | MoleNet can download additional payloads from the C2. [1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | MoleNet can use WMI commands to check the system for firewall and antivirus software. [1] |
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | cab9c7e506fe… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cybereason Molerats Dec 2020: Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020.
- [2] MoleNet description source: (Citation: Cybereason Molerats Dec 2020)
- [3] mitre-attack external ID: S0553
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.