S0555: CHEMISTGAMES
CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]
Analyst context for executives and security teams
CHEMISTGAMES matters because it represents an Android modular backdoor with behaviors that cut across mobile supply-chain trust, device reconnaissance, local data access, location tracking, and web-based command-and-control. For leaders, the practical issue is not only the malware name; it is whether the organization can govern Android app provenance, observe mobile device behavior, and respond when a mobile endpoint may become a collection or tracking platform.
Executive priority
Prioritize this as a mobile security and resilience validation item where Android devices support sensitive operations, executive communications, field work, or regulated data access. ATT&CK links CHEMISTGAMES to Sandworm Team and to techniques involving software supply-chain compromise, runtime code download, obfuscation, encrypted C2, local data collection, and location tracking. Executives should ask whether mobile risk management, app approval, incident response, and compliance evidence cover these behaviors rather than relying only on traditional endpoint controls.
Technical view
CHEMISTGAMES is documented for Android and is related to techniques including Obfuscated Files or Information, Download New Code at Runtime, System Information Discovery, Location Tracking, Web Protocols, Compromise Software Supply Chain, Asymmetric Cryptography, Data from Local System, Native API, Unix Shell, and Match Legitimate Name or Location. SOC and IR teams should validate whether mobile security tooling can inspect app identity, permissions, package provenance, dynamic code loading, native code use, suspicious shell activity, device discovery, access to local data, location permission use, and outbound web-protocol communications. ATT&CK provides no official detection text, so coverage should be proven through local telemetry and controlled validation, not assumed from the malware entry alone.
Likely telemetry
- Android mobile device management or enterprise mobility management inventory, compliance state, app install source, package name, signing certificate, and permission records
- Mobile threat defense or mobile EDR alerts for dynamic code loading, obfuscation, native code execution, shell usage, and suspicious app behavior
- Application vetting or mobile app security analysis results for runtime code download, disguised names or locations, embedded native libraries, and supply-chain provenance concerns
- Network telemetry for Android device HTTP/HTTPS communications, unusual destinations, encrypted application-layer traffic patterns, and command-and-control-like beaconing
- Device and app logs showing system information queries, local file or database access, and use of location APIs or background location permissions
Detection direction
- Validate detection logic against the related behaviors rather than the CHEMISTGAMES name alone, because ATT&CK supplies no official detection guidance for this malware object.
- Correlate mobile app identity anomalies, such as legitimate-looking names or package locations, with risky permissions, native libraries, runtime code retrieval, and unusual outbound web traffic.
- Tune for context: many legitimate Android apps use HTTPS, location permissions, native libraries, and system information APIs, so alerts should incorporate app provenance, business authorization, permission necessity, destination reputation, and behavioral combinations.
- Review blind spots in mobile telemetry, especially personally owned devices, unmanaged Android devices, encrypted web traffic without mobile context, limited app-store provenance evidence, and lack of logs for local data access or shell activity.
- Use the Sandworm Team relationship as threat-intelligence context for prioritization, while avoiding any assumption that local observations are attributable without independent evidence.
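The correlation and tuning points above are easier to reason about with a concrete scorer. The following is an added illustrative example, not Glexia or MITRE code, and not an MTD/MDM product schema: the record layout, field names, the trusted-signer allow-list, the placeholder certificate fingerprints, the sample records and the threshold are all assumptions. It scores an Android app-inventory row on combinations of signals (signer mismatch or look-alike package name, unapproved installer, runtime code loading together with native libraries, shell use, sensitive permissions paired with unlisted destinations) rather than on any single field, so a legitimate app that merely uses location and native libraries scores zero.

```python
from dataclasses import dataclass

# Constructed allow-list of trusted apps: package name -> expected signing
# certificate fingerprint. Values are placeholders, not real certificate hashes.
KNOWN_SIGNERS = {
    "com.example.popularapp": "SHA256:PLACEHOLDER-GOOD-CERT",
}
APPROVED_INSTALLERS = {"com.android.vending"}      # Google Play's installer package
APPROVED_DESTINATIONS = {"api.popularapp.example"}  # assumed business-approved hosts
SENSITIVE_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_EXTERNAL_STORAGE",
}
INVESTIGATE_THRESHOLD = 6  # assumed tuning value; adjust to local false-positive rate


@dataclass
class AppRecord:
    """One app-inventory row as an MDM/MTD export might provide it (assumed layout)."""
    package: str
    signer: str
    installer: str
    permissions: frozenset
    native_libs: bool        # embedded .so libraries present
    runtime_dex_load: bool   # MTD observed a DEX/JAR written and loaded at runtime
    shell_exec: bool         # MTD observed the app spawning sh/bash
    destinations: frozenset  # hostnames from device network telemetry


def lookalike_of(package):
    """Return the trusted package this name resembles (same last label, different package), else None."""
    tail = package.rsplit(".", 1)[-1].lower()
    for known in KNOWN_SIGNERS:
        if package != known and known.rsplit(".", 1)[-1].lower() == tail:
            return known
    return None


def score_app(rec):
    """Weight combinations of signals; single benign-looking signals contribute little or nothing."""
    score, findings = 0, []
    expected = KNOWN_SIGNERS.get(rec.package)
    if expected and rec.signer != expected:
        score += 4
        findings.append("signing certificate differs from the expected one for a trusted package")
    elif expected is None and lookalike_of(rec.package):
        score += 3
        findings.append(f"package name resembles trusted app {lookalike_of(rec.package)}")
    if rec.installer not in APPROVED_INSTALLERS:
        score += 2
        findings.append(f"installed via unapproved installer {rec.installer}")
    if rec.runtime_dex_load:
        score += 3
        findings.append("loads new code at runtime")
        if rec.native_libs:
            score += 1
            findings.append("native libraries combined with runtime code loading")
    if rec.shell_exec:
        score += 2
        findings.append("spawns a shell")
    sensitive = rec.permissions & SENSITIVE_PERMISSIONS
    unknown_hosts = rec.destinations - APPROVED_DESTINATIONS
    if unknown_hosts:
        score += 1
        findings.append(f"talks to unlisted hosts: {sorted(unknown_hosts)}")
        if sensitive:
            score += 2
            findings.append("sensitive permissions plus unlisted destinations (possible collection or tracking)")
    verdict = "investigate" if score >= INVESTIGATE_THRESHOLD else "benign-context"
    return score, verdict, findings


# Constructed sample records (not real telemetry).
BENIGN = AppRecord(
    "com.example.popularapp", "SHA256:PLACEHOLDER-GOOD-CERT", "com.android.vending",
    frozenset({"android.permission.ACCESS_FINE_LOCATION"}),
    True, False, False, frozenset({"api.popularapp.example"}))
TROJANIZED_UPDATE = AppRecord(
    "com.example.popularapp", "SHA256:PLACEHOLDER-OTHER-CERT", "com.android.vending",
    frozenset({"android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_EXTERNAL_STORAGE"}),
    True, True, True, frozenset({"api.popularapp.example", "update-cdn.invalid"}))
SIDELOADED_LOOKALIKE = AppRecord(
    "net.example.update.popularapp", "SHA256:PLACEHOLDER-X", "com.android.packageinstaller",
    frozenset(), False, True, False, frozenset({"cdn.invalid"}))

if __name__ == "__main__":
    for rec in (BENIGN, TROJANIZED_UPDATE, SIDELOADED_LOOKALIKE):
        score, verdict, findings = score_app(rec)
        print(f"{rec.package}: {score} -> {verdict}")
        for f in findings:
            print("   -", f)
```

The benign row carries location permission and native libraries, both common in legitimate apps, and still scores zero; the trojanized update scores highest because a signer change on a Play-installed package combines with runtime code loading, shell use and an unlisted destination. Real deployments would replace the allow-lists with the organization's app inventory and destination reputation data.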
Mitigation priorities
- Start with Android governance: maintain an inventory of devices and installed apps, enforce approved app sources where feasible, and review app signing, provenance, permissions, and business justification.
- Harden mobile access to sensitive services using device compliance checks, least-privilege access, and conditional access policies where available.
- Strengthen app vetting for dynamic code loading, obfuscation, native code, suspicious package naming, excessive local data access, and location permission abuse.
- Improve mobile network monitoring for managed devices, focusing on unusual web-protocol communications and encrypted traffic patterns tied to risky or unapproved apps.
- Prepare mobile incident response procedures for containment, device acquisition where legally and operationally appropriate, app removal, credential rotation, and evidence preservation.
Analyst notes and limits
The object is a malware entry for CHEMISTGAMES, described by ATT&CK as a modular backdoor deployed by Sandworm Team. The most useful defensive value comes from the related mobile techniques, which indicate what controls and telemetry should be validated across Android environments. Because tactics are not specified and official detection content is absent, defenders should treat this as a behavior-driven validation case rather than a complete detection recipe.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish current activity, customer exposure, indicators of compromise, exploit details, or guaranteed detection methods. Local device ownership models, mobile telemetry depth, app inventory quality, and legal/privacy constraints will determine practical detection and response options.
CHEMISTGAMES
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1426 | System Information Discovery | CHEMISTGAMES has fingerprinted devices to uniquely identify them.[1] |
| Mobile | T1521.002 | Asymmetric Cryptography | CHEMISTGAMES has used HTTPS for C2 communication.[1] |
| Mobile | T1437.001 | Web Protocols | CHEMISTGAMES has used HTTPS for C2 communication.[1] |
| Mobile | T1430 | Location Tracking | CHEMISTGAMES has collected the device's location.[1] |
| Mobile | T1623.001 | Unix Shell | CHEMISTGAMES can run bash commands.[1] |
| Mobile | T1655.001 | Match Legitimate Name or Location | CHEMISTGAMES has masqueraded as popular South Korean applications.[1] |
| Mobile | T1406 | Obfuscated Files or Information | CHEMISTGAMES has encrypted its DEX payload.[1] |
| Mobile | T1575 | Native API | CHEMISTGAMES has utilized native code to decrypt its malicious payload.[1] |
| Mobile | T1533 | Data from Local System | CHEMISTGAMES can collect files from the filesystem and account information from Google Chrome.[1] |
| Mobile | T1407 | Download New Code at Runtime | CHEMISTGAMES can download new modules while running.[1] |
| Mobile | T1474.003 | Compromise Software Supply Chain | CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers and subsequently gaining access to their Google Play Store developer accounts.[1] |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ce14b1912b43… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] CYBERWARCON CHEMISTGAMES: B. Leonard, N. Mehta. (2019, November 21). The Secret Life of Sandworms. Retrieved December 31, 2020.
- [2] mitre-attack S0555
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.