S0582: LookBack
Analyst context for executives and security teams
LookBack matters because ATT&CK describes it as a Windows remote access trojan used against at least three U.S. utility companies in July 2019. For security leaders, the key decision value is not just the malware name; it is the combination of remote access, discovery, persistence, command-and-control, screen capture, and service disruption behaviors that can affect operational resilience, especially in utility or cyber-physical environments.
Executive priority
Prioritize validation of Windows endpoint visibility, egress monitoring, and incident response readiness for remote access malware behaviors. Utilities and organizations with operational dependencies should ask whether SOC teams can prove coverage for command shell execution, persistence through Run keys/startup folders, unusual web or non-application-layer communications, service stops, and shutdown/reboot activity. Because ATT&CK provides no official detection guidance for this object, assurance should come from local telemetry tests, control evidence, and response playbooks rather than assumptions based on the malware family name.
Technical view
LookBack is documented as Windows malware and is related to techniques spanning execution, discovery, persistence, stealth, collection, command-and-control, and impact. SOC and IR teams should validate behavior-based detections around Windows Command Shell and Visual Basic execution, process/service/file discovery, Registry Run keys or startup folder persistence, DLL abuse, file deletion, decoding/deobfuscation activity, screen capture, encrypted or web-based C2 patterns, non-application-layer protocol use, service stop, and shutdown/reboot events. Detection engineering should map alerts to the related ATT&CK techniques rather than relying on a single malware signature.
Likely telemetry
- Windows endpoint process creation and command-line logs
- Registry modification events, especially Run keys and startup folder changes
- File creation, deletion, rename, and directory enumeration activity
- DLL load and suspicious library path telemetry where available
- Windows service query, stop, and configuration events
Detection direction
- Build coverage around the related behaviors: T1059.003, T1059.005, T1007, T1057, T1083, T1547.001, T1574.001, T1070.004, T1140, T1113, T1071.001, T1095, T1573.001, T1489, and T1529.
- Tune discovery detections to distinguish normal administration from unusual service, process, and file enumeration, especially when followed by persistence or outbound communication.
- Correlate Run key/startup folder changes and DLL abuse with the initiating process, user context, parent process, and subsequent network activity.
- Review egress monitoring for web-protocol C2 patterns and unusual non-application-layer communications, while accounting for encrypted traffic visibility limits.
- Treat service stop and shutdown/reboot alerts as higher priority when they occur on operationally important Windows systems or during an active investigation.
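As an added example (not part of the ATT&CK object or Glexia's analysis), the following Python correlates constructed Sysmon-style events per host and process to implement two of the detection directions above: Run key/startup folder persistence followed by outbound traffic from the same process, and service stops escalated on operationally important hosts. Host names, paths, destination address and the critical-host set are all assumptions.

```python
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry); pid scopes a process per host.
EVENTS = [
    {"ts": 100, "type": "process", "host": "hmi-01", "pid": 4001, "user": "opsuser",
     "parent": "winword.exe", "image": r"C:\Users\opsuser\AppData\Local\Temp\update.exe"},
    {"ts": 101, "type": "registry", "host": "hmi-01", "pid": 4001,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"ts": 103, "type": "network", "host": "hmi-01", "pid": 4001, "dst": "203.0.113.10", "port": 80},
    {"ts": 104, "type": "service_stop", "host": "hmi-01", "pid": 4001, "service": "Spooler"},
    {"ts": 200, "type": "process", "host": "ws-07", "pid": 5002, "user": "itadmin",
     "parent": "explorer.exe", "image": r"C:\Program Files\Vendor\setup.exe"},
    {"ts": 201, "type": "registry", "host": "ws-07", "pid": 5002,
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"},
]
CRITICAL_HOSTS = {"hmi-01"}  # assumption: asset criticality comes from the local inventory
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\startup\\")

def is_run_key(key):
    """T1547.001: Run key or startup folder path, matched case-insensitively."""
    k = key.lower()
    return any(m in k for m in RUN_KEY_MARKERS)

def correlate(events, critical_hosts=CRITICAL_HOSTS, window=300):
    """Group events per (host, pid) and emit findings for the two behaviour chains."""
    by_proc = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_proc[(e["host"], e["pid"])].append(e)
    findings = []
    for (host, pid), evs in by_proc.items():
        proc = next((e for e in evs if e["type"] == "process"), {})
        runkey = next((e for e in evs if e["type"] == "registry" and is_run_key(e["key"])), None)
        # Chain 1: Run-key persistence followed by outbound traffic from the same process.
        if runkey:
            net = [e for e in evs if e["type"] == "network" and 0 <= e["ts"] - runkey["ts"] <= window]
            if net:
                findings.append({"host": host, "pid": pid, "rule": "T1547.001->outbound",
                                 "parent": proc.get("parent"), "user": proc.get("user"),
                                 "dst": f'{net[0]["dst"]}:{net[0]["port"]}'})
        # Chain 2: service stop is escalated when it lands on an operationally important host.
        for e in evs:
            if e["type"] == "service_stop":
                findings.append({"host": host, "pid": pid, "rule": "T1489",
                                 "service": e["service"],
                                 "priority": "high" if host in critical_hosts else "normal"})
    return findings
```

The second host sets a Run key but never talks outbound inside the window, so it produces no finding; that is the point of correlating rather than alerting on the registry write alone.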
Mitigation priorities
- Maintain strong Windows endpoint logging and centralized retention before relying on malware-specific detections.
- Harden persistence paths by monitoring and controlling Registry Run keys, startup folders, and DLL search/load behavior where feasible.
- Restrict and monitor script and command shell usage according to administrative need.
- Apply least privilege so user-context persistence and service control require appropriate authorization.
- Segment and monitor outbound network paths, especially from systems with operational or utility relevance.
Analyst notes and limits
The supplied ATT&CK object identifies LookBack as a C++ remote access trojan used against at least three U.S. utility companies in July 2019 and notes TALONITE has been observed using it. The strongest defensive value comes from the relationship context: LookBack is associated with execution, discovery, persistence, stealth, C2, collection, and impact techniques. This supports behavior-based control validation and SOC use-case development.
ATT&CK provides no official detection text, no aliases, and no tactic list directly on the malware object. External references are listed, but no indicators, hashes, infrastructure, or detailed procedure examples were supplied here. Local environment telemetry, asset criticality, and approved administrative baselines are required to determine actual exposure and detection quality.
LookBack
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1489 | Service Stop | LookBack can kill processes and delete services. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | LookBack executes the |
| Enterprise | T1059.005 | Visual Basic Sub-technique | LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1007 | System Service Discovery | LookBack can enumerate services on the victim machine. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1057 | Process Discovery | LookBack can list running processes. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1529 | System Shutdown/Reboot | LookBack can shut down and reboot the victim machine. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | LookBack has a C2 proxy tool that masquerades as |
| Enterprise | T1071.001 | Web Protocols Sub-technique | LookBack's C2 proxy tool sends data to a C2 server over HTTP. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1113 | Screen Capture | LookBack can take desktop screenshots. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | LookBack uses a modified version of RC4 for data transfer. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | LookBack sets up a Registry Run key to establish a persistence mechanism. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1070.004 | File Deletion Sub-technique | LookBack removes itself after execution and can delete files on the system. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1095 | Non-Application Layer Protocol | LookBack uses a custom binary protocol over sockets for C2 communications. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1083 | File and Directory Discovery | LookBack can retrieve file listings from the victim machine. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | LookBack has a function that decrypts malicious data. (Citation: Proofpoint LookBack Malware Aug 2019) |
| Enterprise | T1574.001 | DLL Sub-technique | LookBack side loads its communications module as a DLL into the |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 45ea0dd53c11… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Proofpoint LookBack Malware Aug 2019: Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
- [2] Dragos TALONITE: Dragos. (n.d.). TALONITE. Retrieved February 25, 2021.
- [3] Dragos Threat Report 2020: Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.
- [4] LookBack (Citation: Proofpoint LookBack Malware Aug 2019)
- [5] mitre-attack S0582
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.