S0586: TAINTEDSCRIBE
TAINTEDSCRIBE is a fully-featured beaconing implant integrated with command modules used by Lazarus Group. It was first reported in May 2020.[1]
Analyst context for executives and security teams
TAINTEDSCRIBE matters because ATT&CK describes it as a Windows beaconing implant with command modules, not a single-purpose tool. For leaders, the risk is sustained command-and-control with follow-on discovery, persistence, stealth, tool transfer, and collection behaviors that can complicate containment and recovery. The supplied ATT&CK relationship also ties its use to Lazarus Group, so teams should treat it as a threat-intelligence-relevant malware family while still validating activity from local evidence.
Executive priority
Prioritize this as a resilience and readiness question: can the organization prove it would notice a Windows implant that blends network traffic, uses fallback channels, persists with Run keys or Startup folders, executes commands, and cleans up artifacts? Budget and control discussions should focus less on hash blocking alone and more on endpoint visibility, egress governance, incident response evidence retention, and audit-ready proof that discovery, persistence, and command-and-control behaviors are monitored.
Technical view
ATT&CK provides no official detection text for TAINTEDSCRIBE, so SOC and IR teams should build coverage from the related techniques. Validate Windows telemetry for command shell execution; discovery of processes, files and directories, remote systems, system time, and local storage; Registry Run key or Startup folder persistence; file deletion; timestamp manipulation; archive creation; ingress tool transfer; and beaconing. Network detection should account for protocol or service impersonation (the source reports FakeTLS), fallback across five hard-coded IP addresses with a 60-second retry, and symmetric (LFSR-based) encryption of the channel. Because encrypted or protocol-like traffic limits content inspection, network analytics should lean on metadata such as destination, timing, and protocol conformance rather than payload matching.
Likely telemetry
- Windows endpoint process creation, command-line, parent-child process, and user context telemetry
- Registry monitoring for Run keys and Startup Folder persistence locations
- File system telemetry for new executables, file deletion, archive creation, unusual timestamp changes, and suspicious placement or naming
- EDR or host logs showing discovery activity against processes, files/directories, remote systems, system time, and local storage
- Network egress metadata from firewall, proxy, DNS, and NDR sources, including beacon patterns, fallback destinations, and protocol mismatch indicators
Detection direction
- Do not rely only on hashes or static signatures; Binary Padding and legitimate-looking names or locations can weaken simple file-based detection.
- Correlate behavior chains: command shell execution followed by discovery, tool transfer, persistence changes, archive creation, or cleanup is more meaningful than any single noisy event.
- Tune network analytics for recurring beacon-like egress, alternate/fallback communication paths, and traffic that appears to impersonate legitimate protocols or services.
- Review detections for Registry Run Key and Startup Folder modifications in user context, especially when paired with newly written executables.
- Account for false positives from administrators, software deployment tools, backup agents, and inventory scripts that legitimately enumerate systems, processes, files, or storage.
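The behavior-chain correlation described in the bullets above, as an added example that is not code from this page, CISA or MITRE: a small Python scorer run over constructed Sysmon-style events (process creation, file creation, network connection). The field names, rule weights, the 6-point alert threshold and the 45 to 90 second retry window are assumptions chosen for illustration; the page itself only states that the implant copies itself to the Startup folder as Narrator.exe, can invoke the Windows command shell, and waits 60 seconds before trying another hard-coded C2 address. The benign case shows the real accessibility tool launched from System32 scoring zero.

```python
"""Behavior-chain scoring for the techniques listed on this page.

Added example, not code from the page, CISA or MITRE. Input events are
constructed in a Sysmon-like shape (event_id 1 = process create,
11 = file create, 3 = network connect); field names, weights and
thresholds are assumptions for illustration, not a product schema.
"""
from collections import defaultdict
from datetime import datetime

# Lower-cased path fragments used by the rules (assumed default locations).
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Names of real Windows binaries an implant might borrow; the page reports Narrator.exe.
WINDOWS_NAMES = {"narrator.exe", "svchost.exe", "explorer.exe"}
ALERT_THRESHOLD = 6            # assumed
RETRY_WINDOW = (45.0, 90.0)    # seconds; brackets the 60 s retry the page describes

STARTUP_IMAGE = ("C:\\Users\\bob\\AppData\\Roaming\\Microsoft\\Windows"
                 "\\Start Menu\\Programs\\Startup\\Narrator.exe")

# Constructed events, not real telemetry.
EVENTS = [
    {"ts": "2020-05-12T09:00:00", "event_id": 11, "pid": 4100,
     "image": "C:\\Users\\bob\\AppData\\Local\\Temp\\setup.exe", "target": STARTUP_IMAGE},
    {"ts": "2020-05-12T09:05:00", "event_id": 1, "pid": 4242, "image": STARTUP_IMAGE,
     "parent_image": "C:\\Windows\\explorer.exe"},
    {"ts": "2020-05-12T09:05:02", "event_id": 3, "pid": 4242, "image": STARTUP_IMAGE, "dest_ip": "203.0.113.10"},
    {"ts": "2020-05-12T09:06:03", "event_id": 3, "pid": 4242, "image": STARTUP_IMAGE, "dest_ip": "198.51.100.7"},
    {"ts": "2020-05-12T09:07:04", "event_id": 3, "pid": 4242, "image": STARTUP_IMAGE, "dest_ip": "192.0.2.44"},
    {"ts": "2020-05-12T09:08:00", "event_id": 1, "pid": 4300, "image": "C:\\Windows\\System32\\cmd.exe",
     "parent_image": STARTUP_IMAGE},
]
# The genuine accessibility tool launched from its normal location must not fire.
BENIGN_EVENTS = [
    {"ts": "2020-05-12T10:00:00", "event_id": 1, "pid": 5000,
     "image": "C:\\Windows\\System32\\Narrator.exe", "parent_image": "C:\\Windows\\explorer.exe"},
]


def _ts(s):
    return datetime.fromisoformat(s)


def is_startup_path(path):
    return STARTUP_MARKER in path.lower()


def masquerades(image):
    """True when the basename is a known Windows binary but the directory is not a system directory."""
    low = image.lower()
    return low.rsplit("\\", 1)[-1] in WINDOWS_NAMES and not low.startswith(LEGIT_DIRS)


def score_host(events):
    score, reasons = 0, []
    suspicious = set()  # lower-cased image paths that tripped the masquerade rule

    # Rule 1: masquerading binary executing, heavier when it runs from a Startup folder
    # (T1036.005 + T1547.001).
    for e in events:
        if e["event_id"] == 1 and masquerades(e["image"]):
            suspicious.add(e["image"].lower())
            weight = 3 if is_startup_path(e["image"]) else 2
            score += weight
            reasons.append(f"T1036.005/T1547.001 masquerading image {e['image']} (+{weight})")

    # Rule 2: an executable written into a Startup folder (T1547.001).
    for e in events:
        if e["event_id"] == 11 and is_startup_path(e["target"]) and e["target"].lower().endswith(".exe"):
            score += 2
            reasons.append(f"T1547.001 executable dropped to Startup: {e['target']} (+2)")

    # Rule 3: command shell spawned by a suspicious image (T1059.003).
    for e in events:
        if (e["event_id"] == 1 and e["image"].lower().endswith("\\cmd.exe")
                and e.get("parent_image", "").lower() in suspicious):
            score += 2
            reasons.append(f"T1059.003 cmd.exe child of {e['parent_image']} (+2)")

    # Rule 4: fallback-channel shape (T1008): one process, two or more distinct
    # destinations, with consecutive attempts spaced like a fixed retry delay.
    attempts = defaultdict(list)
    for e in events:
        if e["event_id"] == 3 and e["image"].lower() in suspicious:
            attempts[e["pid"]].append((_ts(e["ts"]), e["dest_ip"]))
    for pid, conns in attempts.items():
        conns.sort()
        ips = {ip for _, ip in conns}
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(conns, conns[1:])]
        if len(ips) >= 2 and any(RETRY_WINDOW[0] <= g <= RETRY_WINDOW[1] for g in gaps):
            score += 3
            reasons.append(f"T1008 pid {pid} rotated across {len(ips)} destinations with retry-like gaps (+3)")

    return {"score": score, "alert": score >= ALERT_THRESHOLD, "reasons": reasons}


if __name__ == "__main__":
    for label, evs in (("suspicious host", EVENTS), ("benign host", BENIGN_EVENTS)):
        print(label, score_host(evs))
```

The weights are deliberately additive rather than any-one-rule-fires: administrators do drop shortcuts into Startup folders and inventory scripts do spawn cmd.exe, which is the false-positive point made in the last bullet, but a masquerading image in a user Startup folder that shells out and rotates destinations on a fixed timer is a chain worth an analyst's time.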
Mitigation priorities
- Ensure Windows endpoint protection and logging are enabled on systems where business impact would be material.
- Restrict and monitor outbound connectivity so command-and-control and fallback channels have fewer ungoverned paths.
- Harden persistence locations by monitoring and controlling Registry Run keys and Startup folders.
- Preserve sufficient endpoint and network logs for IR review of deletion, timestomping, tool transfer, and discovery activity.
- Use application control or execution policy where feasible to reduce unauthorized binaries and command shell abuse.
Analyst notes and limits
This take is derived from the supplied ATT&CK malware object, its CISA external reference, and the listed ATT&CK relationships. The most useful defensive value comes from mapping TAINTEDSCRIBE to its related behaviors rather than treating it as a standalone malware name.
ATT&CK does not provide official detection guidance, aliases, labels, or explicit tactics on the malware object itself. Platform support for the malware is supplied as Windows; some related techniques list broader platforms, but those should not be assumed for TAINTEDSCRIBE without additional source evidence. Local telemetry, environment baselines, and incident artifacts are required to confirm exposure or activity.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1018 | Remote System Discovery | The TAINTEDSCRIBE command and execution module can perform target system enumeration.[1] |
| Enterprise | T1027.001 | Binary Padding | TAINTEDSCRIBE can execute |
| Enterprise | T1070.006 | Timestomp | TAINTEDSCRIBE can change the timestamp of specified filenames.[1] |
| Enterprise | T1083 | File and Directory Discovery | TAINTEDSCRIBE can use |
| Enterprise | T1560 | Archive Collected Data | TAINTEDSCRIBE has used |
| Enterprise | T1057 | Process Discovery | TAINTEDSCRIBE can execute |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | The TAINTEDSCRIBE main executable has disguised itself as Microsoft’s Narrator.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | TAINTEDSCRIBE can copy itself into the current user’s Startup folder as “Narrator.exe” for persistence.[1] |
| Enterprise | T1059.003 | Windows Command Shell | TAINTEDSCRIBE can enable Windows CLI access and execute files.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography | TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.[1] |
| Enterprise | T1001.003 | Protocol or Service Impersonation | TAINTEDSCRIBE has used FakeTLS for session authentication.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | TAINTEDSCRIBE can download additional modules from its C2 server.[1] |
| Enterprise | T1124 | System Time Discovery | TAINTEDSCRIBE can execute |
| Enterprise | T1008 | Fallback Channels | TAINTEDSCRIBE can randomly pick one of five hard-coded IP addresses for C2 communication; if one IP fails, it will wait 60 seconds and then try another IP address.[1] |
| Enterprise | T1070.004 | File Deletion | TAINTEDSCRIBE can delete files from a compromised host.[1] |
| Enterprise | T1680 | Local Storage Discovery | TAINTEDSCRIBE can use |
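A structural conformance check for the protocol-impersonation row above (T1001.003) and for the Detection direction bullet on traffic that impersonates legitimate protocols, as an added example that is not code from this page, CISA or MITRE. The page says only that TAINTEDSCRIBE has used FakeTLS for session authentication; this code does not reproduce that format or any real sample. It builds a constructed, well-formed TLS ClientHello and then checks any record carrying a TLS handshake header for internal length consistency and a parseable server_name extension, so a session whose TLS-looking record header wraps a payload that is not a handshake is flagged for analyst review. The builder, the checker and the opaque sample record are all constructed for illustration.

```python
"""Structural check of a TLS ClientHello record.

Added example, not code from the page, CISA or MITRE, and not a parser for
any real implant's traffic. Flags records whose outer TLS framing does not
match a parseable ClientHello, the generic shape of "fake TLS" framing.
"""
import struct

TLS_VERSIONS = {0x0301, 0x0302, 0x0303}   # TLS 1.0 to 1.2 on the wire (1.3 also uses 0x0303)


def build_client_hello(sni, cipher_suites=(0x1301, 0xC02F)):
    """Construct a structurally valid ClientHello record (constructed test input, zeroed random)."""
    host = sni.encode("ascii")
    sni_entry = struct.pack("!BH", 0, len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext_sni = struct.pack("!HH", 0, len(sni_list)) + sni_list    # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext_sni)) + ext_sni
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (struct.pack("!H", 0x0303) + bytes(32)                # client_version, random
            + b"\x00"                                            # session_id length 0
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                        # one compression method: null
            + extensions)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body    # HandshakeType client_hello
    return struct.pack("!BHH", 0x16, 0x0301, len(handshake)) + handshake


# Constructed "fake TLS" sample: a valid-looking handshake record header around an
# opaque 40-byte payload that is not a ClientHello.
OPAQUE_PAYLOAD = bytes(range(1, 41))
FAKE_RECORD = struct.pack("!BHH", 0x16, 0x0303, len(OPAQUE_PAYLOAD)) + OPAQUE_PAYLOAD


def check_client_hello(data):
    """Return {'ok', 'problems', 'sni'} for the first record of a client-to-server stream."""
    problems, sni = [], None
    if len(data) < 9:
        return {"ok": False, "problems": ["record too short"], "sni": None}
    ctype, rver, rlen = struct.unpack("!BHH", data[:5])
    if ctype != 0x16:
        problems.append("record type is not handshake")
    if rver not in TLS_VERSIONS:
        problems.append("unexpected record version")
    if rlen != len(data) - 5:
        problems.append("record length does not match payload")
    hs = data[5:]
    if hs[0] != 0x01:
        problems.append("handshake type is not ClientHello")
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        problems.append("handshake length does not match payload")
    try:
        pos = 4
        (cver,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
        if cver not in TLS_VERSIONS:
            problems.append("unexpected client version")
        pos += 32                                        # client random
        pos += 1 + hs[pos]                               # session_id
        (cs_len,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
        if cs_len == 0 or cs_len % 2:
            problems.append("cipher suite list length is invalid")
        pos += cs_len
        cm_len = hs[pos]; pos += 1
        if cm_len == 0:
            problems.append("no compression method listed")
        pos += cm_len
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2]); pos += 2
        end = pos + ext_len
        if end != len(hs):
            problems.append("extensions length does not match payload")
        while pos + 4 <= end:                            # walk extensions; pull out server_name
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4]); pos += 4
            edata = hs[pos:pos + elen]; pos += elen
            if etype == 0 and len(edata) >= 5:
                (name_len,) = struct.unpack("!H", edata[3:5])
                sni = edata[5:5 + name_len].decode("ascii", "replace")
        if pos != end:
            problems.append("extension walk did not end on the record boundary")
    except (struct.error, IndexError):
        problems.append("ClientHello fields truncated")
    return {"ok": not problems, "problems": problems, "sni": sni}


if __name__ == "__main__":
    print(check_client_hello(build_client_hello("update.example.com")))
    print(check_client_hello(FAKE_RECORD))
```

Run this on the first client-to-server record of a session only, and treat a failure as one more signal to pair with beacon timing and destination rotation rather than a verdict: a clean ClientHello proves nothing by itself, since real TLS libraries front plenty of malicious sessions, and a failure on port 443 is also what some non-TLS services produce.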
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB).[1][2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object hash and MITRE modification timestamp. For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 43b36344e9cf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash, so the exact object from the mirrored bundle can be retrieved when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. CISA Malware Analysis Report. Retrieved March 5, 2021.
[2] MITRE ATT&CK. S0586: TAINTEDSCRIBE.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.