MITRE ATT&CK® Malware

S0629: RainyDay

RainyDay is a backdoor tool that has been used by Naikon since at least 2020.[1]

Enterprise | S0629 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

RainyDay is a Windows backdoor associated in ATT&CK with Naikon and reported as used since at least 2020. Its value to defenders is not in a single signature from the ATT&CK record—none is provided—but in the behavior chain ATT&CK relates to it: persistence through scheduled tasks or Windows services, discovery, command execution, credential access, collection, staging, command-and-control, tool transfer, and exfiltration to cloud storage. For leaders, this is a reminder that backdoor risk is usually decided by whether the organization can prove visibility across endpoints, credentials, outbound traffic, and data movement—not just whether malware alerts exist.

Executive priority

Treat RainyDay as a coverage-validation case for Windows endpoint resilience and espionage-style intrusion readiness. Priority questions include: Can the SOC see suspicious Windows service and scheduled task changes? Can incident responders reconstruct local discovery, credential access, data staging, and file deletion? Are browser and Windows Credential Manager protections and monitoring in scope? Can cloud storage exfiltration be distinguished from normal business use? Because ATT&CK provides no official detection text for this malware, risk owners should avoid assuming tool-specific coverage and instead require evidence that related behaviors are logged, alerted, and response-tested.

Technical view

ATT&CK lists RainyDay as Windows malware and relates it to techniques spanning execution, persistence, privilege escalation, discovery, credential access, collection, command-and-control, exfiltration, and stealth. SOC and IR teams should validate detection logic around Windows Command Shell activity, native API-driven behavior where telemetry allows, new or modified scheduled tasks and Windows services, service/task masquerading, suspicious file names or locations, process/service/file discovery, local data staging, screen capture, browser and Windows Credential Manager access, tool ingress, proxy or fallback C2 behavior, web-protocol and non-application-layer communications, file deletion, and encoded/encrypted artifacts followed by decoding activity. The Naikon relationship should be used for threat-intelligence context, not as proof of current local exposure.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Windows service creation/modification events and related registry/service configuration data
  • Scheduled task creation, modification, and execution telemetry
  • File system events for staging directories, suspicious file placement, encoded/encrypted artifacts, and file deletion
  • Endpoint security/EDR observations for native API use, screen capture behavior, tool transfer, and credential store access

Detection direction

  • Build coverage around the related ATT&CK behaviors rather than a malware name alone, since official ATT&CK detection guidance is not provided for RainyDay.
  • Correlate persistence indicators—new scheduled tasks, new or modified Windows services, and masqueraded task/service names—with unusual parent processes, command shell use, or recently written binaries.
  • Tune discovery detections for clusters of process, service, file, and directory enumeration, especially when followed by staging, credential access, tool transfer, or outbound network activity.
  • Validate monitoring for access to browser credential stores and Windows Credential Manager, with care for administrative tools and legitimate credential-management workflows that may generate false positives.
  • Review outbound network analytics for unusual web-protocol communications, proxy behavior, fallback destinations, or non-application-layer protocol usage, while accounting for normal enterprise web and cloud traffic.
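As an added example (not part of the ATT&CK record or the Glexia analysis), the Python below runs the persistence-correlation idea from the second bullet over constructed service-installation, task-creation and file-write events, using the names the relationship table attributes to RainyDay ("ChromeCheck", "googleupdate", "vmtoolsd.exe", C:\ProgramData\Adobe\temp). The trusted install roots, the vendor-word list, the 30-minute window and the binary names are assumptions chosen for the example.

```python
from datetime import datetime, timedelta

# Assumption: legitimately installed software normally lives under these roots.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Vendor words the RainyDay procedures imitate (ChromeCheck, googleupdate, vmtoolsd.exe,
# staging under an Adobe-named folder); a benign vendor binary lives under a trusted root.
MIMICKED_VENDORS = ("chrome", "google", "vmtools", "adobe")
# Assumption: a binary written shortly before it is registered for persistence is suspicious.
RECENT_WRITE_WINDOW = timedelta(minutes=30)

# Constructed events (not real telemetry): normalized from Windows service/task/file logs.
SAMPLE_EVENTS = [
    {"ts": "2021-04-01T10:00:00", "type": "file_write",
     "path": "C:\\ProgramData\\Adobe\\temp\\svc.exe"},
    {"ts": "2021-04-01T10:02:00", "type": "service_installed", "name": "ChromeCheck",
     "image": "C:\\ProgramData\\Adobe\\temp\\svc.exe"},
    {"ts": "2021-04-01T10:05:00", "type": "task_created", "name": "googleupdate",
     "image": "C:\\Users\\Public\\vmtoolsd.exe"},
    {"ts": "2021-04-01T11:00:00", "type": "service_installed", "name": "gupdate",
     "image": "C:\\Program Files (x86)\\Google\\Update\\GoogleUpdate.exe"},  # benign
]


def analyze(events):
    """Flag service/task persistence whose binary sits outside trusted roots, carries a
    vendor-like name there, or was written shortly before registration. Returns findings."""
    events = sorted(events, key=lambda e: e["ts"])
    writes = {}  # lower-cased path -> latest write time seen so far
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "file_write":
            writes[e["path"].lower()] = ts
            continue
        if e["type"] not in ("service_installed", "task_created"):
            continue
        image = e["image"].lower()
        trusted = image.startswith(TRUSTED_ROOTS)
        reasons = []
        if not trusted:
            reasons.append("binary outside trusted install roots")
        if not trusted and any(v in e["name"].lower() or v in image for v in MIMICKED_VENDORS):
            reasons.append("vendor-like name or path outside vendor install location")
        written = writes.get(image)
        if written is not None and ts - written <= RECENT_WRITE_WINDOW:
            reasons.append("binary written %d min before persistence" % ((ts - written).seconds // 60))
        if reasons:
            findings.append({"ts": e["ts"], "type": e["type"], "name": e["name"],
                             "image": e["image"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["ts"], f["type"], f["name"], f["image"], "; ".join(f["reasons"]))
```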

Mitigation priorities

  • Prioritize Windows endpoint logging and EDR coverage for process creation, command lines, services, scheduled tasks, file writes/deletions, and credential-store access.
  • Harden and monitor persistence surfaces: restrict who can create services and scheduled tasks, review privileged group membership, and baseline legitimate task/service names and paths.
  • Reduce credential exposure by limiting saved browser credentials where feasible, strengthening Windows credential protections, and enforcing least privilege for accounts used on endpoints.
  • Control and monitor outbound communications, including proxy use, unusual protocols, and cloud storage access, with business-approved destinations and investigation workflows for exceptions.
  • Prepare IR playbooks that collect persistence inventories, process trees, credential-access evidence, staged files, deleted-file indicators, and cloud transfer records from affected Windows systems.

Analyst notes and limits

The ATT&CK object identifies RainyDay as a Windows backdoor used by Naikon since at least 2020 and provides one external Bitdefender reference. The object itself has no ATT&CK tactics listed and no official detection text; the practical defensive view above is derived from the supplied relationship context showing the techniques RainyDay uses. Several related techniques list non-Windows platforms in their general ATT&CK descriptions, but RainyDay’s supplied platform is Windows, so Windows should be treated as the supported scope for this object.

This take is limited to the supplied STIX fields, external references, and relationships. It does not include indicators of compromise, hashes, infrastructure, exploit details, prevalence, current activity, or guaranteed detection logic. Organizations need local endpoint, identity, network, and cloud telemetry to determine exposure or coverage.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

25 rows
Domain | ID | Name | Relationship / procedure

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
  RainyDay has used names to mimic legitimate software including "vmtoolsd.exe" to spoof Vmtools. [1]

Enterprise | T1106 | Native API
  The file collection tool used by RainyDay can utilize native API including ReadDirectoryChangeW for folder monitoring. [1]

Enterprise | T1070.004 | File Deletion (sub-technique)
  RainyDay has the ability to uninstall itself by deleting its service and files. [1]

Enterprise | T1567.002 | Exfiltration to Cloud Storage (sub-technique)
  RainyDay can use a file exfiltration tool to upload specific files to Dropbox. [1]

Enterprise | T1105 | Ingress Tool Transfer
  RainyDay can download files to a compromised host. [1]

Enterprise | T1140 | Deobfuscate/Decode Files or Information
  RainyDay can decrypt its payload via an XOR key. [1]

Enterprise | T1071.001 | Web Protocols (sub-technique)
  RainyDay can use HTTP in C2 communications. [1]

Enterprise | T1036.004 | Masquerade Task or Service (sub-technique)
  RainyDay has named services and scheduled tasks to appear benign, including "ChromeCheck" and "googleupdate". [1]

Enterprise | T1007 | System Service Discovery
  RainyDay can create and register a service for execution. [1]

Enterprise | T1057 | Process Discovery
  RainyDay can enumerate processes on a target system. [1]

Enterprise | T1074.001 | Local Data Staging (sub-technique)
  RainyDay can use a file exfiltration tool to copy files to C:\ProgramData\Adobe\temp prior to exfiltration. [1]

Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique)
  RainyDay can use tools to collect credentials from web browsers. [1]

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
  RainyDay has been downloaded as an XOR-encrypted payload. [1]

Enterprise | T1008 | Fallback Channels
  RainyDay has the ability to switch between TCP and HTTP for C2 if one method is not working. [1]

Enterprise | T1543.003 | Windows Service (sub-technique)
  RainyDay can use services to establish persistence. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  RainyDay can use the Windows Command Shell for execution. [1]

Enterprise | T1090 | Proxy
  RainyDay can use proxy tools including boost_proxy_client for reverse proxy functionality. [1]

Enterprise | T1113 | Screen Capture
  RainyDay has the ability to capture screenshots. [1]

Enterprise | T1083 | File and Directory Discovery
  RainyDay can use a file exfiltration tool to collect recently changed files with specific extensions. [1]

Enterprise | T1555.004 | Windows Credential Manager (sub-technique)
  RainyDay can use the QuarksPwDump tool to obtain local passwords and domain cached credentials. [1]

Enterprise | T1053.005 | Scheduled Task (sub-technique)
  RainyDay can use scheduled tasks to achieve persistence. [1]

Enterprise | T1095 | Non-Application Layer Protocol
  RainyDay can use TCP in C2 communications. [1]

Enterprise | T1573.001 | Symmetric Cryptography (sub-technique)
  RainyDay can use RC4 to encrypt C2 communications. [1]

Enterprise | T1574.001 | DLL (sub-technique)
  RainyDay can use side-loading to run malicious executables. [1]

Enterprise | T1005 | Data from Local System
  RainyDay can use a file exfiltration tool to collect recently changed files on a compromised host. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0019: Naikon

Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]

While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 008c324ce07b0c52...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 008c324ce07b…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Bitdefender Naikon April 2021: Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
  2. [2] mitre-attack S0629

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.