S0630: Nebulae
Analyst context for executives and security teams
Nebulae is a Windows backdoor tracked in ATT&CK, which MITRE associates with Naikon and documents through a 2021 Bitdefender report. Its value for defenders is not a single signature but the pattern of behavior around persistence, command execution, discovery, file collection, tool transfer, encrypted and non-application-layer command and control, and cleanup. For leaders, this is a reminder that backdoor readiness depends on endpoint visibility, Windows persistence monitoring, network egress governance, and the incident response ability to reconstruct host activity even when files have been deleted.
Executive priority
Treat Nebulae as a control-validation case for Windows endpoint resilience and espionage-style intrusion readiness. Priority questions include: can the organization prove coverage for suspicious Windows services, Run keys/startup persistence, DLL abuse, command shell execution, local discovery, inbound tool transfer, unusual C2 protocols, and file deletion? Because ATT&CK provides no dedicated detection text for this malware, assurance should come from tested telemetry and investigation playbooks rather than assumptions about malware-name detection.
Technical view
ATT&CK lists Nebulae as Windows malware and relates it to techniques including Windows Command Shell, Native API, Windows Service persistence, Registry Run Keys/Startup Folder, DLL abuse, masquerading, file and process discovery, local data collection, ingress tool transfer, non-application-layer protocol C2, symmetric cryptography, and file deletion. SOC and IR teams should validate behavior-based detections across these chains: creation or modification of services and autoruns; suspicious DLL loading or naming/location mismatches; cmd.exe-driven discovery and file operations; unexpected file transfer into hosts; anomalous encrypted or non-standard egress; and deletion of dropped tools or staging files. Relationship context ties the malware to Naikon, but local triage should avoid attribution conclusions unless supported by environment-specific evidence.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service creation/modification events and related Registry changes
- Registry Run key and Startup folder monitoring
- DLL load events, module paths, and executable-to-DLL relationship data
- File creation, rename, staging, and deletion events
Detection direction
- Build detections around the related behaviors rather than the malware name, since official ATT&CK detection guidance is not provided.
- Correlate persistence events with execution and network activity: new or changed Windows services, Run keys, startup entries, or DLL activity followed by command shell use or outbound connections should receive higher priority.
- Tune masquerading analytics for names and paths that resemble legitimate Windows resources, while accounting for legitimate software updates and administrative tooling to reduce false positives.
- Look for discovery sequences involving process, file, directory, and local storage enumeration, especially when performed by unexpected processes or newly observed binaries.
- Validate visibility into file deletion after execution or staging, since cleanup behavior can reduce forensic evidence and complicate incident scoping.
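As an added illustration of the correlation and masquerading points above (not code from the ATT&CK object or the Bitdefender report), the Python below scores constructed Windows telemetry: a service or Run key persistence event followed within a window by cmd.exe execution and an outbound TCP connection on the same host, with a bonus for a service name that imitates a legitimate one. Host names, file paths, the address 203.0.113.5 and the legitimate-name list are all constructed placeholders.

```python
from datetime import datetime, timedelta

# Illustrative allow-list of legitimate names a masquerading service might imitate.
LEGIT_SERVICE_NAMES = {"Windows Update Agent", "Windows Update", "Windows Time"}

def looks_masqueraded(name):
    """True when a service name resembles a legitimate name without matching it,
    e.g. only a trailing digit or extra whitespace differs. Exact matches pass."""
    n = name.strip()
    if n in LEGIT_SERVICE_NAMES:
        return False
    return n.rstrip("0123456789").rstrip() in LEGIT_SERVICE_NAMES

def correlate(events, window=timedelta(minutes=30)):
    """Per host, anchor on persistence ('service' or 'runkey') and look for
    cmd.exe execution and outbound network activity within the window.
    Score: 1 persistence + 1 shell + 1 egress + 1 masqueraded service name."""
    by_host = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_host.setdefault(e["host"], []).append(e)
    alerts = []
    for host, evs in by_host.items():
        for anchor in (e for e in evs if e["kind"] in ("service", "runkey")):
            later = [e for e in evs if anchor["ts"] < e["ts"] <= anchor["ts"] + window]
            shell = any(e["kind"] == "process" and e.get("image", "").lower().endswith("cmd.exe")
                        for e in later)
            egress = any(e["kind"] == "network" and e.get("direction") == "outbound"
                         for e in later)
            score = 1 + int(shell) + int(egress)
            if anchor["kind"] == "service" and looks_masqueraded(anchor["name"]):
                score += 1
            if score >= 2:  # persistence alone is not alerted; chains are
                alerts.append({"host": host, "persistence": anchor["kind"],
                               "score": score, "shell": shell, "egress": egress})
    return alerts

T = datetime.fromisoformat
SAMPLE_EVENTS = [  # constructed telemetry, not real indicators
    {"ts": T("2021-04-01T10:00:00"), "host": "WS01", "kind": "service",
     "name": "Windows Update Agent1", "image": r"C:\ProgramData\svc\update.exe"},
    {"ts": T("2021-04-01T10:02:00"), "host": "WS01", "kind": "process",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\ProgramData\svc\update.exe"},
    {"ts": T("2021-04-01T10:03:00"), "host": "WS01", "kind": "network",
     "direction": "outbound", "dst": "203.0.113.5:4455"},
    {"ts": T("2021-04-01T11:00:00"), "host": "WS02", "kind": "service",
     "name": "Windows Update", "image": r"C:\Windows\System32\svchost.exe"},
    {"ts": T("2021-04-01T12:00:00"), "host": "WS03", "kind": "runkey",
     "name": "Updater", "image": r"C:\Users\a\AppData\Roaming\up.exe"},
    {"ts": T("2021-04-01T12:05:00"), "host": "WS03", "kind": "process",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\a\AppData\Roaming\up.exe"},
]

if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a)
```

WS01 scores 4 (masqueraded service, shell, egress), WS03 scores 2 (Run key plus shell), and the exact legitimate name on WS02 is not flagged.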
Mitigation priorities
- Prioritize hardening and monitoring of Windows persistence locations, including services, Run keys, Startup folders, and DLL search/load behavior.
- Restrict and audit administrative ability to create services, modify autoruns, and place executables or DLLs in trusted locations.
- Apply egress controls and protocol governance so unusual outbound channels and unsanctioned encrypted communications are visible and actionable.
- Ensure EDR or equivalent controls retain process, file, Registry, module-load, and network telemetry long enough to support incident reconstruction after file deletion.
- Maintain tested IR playbooks for backdoor investigations, including host isolation, persistence review, timeline reconstruction, and collection of volatile artifacts where appropriate.
Analyst notes and limits
The supplied ATT&CK object identifies Nebulae as a Windows backdoor used by Naikon since at least 2020 and provides a Bitdefender external reference. The relationship set is rich enough to drive behavior-based defensive validation across persistence, execution, discovery, collection, C2, transfer, stealth, and cleanup. Several related techniques have broader ATT&CK platform lists, but this take treats Nebulae itself as Windows because that is the platform supplied for the malware object.
Official detection text is not provided, and the supplied object does not include indicators, hashes, C2 infrastructure, procedures, prevalence, victim details, or confirmed current activity. Any assessment of exposure, detection coverage, or attribution requires local telemetry, case evidence, and intelligence validation.
Nebulae
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Nebulae can download files from C2. [1] |
| Enterprise | T1680 | Local Storage Discovery | Nebulae can discover logical drive information including the drive type, free space, and volume information. [1] |
| Enterprise | T1005 | Data from Local System | Nebulae has the capability to upload collected files to C2. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Nebulae can use TCP in C2 communications. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Nebulae can achieve persistence through a Registry Run key. [1] |
| Enterprise | T1057 | Process Discovery | Nebulae can enumerate processes on a target system. [1] |
| Enterprise | T1106 | Native API | Nebulae has the ability to use |
| Enterprise | T1036.004 | Masquerade Task or Service | Nebulae has created a service named "Windows Update Agent1" to appear legitimate. [1] |
| Enterprise | T1070.004 | File Deletion | Nebulae has the ability to delete files and directories. [1] |
| Enterprise | T1543.003 | Windows Service | Nebulae can create a service to establish persistence. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | Nebulae uses functions named |
| Enterprise | T1574.001 | DLL | Nebulae can use DLL side-loading to gain execution. [1] |
| Enterprise | T1059.003 | Windows Command Shell | Nebulae can use CMD to execute a process. [1] |
| Enterprise | T1083 | File and Directory Discovery | Nebulae can list files and directories on a compromised host. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography | Nebulae can use RC4 and XOR to encrypt C2 communications. [1] |
Groups, software, and campaigns
G0019: Naikon
Naikon is assessed to be a state-sponsored cyber espionage group attributed to the Chinese People’s Liberation Army’s (PLA) Chengdu Military Region Second Technical Reconnaissance Bureau (Military Unit Cover Designator 78020).[1] Active since at least 2010, Naikon has primarily conducted operations against government, military, and civil organizations in Southeast Asia, as well as against international bodies such as the United Nations Development Programme (UNDP) and the Association of Southeast Asian Nations (ASEAN).[1][2]
While Naikon shares some characteristics with APT30, the two groups do not appear to be exact matches.[3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 058aee646eaf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Bitdefender Naikon April 2021: Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021.
[2] mitre-attack S0630.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.