S0632: GrimAgent
GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[1]
Analyst context for executives and security teams
GrimAgent matters because ATT&CK describes it as a Windows backdoor observed before Ryuk ransomware deployment. For leaders, the key decision value is not the malware name itself, but whether the organization can recognize backdoor behavior that enables discovery, persistence, command-and-control, tool transfer, data collection, and exfiltration before a ransomware event becomes operationally disruptive.
Executive priority
Treat GrimAgent as a ransomware-predecessor readiness use case. Security leaders should ask whether Windows endpoint, network, and proxy telemetry can show: new persistence through scheduled tasks or Run keys, suspicious command shell activity, host and file discovery, unusual web-based C2, inbound tool transfer, and data leaving over the same channel. This is useful for incident response preparedness, managed detection validation, control prioritization, and audit evidence that the organization can detect and investigate pre-ransomware intrusion activity rather than only final-stage encryption.
Technical view
ATT&CK provides no dedicated detection text for GrimAgent, so defenders should validate coverage through the related behaviors. On Windows, prioritize detections for Scheduled Task creation or modification, Registry Run key and Startup Folder persistence, suspicious cmd.exe execution, file and directory enumeration, system/user/network discovery, local data collection, file deletion, persistence cleanup, ingress tool transfer, and web-protocol C2 using encoding, junk data, or symmetric cryptography. Because the object is associated with obfuscation, binary padding, decoding/deobfuscation, mutex checks, and time-based checks, static hash-only detection and sandbox-only analysis are likely weak control points.
Likely telemetry
- Windows process creation and command-line logging
- Windows Scheduled Task creation, modification, and execution events
- Windows Registry monitoring for Run keys and Startup Folder persistence paths
- Endpoint file creation, deletion, rename, and directory enumeration activity
- EDR or host telemetry for mutex creation, API usage, and suspicious process behavior
Detection direction
- Map existing detections to the related ATT&CK techniques rather than relying on a GrimAgent signature alone.
- Correlate persistence events with nearby command shell execution, discovery commands, tool transfer, outbound web traffic, and file cleanup activity.
- Tune web C2 analytics for suspicious encoded content, junk data patterns, unusual destinations, and data exfiltration over the same channel, while accounting for normal enterprise web traffic volume.
- Review whether file size limits, binary padding, encryption, or obfuscation reduce endpoint scanning and malware-analysis effectiveness.
- Validate that cleanup behaviors such as file deletion and removal of persistence artifacts are retained in logs long enough for incident reconstruction.
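As an added illustration of the correlation approach described in the bullets above (example code, not part of the ATT&CK page or any Glexia tooling), this Python sketch groups Windows Security events per host and alerts when persistence, shell, discovery and cleanup stages land inside one time window. The event IDs 4688, 4698 and 4699 are real Windows Security IDs; the record layout, host names and command lines are constructed.

```python
"""Correlate persistence, shell, discovery and cleanup activity per host.
Added example, not page or project code. Event IDs are real Windows Security
IDs (4688 process created, 4698 task created, 4699 task deleted); the
record layout, host names and command lines below are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, host, event_id, detail).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:00", "WS01", 4688, "schtasks.exe /create /tn Update /tr C:\\Users\\Public\\up.exe"),
    ("2024-03-01T09:00:01", "WS01", 4698, "task=Update"),
    ("2024-03-01T09:01:00", "WS01", 4688, "cmd.exe /c whoami"),
    ("2024-03-01T09:03:25", "WS01", 4688, "cmd.exe /c del C:\\Users\\Public\\old.exe"),
    ("2024-03-01T09:03:26", "WS01", 4699, "task=Update"),
    ("2024-03-01T09:10:00", "WS02", 4698, "task=BackupNightly"),  # persistence alone: no alert
    ("2024-03-01T13:00:00", "WS03", 4688, "cmd.exe /c dir"),       # shell alone: no alert
]

DISCOVERY_CMDS = ("whoami", "ipconfig", "systeminfo")  # host/user/network discovery

def classify(event_id, detail):
    """Map one event to a behaviour stage, or None if it is not of interest."""
    d = detail.lower()
    if event_id == 4698 or (event_id == 4688 and "schtasks" in d):
        return "persistence"
    if event_id == 4699:
        return "cleanup"
    if event_id == 4688 and "cmd.exe" in d:
        if " del " in d:
            return "cleanup"
        return "discovery" if any(c in d for c in DISCOVERY_CMDS) else "shell"
    return None

def correlate(events, window_minutes=10, min_stages=2):
    """Return {host: sorted stages} where >= min_stages distinct stages share one window."""
    by_host = defaultdict(list)
    for ts, host, eid, detail in events:
        stage = classify(eid, detail)
        if stage:
            by_host[host].append((datetime.fromisoformat(ts), stage))
    alerts = {}
    window = timedelta(minutes=window_minutes)
    for host, items in by_host.items():
        items.sort()  # chronological, so each start anchors a forward-looking window
        for i, (start, _) in enumerate(items):
            stages = {s for t, s in items[i:] if t - start <= window}
            if len(stages) >= min_stages:
                alerts[host] = sorted(stages)
                break
    return alerts
```

Tuning `window_minutes` and `min_stages` trades false positives against missed slow-moving intrusions; a single persistence or shell event on its own never alerts.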
Mitigation priorities
- Prioritize hardening and monitoring of Windows persistence locations, especially Scheduled Tasks, Registry Run keys, and Startup Folder paths.
- Restrict and monitor command shell usage where business processes allow, with emphasis on unusual parent-child process chains.
- Improve outbound network control and logging for web protocols, including proxy visibility and egress review for unmanaged destinations.
- Ensure endpoint controls can inspect or detonate large, padded, obfuscated, or encoded binaries where feasible.
- Maintain incident response playbooks for pre-ransomware backdoor activity, including host isolation, credential review, persistence removal, and evidence preservation.
Analyst notes and limits
The strongest business relevance is the ATT&CK description that GrimAgent has been used before Ryuk ransomware deployment and is likely used by FIN6 and Wizard Spider. The most actionable defensive content comes from the related techniques: Windows persistence, execution, discovery, C2, tool transfer, local collection, exfiltration, obfuscation, and cleanup. Attribution should remain tentative because the supplied description says "likely used", not that the backdoor is exclusive to those groups.
MITRE does not provide official detection guidance for this malware object, and the object-level tactics are not specified. The supplied platform is Windows, although several related techniques are cross-platform in ATT&CK. Local telemetry, baselines, malware samples, and incident evidence are required to determine actual exposure or detection coverage.
GrimAgent
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | GrimAgent can set persistence with a Registry run key.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | GrimAgent can use the Windows Command Shell to execute commands, including its own removal.[1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | GrimAgent has the ability to set persistence using the Task Scheduler.[1] |
| Enterprise | T1005 | Data from Local System | GrimAgent can collect data and files from a compromised host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | GrimAgent can identify the user ID on a target machine.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | GrimAgent can use a hardcoded server public RSA key to encrypt the first request to C2.[1] |
| Enterprise | T1083 | File and Directory Discovery | GrimAgent has the ability to enumerate files and directories on a compromised host.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | GrimAgent has the ability to download and execute additional payloads.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | GrimAgent can enumerate the IP and domain of a target system.[1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | GrimAgent can base64-encode C2 replies.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | GrimAgent can use an AES key to encrypt C2 communications.[1] |
| Enterprise | T1106 | Native API | GrimAgent can use Native API including |
| Enterprise | T1480.002 | Mutual Exclusion Sub-technique | GrimAgent uses the last 64 bytes of the binary to compute a mutex name. If the generated name is invalid, it will default to the generic `mymutex`.[1] |
| Enterprise | T1614.001 | System Language Discovery Sub-technique | GrimAgent has used |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | GrimAgent can sleep for 195-205 seconds after payload execution and before deleting its task.[1] |
| Enterprise | T1614 | System Location Discovery | GrimAgent can identify the country code on a compromised host.[1] |
| Enterprise | T1070.009 | Clear Persistence Sub-technique | GrimAgent can delete previously created tasks on a compromised host.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | GrimAgent can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality.[1] |
| Enterprise | T1001.001 | Junk Data Sub-technique | GrimAgent can pad C2 messages with randomly generated values.[1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | GrimAgent can delete old binaries on a compromised host.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | GrimAgent has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | GrimAgent has the ability to use HTTP for C2 communications.[1] |
| Enterprise | T1082 | System Information Discovery | GrimAgent can collect the OS and build version on a compromised host.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | GrimAgent has sent data related to a compromised host over its C2 channel.[1] |
| Enterprise | T1027.001 | Binary Padding Sub-technique | GrimAgent has the ability to add bytes to change the file hash.[1] |
Groups, software, and campaigns
G0037: FIN6
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 70bd28a09a4e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Group IB GrimAgent July 2021. Priego, A. (2021, July). The Brothers Grim: The Reversing Tale of GrimAgent Malware Used by Ryuk. Retrieved September 19, 2024.
[2] mitre-attack S0632.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.