S0637: NativeZone
NativeZone is the name given collectively to disposable custom Cobalt Strike loaders used by APT29 since at least 2021.[1][2]
Analyst context for executives and security teams
NativeZone matters because ATT&CK describes it as disposable custom Cobalt Strike loaders associated with APT29 activity on Windows. For leaders, the key issue is not a single malware family signature; it is whether the organization can recognize early-stage loader behavior that may be renamed, encoded, guarded to run only in certain environments, or proxied through legitimate Windows utilities such as rundll32.exe.
Executive priority
Treat NativeZone as a readiness test for Windows endpoint visibility, user-executed file controls, and incident response triage. Because MITRE provides no official detection guidance and the loader is described as disposable, security leaders should prioritize evidence that controls can detect behavior patterns tied to the related ATT&CK techniques rather than relying only on known hashes or static indicators. This is relevant to managed detection quality, audit evidence for endpoint monitoring, and response decisions when suspicious loaders or Cobalt Strike-related activity are suspected.
Technical view
Validate coverage for Windows execution chains involving malicious files, masqueraded artifacts, decoding or deobfuscation behavior, rundll32.exe proxy execution, execution guardrails, and system checks that may indicate sandbox or environment awareness. SOC and IR teams should correlate process creation, file metadata, command-line arguments, parent-child process relationships, file origin, and any decoding or DLL-loading activity. Because tactics are not specified for the malware object and official detection text is absent, detections should be built from the supplied relationships to T1204.002, T1036, T1140, T1218.011, T1480, and T1497.001 rather than from the software page alone.
Likely telemetry
- Windows process creation events including parent-child process relationships
- Command-line telemetry for rundll32.exe and file execution
- Endpoint file creation, rename, path, extension, and metadata observations
- Script, DLL, and module load telemetry where available
- Evidence of file decoding or deobfuscation activity
Detection direction
- Do not depend only on NativeZone names, hashes, or static signatures because the ATT&CK description characterizes the loaders as disposable custom loaders.
- Tune detections for suspicious rundll32.exe usage, especially unusual DLL paths, exported function patterns, unexpected parent processes, or execution from user-writable locations.
- Hunt for masquerading indicators such as misleading filenames, locations, extensions, or metadata that make a malicious artifact appear legitimate.
- Look for decode or deobfuscation behavior before payload execution, but account for legitimate administrative and software-installation activity to reduce false positives.
- Correlate user-opened files with follow-on process execution to support T1204.002-style investigation paths.
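The rundll32.exe, masquerading and parent-process directions above, written as a small hunting rule over process-creation events; this is an added example, not ATT&CK or Glexia content. The event field names, the sample events and the parent-process list are constructed assumptions to be adapted to your EDR or Sysmon schema.

```python
import re
from typing import Dict, List, Tuple

# Locations a normal user can write to; a DLL run from here via rundll32 is notable.
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|temp|programdata)\\", re.I)
# Assumed starting list: parents that rarely have a legitimate reason to spawn rundll32.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "wscript.exe", "mshta.exe"}
# rundll32 <dll>[,<entry>]: the DLL may be quoted; entry may be a name or an ordinal (#n).
RUNDLL_ARGS = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?:"(?P<q>[^"]+)"|(?P<u>[^\s,]+))(?:,(?P<entry>\S+))?', re.I)

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def assess_rundll32(event: Dict[str, str]) -> List[str]:
    """Return the suspicious traits seen in one process-creation event (empty if none)."""
    if basename(event["image"]) != "rundll32.exe":
        return []
    m = RUNDLL_ARGS.search(event["command_line"])
    if not m:
        return []
    dll, entry = m.group("q") or m.group("u"), m.group("entry") or ""
    traits = []
    if USER_WRITABLE.search(dll):
        traits.append("dll_in_user_writable_path")
    if not dll.lower().endswith(".dll"):
        traits.append("dll_with_non_dll_extension")  # masquerading, T1036
    if entry.startswith("#"):
        traits.append("ordinal_export")
    parent = event.get("parent_image", "")
    if basename(parent) in SUSPICIOUS_PARENTS or USER_WRITABLE.search(parent):
        traits.append("unexpected_parent")
    return traits

def hunt(events: List[Dict[str, str]], min_traits: int = 2) -> List[Tuple[int, List[str]]]:
    """Require several traits at once: any single one is common in admin/installer noise."""
    hits = []
    for e in events:
        traits = assess_rundll32(e)
        if len(traits) >= min_traits:
            hits.append((e["id"], traits))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry, not real events
    {"id": 1, "image": r"C:\Windows\System32\rundll32.exe", "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"id": 2, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Users\alice\Downloads\install.exe",
     "command_line": r'"C:\Windows\System32\rundll32.exe" "C:\Users\alice\AppData\Local\Temp\setup\plugin.dat",#1'},
]
```

Run `hunt(SAMPLE_EVENTS)` to see the second event flagged with all four traits while the Control Panel invocation passes; tune `min_traits` and the lists against your own baseline before alerting.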
Mitigation priorities
- Prioritize Windows endpoint logging and retention sufficient to reconstruct file execution, rundll32.exe use, and process ancestry.
- Harden controls around user-executed files, especially files from untrusted delivery paths, while preserving business-approved workflows.
- Review allowlisting and application-control policies so trusted Windows utilities such as rundll32.exe are monitored and constrained appropriately rather than blindly trusted.
- Ensure detection engineering maps coverage to the related ATT&CK techniques, not just to the NativeZone software name.
- Prepare IR playbooks for suspicious loader findings that include containment, evidence preservation, and scoping for possible follow-on Cobalt Strike activity.
Analyst notes and limits
The strongest decision value comes from the relationship context: NativeZone is linked by ATT&CK to APT29 and to techniques involving malicious file execution, masquerading, decoding, rundll32.exe abuse, execution guardrails, and system checks. These relationships point defenders toward behavioral validation on Windows endpoints.
MITRE does not provide official detection text, malware tactics, aliases, or labels for this object. Local telemetry, EDR configuration, file provenance, and environment-specific baselines are required before judging exposure or detection coverage. The supplied fields support Windows as the platform for NativeZone; other platform references come only from related technique objects and should not be treated as NativeZone platform coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1204.002 | Malicious File (sub-technique) | NativeZone can display an RTF document to the user to enable execution of Cobalt Strike stage shellcode. [1] |
| Enterprise | T1497.001 | System Checks (sub-technique) | NativeZone has checked if a VMware or VirtualBox VM is running on a compromised host. [1] |
| Enterprise | T1218.011 | Rundll32 (sub-technique) | NativeZone has used rundll32 to execute a malicious DLL. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | NativeZone can decrypt and decode embedded Cobalt Strike beacon stage shellcode. [1] |
| Enterprise | T1480 | Execution Guardrails | NativeZone can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components. [1][2] |
| Enterprise | T1036 | Masquerading | NativeZone has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system. [2] |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources "Updates" page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e0ca13475d7c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MSTIC Nobelium Toolset May 2021: MSTIC. (2021, May 28). Breaking down NOBELIUM's latest early-stage toolset. Retrieved August 4, 2021.
[2] SentinelOne NobleBaron June 2021: Guerrero-Saade, J. (2021, June 1). NobleBaron | New Poisoned Installers Could Be Used In Supply Chain Attacks. Retrieved August 4, 2021.
[3] mitre-attack S0637 (MITRE ATT&CK software object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.