
S0651: BoxCaon

BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[1]

Domain: Enterprise. ID: S0651. Type: Malware. Object version: 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

BoxCaon matters because it represents a Windows backdoor associated in ATT&CK with espionage-style targeting: it was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. For leaders, the decision value is not just the malware name, but the behavior pattern: command execution, persistence, discovery, local collection and staging, tool transfer, and exfiltration through C2 or cloud storage. Those behaviors test whether the organization can see suspicious activity after initial access, especially on Windows endpoints handling sensitive government, policy, or regulated data.

Executive priority

Prioritize BoxCaon-style coverage where Windows endpoints contain sensitive information or where spearphishing-driven intrusion scenarios are material to business continuity, legal obligations, or public-sector risk. Executives should ask whether SOC and IR teams can prove visibility across endpoint process activity, persistence locations, network egress, cloud storage use, and data staging. Because ATT&CK provides no official detection text for this object, coverage should be validated through behavior-based controls and evidence, not by assuming a named-malware signature is sufficient.

Technical view

ATT&CK lists BoxCaon as Windows malware and relates it to techniques covering Windows Command Shell, Native API execution, Boot or Logon Autostart Execution, file and directory discovery, system network configuration discovery, local data collection and staging, ingress tool transfer, bidirectional web-service-based C2, exfiltration over C2, exfiltration to cloud storage, and obfuscation. SOC teams should validate detections around unusual cmd.exe activity, persistence changes, file enumeration followed by staging, unexpected inbound tool/file creation, anomalous outbound web or cloud-storage traffic, and suspicious encoded or obfuscated artifacts. IR playbooks should treat discovery plus staging plus outbound transfer as a higher-priority chain than any single event in isolation.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially cmd.exe and child-process relationships
  • Windows persistence evidence such as boot or logon autostart configuration changes
  • File system telemetry for enumeration, collection, staging directories, newly created archives or bundled data, and suspicious transferred tools
  • Endpoint security alerts or file metadata indicating obfuscated, encoded, encrypted, or otherwise hard-to-analyze payloads
  • Network egress logs, proxy logs, DNS logs, and firewall telemetry for external C2-like communications

Detection direction

  • Do not rely on an official BoxCaon detection recipe; MITRE does not provide one for this object. Build coverage from the related behaviors and validate with local telemetry.
  • Correlate discovery commands, file enumeration, local staging, and outbound transfer into chained analytics; each behavior alone may be common, but the sequence can indicate collection and exfiltration preparation.
  • Tune Windows command-shell detections for context: administrative use of cmd.exe is common, so prioritize unusual parent processes, suspicious working directories, rare command lines, and activity by users or hosts that do not normally perform administration.
  • Monitor boot or logon autostart changes on Windows systems and require explainable ownership, change history, and business justification.
  • Validate visibility into web-service or cloud-storage communications. Cloud storage may be legitimate, so detections should consider endpoint role, user context, data volume, upload direction, and first-seen destinations.
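One way to implement the chained analytic described above, as an added example that is not part of this page or of ATT&CK: it classifies constructed endpoint telemetry into the stages named in the relationship table (cmd.exe discovery of the desktop folder or network configuration, a staging folder under Temp, the HKCU ...\Windows\load value, and outbound Dropbox traffic) and flags a host only when discovery, staging and exfiltration all occur within a 30-minute window, with persistence raising the score. The log format, the Temp-folder staging heuristic, the window length and the scoring are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry "<time> <host> <type> <details>": WS01 shows the full chain, WS02 only cmd.exe use plus a small Dropbox upload.
SAMPLE_LOG = """\
2021-07-01T09:00:05 WS01 process parent=winword.exe image=cmd.exe cmdline="cmd.exe /c dir %USERPROFILE%\\Desktop"
2021-07-01T09:00:40 WS01 file op=create path=C:\\Users\\a\\AppData\\Local\\Temp\\work\\report.docx
2021-07-01T09:01:10 WS01 registry key=HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows value=load data=C:\\Users\\a\\AppData\\Roaming\\svc.exe
2021-07-01T09:02:00 WS01 network dst=api.dropboxapi.com direction=out bytes=482113
2021-07-01T09:15:00 WS02 process parent=explorer.exe image=cmd.exe cmdline="cmd.exe /c ipconfig /all"
2021-07-01T09:20:00 WS02 network dst=api.dropboxapi.com direction=out bytes=1200
"""
CLOUD_DOMAINS = ("dropbox.com", "dropboxapi.com")  # T1567.002 / T1102.002

def classify(etype, details):
    """Map one telemetry line to a stage from the relationship table, or None."""
    d = details.lower()
    if etype == "process" and "image=cmd.exe" in d and ("desktop" in d or "ipconfig" in d):
        return "discovery"      # T1059.003 driving T1083 / T1016
    if etype == "file" and "op=create" in d and "\\temp\\" in d:
        return "staging"        # T1074.001 working folder (Temp heuristic is assumed)
    if etype == "registry" and "currentversion\\windows" in d and "value=load" in d:
        return "persistence"    # T1547 via the HKCU ...\Windows\load value
    if etype == "network" and "direction=out" in d and any(c in d for c in CLOUD_DOMAINS):
        return "exfiltration"
    return None

def chained_findings(log=SAMPLE_LOG, window=timedelta(minutes=30)):
    """Return {host: score} for hosts where discovery, staging and exfiltration all fall within `window` of a discovery event; persistence in the same span adds one point."""
    per_host = defaultdict(list)
    for line in log.splitlines():
        ts, host, etype, details = line.split(" ", 3)
        stage = classify(etype, details)
        if stage:
            per_host[host].append((datetime.fromisoformat(ts), stage))
    findings = {}
    for host, hits in sorted(per_host.items()):
        hits.sort()
        for i, (t0, s0) in enumerate(hits):
            if s0 != "discovery":
                continue
            seen = {"discovery": t0}           # stage -> first time seen after t0
            for t, s in hits[i + 1:]:
                if t - t0 > window:
                    break
                seen.setdefault(s, t)
            if {"discovery", "staging", "exfiltration"} <= seen.keys():
                findings[host] = 3 + (1 if "persistence" in seen else 0)
                break
    return findings
```

Run against real telemetry by feeding lines in the same four-field shape; WS02 is deliberately not flagged because cmd.exe use and a cloud upload without staging is the common benign pattern the bullet above warns about.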

Mitigation priorities

  • Start with phishing and endpoint hardening priorities appropriate for Windows environments, because the official description ties BoxCaon use to a spearphishing campaign.
  • Reduce post-compromise freedom by enforcing least privilege, controlled administrative shell usage, and change control around persistence mechanisms.
  • Improve endpoint detection and response coverage for process execution, persistence, file staging, and suspicious tool transfer before relying on perimeter-only controls.
  • Control and monitor outbound web and cloud-storage access, including business-approved services, upload behavior, and unmanaged destinations.
  • Maintain incident response procedures for rapid Windows host isolation, persistence review, staged-data identification, and outbound destination scoping.

Analyst notes and limits

This take is based on the supplied ATT&CK STIX fields and relationships for S0651 BoxCaon. The object is a Windows backdoor; ATT&CK links it to IndigoZebra and to multiple execution, persistence, discovery, collection, command-and-control, and exfiltration techniques. The relationship context supports behavior-driven detection planning, but it does not provide malware indicators, detection logic, or local exposure evidence.

Official detection is not provided. Tactics are not specified on the malware object itself, and several related techniques list platforms beyond Windows; this summary treats BoxCaon as Windows malware per the supplied platform field and uses the broader technique relationships only for defensive behavior mapping. No claim is made about current activity, customer exposure, guaranteed detection, or attribution in any specific environment.

Official MITRE ATT&CK definition

BoxCaon

BoxCaon is a Windows backdoor that was used by IndigoZebra in a 2021 spearphishing campaign against Afghan government officials. BoxCaon's name stems from similarities shared with the malware family xCaon.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1102.002 | Bidirectional Communication (sub-technique)
  BoxCaon has used Dropbox for C2 communications. [Checkpoint IndigoZebra July 2021]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
  BoxCaon can execute arbitrary commands and utilize the "ComSpec" environment variable. [Checkpoint IndigoZebra July 2021]

Enterprise | T1083 | File and Directory Discovery
  BoxCaon has searched for files on the system, such as documents located in the desktop folder. [Checkpoint IndigoZebra July 2021]

Enterprise | T1105 | Ingress Tool Transfer
  BoxCaon can download files. [Checkpoint IndigoZebra July 2021]

Enterprise | T1106 | Native API
  BoxCaon has used Windows API calls to obtain information about the compromised host. [Checkpoint IndigoZebra July 2021]

Enterprise | T1005 | Data from Local System
  BoxCaon can upload files from a compromised host. [Checkpoint IndigoZebra July 2021]

Enterprise | T1041 | Exfiltration Over C2 Channel
  BoxCaon uploads files and data from a compromised host over the existing C2 channel. [Checkpoint IndigoZebra July 2021]

Enterprise | T1547 | Boot or Logon Autostart Execution
  BoxCaon established persistence by setting the HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\load registry key to point to its executable. [Checkpoint IndigoZebra July 2021]

Enterprise | T1567.002 | Exfiltration to Cloud Storage (sub-technique)
  BoxCaon has the capability to download folders' contents on the system and upload the results back to its Dropbox drive. [Checkpoint IndigoZebra July 2021]

Enterprise | T1027 | Obfuscated Files or Information
  BoxCaon used the "StackStrings" obfuscation technique to hide malicious functionalities. [Checkpoint IndigoZebra July 2021]

Enterprise | T1016 | System Network Configuration Discovery
  BoxCaon can collect the victim's MAC address by using the GetAdaptersInfo API. [Checkpoint IndigoZebra July 2021]

Enterprise | T1074.001 | Local Data Staging (sub-technique)
  BoxCaon has created a working folder for collected files that it sends to the C2 server. [Checkpoint IndigoZebra July 2021]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.

ATT&CK release: 19.1
Object version: 1.0
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: 07f28e07959fd2ac...

Imported snapshots across ATT&CK releases (1)

Release: 19.1; Bundle imported: (empty); Object version: 1.0; Modified: (empty); Status: Current bundle; Raw hash: 07f28e07959f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Checkpoint IndigoZebra July 2021: CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  2. [2] BoxCaon: (Citation: Checkpoint IndigoZebra July 2021)(Citation: HackerNews IndigoZebra July 2021)
  3. [3] HackerNews IndigoZebra July 2021: Lakshmanan, R. (2021, July 1). IndigoZebra APT Hacking Campaign Targets the Afghan Government. Retrieved September 24, 2021.
  4. [4] mitre-attack S0651

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.