S0653: xCaon
Analyst context for executives and security teams
xCaon is a Windows malware entry associated in ATT&CK with IndigoZebra and described as an HTTP variant of the BoxCaon family. Its practical significance is not just the malware name: the mapped behaviors cover command execution, discovery of network and security tooling, local data collection, persistence, tool transfer, and HTTP-based command-and-control with encoding/encryption. For leaders, this is a useful test case for whether Windows endpoint, web egress, and incident response evidence can prove what happened after an initial compromise.
Executive priority
Prioritize xCaon-related coverage where Windows systems support sensitive government, political, or similarly high-value operations, especially if Central Asia threat reporting is relevant to the organization’s risk model. The ATT&CK mapping points to business risks around data exposure, persistent access, and delayed detection through ordinary-looking web traffic. Executives should ask whether security teams can document endpoint persistence checks, outbound HTTP visibility, command-shell monitoring, and local data access evidence as part of resilience and compliance readiness.
Technical view
Validate controls against the behaviors ATT&CK maps to xCaon, each of which the relationship set ties to a concrete procedure: Windows Command Shell execution (a command to start an interactive shell), Native API use and System Network Configuration Discovery (GetAdaptersInfo() to read the MAC address), Boot or Logon Autostart Execution (a Registry autostart key), Security Software Discovery (a check for Kaspersky antivirus), Data from Local System (uploading files from the victim), Ingress Tool Transfer (a file-download command), Web Protocol C2 (HTTP POST requests), Standard Encoding (Base64), Symmetric Cryptography (XOR-encrypted C2 data), and Deobfuscate/Decode Files or Information (server-supplied strings decoded before execution). Because the object carries no official detection text and lists no tactics on the malware object itself, detection engineering should be relationship-driven: look for suspicious combinations on one host, such as a command shell spawned by an unexpected parent, an autostart location written, discovery commands or API-driven discovery, local file access followed by outbound HTTP POSTs, and request bodies that are Base64-encoded but decode to non-text data.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe activity
- Windows persistence evidence such as boot or logon autostart locations
- Endpoint file access and local data staging indicators
- Network telemetry for outbound HTTP/S or web-protocol communications
- Proxy, firewall, DNS, and egress logs that can correlate endpoints to external destinations
Detection direction
- Do not rely on a malware-name signature alone; validate behavior chains across execution, discovery, persistence, collection, and command-and-control.
- Tune for suspicious Windows command shell usage combined with network discovery, security tool discovery, or local data access.
- Review outbound web traffic for unusual client behavior, uncommon destinations, and POST bodies that are Base64-encoded yet decode to non-printable data, which is how a Base64-over-XOR channel presents at the proxy; compare against normal business patterns before escalating.
- Correlate ingress tool transfer with subsequent execution or persistence events on the same Windows host.
- Account for false positives from legitimate administration, software deployment, endpoint security tooling, and scripted inventory tasks by baselining approved tools, parent processes, users, and destinations.
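The relationship-driven correlation described in the technical view and the detection direction above, written out as an added example (not ATT&CK, Check Point or Glexia code). The event shapes are modelled on Sysmon/EDR records, the allowlists stand in for the baselining the text recommends, and the Run key is used only as a representative T1547 location because the page does not name xCaon's key; how the Kaspersky check surfaces in telemetry is likewise assumed to be a registry query. All sample events are constructed.

```python
"""Relationship-driven detection for xCaon-style behavior chains.

Added example: this is not ATT&CK, Check Point, or Glexia code. Event
shapes, allowlists, and the sample telemetry below are constructed to
resemble Sysmon/EDR records and are assumptions, not captured data.
"""
from collections import defaultdict

# Baselines the text asks for: approved tooling, launchers and destinations.
# All values are placeholders for this example.
APPROVED_IMAGES = {r"c:\program files\mgmt\agent.exe"}
APPROVED_PARENTS = {r"c:\windows\explorer.exe", r"c:\windows\system32\services.exe"}
APPROVED_DESTINATIONS = {"proxy.corp.example", "updates.corp.example"}

# Representative T1547 locations; the page does not name xCaon's actual key.
RUN_KEYS = ("\\currentversion\\run\\", "\\currentversion\\runonce\\")
# Assumption: the Kaspersky check is visible as a registry query.
AV_KEYS = ("kasperskylab", "kaspersky lab")
USER_DATA = ("\\documents\\", "\\desktop\\")


def classify(ev):
    """Map one event to a (stage, technique) pair, or None if no rule matches.

    GetAdaptersInfo() (T1016/T1106) is an in-process API call with no
    process-level log line, so it is deliberately absent from these rules.
    """
    kind = ev["type"]
    image = ev.get("image", "").lower()
    if kind == "process":
        # T1059.003: a command shell whose parent is not an expected launcher.
        if image.endswith("\\cmd.exe") and ev.get("parent", "").lower() not in APPROVED_PARENTS:
            return "execution", "T1059.003"
    elif kind == "registry":
        key = ev.get("key", "").lower()
        if ev.get("op") == "set" and any(k in key for k in RUN_KEYS):
            return "persistence", "T1547"
        if ev.get("op") == "query" and any(k in key for k in AV_KEYS):
            return "discovery", "T1518.001"
    elif kind == "file":
        if ev.get("op") == "read" and any(p in ev.get("path", "").lower() for p in USER_DATA):
            return "collection", "T1005"
    elif kind == "network":
        if ev.get("proto") == "http" and ev.get("method") == "POST" and ev.get("dst") not in APPROVED_DESTINATIONS:
            return "c2", "T1071.001"
    return None


def actor_of(ev):
    """Process to attribute an event to: the parent for process-creation
    events (the launcher is the suspect), the image for everything else."""
    return (ev.get("parent") if ev["type"] == "process" else ev.get("image", "")).lower()


def detect(events, min_stages=3):
    """Group classified events by (host, actor) and alert on chains that span
    at least min_stages distinct stages and reach persistence or C2."""
    chains = defaultdict(lambda: {"stages": set(), "techniques": set()})
    for ev in events:
        hit = classify(ev)
        actor = actor_of(ev)
        if hit is None or actor in APPROVED_IMAGES:
            continue
        stage, technique = hit
        chains[(ev["host"], actor)]["stages"].add(stage)
        chains[(ev["host"], actor)]["techniques"].add(technique)
    alerts = []
    for (host, actor), chain in chains.items():
        if len(chain["stages"]) >= min_stages and chain["stages"] & {"persistence", "c2"}:
            alerts.append({"host": host, "actor": actor,
                           "stages": sorted(chain["stages"]),
                           "techniques": sorted(chain["techniques"])})
    return sorted(alerts, key=lambda a: (a["host"], a["actor"]))


MALWARE = r"C:\Users\alice\AppData\Roaming\updater.exe"   # constructed suspect path
AGENT = r"C:\Program Files\Mgmt\agent.exe"                 # constructed approved agent
SAMPLE_EVENTS = [
    # WS-A: the full chain the ATT&CK mapping describes.
    {"host": "WS-A", "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": MALWARE},
    {"host": "WS-A", "type": "registry", "op": "set", "image": MALWARE,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "WS-A", "type": "registry", "op": "query", "image": MALWARE, "key": r"HKLM\SOFTWARE\KasperskyLab"},
    {"host": "WS-A", "type": "file", "op": "read", "image": MALWARE, "path": r"C:\Users\alice\Documents\budget.xlsx"},
    {"host": "WS-A", "type": "network", "proto": "http", "method": "POST", "image": MALWARE, "dst": "203.0.113.10"},
    # WS-B: an approved agent doing the same collection and upload, plus a user-launched shell.
    {"host": "WS-B", "type": "process", "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    {"host": "WS-B", "type": "file", "op": "read", "image": AGENT, "path": r"C:\Users\bob\Documents\report.docx"},
    {"host": "WS-B", "type": "network", "proto": "http", "method": "POST", "image": AGENT, "dst": "updates.corp.example"},
    # WS-C: an unknown binary that reads and uploads but shows no execution, persistence or discovery.
    {"host": "WS-C", "type": "file", "op": "read", "image": r"C:\Temp\inventory.exe", "path": r"C:\Users\carol\Desktop\notes.txt"},
    {"host": "WS-C", "type": "network", "proto": "http", "method": "POST", "image": r"C:\Temp\inventory.exe", "dst": "198.51.100.7"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Only WS-A alerts at the default threshold: WS-B's activity is fully baselined, and WS-C shows collection and an unexplained POST but nothing else, which is the kind of two-stage chain worth a lower-severity hunt rather than an incident. Lowering `min_stages` to 2 surfaces WS-C as well, which is the tuning trade-off the false-positive bullet above is about.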
Mitigation priorities
- Maintain strong Windows endpoint hardening and monitoring for command execution, persistence locations, and suspicious file activity.
- Restrict and monitor outbound web traffic where business processes allow, with proxy/firewall logging sufficient for investigation.
- Control unauthorized tool transfer through application control, download restrictions, and egress policy.
- Ensure endpoint protection and logging remain visible to defenders, especially where malware may attempt security software discovery.
- Prepare incident response playbooks that preserve endpoint, proxy, DNS, and firewall evidence needed to reconstruct execution, collection, and C2 activity.
Analyst notes and limits
ATT&CK identifies xCaon as an HTTP variant of BoxCaon used by IndigoZebra since at least 2014 and notes targeting of political entities in Central Asia, including Kyrgyzstan and Uzbekistan. The relationship set is the main source of defensive value: it provides the behaviors defenders should emulate, detect, and investigate. The group relationship states IndigoZebra is a suspected Chinese cyber espionage group targeting Central Asian governments, but this summary does not infer current activity or local exposure.
The official object does not provide detection text, aliases, labels, or malware-level tactics. Platform support is limited to Windows for this malware object, even though related techniques have broader platform lists. No active exploitation, current campaign status, indicators, hashes, infrastructure, or guaranteed detection logic are supplied; local telemetry and threat model relevance must be validated by the organization.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | xCaon has uploaded files from victims' machines. [1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | xCaon has communicated with the C2 server by sending POST requests over HTTP. [1] |
| Enterprise | T1547 | Boot or Logon Autostart Execution | xCaon has added persistence via the Registry key |
| Enterprise | T1016 | System Network Configuration Discovery | xCaon has used the GetAdaptersInfo() API call to get the victim's MAC address. [1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | xCaon has checked for the existence of Kaspersky antivirus software on the system. [1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | xCaon has encrypted data sent to the C2 server using an XOR key. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | xCaon has a command to download files to the victim's machine. [1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | xCaon has used Base64 to encode its C2 traffic. [1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | xCaon has a command to start an interactive shell. [1] |
| Enterprise | T1106 | Native API | xCaon has leveraged native OS function calls to retrieve the victim's network adapter information using the GetAdaptersInfo() API. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | xCaon has decoded strings from the C2 server before executing commands. [1] |
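The three C2 rows above (T1573.001, T1132.001 and T1140) describe one channel: data is XOR-encrypted, Base64-encoded, and decoded again on receipt. The following is an added example of what that channel looks like on the wire and how an analyst can triage and unwrap it; it is not code from ATT&CK, Check Point or the malware. ATT&CK records only that Base64 and an XOR key are used, so the key length (a single byte for the brute-force step), the message layout, the `id=`/`cmd=` fields, and the sample requests are all assumptions constructed for the demonstration.

```python
"""Model of xCaon's C2 encoding layers (Base64 over XOR) and analyst-side triage.

Added example, not code from ATT&CK, Check Point or the malware. ATT&CK
records only that the traffic is Base64-encoded and XOR-encrypted; the
key length, message layout and the sample beacon below are assumptions.
"""
import base64
import re

B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; a single-byte key is the length-1 case."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_beacon(plaintext: bytes, key: bytes) -> str:
    """What a POST body looks like on the wire: XOR, then Base64 (T1573.001 + T1132.001)."""
    return base64.b64encode(xor_bytes(plaintext, key)).decode("ascii")


def decode_beacon(body: str, key: bytes) -> bytes:
    """Receiver side of the same channel (T1140 on the implant, or an analyst holding the key)."""
    return xor_bytes(base64.b64decode(body), key)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    return sum(32 <= b < 127 or b in b"\r\n\t" for b in data) / max(len(data), 1)


def looks_like_encoded_payload(body: str, min_len: int = 16) -> bool:
    """Proxy-side triage: a Base64 body that decodes to mostly non-text bytes.

    Legitimate Base64 (JSON, form fields) decodes to printable text; an XOR
    layer underneath usually does not. Heuristic only: a key whose bytes are
    all below 0x20 can leave XORed ASCII looking printable.
    """
    if len(body) < min_len or len(body) % 4 or not B64_RE.match(body):
        return False
    return printable_ratio(base64.b64decode(body)) < 0.8


def recover_single_byte_key(body: str, crib: bytes = b""):
    """Brute-force a one-byte XOR key for a captured body, keeping only
    candidates that contain a known plaintext fragment (crib) when one is
    given, and preferring the most text-like result. Returns (key, plaintext)."""
    raw = base64.b64decode(body)
    best = None
    for k in range(256):
        candidate = xor_bytes(raw, bytes([k]))
        if crib and crib not in candidate:
            continue
        score = printable_ratio(candidate)
        if best is None or score > best[0]:
            best = (score, k, candidate)
    return None if best is None else (best[1], best[2])


def triage_requests(requests):
    """Return the destinations whose POST bodies trip the encoding heuristic."""
    return sorted({r["dst"] for r in requests
                   if r["method"] == "POST" and looks_like_encoded_payload(r["body"])})


# Constructed sample traffic: one implant beacon and one ordinary JSON POST.
KEY = b"\x9f"                                        # assumed single-byte key
BEACON = b"id=00:11:22:33:44:55;cmd=dir C:\\Users"  # assumed message layout
SAMPLE_REQUESTS = [
    {"dst": "203.0.113.10", "method": "POST", "body": encode_beacon(BEACON, KEY)},
    {"dst": "api.corp.example", "method": "POST",
     "body": base64.b64encode(b'{"status":"ok","version":"1.2.3"}').decode("ascii")},
]

if __name__ == "__main__":
    print("flagged:", triage_requests(SAMPLE_REQUESTS))
    print("recovered:", recover_single_byte_key(SAMPLE_REQUESTS[0]["body"], crib=b"cmd="))
```

The triage step is what a proxy or SIEM rule can do without the key: Base64 that does not decode to text is unusual for business traffic and worth correlating with the endpoint chain. The recovery step needs a crib, and the page supplies two natural ones: the MAC address format that GetAdaptersInfo() produces and the command strings the server sends back. For a multi-byte key the same approach is repeated per key position, which this example does not do.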
Groups, software, and campaigns
G0136: IndigoZebra
IndigoZebra is a suspected Chinese cyber espionage group that has been targeting Central Asian governments since at least 2014.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 1f9c5d0b560c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Checkpoint IndigoZebra July 2021: CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
- [2] Securelist APT Trends Q2 2017: Kaspersky Lab's Global Research & Analysis Team. (2017, August 8). APT Trends report Q2 2017. Retrieved February 15, 2018.
- [3] mitre-attack S0653: MITRE ATT&CK software entry S0653 (xCaon).
- [4] xCaon (alias reference): Citation: Checkpoint IndigoZebra July 2021.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.