
S0657: BLUELIGHT

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.[1]

Domain: Enterprise | ID: S0657 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

BLUELIGHT is a Windows remote access Trojan associated in ATT&CK with APT37. Its mapped behaviors matter because they combine host discovery, security-tool awareness, browser credential and session-cookie theft, screen capture, data staging, exfiltration over command-and-control, and file cleanup. For leaders, this is less about one malware name and more about whether the organization can prove it would see a post-compromise remote-access implant collecting identity and user-context data before data leaves the environment.

Executive priority

Prioritize BLUELIGHT as a validation case for endpoint, identity, browser, and egress-monitoring readiness. The business risk is tied to unauthorized remote access, theft of browser-stored credentials or session cookies, collection of sensitive user-visible information, and exfiltration over web-based channels that may blend with normal traffic. Executives should ask whether SOC and IR teams can correlate Windows endpoint activity, browser artifact access, web-protocol C2, data archiving, and file deletion into a single incident narrative suitable for response decisions and audit evidence.

Technical view

ATT&CK does not provide a dedicated detection section for BLUELIGHT, so defenders should build coverage from the related techniques. On Windows, validate visibility for process, file, registry/configuration, browser-data access, screenshot activity, archive creation, network connections over web protocols, transfers of additional tools, exfiltration over existing C2, and file deletion. Detection engineering should focus on behavior chains: discovery of system, network, process, user, time, and security software information followed by access to browser credentials or cookies, screen capture, data archiving, outbound web traffic, and cleanup. Because BLUELIGHT is mapped to encrypted or encoded files and system checks, static signatures and sandbox-only verdicts should not be treated as sufficient evidence of coverage.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Windows file creation, modification, archival, and deletion events
  • Browser profile, credential store, and session-cookie access evidence where legally and technically available
  • Endpoint security logs showing discovery of security tools or sensor-related artifacts
  • Network proxy, DNS, firewall, and TLS metadata for outbound web-protocol communications

Detection direction

  • Map detections to the related ATT&CK behaviors rather than relying on the malware name alone, because no official BLUELIGHT detection guidance is supplied.
  • Correlate multiple low-confidence discovery events; individual system, user, process, network, and time discovery actions can be administrative, but clustering before collection or C2 activity increases relevance.
  • Tune for browser credential and web session cookie access from unusual processes or unexpected execution paths, while accounting for legitimate browser, backup, and enterprise management activity.
  • Review outbound HTTP/S or web-service traffic patterns for unusual destinations, timing, payload size, or bidirectional command/output behavior, without assuming all web traffic is malicious.
  • Look for collection staging indicators such as custom or unusual archives followed by outbound transfer, especially when paired with screen capture or browser-data access.
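As an added example of the correlation approach in the first two bullets (not Glexia's or MITRE's code): a window-based check that raises one alert per host only when several distinct discovery techniques from this object's relationship table are followed, within a short window, by browser credential, cookie, screen-capture or archiving activity. The window length, threshold, host names and the event stream itself are constructed assumptions.

```python
from collections import defaultdict

# Technique IDs taken from the BLUELIGHT relationship table on this page.
DISCOVERY = {"T1016", "T1033", "T1082", "T1057", "T1124", "T1518.001", "T1083", "T1497.001"}
COLLECTION = {"T1539", "T1555.003", "T1113", "T1560", "T1560.003"}

WINDOW_SECONDS = 600         # assumption: ten-minute look-back before the collection event
MIN_DISTINCT_DISCOVERY = 3   # assumption: a lone discovery action stays low-confidence


def correlate(events, window=WINDOW_SECONDS, min_distinct=MIN_DISTINCT_DISCOVERY):
    """Return one alert dict per host where a discovery cluster precedes collection.

    events: iterable of (timestamp_seconds, host, attack_technique_id) tuples,
    e.g. produced by mapping EDR/Sysmon detections to ATT&CK IDs upstream.
    """
    by_host = defaultdict(list)
    for ts, host, tid in events:
        by_host[host].append((ts, tid))

    alerts = []
    for host, evs in by_host.items():
        evs.sort()  # chronological order per host
        for i, (ts, tid) in enumerate(evs):
            if tid not in COLLECTION:
                continue
            # Distinct discovery techniques seen on this host inside the window before the trigger.
            seen = {t for (t0, t) in evs[:i] if t in DISCOVERY and ts - t0 <= window}
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "trigger": tid, "at": ts, "discovery": sorted(seen)})
                break  # one alert per host is enough for triage
    return alerts


# Constructed telemetry for illustration; not real indicators.
SAMPLE_EVENTS = [
    (0, "ws-17", "T1082"),        # computer name / OS version
    (20, "ws-17", "T1033"),       # username
    (45, "ws-17", "T1518.001"),   # installed anti-virus products
    (70, "ws-17", "T1124"),       # local time
    (300, "ws-17", "T1555.003"),  # browser credential store read: trigger
    (0, "ws-22", "T1082"),        # single inventory query, admin-like
    (5000, "ws-22", "T1539"),     # cookie access much later, outside the window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Only ws-17 alerts: four distinct discovery techniques precede the credential-store read within the window, while ws-22 shows one discovery action and a cookie access too far apart to cluster.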

Mitigation priorities

  • Ensure managed endpoint detection and response coverage is deployed and monitored on Windows systems in scope.
  • Reduce exposure from browser-stored secrets by enforcing enterprise browser hardening, credential hygiene, session management, and access controls appropriate to the environment.
  • Strengthen egress governance with proxy logging, DNS visibility, firewall policy, and review of allowed web-service destinations used for business.
  • Harden identity and access controls so stolen cookies or browser credentials have reduced value, including conditional access and rapid session revocation where available.
  • Prepare IR playbooks for remote access Trojan activity that include host isolation, credential and session invalidation, browser artifact review, C2 scoping, and exfiltration assessment.

Analyst notes and limits

The ATT&CK object identifies BLUELIGHT as a remote access Trojan used by APT37 and first observed in early 2021, with Windows as the listed platform. The relationship set is operationally useful: it shows discovery, credential access, collection, command-and-control, exfiltration, and stealth behaviors that can guide defensive validation. Treat this as a behavior-driven coverage exercise for RAT intrusions rather than a claim that any specific environment is currently targeted.

Official ATT&CK detection guidance is not provided for this object, tactics are not specified on the malware object itself, and the supplied data does not include indicators, hashes, infrastructure, command syntax, or confirmed current exploitation. Local telemetry, asset criticality, user behavior baselines, and approved administrative tooling are required to determine detection quality and incident severity.

Official MITRE ATT&CK definition

BLUELIGHT

BLUELIGHT is a remote access Trojan used by APT37 that was first observed in early 2021.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

All 19 rows cite [1], Volexity InkySquid BLUELIGHT August 2021.

Domain | ID | Name | Relationship / procedure
Enterprise | T1016 | System Network Configuration Discovery | BLUELIGHT can collect IP information from the victim's machine. [1]
Enterprise | T1560.003 | Archive via Custom Method (sub-technique) | BLUELIGHT has encoded data into a binary blob using XOR. [1]
Enterprise | T1033 | System Owner/User Discovery | BLUELIGHT can collect the username on a compromised host. [1]
Enterprise | T1082 | System Information Discovery | BLUELIGHT has collected the computer name and OS version from victim machines. [1]
Enterprise | T1105 | Ingress Tool Transfer | BLUELIGHT can download additional files onto the host. [1]
Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | BLUELIGHT has an XOR-encoded payload. [1]
Enterprise | T1041 | Exfiltration Over C2 Channel | BLUELIGHT has exfiltrated data over its C2 channel. [1]
Enterprise | T1518.001 | Security Software Discovery (sub-technique) | BLUELIGHT can collect a list of anti-virus products installed on a machine. [1]
Enterprise | T1070.004 | File Deletion (sub-technique) | BLUELIGHT can uninstall itself. [1]
Enterprise | T1102.002 | Bidirectional Communication (sub-technique) | BLUELIGHT can use different cloud providers for its C2. [1]
Enterprise | T1539 | Steal Web Session Cookie | BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers. [1]
Enterprise | T1555.003 | Credentials from Web Browsers (sub-technique) | BLUELIGHT can collect passwords stored in web browsers, including Internet Explorer, Edge, Chrome, and Naver Whale. [1]
Enterprise | T1057 | Process Discovery | BLUELIGHT can collect process filenames and SID authority level. [1]
Enterprise | T1560 | Archive Collected Data | BLUELIGHT can zip files before exfiltration. [1]
Enterprise | T1497.001 | System Checks (sub-technique) | BLUELIGHT can check to see if the infected machine has VM tools running. [1]
Enterprise | T1083 | File and Directory Discovery | BLUELIGHT can enumerate files and collect associated metadata. [1]
Enterprise | T1071.001 | Web Protocols (sub-technique) | BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API. [1]
Enterprise | T1124 | System Time Discovery | BLUELIGHT can collect the local time on a compromised host. [1]
Enterprise | T1113 | Screen Capture | BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter. [1]

Associated objects

Groups, software, and campaigns

Group (Enterprise)

G0067: APT37

APT37 is a North Korean state-sponsored cyber espionage group that has been active since at least 2012. The group has targeted victims primarily in South Korea, but also in Japan, Vietnam, Russia, Nepal, China, India, Romania, Kuwait, and other parts of the Middle East. APT37 has also been linked to the following campaigns between 2016 and 2018: Operation Daybreak, Operation Erebus, Golden Time, Evil New Year, Are you Happy?, FreeMilk, North Korean Human Rights, and Evil New Year 2018.[1][2][3]

North Korean group definitions are known to have significant overlap, and some security researchers report all North Korean state-sponsored cyber activity under the name Lazarus Group instead of tracking clusters or subgroups.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 3b28abf51194acb7...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 3b28abf51194…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Volexity InkySquid BLUELIGHT August 2021: Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021.
  2. [2] BLUELIGHT (Citation: Volexity InkySquid BLUELIGHT August 2021)
  3. [3] mitre-attack S0657

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.