S0664: Pandora
Pandora is a multistage kernel rootkit with backdoor functionality that has been in use by Threat Group-3390 since at least 2020.[1]
Analyst context for executives and security teams
Pandora matters because ATT&CK describes it as a Windows, multistage kernel rootkit with backdoor functionality. That combination is material for resilience: kernel-level presence can undermine endpoint trust, while backdoor and command-and-control behaviors can extend dwell time and complicate incident scoping. Security leaders should treat this as a test of whether Windows endpoints, privileged changes, service activity, and outbound web-like traffic are visible enough to support containment decisions.
Executive priority
Prioritize Pandora as a control-validation scenario, not just a malware name. The business question is whether the organization can prove it would notice suspicious Windows service changes, registry modification, code-signing policy weakening, privilege-escalation attempts, tool transfer, and covert web-protocol command traffic. This is especially relevant for audit evidence around endpoint protection, privileged access governance, vulnerability management, and incident response readiness when a system may no longer be trustworthy.
Technical view
ATT&CK lists Pandora for Windows and relates it to techniques covering compression, process injection, process discovery, exploitation for privilege escalation, web-protocol C2, ingress tool transfer, registry modification, traffic signaling, Windows service persistence/execution, code-signing policy modification, symmetric cryptography, and DLL abuse. SOC and IR teams should validate chained detections rather than single indicators: kernel/rootkit suspicion plus service or registry changes, possible driver/code-signing tampering, process injection, file transfer, and unusual HTTP/S or encrypted traffic patterns. ATT&CK provides no official detection text for this software, so local telemetry quality and correlation logic are decisive.
Likely telemetry
- Windows service creation, modification, and execution events
- Windows Registry modification events, especially persistence- and service-related keys
- Driver or kernel-module load events and code-signing enforcement changes
- Process creation, process access, and injection-related endpoint telemetry
- Process discovery activity from command-line tools, APIs, or security logs
Detection direction
- Confirm Windows endpoint telemetry can observe kernel driver activity, service control manager abuse, registry changes, DLL loading, and process injection behaviors.
- Correlate web-protocol command-and-control indicators with host-side events such as new services, registry persistence, file transfer, or injected processes.
- Treat process discovery and service administration carefully: they are common in legitimate administration, so tune detections around unusual parent processes, timing, privilege context, new binaries, and external network correlation.
- Validate visibility into code-signing policy modification because ATT&CK relates Pandora to Code Signing Policy Modification, a meaningful blind spot for rootkit-style activity.
- Hunt for technique clusters from the ATT&CK relationships rather than relying on malware-specific signatures, since no official ATT&CK detection guidance or indicators are supplied.
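The technical view above argues for chained detections rather than single indicators. The following is an added illustration of that idea (not part of the ATT&CK object, the Trend Micro report, or any Glexia tooling): it correlates the host-side signals the Pandora relationships point at (service install, a registry write under the Services hive, an unsigned driver load, injection into `svchost.exe`, and outbound HTTP) inside a per-host time window, and only fires when several distinct techniques co-occur and at least one integrity-relevant signal is present. The event records are constructed samples modelled loosely on Windows System 7045 and Sysmon event types; the field names, the `SAMPLE_EVENTS` data, the window size and the threshold are assumptions chosen for the example, not vendor schemas or tuned production values.

```python
"""Chained detection over Windows host telemetry (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real indicators). Field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "ws01", "kind": "service_install",
     "detail": {"name": "WinSyncHelper", "image": "C:\\ProgramData\\sync\\helper.exe"}},
    {"ts": "2024-05-01T09:00:09", "host": "ws01", "kind": "registry_set",
     "detail": {"key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinSyncHelper\\Parameters\\Token"}},
    {"ts": "2024-05-01T09:00:20", "host": "ws01", "kind": "driver_load",
     "detail": {"image": "C:\\ProgramData\\sync\\hlp.sys", "signed": False}},
    {"ts": "2024-05-01T09:00:31", "host": "ws01", "kind": "process_inject",
     "detail": {"source": "helper.exe", "target": "svchost.exe"}},
    {"ts": "2024-05-01T09:01:02", "host": "ws01", "kind": "http_out",
     "detail": {"dst": "203.0.113.10", "method": "POST"}},
    # Benign-looking admin activity on a second host: a service install plus one
    # outbound request should not be enough to raise an alert on its own.
    {"ts": "2024-05-01T10:15:00", "host": "ws02", "kind": "service_install",
     "detail": {"name": "BackupAgent", "image": "C:\\Program Files\\Backup\\agent.exe"}},
    {"ts": "2024-05-01T10:15:10", "host": "ws02", "kind": "http_out",
     "detail": {"dst": "198.51.100.7", "method": "GET"}},
]

WINDOW = timedelta(minutes=10)          # assumed correlation window
MIN_TECHNIQUES = 3                      # assumed threshold of distinct techniques
SERVICES_HIVE = "HKLM\\SYSTEM\\CURRENTCONTROLSET\\SERVICES\\"
# Signals that speak to kernel/driver integrity; at least one must be present.
INTEGRITY_SIGNALS = {"T1553.006", "T1112"}


def classify(event):
    """Map one event to the ATT&CK technique it evidences, or None if uninteresting."""
    kind, d = event["kind"], event["detail"]
    if kind == "service_install":
        return "T1543.003"                       # new Windows service
    if kind == "registry_set" and d["key"].upper().startswith(SERVICES_HIVE):
        return "T1112"                           # registry write under Services
    if kind == "driver_load" and not d.get("signed", True):
        return "T1553.006"                       # unsigned driver got loaded
    if kind == "process_inject" and d["target"].lower() == "svchost.exe":
        return "T1055"                           # injection into svchost
    if kind == "http_out":
        return "T1071.001"                       # outbound web-protocol traffic
    return None


def correlate(events, window=WINDOW, min_techniques=MIN_TECHNIQUES):
    """Return one alert per host whose events show >= min_techniques distinct
    techniques inside `window`, including at least one integrity signal."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        technique = classify(e)
        if technique:
            by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), technique))

    alerts = []
    for host, seq in by_host.items():
        for i, (start, _) in enumerate(seq):
            # Sliding window anchored at each event in time order.
            techniques = {t for ts, t in seq[i:] if ts - start <= window}
            if len(techniques) >= min_techniques and techniques & INTEGRITY_SIGNALS:
                alerts.append({"host": host, "start": start.isoformat(),
                               "techniques": sorted(techniques)})
                break  # one alert per host is enough for this illustration
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as a script, it reports a single alert for `ws01` listing the five techniques, and nothing for `ws02`. The threshold and the requirement for an integrity signal are the tuning knobs the detection-direction list talks about: raising `MIN_TECHNIQUES` or widening `INTEGRITY_SIGNALS` trades missed chains against noise from routine service administration.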
Mitigation priorities
- Maintain aggressive vulnerability and patch management for Windows privilege-escalation exposure referenced by the related Exploitation for Privilege Escalation technique.
- Restrict and monitor administrative rights that can create services, modify sensitive registry locations, load drivers, or alter code-signing policy.
- Enforce endpoint hardening around driver loading, signed code expectations, service creation, and DLL search-order risk where operationally feasible.
- Apply egress governance and monitoring for outbound web-protocol traffic so command-and-control and tool-transfer behavior can be investigated quickly.
- Prepare IR procedures for suspected kernel-level compromise, including containment, trusted forensic collection, credential risk review, and rebuild decisions when endpoint integrity cannot be assured.
Analyst notes and limits
ATT&CK associates Pandora with Threat Group-3390 and Cinnamon Tempest through use relationships; that context can support threat-informed prioritization, but it should not be treated as local attribution without incident evidence. The most useful defender action is to map the related techniques to existing Windows telemetry, alert logic, and response playbooks.
The supplied ATT&CK object has no official detection text, no tactics listed directly on the malware object, no aliases, and no supplied indicators of compromise. Conclusions are limited to the official description, external reference, platform field, and relationship context provided.
Pandora
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | Pandora can load additional drivers and files onto a victim machine.[1] |
| Enterprise | T1574.001 | DLL Sub-technique | Pandora can use DLL side-loading to execute malicious payloads.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Pandora has the ability to encrypt communications with D3DES.[1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Pandora can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver.[1] |
| Enterprise | T1543.003 | Windows Service Sub-technique | Pandora has the ability to gain system privileges through Windows services.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Pandora can communicate over HTTP.[1] |
| Enterprise | T1057 | Process Discovery | Pandora can monitor processes on a compromised host.[1] |
| Enterprise | T1205 | Traffic Signaling | Pandora can identify if incoming HTTP traffic contains a token and, if so, it will intercept the traffic and process the received command.[1] |
| Enterprise | T1027.015 | Compression Sub-technique | Pandora has the ability to compress strings with QuickLZ.[1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | Pandora has the ability to install itself as a Windows service.[1] |
| Enterprise | T1553.006 | Code Signing Policy Modification Sub-technique | Pandora can use CVE-2017-15303 to disable Windows Driver Signature Enforcement (DSE) protection and load its driver.[1] |
| Enterprise | T1055 | Process Injection | Pandora can start and inject code into a new `svchost` process.[1] |
| Enterprise | T1112 | Modify Registry | Pandora can write an encrypted token to the Registry to enable processing of remote commands.[1] |
Groups, software, and campaigns
G1021: Cinnamon Tempest
Cinnamon Tempest is a China-based threat group that has been active since at least 2021 deploying multiple strains of ransomware based on the leaked Babuk source code. Cinnamon Tempest does not operate their ransomware on an affiliate model or purchase access but appears to act independently in all stages of the attack lifecycle. Based on victimology, the short lifespan of each ransomware variant, and use of malware attributed to government-sponsored threat groups, Cinnamon Tempest may be motivated by intellectual property theft or cyberespionage rather than financial gain.[1][2][3][4]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | eacca8b4d496… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trend Micro Iron Tiger April 2021: Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021.
[2] mitre-attack S0664
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.