S0672: Zox
Analyst context for executives and security teams
Zox is a Windows remote access tool in ATT&CK, associated through MITRE relationships with Axiom and a set of behaviors that matter for post-compromise operations: command and control hiding, local discovery, file collection, tool transfer, SMB-based lateral movement, and possible privilege escalation. For leaders, the value is not the malware name alone; it is a checklist for whether Windows endpoint, network, SMB, and vulnerability-management controls can prove visibility across an intrusion lifecycle.
Executive priority
Treat this as a resilience and assurance question: can the organization detect and investigate a Windows remote access tool that discovers local data, moves through SMB/admin shares, transfers additional tooling, and obscures command-and-control activity? Priority should be higher for environments where Axiom-relevant sectors or sensitive intellectual property are material, but local exposure must be validated with asset, identity, and telemetry evidence rather than assumed from ATT&CK alone.
Technical view
ATT&CK does not provide official detection text for Zox, so SOC and IR teams should validate coverage through the related techniques: T1001.002 Steganography, T1005 Data from Local System, T1021.002 SMB/Windows Admin Shares, T1027.013 Encrypted/Encoded File, T1057 Process Discovery, T1068 Exploitation for Privilege Escalation, T1083 File and Directory Discovery, T1105 Ingress Tool Transfer, and T1680 Local Storage Discovery. Because the malware platform is listed as Windows, prioritize Windows host telemetry and correlate it with SMB authentication/share access and outbound network activity that may include unusual file-based or encoded content transfers.
Likely telemetry
- Windows endpoint process execution and parent/child process activity related to discovery commands or utilities
- File system access, file enumeration, and local data staging indicators
- Local drive, disk, and volume enumeration evidence
- SMB/admin share authentication, remote share access, and lateral file movement logs
- Network egress metadata for command-and-control-like sessions and transferred files
Detection direction
- Do not rely on a Zox signature alone; validate behavior-based detections across discovery, collection, SMB movement, ingress tool transfer, and obfuscated or encoded files.
- Tune SMB/admin share detections against administrative baselines to reduce false positives while still alerting on unusual source hosts, accounts, timing, or share paths.
- Review whether network monitoring can surface suspicious file transfers or steganography-like patterns; ATT&CK notes this behavior can make C2 detection harder, so absence of alerts is not proof of absence.
- Correlate process and file discovery with later network transfer or SMB activity to distinguish benign administration from intrusion progression.
- Because official ATT&CK detection guidance is not provided, use local baselines, incident history, and controlled validation to determine whether current EDR/SIEM logic is adequate.
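The baseline-and-correlate approach described above, as an added illustration that is not part of the ATT&CK object or the Glexia mirror: share accesses are compared against learned (account, source host, share) baselines, flagged when off-hours, and correlated with earlier discovery activity on the same source host. All records, host names, accounts and share paths are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Share-access records mimic fields a
# SIEM would normalise from Windows share auditing: when, account, source host, share.
BASELINE_SHARE_ACCESS = [
    ("2024-03-04T09:15:00", "svc_patch", "PATCHSRV01", r"\\FS01\ADMIN$"),
    ("2024-03-05T09:20:00", "svc_patch", "PATCHSRV01", r"\\FS01\ADMIN$"),
    ("2024-03-05T10:02:00", "jsmith", "WKS-ADMIN7", r"\\FS01\C$"),
]
NEW_SHARE_ACCESS = [
    ("2024-03-12T09:18:00", "svc_patch", "PATCHSRV01", r"\\FS01\ADMIN$"),  # matches baseline
    ("2024-03-12T02:41:00", "jsmith", "WKS-HR22", r"\\FS01\C$"),          # new host, off-hours
    ("2024-03-12T14:05:00", "jsmith", "WKS-ADMIN7", r"\\FS02\ADMIN$"),    # new share path
]
# Constructed process-creation records: (timestamp, host, image name).
DISCOVERY_EVENTS = [
    ("2024-03-12T02:30:00", "WKS-HR22", "tasklist.exe"),
]

def build_baseline(share_events):
    """Learn which shares each (account, source host) pair normally touches."""
    baseline = defaultdict(set)
    for _, account, host, share in share_events:
        baseline[(account, host)].add(share)
    return baseline

def triage(share_events, baseline, discovery, work_hours=(7, 19), window=timedelta(hours=1)):
    """Return (event, reasons) for share accesses that deviate from the baseline."""
    findings = []
    for ev in share_events:
        ts, account, host, share = ev
        when = datetime.fromisoformat(ts)
        reasons = []
        if (account, host) not in baseline:
            reasons.append("account never seen from this source host")
        elif share not in baseline[(account, host)]:
            reasons.append("new share path for this account/host pair")
        if not work_hours[0] <= when.hour < work_hours[1]:
            reasons.append("outside working hours")
        # Correlation: discovery activity on the same source host shortly before the share access.
        for d_ts, d_host, image in discovery:
            if d_host == host and timedelta(0) <= when - datetime.fromisoformat(d_ts) <= window:
                reasons.append(f"preceded by discovery utility {image} on source host")
        if reasons:
            findings.append((ev, reasons))
    return findings
```

In a real deployment the baseline would be learned from a trusted administrative period and the reasons fed into alert scoring rather than raised individually.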
Mitigation priorities
- Prioritize least-privilege access and tight control of Windows administrative shares and accounts used for SMB access.
- Maintain vulnerability management and patching discipline for privilege-escalation exposure referenced by T1068.
- Ensure Windows endpoint detection, file auditing where appropriate, and network egress monitoring are retained long enough for incident reconstruction.
- Restrict and monitor tool transfer paths, especially external downloads and movement of executables or encoded files inside the environment.
- Prepare IR playbooks that connect remote access, discovery, collection, SMB movement, and C2 investigation rather than treating each alert as isolated.
Analyst notes and limits
The most decision-relevant context is the combination of a Windows RAT, its association with Axiom in ATT&CK, and its linked techniques spanning command and control, discovery, collection, lateral movement, privilege escalation, stealth, and tool transfer. This supports a control-validation discussion across SOC, IR, identity, endpoint, network, and vulnerability-management teams.
The supplied ATT&CK object is sparse: Zox has no official detection text, no object-level tactics listed, and only Windows is specified as the malware platform. Related technique platform lists are broader and should not be interpreted as Zox platform support. No claim is made here about current active exploitation, customer exposure, or guaranteed detection coverage.
Zox
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | Zox has been encoded with Base64. [1] |
| Enterprise | T1001.002 | Steganography (sub-technique) | Zox has used the .PNG file format for C2 communications. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Zox can download files to a compromised machine. [1] |
| Enterprise | T1083 | File and Directory Discovery | Zox can enumerate files on a compromised host. [1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | Zox has the ability to use SMB for communication. [1] |
| Enterprise | T1005 | Data from Local System | Zox has the ability to upload files from a targeted system. [1] |
| Enterprise | T1057 | Process Discovery | Zox has the ability to list processes. [1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Zox has the ability to leverage local and remote exploits to escalate privileges. [1] |
| Enterprise | T1680 | Local Storage Discovery | Zox can enumerate attached drives. [1] |
Groups, software, and campaigns
G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 98dfa6c77ffd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Novetta-Axiom: Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- [2] Gresim (Citation: Novetta-Axiom)
- [3] ZoxPNG (Citation: Novetta-Axiom)
- [4] ZoxRPC (Citation: Novetta-Axiom)
- [5] mitre-attack: S0672
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.