S0678: Torisma
Torisma is a second stage implant designed for specialized monitoring that has been used by Lazarus Group. Torisma was discovered during an investigation into the 2020 Operation North Star campaign that targeted the defense sector.[1]
Analyst context for executives and security teams
Torisma is a Windows second-stage implant that ATT&CK describes as designed for specialized monitoring and attributes to Lazarus Group use. Its significance is not the malware name itself but the behaviors ATT&CK ties to it: discovery of local and network context, concealment of artifacts, command and control over web protocols with encoding and encryption, and exfiltration over that same channel. For leaders, that makes Torisma a concrete reference point for resilience questions about sensitive Windows environments, especially where defense-sector-style espionage risk is a concern.
Executive priority
Prioritize evidence that the organization can detect and investigate stealthy second-stage activity after initial access. Ask whether SOC and IR teams can prove coverage for Windows endpoint visibility, outbound web traffic analysis, encoded/encrypted C2 patterns, and data movement over existing C2 channels. This is also useful audit evidence for logging, monitoring, egress control, and incident response readiness; ATT&CK does not provide active exploitation status or customer exposure.
Technical view
ATT&CK lists Torisma on Windows and relates it to discovery, stealth, execution, command-and-control, and exfiltration techniques including System Network Configuration Discovery, System Network Connections Discovery, System Time Discovery, Local Storage Discovery, Native API, Software Packing, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Execution Guardrails, Web Protocols, Standard Encoding, Symmetric Cryptography, and Exfiltration Over C2 Channel. SOC teams should validate detections around suspicious Windows process behavior, packed or encoded payloads, decode/deobfuscation activity, environment checks, web-based outbound communications, and data leaving through the same channel used for C2.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Endpoint file creation/modification metadata for packed, encoded, or unusual executable artifacts
- EDR memory/process behavior telemetry where available, especially for native API-heavy behavior
- Network proxy, firewall, DNS, and web gateway logs for outbound HTTP/S-style communications
- TLS/session metadata and destination reputation/context where content inspection is unavailable
Detection direction
- Because ATT&CK provides no official detection text, build coverage from the related technique cluster rather than a single malware signature.
- Correlate Windows discovery activity with unusual outbound web communications and encoded/encrypted payload patterns.
- Tune for false positives from legitimate administration tools, inventory agents, backup software, and normal encrypted web traffic.
- Validate blind spots around packed binaries, encrypted files, TLS visibility limits, lack of command-line logging, and malware execution guardrails that may suppress behavior in sandboxes.
- Use relationship context from Operation Dream Job and the cited Operation North Star reporting as intelligence context, not as proof of current activity in the environment.
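The correlation the points above describe, as an added example that is not code from the ATT&CK page or the McAfee report: it groups constructed Windows telemetry by host and process, and raises an alert only when a process with outbound web traffic to an external address also shows at least two of the weaker signals (an unsigned image or one in a user-writable path, a burst of the discovery APIs the technique table names, or a Base64-shaped high-entropy POST to the same destination). The event schema, the `api` event type (assumed to come from an EDR that exposes API telemetry), the thresholds, and every path, IP and body in the sample are assumptions chosen for the demo.

```python
import base64
import ipaddress
import math
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Windows APIs the ATT&CK technique table attributes to Torisma's discovery behaviour.
DISCOVERY_APIS = {"GetAdaptersInfo", "WTSEnumerateSessionsW", "GetLogicalDrives", "GetDriveType"}
# Path fragments that mark user-writable drop locations (matched lower-cased).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
B64_RE = re.compile(r"^[A-Za-z0-9+/]{32,}={0,2}$")
WINDOW = timedelta(minutes=5)   # assumed proxy/netconn pairing window


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; packed or encrypted content sits close to 8."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_like_encoded_blob(body: str, min_entropy: float = 6.0) -> bool:
    """Base64-shaped text whose decoded bytes are high-entropy."""
    if not B64_RE.match(body):
        return False
    return shannon_entropy(base64.b64decode(body)) >= min_entropy


def is_external(ip: str) -> bool:
    """Plain RFC 1918/loopback/link-local check. ipaddress.is_global is not
    used because it also rejects the documentation ranges in the sample data."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def correlate(events):
    """Group telemetry by (host, pid). Alert on a process with outbound web traffic
    to an external IP when at least two further signals hold: unsigned or
    user-writable image, two or more discovery APIs seen, or an encoded
    high-entropy POST to the same destination within WINDOW."""
    procs, apis, conns, posts = {}, defaultdict(set), defaultdict(list), defaultdict(list)
    for e in events:
        key = (e["host"], e.get("pid"))
        if e["type"] == "process":
            procs[key] = e
        elif e["type"] == "api":
            apis[key].add(e["api"])
        elif e["type"] == "netconn" and e["dport"] in (80, 443):
            conns[key].append(e)
        elif e["type"] == "proxy" and e["method"] == "POST":
            posts[e["host"]].append(e)
    alerts = []
    for key, conn_list in conns.items():
        proc = procs.get(key)
        if proc is None:
            continue
        for c in conn_list:
            if not is_external(c["dst"]):
                continue
            t, reasons = parse_ts(c["ts"]), []
            if not proc["signed"] or any(m in proc["image"].lower() for m in USER_WRITABLE):
                reasons.append("unsigned or user-writable image path")
            seen = sorted(apis[key] & DISCOVERY_APIS)
            if len(seen) >= 2:
                reasons.append("discovery API burst: " + ", ".join(seen))
            if any(p["dst"] == c["dst"] and abs(parse_ts(p["ts"]) - t) <= WINDOW
                   and looks_like_encoded_blob(p["body"]) for p in posts[key[0]]):
                reasons.append("encoded high-entropy POST to same destination")
            if len(reasons) >= 2:
                alerts.append({"host": key[0], "pid": key[1], "image": proc["image"],
                               "dst": c["dst"], "reasons": reasons})
    return alerts


# Constructed sample telemetry: documentation IPs and made-up paths, not real IOCs.
SUSPECT_BODY = base64.b64encode(bytes((i * 73 + 11) % 256 for i in range(200))).decode()
SAMPLE_EVENTS = [
    {"type": "process", "ts": "2020-11-05T08:14:50Z", "host": "WS-042", "pid": 4120,
     "image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "signed": False},
    {"type": "api", "ts": "2020-11-05T08:14:55Z", "host": "WS-042", "pid": 4120, "api": "GetAdaptersInfo"},
    {"type": "api", "ts": "2020-11-05T08:14:56Z", "host": "WS-042", "pid": 4120, "api": "GetLogicalDrives"},
    {"type": "api", "ts": "2020-11-05T08:14:57Z", "host": "WS-042", "pid": 4120, "api": "WTSEnumerateSessionsW"},
    {"type": "netconn", "ts": "2020-11-05T08:15:02Z", "host": "WS-042", "pid": 4120, "dst": "203.0.113.10", "dport": 443},
    {"type": "proxy", "ts": "2020-11-05T08:15:03Z", "host": "WS-042", "method": "POST", "dst": "203.0.113.10",
     "url": "https://203.0.113.10/board.php", "body": SUSPECT_BODY},
    # Benign control: signed Office binary in Program Files posting a form body.
    {"type": "process", "ts": "2020-11-05T08:10:00Z", "host": "WS-042", "pid": 2216,
     "image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "signed": True},
    {"type": "netconn", "ts": "2020-11-05T08:15:10Z", "host": "WS-042", "pid": 2216, "dst": "198.51.100.20", "dport": 443},
    {"type": "proxy", "ts": "2020-11-05T08:15:11Z", "host": "WS-042", "method": "POST", "dst": "198.51.100.20",
     "url": "https://198.51.100.20/owa/", "body": "user=jdoe&action=sync"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample, only the process in the user's Temp directory is reported, with all three reasons; the Office process, which also posts to an external host, produces nothing because it carries none of the secondary signals. In production the `api` signal is the one most likely to be missing, which is exactly the blind spot the list above calls out, so the remaining two signals should be tuned against baseline proxy traffic before the rule is allowed to page anyone.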
Mitigation priorities
- Ensure Windows endpoint monitoring and response controls are deployed on systems that handle sensitive operations or data.
- Restrict and monitor outbound web traffic with egress controls, proxy logging, and allow/deny policy appropriate to business need.
- Harden detection and response playbooks for second-stage implants: triage endpoint artifacts, preserve memory where needed, and investigate C2-linked data movement.
- Use application control and malware prevention where feasible to reduce execution of unknown packed or encoded binaries.
- Maintain logging retention and investigation procedures sufficient to demonstrate monitoring and response readiness for compliance or governance reviews.
Analyst notes and limits
Torisma is linked by ATT&CK to Lazarus Group use and was discovered during investigation of the 2020 Operation North Star campaign targeting the defense sector. The relationship context also connects it to Operation Dream Job. The practical defensive value is in validating coverage across its related behaviors, especially stealth, discovery, web C2, and exfiltration over C2.
The supplied ATT&CK object has no official detection guidance, no aliases, no labels, no explicit malware tactics, and only Windows as the listed platform. This analysis does not include IOCs, active exploitation claims, or guaranteed detection logic; local telemetry and environment-specific baselining are required.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Torisma has been Base64 encoded and AES encrypted.[1] |
| Enterprise | T1106 | Native API | Torisma has used various Windows API calls.[1] |
| Enterprise | T1680 | Local Storage Discovery | Torisma can use `GetLogicalDrives` to get a bitmask of all drives available on a compromised system. It can also use `GetDriveType` to determine if a new drive is a CD-ROM drive.[1] |
| Enterprise | T1124 | System Time Discovery | Torisma can collect the current time on a victim machine.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Torisma can send victim data to an actor-controlled C2 server.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Torisma has encoded C2 communications with Base64.[1] |
| Enterprise | T1480 | Execution Guardrails | Torisma is only delivered to a compromised host if the victim's IP address is on an allow-list.[1] |
| Enterprise | T1049 | System Network Connections Discovery | Torisma can use `WTSEnumerateSessionsW` to monitor remote desktop connections.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Torisma has used XOR and Base64 to decode C2 data.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Torisma has been packed with lz4 compression.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Torisma has encrypted its C2 communications using XOR and VEST-32.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Torisma can use HTTP and HTTPS for C2 communications.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Torisma can collect the local MAC address using `GetAdaptersInfo` as well as the system's IP address.[1] |
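The T1132.001 and T1140 rows describe C2 data that is Base64 encoded and XOR obfuscated. The following Python helper is an added example, not code from the ATT&CK page or the McAfee report: it models that two-layer scheme (Base64 first, then XOR; the layering order, the single-byte key and the beacon text are assumptions for the demo) and, more usefully for incident response, recovers an unknown single-byte XOR key by keeping only the candidates whose output is still valid Base64 and decodes to printable text. The VEST-32 layer the T1573.001 row mentions is not reproduced.

```python
import base64
import string

# Constructed sample beacon; not real Torisma traffic or key material.
SAMPLE_PLAINTEXT = b"host=WS-042;ip=10.0.0.15;mac=00-0C-29-4E-1A-7B;time=2020-11-05T08:15:00Z"
SAMPLE_KEY = b"\x5a"             # assumed single-byte XOR key for the demo
PRINTABLE = set(string.printable.encode("ascii"))


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_c2(plaintext: bytes, key: bytes) -> bytes:
    """Sender side as assumed here: Base64-encode, then XOR the text."""
    return xor_bytes(base64.b64encode(plaintext), key)


def decode_c2(blob: bytes, key: bytes) -> bytes:
    """Receiver side: strip the XOR layer, then Base64-decode.
    validate=True makes a wrong key fail loudly instead of returning junk."""
    return base64.b64decode(xor_bytes(blob, key), validate=True)


def printable_ratio(data: bytes) -> float:
    """Share of bytes that are printable ASCII; a cheap plaintext heuristic."""
    if not data:
        return 0.0
    return sum(b in PRINTABLE for b in data) / len(data)


def recover_single_byte_key(blob: bytes, min_ratio: float = 0.95):
    """Brute-force all 256 single-byte keys. A candidate survives only if the
    XOR-stripped text is valid Base64 and decodes to mostly printable bytes.
    Returns (key, plaintext) pairs; any digit or '=' in the Base64 text rules
    out the case-swapping key (true key XOR 0x20), so usually exactly one."""
    hits = []
    for k in range(256):
        try:
            candidate = decode_c2(blob, bytes([k]))
        except ValueError:           # binascii.Error is a ValueError subclass
            continue
        if printable_ratio(candidate) >= min_ratio:
            hits.append((k, candidate))
    return hits


SAMPLE_BLOB = encode_c2(SAMPLE_PLAINTEXT, SAMPLE_KEY)

if __name__ == "__main__":
    for key, text in recover_single_byte_key(SAMPLE_BLOB):
        print(f"key=0x{key:02x} -> {text.decode()}")
```

If the real traffic turns out to apply XOR before Base64 rather than after, swap the order of the two calls in `encode_c2` and `decode_c2`; the key-recovery loop is otherwise unchanged. For multi-byte keys the same validity-plus-printability filter works, but the search must be done per key position rather than over 256 whole-message candidates.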
Groups, software, and campaigns
C0022: Operation Dream Job
Operation Dream Job was a cyber espionage operation likely conducted by Lazarus Group that targeted the defense, aerospace, government, and other sectors in the United States, Israel, Australia, Russia, and India. In at least one case, the cyber actors tried to monetize their network access to conduct a business email compromise (BEC) operation. In 2020, security researchers noted overlapping TTPs, to include fake job lures and code similarities, between Operation Dream Job, Operation North Star, and Operation Interception; by 2022 security researchers described Operation Dream Job as an umbrella term covering both Operation Interception and Operation North Star.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 278d5fe2cc14… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] McAfee Lazarus Nov 2020: Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021.
- [2] MITRE ATT&CK: S0678, Torisma.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.