S0679: Ferocious
Analyst context for executives and security teams
Ferocious matters because it is a Windows first-stage implant built from VBS and PowerShell, two common administrative scripting technologies. For leaders, the decision point is whether the organization can distinguish legitimate scripting from early intrusion activity before an operator pivots into discovery, persistence, or defense-evasion behaviors.
Executive priority
Prioritize validation of Windows script execution visibility, registry change monitoring, and investigation playbooks for suspicious PowerShell/VBS activity. ATT&CK associates Ferocious with WIRTE, a cyberespionage group targeting several sectors and regions, but local risk should be based on the organization’s geography, sector, exposure, and observed telemetry rather than assuming direct targeting.
Technical view
SOC and IR teams should treat Ferocious as a script-based first-stage Windows implant with relationship-driven behaviors: PowerShell execution, Visual Basic execution, file deletion, system and peripheral discovery, security software discovery, system checks, registry modification, and possible COM hijacking persistence. Because ATT&CK provides no dedicated detection text for this malware object, coverage should be validated through the related techniques rather than a single malware signature.
Likely telemetry
- Windows process creation events for powershell.exe, wscript.exe, cscript.exe, and related script hosts
- PowerShell script block, module, and command-line logging where enabled
- File creation and deletion telemetry for temporary, user-profile, and script execution paths
- Windows Registry modification events, especially changes relevant to persistence or COM references
- Endpoint security alerts and sensor health data indicating security software discovery or tampering-adjacent behavior
Detection direction
- Baseline legitimate administrative PowerShell and VBS usage before alerting broadly, since these tools are commonly used for benign operations.
- Correlate script execution with discovery activity, registry modification, file deletion, and security software discovery to reduce false positives.
- Validate visibility into COM-related registry changes because persistence through COM hijacking can be missed if registry telemetry is limited.
- Review gaps in PowerShell logging, command-line capture, and script host monitoring; these gaps materially affect detection of this object’s documented behaviors.
- Use the WIRTE relationship as threat-intelligence context, not as proof of local exposure or active targeting.
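Added example (not part of the original page or of ATT&CK) showing the correlation the detection points above describe: registry writes to per-user CLSID InprocServer32 keys, the location used for COM hijacking persistence, scored higher when the writer is a script host or one started shortly before. Event format and sample lines are constructed, not real Sysmon output.

```python
import re
from datetime import datetime, timedelta

# Script hosts worth correlating with (see the telemetry list above).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Per-user CLSID InprocServer32 writes: where COM hijacking persistence is registered.
COM_HIJACK_KEY = re.compile(
    r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9A-Fa-f-]{36}\}\\InprocServer32\\",
    re.IGNORECASE,
)

# Constructed sample events, simplified Sysmon-like: ts|event_id|image|detail
# event 1 = process creation (detail = command line), 13 = registry value set (detail = key).
SAMPLE_EVENTS = r"""
10:00:01|1|C:\Windows\System32\wscript.exe|C:\Users\alice\AppData\Local\Temp\invoice.vbs
10:00:03|13|C:\Windows\System32\wscript.exe|HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32\(Default)
10:05:00|1|C:\Program Files\VendorApp\setup.exe|/quiet
10:05:02|13|C:\Program Files\VendorApp\setup.exe|HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000002}\InprocServer32\(Default)
10:09:00|13|C:\Windows\explorer.exe|HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\a
10:20:00|13|C:\Program Files\VendorApp\setup.exe|HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000003}\InprocServer32\(Default)
"""

def parse_events(text):
    """Parse the constructed pipe-delimited format into dicts with a lowercased exe name."""
    events = []
    for line in text.strip().splitlines():
        ts, event_id, image, detail = line.split("|", 3)
        events.append({"ts": datetime.strptime(ts, "%H:%M:%S"), "event_id": int(event_id),
                       "image": image, "exe": image.rsplit("\\", 1)[-1].lower(), "detail": detail})
    return events

def detect_com_hijack(text, window_seconds=60):
    """Flag HKCU CLSID InprocServer32 writes; severity rises with script-host correlation."""
    events = parse_events(text)
    findings = []
    for ev in events:
        if ev["event_id"] != 13 or not COM_HIJACK_KEY.match(ev["detail"]):
            continue
        start = ev["ts"] - timedelta(seconds=window_seconds)
        # Did a script host start within the window before this registry write?
        recent_script_host = any(e["event_id"] == 1 and e["exe"] in SCRIPT_HOSTS
                                 and start <= e["ts"] <= ev["ts"] for e in events)
        writer_is_script_host = ev["exe"] in SCRIPT_HOSTS
        if writer_is_script_host and recent_script_host:
            severity = "high"
        elif writer_is_script_host or recent_script_host:
            severity = "medium"
        else:
            severity = "low"  # installer-style write: keep for baselining, not alerting
        findings.append({"ts": ev["ts"].strftime("%H:%M:%S"), "writer": ev["exe"],
                         "key": ev["detail"], "severity": severity})
    return findings
```

On the sample, the wscript.exe write two seconds after a .vbs launch scores high, the HKLM write and RunMRU noise are ignored, and the later installer write to HKCU scores low.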
Mitigation priorities
- Harden and monitor Windows scripting environments, including PowerShell and legacy script hosts, according to business need.
- Restrict unnecessary script execution and administrative scripting privileges where operationally feasible.
- Protect and monitor registry locations used for persistence, including COM-related references.
- Ensure endpoint logging and EDR policies retain enough process, script, file, and registry evidence for incident reconstruction.
- Prepare IR triage steps for script-based first-stage implants, including collection of executed scripts, command lines, registry changes, and deleted-file evidence where available.
Analyst notes and limits
The strongest defensive value comes from mapping Ferocious to its related ATT&CK techniques. Its business relevance is less about a unique malware family signature and more about whether Windows endpoints expose enough scripting, registry, discovery, and deletion telemetry to identify an early-stage implant workflow.
ATT&CK does not provide official detection guidance for Ferocious, and the object lists no tactics directly. This take is limited to the official description, external reference, Windows platform field, and supplied relationships. Local telemetry, asset criticality, sector exposure, and incident evidence are required to determine actual risk or coverage.
Ferocious
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.005 | Visual Basic Sub-technique | Ferocious has the ability to use Visual Basic scripts for execution.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | Ferocious can run |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Ferocious has checked for AV software as part of its persistence process.[1] |
| Enterprise | T1546.015 | Component Object Model Hijacking Sub-technique | Ferocious can use COM hijacking to establish persistence.[1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Ferocious can use PowerShell scripts for execution.[1] |
| Enterprise | T1497.001 | System Checks Sub-technique | Ferocious can run anti-sandbox checks using the Microsoft Excel 4.0 function |
| Enterprise | T1082 | System Information Discovery | Ferocious can use |
| Enterprise | T1070.004 | File Deletion Sub-technique | Ferocious can delete files from a compromised host.[1] |
| Enterprise | T1112 | Modify Registry | Ferocious has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms.[1] |
Groups, software, and campaigns
G0090: WIRTE
WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | de3ff4f84aee… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Kaspersky WIRTE November 2021: Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022.
[2] mitre-attack S0679 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.