
S0680: LitePower

LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.[1]

Domain: Enterprise. ID: S0680. Type: Malware. Object version: 1.1.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

LitePower matters because it is described by ATT&CK as a Windows downloader and second-stage malware associated with WIRTE. For leaders, the key risk is not a single malware name but the post-compromise pattern it represents: execution through PowerShell/native APIs, persistence through scheduled tasks, host and security-tool discovery, screen capture, web-based command-and-control, tool transfer, and exfiltration over the C2 channel.

Executive priority

Prioritize LitePower as a validation case for Windows endpoint visibility, SOC triage readiness, and incident response decision-making around suspected second-stage malware. The ATT&CK relationship to WIRTE adds threat-intelligence relevance for organizations concerned with the diplomatic, financial, military, legal, technology, Middle East, North Africa, or Europe context described for that group, but local exposure must be assessed from organizational telemetry and threat model.

Technical view

Because ATT&CK provides no dedicated detection text for LitePower, defenders should validate coverage against the related techniques: PowerShell execution, scheduled task creation or modification, registry queries, user/system/security-software/storage discovery, screen capture behavior, inbound tool transfer, web-protocol C2, and exfiltration over an existing C2 channel. Treat this as a behavior cluster rather than a signature-only malware detection problem.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • PowerShell execution logs and script-block/module logging where available
  • Windows scheduled task creation, modification, and execution events
  • Registry access/query telemetry
  • Endpoint file creation and download evidence for transferred tools or payloads

Detection direction

  • Correlate PowerShell or native execution with discovery activity, scheduled task persistence, and outbound web traffic rather than relying on one event type.
  • Tune for suspicious scheduled tasks created by unusual users, paths, commands, or PowerShell-backed actions while accounting for legitimate administration software.
  • Review discovery patterns involving registry, logged-on user, system information, security tools, and local storage enumeration, especially when followed by external network communication.
  • Validate whether network monitoring can distinguish routine web traffic from unusual beaconing, file transfer, or data egress over HTTP/S-like channels.
  • Use the WIRTE relationship as enrichment for threat intelligence and prioritization, not as proof of attribution in an incident.
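The first bullet's correlation idea, written out as an added example (not code from the page, from Glexia or from ATT&CK): constructed Windows telemetry is mapped to the categories of the LitePower behaviour cluster and a host alerts only when several categories appear within one time window, so a lone PowerShell launch or scheduled task on an admin host never alerts on its own. The event shape, field names, window size, threshold and sample events are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
WINDOW = timedelta(minutes=30)   # per-host correlation window (assumed)
ALERT_THRESHOLD = 3              # distinct cluster categories needed to alert (assumed)

def categorize(event):
    """Map one constructed Sysmon/Security-style event to a cluster category, or None."""
    kind, data = event["kind"], event["data"].lower()
    if kind == "task_created" or (kind == "process" and "schtasks" in data and "/create" in data):
        return "scheduled_task"            # T1053.005 (Security 4698 / TaskScheduler 106 / schtasks)
    if kind == "process" and "powershell" in data:
        return "powershell_exec"           # T1059.001
    if kind == "registry_query":
        return "discovery"                 # T1012, also feeds T1082 / T1518.001 checks
    if kind == "file" and data.endswith(".png") and "\\appdata\\" in data:
        return "screen_capture_artifact"   # T1113: page notes screenshots saved under %AppData%
    if kind == "net" and data.startswith(("http://", "https://")):
        return "web_c2"                    # T1071.001 / T1041
    return None

def correlate(events):
    """Return {host: sorted categories} for hosts whose WINDOW holds >= ALERT_THRESHOLD categories."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        cat = categorize(e)
        if cat:
            by_host[e["host"]].append((e["ts"], cat))
    alerts = {}
    for host, items in by_host.items():
        for i, (start, _) in enumerate(items):          # slide the window over each start event
            cats = {c for t, c in items[i:] if t - start <= WINDOW}
            if len(cats) >= ALERT_THRESHOLD:
                alerts[host] = sorted(cats)
                break
    return alerts

T0 = datetime(2024, 1, 1, 9, 0)
def ev(host, minutes, kind, data):
    return {"host": host, "ts": T0 + timedelta(minutes=minutes), "kind": kind, "data": data}
SAMPLE_EVENTS = [  # constructed sample telemetry, not taken from the Kaspersky report
    ev("ws01", 0, "process", "powershell.exe -WindowStyle Hidden -File C:\\Users\\u\\AppData\\Roaming\\s.ps1"),
    ev("ws01", 1, "task_created", "\\Microsoft\\Windows\\Update\\svc"),
    ev("ws01", 2, "registry_query", "HKLM\\SOFTWARE\\Classes\\CLSID"),
    ev("ws01", 5, "file", "C:\\Users\\u\\AppData\\Roaming\\cap1.png"),
    ev("ws01", 6, "net", "https://203.0.113.10/index.php"),
    ev("admin02", 0, "process", "powershell.exe -File C:\\ops\\backup.ps1"),  # benign admin: only 2 categories
    ev("admin02", 3, "task_created", "\\Ops\\NightlyBackup"),
    ev("ws03", 0, "process", "powershell.exe -c Get-Date"),                    # same cluster spread over hours
    ev("ws03", 120, "registry_query", "HKLM\\SYSTEM\\CurrentControlSet"),
    ev("ws03", 240, "net", "https://example.com/"),
]
```

Running `correlate(SAMPLE_EVENTS)` flags only ws01; admin02 stays below the threshold and ws03's events fall outside any single window.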

Mitigation priorities

  • Harden and monitor PowerShell use, including administrative baselines and logging appropriate to the Windows environment.
  • Restrict and review scheduled task creation rights and maintain an auditable inventory of legitimate scheduled tasks.
  • Ensure endpoint controls and SOC playbooks cover downloader and second-stage malware scenarios, including containment, payload retrieval analysis, and C2 blocking decisions.
  • Apply least privilege and administrative control review to reduce the value of user, system, and security-tool discovery.
  • Validate egress controls and proxy logging so web-protocol C2 and exfiltration-over-C2 behaviors can be investigated.

Analyst notes and limits

LitePower is a software object, not a technique. Its practical value for defenders comes from the ATT&CK relationships to techniques it uses and the relationship indicating WIRTE use. The supplied object identifies Windows as the platform for LitePower, while several related techniques have broader platform lists; detection engineering should scope implementation to the local Windows estate unless other evidence exists.

ATT&CK provides no official detection guidance, no aliases, no labels, and no explicit tactics on the LitePower object itself. This take is based only on the supplied description, external references, and relationship context. It should not be read as evidence of current activity, customer exposure, guaranteed detection coverage, or confirmed attribution in any specific environment.

Official MITRE ATT&CK definition

LitePower

LitePower is a downloader and second stage malware that has been used by WIRTE since at least 2021.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1033 | System Owner/User Discovery | LitePower can determine if the current user has admin privileges. [1]
Enterprise | T1105 | Ingress Tool Transfer | LitePower has the ability to download payloads containing system commands to a compromised host. [1]
Enterprise | T1012 | Query Registry | LitePower can query the Registry for keys added to execute COM hijacking. [1]
Enterprise | T1059.001 | PowerShell (sub-technique) | LitePower can use a PowerShell script to execute commands. [1]
Enterprise | T1113 | Screen Capture | LitePower can take system screenshots and save them to `%AppData%`. [1]
Enterprise | T1106 | Native API | LitePower can use various API calls. [1]
Enterprise | T1071.001 | Web Protocols (sub-technique) | LitePower can use HTTP and HTTPS for C2 communications. [1]
Enterprise | T1041 | Exfiltration Over C2 Channel | LitePower can send collected data, including screenshots, over its C2 channel. [1]
Enterprise | T1053.005 | Scheduled Task (sub-technique) | LitePower can create a scheduled task to enable persistence mechanisms. [1]
Enterprise | T1680 | Local Storage Discovery | LitePower has the ability to list local drives. [1]
Enterprise | T1518.001 | Security Software Discovery (sub-technique) | LitePower can identify installed AV software. [1]
Enterprise | T1082 | System Information Discovery | LitePower has the ability to enumerate the OS architecture. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0090: WIRTE

WIRTE is a cyberespionage actor, believed to be a subgroup of the Hamas-affiliated Gaza Cybergang, that has been active since at least August 2018. WIRTE has targeted diplomatic, financial, military, legal, and technology organizations across the Middle East, North Africa, and in Europe to gather intelligence. WIRTE has remained persistently active despite the ongoing Israel-Hamas conflict and has expanded their operations to include wiper malware attacks against Israeli targets.[1][2][3][4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: e17a4d1b1c32c090...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | e17a4d1b1c32…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Kaspersky WIRTE November 2021: Yamout, M. (2021, November 29). WIRTE's campaign in the Middle East 'living off the land' since at least 2019. Retrieved February 1, 2022.
  2. [2] mitre-attack S0680.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.