
S0691: Neoichor

Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea.[1]

Enterprise | S0691 | Malware | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Neoichor matters because it is a Windows C2 malware entry associated in ATT&CK with Ke3chang and linked to behaviors that support discovery, collection, command-and-control, tool transfer, registry modification, COM-based execution, and indicator removal. For leaders, the decision value is not a single malware name; it is whether the organization can prove it would see a compromised Windows host being profiled, communicating over web protocols, receiving additional tools, modifying the Registry, and attempting to reduce evidence.

Executive priority

Prioritize Neoichor as a readiness check for targeted-intrusion response: endpoint visibility, web egress monitoring, Windows Registry auditing, and incident evidence preservation. The relationship context references Ke3chang targeting oil, government, diplomatic, military, and NGO entities across multiple regions, so organizations with similar missions should use this as a control-validation scenario for resilience, sensitive-data protection, and audit evidence. ATT&CK provides no official detection text, so leadership should ask for demonstrated telemetry and tested detections rather than assuming coverage from malware naming alone.

Technical view

Scope validation to Windows because that is the supplied platform for Neoichor. Build detection and IR review around the related techniques: local data access (T1005), network and Internet connectivity discovery (T1016, T1016.001), user and system discovery (T1033, T1082, T1614.001), web-protocol C2 (T1071.001), ingress tool transfer (T1105), Registry modification (T1112), COM execution (T1559.001), and indicator removal (T1070). Since no official detection is provided, SOC teams should correlate endpoint process, registry, file, and network events rather than rely on a single signature.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Windows Registry modification events and related process context
  • COM activity or process relationships consistent with COM-based execution
  • File creation, modification, access, and deletion evidence on local systems
  • Endpoint evidence of discovery commands or API-driven collection of user, system, language, network, and Internet connectivity details

Detection direction

  • Validate that Windows endpoint telemetry can connect discovery behavior, Registry modification, COM execution, file access, and outbound web communications into one host-level timeline.
  • Tune web-protocol C2 analytics for unusual destinations, timing, user-agent or process-to-network relationships, and hosts that also show discovery or tool-transfer behavior; avoid treating HTTP/S alone as suspicious without context.
  • Review false positives from legitimate administration, software deployment, inventory tools, and helpdesk activity, especially for system discovery, Registry changes, and file transfer.
  • Confirm whether log retention and endpoint controls preserve enough evidence to investigate indicator removal; absence of logs should be treated as an investigation risk, not proof of no activity.
  • Use the Ke3chang relationship as threat-intelligence context, but do not turn it into attribution without local evidence.

Mitigation priorities

  • Establish baseline Windows endpoint logging for process, registry, file, and network activity before relying on detections for this behavior set.
  • Restrict and monitor unnecessary outbound web access from endpoints, especially where direct Internet access is not required.
  • Harden Windows administrative permissions around Registry modification and local execution paths, including review of privileged account use.
  • Control software and tool transfer through approved channels and monitor unexpected downloads or dropped files on endpoints.
  • Prepare IR playbooks that preserve volatile and endpoint evidence quickly when indicator-removal behavior is suspected.

Analyst notes and limits

Neoichor is described by ATT&CK as C2 malware used by Ke3chang since at least 2019, with Microsoft’s December 2021 NICKEL reporting as the cited source. The software object itself has no tactics listed and no official detection guidance, so this take uses the supplied relationships to ATT&CK techniques to frame practical validation priorities.

This assessment is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish current activity, victim exposure, exploit method, infrastructure, indicators of compromise, or guaranteed detection coverage. Local telemetry, baselines, and incident evidence are required to determine relevance in any specific environment.

Official MITRE ATT&CK definition

Neoichor

Neoichor is C2 malware used by Ke3chang since at least 2019; similar malware families used by the group include Leeson and Numbldea.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

11 rows

Domain | ID | Name | Relationship / procedure

Enterprise | T1016.001 | Internet Connection Discovery (sub-technique)
Neoichor can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id=`. [1]

Enterprise | T1105 | Ingress Tool Transfer
Neoichor can download additional files onto a compromised host. [1]

Enterprise | T1614.001 | System Language Discovery (sub-technique)
Neoichor can identify the system language on a compromised host. [1]

Enterprise | T1033 | System Owner/User Discovery
Neoichor can collect the user name from a victim's machine. [1]

Enterprise | T1112 | Modify Registry
Neoichor has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer`. [1]

Enterprise | T1005 | Data from Local System
Neoichor can upload files from a victim's machine. [1]

Enterprise | T1016 | System Network Configuration Discovery
Neoichor can gather the IP address from an infected host. [1]

Enterprise | T1082 | System Information Discovery
Neoichor can collect the OS version and computer name from a compromised host. [1]

Enterprise | T1559.001 | Component Object Model (sub-technique)
Neoichor can use the Internet Explorer (IE) COM interface to connect and receive commands from C2. [1]

Enterprise | T1071.001 | Web Protocols (sub-technique)
Neoichor can use HTTP for C2 communications. [1]

Enterprise | T1070 | Indicator Removal
Neoichor can clear the browser history on a compromised host by changing the `ClearBrowsingHistoryOnExit` value to 1 in the `HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Privacy` Registry key. [1]
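The Detection direction section above asks for one host-level timeline rather than single-signal alerts. As an added example (not part of the ATT&CK object or of Glexia's tooling), the Python below correlates constructed Sysmon-style events for the T1070/T1112 Internet Explorer Registry behaviour, discovery commands and web-protocol traffic listed in this table, and only flags a host when two or more independent behaviours coincide, so HTTP/S alone never fires. The event field names, the sample events and the discovery-image list are assumptions.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not real telemetry); sensors name the user hive HKCU or HKU\<SID>, so keys match on suffix.
EVENTS = [
    {"host": "ws-01", "kind": "process", "image": r"C:\Windows\System32\whoami.exe"},
    {"host": "ws-01", "kind": "process", "image": r"C:\Windows\System32\ipconfig.exe"},
    {"host": "ws-01", "kind": "network", "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "dest": "203.0.113.10", "dport": 80},
    {"host": "ws-01", "kind": "registry", "image": r"C:\Users\a\AppData\Local\Temp\svc.exe",
     "key": r"HKU\S-1-5-21-1\Software\Microsoft\Internet Explorer\Privacy",
     "value": "ClearBrowsingHistoryOnExit", "data": "1"},
    {"host": "ws-02", "kind": "network", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dest": "198.51.100.7", "dport": 443},
    {"host": "ws-03", "kind": "registry", "image": r"C:\Windows\explorer.exe",
     "key": r"HKU\S-1-5-21-2\Software\Microsoft\Internet Explorer\Main",
     "value": "Start Page", "data": "https://intranet.example"},
]

IE_KEY = re.compile(r"\\Software\\Microsoft\\Internet Explorer(\\|$)", re.IGNORECASE)
# Assumed stand-ins for discovery evidence; API-driven collection needs other data sources.
DISCOVERY_IMAGES = {"whoami.exe", "hostname.exe", "ipconfig.exe", "systeminfo.exe"}

def classify(ev):
    """Map one event to an ATT&CK-aligned category from this page, or None."""
    if ev["kind"] == "registry" and IE_KEY.search(ev["key"]):
        if (ev["key"].lower().endswith(r"\privacy")
                and ev["value"] == "ClearBrowsingHistoryOnExit" and ev["data"] == "1"):
            return "T1070"    # browser history cleared on exit: indicator removal
        return "T1112"        # any other Internet Explorer Registry change
    if ev["kind"] == "process" and ev["image"].rsplit("\\", 1)[-1].lower() in DISCOVERY_IMAGES:
        return "discovery"    # T1033 / T1082 / T1016 style evidence
    if ev["kind"] == "network" and ev["dport"] in (80, 443):
        return "T1071.001"    # web-protocol traffic; never sufficient on its own
    return None

def correlate(events):
    """Return {host: set of categories} for hosts showing two or more behaviours."""
    per_host = defaultdict(set)
    for ev in events:
        cat = classify(ev)
        if cat:
            per_host[ev["host"]].add(cat)
    # Two independent behaviours are required, so HTTP/S alone or one
    # Registry edit alone never fires (the page's false-positive caveat).
    return {h: c for h, c in per_host.items() if len(c) >= 2}

def severity(cats):
    """T1070 evidence means local logs may already be degraded: escalate."""
    return "high" if "T1070" in cats else "medium"
```

With the constructed events only ws-01 is flagged (discovery plus HTTP plus the Privacy key change); ws-02 shows HTTPS only and ws-03 a single Start Page edit, and neither meets the threshold.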

Associated objects

Groups, software, and campaigns

Group Enterprise

G0004: Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.[1][2][3][4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 01694c5c82e9fc28...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | 01694c5c82e9…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft NICKEL December 2021
     MSTIC. (2021, December 6). NICKEL targeting government organizations across Latin America and Europe. Retrieved March 18, 2022.
  2. [2] mitre-attack S0691

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.