S1013: ZxxZ
Analyst context for executives and security teams
ZxxZ matters because it represents a Windows trojan associated in ATT&CK with BITTER and a workflow that can start with a spearphishing attachment, collect local and system information, establish recurring execution through scheduled tasks, and hide artifacts through encoding or masquerading. For leaders, the practical question is not whether the name is blocked, but whether Windows endpoints, email controls, and SOC processes can connect the chain from malicious attachment to persistence, discovery, and possible tool transfer.
Executive priority
Prioritize this as a validation case for endpoint and email resilience rather than a standalone malware-name concern. The ATT&CK relationships point to risks that affect incident scoping and continuity: user-driven file execution, Windows registry and system discovery, scheduled-task persistence, security-tool discovery, and transfer of additional files. Executives should ask whether the organization can prove coverage across email attachment handling, Windows endpoint telemetry, scheduled task monitoring, and incident response triage for targeted phishing scenarios, especially in government, energy, or engineering-like environments referenced in the related BITTER context.
Technical view
The official object has no ATT&CK detection guidance, so defenders should build coverage from the related behaviors. On Windows, validate visibility for malicious file execution, registry queries, user/process/system/security software discovery, encoded or decoded file artifacts, scheduled task creation or modification, task/service masquerading, native API-driven execution indicators where available, and inbound transfer of tools or files. Detection engineering should correlate these behaviors rather than rely on a ZxxZ signature alone, because several individual actions can be legitimate administrative or software activity.
Likely telemetry
- Email security logs and attachment metadata for spearphishing attachment handling
- Windows endpoint process creation and command-line telemetry
- Windows Registry access/query telemetry where collected
- Scheduled task creation, modification, and execution events
- File creation, write, rename, decode/deobfuscation, and encoded-file indicators
Detection direction
- Correlate email attachment delivery or opening with new process execution on Windows endpoints.
- Alert or hunt for suspicious scheduled task creation or task names that imitate legitimate services or administrative tasks.
- Baseline common registry, user, process, system, and security-software discovery activity to reduce false positives from administrators and management tools.
- Look for encoded or encrypted files followed by local decoding/deobfuscation and execution, especially when tied to recent attachment execution.
- Review external file-transfer events occurring after initial endpoint execution, as related ATT&CK behavior includes ingress tool transfer.
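The first two detection directions above can be expressed as one correlation rule. The following is an added example, not part of the ATT&CK object or of any vendor's detection content: it runs over constructed, normalised Windows records (Sysmon process creation and Security 4698 scheduled-task creation) and flags an Office-spawned executable followed within a short window, on the same host, by a task whose name imitates a Windows/security update but whose action lives in a user-writable path. Field names, paths, task names and thresholds are assumptions for the example.

```python
"""Correlate Office-spawned execution with a later masquerading scheduled task on the same host."""
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), normalised from Sysmon EID 1 and Security EID 4698.
EVENTS = [
    {"ts": "2022-05-11T09:00:00", "host": "WS01", "type": "process", "user": "alice",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Users\alice\AppData\Local\Temp\winsvc.exe"},
    {"ts": "2022-05-11T09:02:30", "host": "WS01", "type": "task", "user": "alice",
     "name": r"\Microsoft\Windows\Windows Security Update",
     "action": r"C:\Users\alice\AppData\Local\Temp\winsvc.exe"},
    # Benign control: a real update task whose action is under System32.
    {"ts": "2022-05-11T10:00:00", "host": "WS02", "type": "task", "user": "SYSTEM",
     "name": r"\Microsoft\Windows\WindowsUpdate\Scheduled Start",
     "action": r"C:\Windows\System32\usoclient.exe"},
]

OFFICE_PARENTS = ("winword.exe", "excel.exe", "outlook.exe")          # attachment handlers
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
LURE_WORDS = ("update", "security", "defender", "windows")            # names that imitate Windows tasks
WINDOW = timedelta(minutes=30)                                        # assumed correlation window

def office_spawned(ev):
    """Process creation whose parent is an Office app: likely attachment execution (T1204.002)."""
    return ev["type"] == "process" and ev["parent"].lower().endswith(OFFICE_PARENTS)

def masquerading_task(ev):
    """Task with an update-like name but an action in a user-writable path (T1053.005 + T1036.004)."""
    if ev["type"] != "task":
        return False
    name, action = ev["name"].lower(), ev["action"].lower()
    return any(w in name for w in LURE_WORDS) and any(p in action for p in USER_WRITABLE)

def correlate(events, window=WINDOW):
    """Return (host, user, spawned image, task name) for each chain found within `window`."""
    alerts = []
    for start in (e for e in events if office_spawned(e)):
        t0 = datetime.fromisoformat(start["ts"])
        for ev in events:
            if ev["host"] != start["host"] or not masquerading_task(ev):
                continue
            delta = datetime.fromisoformat(ev["ts"]) - t0
            if timedelta(0) <= delta <= window:
                alerts.append((start["host"], start["user"], start["image"], ev["name"]))
    return alerts

if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print("ALERT attachment -> scheduled-task chain:", alert)
```

Either stage alone is noisy (Office spawning a child, or an administrator creating a task); the chain on one host within the window is what lifts it to alert quality, which is the correlation the Technical view calls for.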
Mitigation priorities
- Strengthen phishing attachment controls and user-facing safeguards for the risky file types named in the ATT&CK relationships (RTF and Excel attachments).
- Ensure Windows endpoint monitoring captures process, registry, file, and scheduled task activity needed for investigation.
- Restrict and monitor scheduled task creation, especially by non-administrative users or unexpected processes.
- Maintain endpoint protection and logging resilience, recognizing that related behavior includes discovery of security software.
- Prepare IR playbooks to scope from the initial user and host outward to persistence mechanisms, local data access, and transferred tools.
Analyst notes and limits
ATT&CK identifies ZxxZ as a Visual C++ Windows trojan used by BITTER since at least August 2021, with reporting including Bangladeshi government personnel. The relationship set gives useful defensive anchors even though the malware object itself has no listed tactics and no official detection text. Local validation should focus on whether telemetry can reconstruct the related ATT&CK behaviors in sequence.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish current activity, customer exposure, specific indicators, malware internals beyond the official description, or guaranteed detection logic. Several related techniques list broader platforms, but the supplied ZxxZ platform is Windows, so Windows coverage should be the primary validation focus.
ZxxZ
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | ZxxZ has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | ZxxZ can download and execute additional files. [1] |
| Enterprise | T1057 | Process Discovery | ZxxZ has created a snapshot of running processes using `CreateToolhelp32Snapshot`. [1] |
| Enterprise | T1082 | System Information Discovery | ZxxZ has collected the host name and operating system product name from a compromised machine. [1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | ZxxZ can search a compromised host to determine if it is running Windows Defender or Kaspersky antivirus. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | ZxxZ has been disguised as a Windows security update service. [1] |
| Enterprise | T1012 | Query Registry | ZxxZ can search the registry of a compromised host. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique) | ZxxZ has been encoded to avoid detection from static analysis tools. [1] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | ZxxZ has used scheduled tasks for persistence and execution. [1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | ZxxZ has relied on victims to open a malicious attachment delivered via email. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | ZxxZ has been distributed via spearphishing emails, usually containing a malicious RTF or Excel attachment. [1] |
| Enterprise | T1033 | System Owner/User Discovery | ZxxZ can collect the username from a compromised host. [1] |
| Enterprise | T1005 | Data from Local System | ZxxZ can collect data from a compromised host. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | ZxxZ has used an XOR key to decrypt strings. [1] |
Groups, software, and campaigns
G1002: BITTER
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5ff73d303212… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Cisco Talos Bitter Bangladesh May 2022: Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022.
- [2] mitre-attack S1013 (MITRE ATT&CK source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.