MITRE ATT&CK® Malware

S1020: Kevin

Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.[1]

Domain: Enterprise · ID: S1020 · Type: Malware · Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Kevin is a Windows backdoor implant associated in ATT&CK with HEXANE, a cyber espionage group described as targeting sectors such as oil and gas, telecommunications, aviation, and internet service providers in the Middle East and Africa. Its ATT&CK relationships matter because together they describe a full intrusion-support pattern: persistence through WMI event subscription, command execution, discovery, local data collection and staging, C2 over web and DNS protocols, fallback channels, tunneling, encoding and junk data, and exfiltration over the C2 channel. For leaders, this is less about one malware name and more about whether the organization can prove it would notice a stealthy Windows implant that blends into normal administration and network traffic.

Executive priority

Prioritize Kevin as a validation case for Windows endpoint resilience, C2 visibility, and incident response readiness, especially in environments where espionage against critical services or regional operations would create business continuity, regulatory, or safety-adjacent risk. The key executive question is whether teams have evidence—not assumptions—that they collect and retain the endpoint, WMI, command-line, DNS, web proxy, and egress telemetry needed to investigate a backdoor that may encode traffic, use fallback channels, stage data, and delete files. This object also supports audit and compliance conversations around logging coverage, egress control, privileged administration monitoring, and evidence preservation.

Technical view

ATT&CK does not provide official detection text for Kevin, so SOC and detection engineering should validate coverage through the related behaviors rather than relying on malware-specific signatures. On Windows, focus on WMI event subscription persistence, unusual cmd.exe activity, renamed legitimate utilities, native API-driven execution indicators where observable, hidden-window style execution, file deletion after tool use, discovery commands for system and network configuration, local collection/staging patterns, ingress tool transfer, and outbound C2 over web or DNS protocols. Network analytics should account for encoded content, junk data, fixed-size or threshold-aware transfers, fallback channels, and protocol tunneling. IR playbooks should be able to correlate host persistence, process execution, file staging, and outbound communications into a single case timeline.

Likely telemetry

  • Windows endpoint process creation and command-line logging
  • WMI event filter, consumer, provider, and binding creation or modification events
  • Endpoint file creation, rename, staging, deletion, and tool transfer evidence
  • EDR telemetry for suspicious native API usage, hidden execution, and renamed utilities
  • DNS query and response logs
  • Web proxy and firewall egress logs for HTTP C2, bursts of dummy requests, and fallback destinations

Detection direction

  • Build behavior-based detections around the ATT&CK relationships rather than depending on the malware name Kevin alone.
  • Correlate WMI persistence with nearby command-shell execution, discovery, file staging, deletion, and outbound network activity.
  • Tune DNS and web C2 analytics for encoded data, junk padding, unusual request patterns, fallback destinations, and tunneling-like behavior while accounting for legitimate administrative and application traffic.
  • Validate whether renamed legitimate utilities are detected by file metadata, path, parent process, and execution context rather than filename alone.
  • Review false positives from IT automation, software deployment, backup tools, and administrative scripts, especially where WMI, cmd.exe, file transfer, and hidden execution are normal.
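The second and fourth bullets above can be turned into concrete logic. The block below is an added example written for this page, not Glexia's or MITRE's tooling and not a model of Kevin's internals: it correlates Sysmon-style WMI subscription events (Event ID 19, 20, 21) with process-creation events (Event ID 1) whose PE version resource identifies cmd.exe under a different on-disk name. The Sysmon event IDs and field names are real; the host names, file paths, the 15-minute window and every record in the sample are constructed.

```python
"""Correlate WMI event-subscription persistence with a renamed cmd.exe.

Added example for this page; not Glexia's or MITRE's tooling and not a model
of Kevin's internals. It assumes Sysmon-style records already parsed into
dicts: Event ID 19/20/21 (WmiEventFilter, WmiEventConsumer, binding) and
Event ID 1 (ProcessCreate, which carries the PE's OriginalFileName).
Hosts, paths, the window and all records below are constructed.
"""
from datetime import datetime, timedelta

WMI_EVENT_IDS = {19: "WmiEventFilter", 20: "WmiEventConsumer",
                 21: "WmiEventConsumerToFilter"}
WINDOW = timedelta(minutes=15)  # assumed correlation window; tune locally


def is_renamed_cmd(event):
    """T1036.003 / T1059.003: version resource says cmd.exe, file name does not.

    Copying cmd.exe to a new name leaves its VERSIONINFO intact, so Sysmon's
    OriginalFileName still reads Cmd.Exe while Image carries the new name.
    """
    if event.get("EventID") != 1:
        return False
    original = (event.get("OriginalFileName") or "").lower()
    image_name = (event.get("Image") or "").lower().rsplit("\\", 1)[-1]
    return original == "cmd.exe" and image_name != "cmd.exe"


def _ts(event):
    return datetime.fromisoformat(event["UtcTime"])


def correlate(events):
    """Return findings; renamed cmd.exe near a WMI subscription change is 'high'."""
    ordered = sorted(events, key=_ts)
    wmi_by_host = {}
    findings = []
    # Pass 1: index every WMI subscription event per host. A binding (EID 21)
    # is what actually arms the persistence, so it is a finding on its own.
    for event in ordered:
        if event["EventID"] in WMI_EVENT_IDS:
            wmi_by_host.setdefault(event["Computer"], []).append(event)
            if event["EventID"] == 21:
                findings.append({
                    "host": event["Computer"],
                    "kind": "wmi_subscription_bound",
                    "severity": "medium",
                    "detail": f"{event.get('Filter')} -> {event.get('Consumer')}",
                })
    # Pass 2: renamed cmd.exe; escalate when WMI activity exists on the same
    # host within WINDOW on either side (persistence may be set before or after).
    for event in ordered:
        if not is_renamed_cmd(event):
            continue
        host = event["Computer"]
        nearby = [WMI_EVENT_IDS[w["EventID"]] for w in wmi_by_host.get(host, [])
                  if abs(_ts(event) - _ts(w)) <= WINDOW]
        findings.append({
            "host": host,
            "kind": "renamed_cmd_exe",
            "severity": "high" if nearby else "medium",
            "detail": event["Image"],
            "correlated_wmi": nearby,
        })
    return findings


SAMPLE_EVENTS = [  # constructed; not captured from Kevin
    {"EventID": 19, "UtcTime": "2024-03-01 10:00:00", "Computer": "WS01",
     "Name": "upd_filter"},
    {"EventID": 20, "UtcTime": "2024-03-01 10:00:01", "Computer": "WS01",
     "Name": "upd_consumer", "Type": "Command Line"},
    {"EventID": 21, "UtcTime": "2024-03-01 10:00:02", "Computer": "WS01",
     "Filter": "upd_filter", "Consumer": "upd_consumer"},
    {"EventID": 1, "UtcTime": "2024-03-01 10:02:10", "Computer": "WS01",
     "Image": "C:\\ProgramData\\k3f9a.tmpl", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "k3f9a.tmpl /c ipconfig /all"},
    {"EventID": 1, "UtcTime": "2024-03-01 10:05:00", "Computer": "WS01",
     "Image": "C:\\Windows\\System32\\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"EventID": 1, "UtcTime": "2024-03-01 15:30:00", "Computer": "WS02",
     "Image": "C:\\Temp\\build.tmpl", "OriginalFileName": "Cmd.Exe",
     "CommandLine": "build.tmpl /c echo hi"},
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

The check keys on OriginalFileName rather than the file name, which is exactly the point of bullet four: a copy of cmd.exe under a random name still identifies itself in its version resource. The stand-alone renamed copy on WS02 stays at medium so that deployment tooling that legitimately ships renamed shells can be baselined rather than paged on; the WS01 case escalates only because a WMI binding landed on the same host minutes earlier.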

Mitigation priorities

  • Harden and monitor WMI persistence paths on Windows, including restricting who can create event subscriptions and auditing changes.
  • Reduce unnecessary outbound access and enforce egress controls for web and DNS traffic where operationally feasible.
  • Centralize and retain endpoint, DNS, proxy, firewall, and EDR logs needed to investigate C2, staging, and cleanup behavior.
  • Apply least privilege and administrative control monitoring to limit misuse of command shell, native utilities, and renamed tools.
  • Use application control or allowlisting strategies where appropriate to reduce unauthorized tool transfer and execution.

Analyst notes and limits

The official object identifies Kevin as a C++ backdoor implant used by HEXANE since at least June 2020, including operations against organizations in Tunisia. Relationship context links Kevin to multiple ATT&CK techniques spanning persistence, execution, discovery, collection, command and control, exfiltration, and stealth. Because official detection guidance is not supplied, this take emphasizes control validation and telemetry coverage mapped to those relationships.

This assessment is limited to the supplied ATT&CK STIX fields, external references, and relationships. It does not prove current activity, customer exposure, specific indicators, or guaranteed detection coverage. The object platform is Windows; related techniques may list additional platforms, but those are not treated here as Kevin platform claims. Local environment baselines are required to distinguish malicious behavior from legitimate administration.

Official MITRE ATT&CK definition

Kevin

Kevin is a backdoor implant written in C++ that has been used by HEXANE since at least June 2020, including in operations against organizations in Tunisia.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

21 rows (citation [1] refers to the source list at the end of the page)

Domain | ID | Name | Relationship / procedure

Enterprise T1071.004 DNS (sub-technique)

Variants of Kevin can communicate over DNS through queries to the server for constructed domain names with embedded information. [1]

Enterprise T1564.003 Hidden Window (sub-technique)

Kevin can hide the current window from the targeted user via the `ShowWindow` API function. [1]

Enterprise T1016 System Network Configuration Discovery

Kevin can collect the MAC address and other information from a victim machine using `ipconfig/all`. [1]

Enterprise T1132.001 Standard Encoding (sub-technique)

Kevin can Base32 encode chunks of output files during exfiltration. [1]

Enterprise T1082 System Information Discovery

Kevin can enumerate the OS version and hostname of a targeted machine. [1]

Enterprise T1105 Ingress Tool Transfer

Kevin can download files to the compromised host. [1]

Enterprise T1041 Exfiltration Over C2 Channel

Kevin can send data from the victim host through a DNS C2 channel. [1]

Enterprise T1572 Protocol Tunneling

Kevin can use a custom protocol tunneled through DNS or HTTP. [1]

Enterprise T1030 Data Transfer Size Limits

Kevin can exfiltrate data to the C2 server in 27-character chunks. [1]

Enterprise T1070.004 File Deletion (sub-technique)

Kevin can delete files created on the victim's machine. [1]

Enterprise T1071.001 Web Protocols (sub-technique)

Variants of Kevin can communicate with C2 over HTTP. [1]

Enterprise T1106 Native API

Kevin can use the `ShowWindow` API to avoid detection. [1]

Enterprise T1005 Data from Local System

Kevin can upload logs and other data from a compromised host. [1]

Enterprise T1059.003 Windows Command Shell (sub-technique)

Kevin can use a renamed image of `cmd.exe` for execution. [1]

Enterprise T1001.001 Junk Data (sub-technique)

Kevin can generate a sequence of dummy HTTP C2 requests to obscure traffic. [1]

Enterprise T1027.013 Encrypted/Encoded File (sub-technique)

Kevin has Base64-encoded its configuration file. [1]

Enterprise T1074 Data Staged

Kevin can create directories to store logs and other collected data. [1]

Enterprise T1546.003 Windows Management Instrumentation Event Subscription (sub-technique)

Kevin can compile randomly-generated MOF files into the WMI repository to persistently run malware. [1]

Enterprise T1008 Fallback Channels

Kevin can assign hard-coded fallback domains for C2. [1]

Enterprise T1497 Virtualization/Sandbox Evasion

Kevin can sleep for a time interval between C2 communication attempts. [1]

Enterprise T1036.003 Rename Legitimate Utilities (sub-technique)

Kevin has renamed an image of `cmd.exe` with a random name followed by a `.tmpl` extension. [1]
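The DNS, Standard Encoding and Data Transfer Size Limits rows above describe a shape (information embedded in constructed domain names, Base32-encoded output, 27-character chunks) that a DNS log analytic can look for. The block below is an added example for this page, not code from Glexia, MITRE or the Kaspersky report, and it is not a decoder for Kevin's actual message format, which ATT&CK does not describe. encode_as_queries() only reproduces that general shape under assumed rules (padding stripped, a numeric sequence label, a parent zone under the reserved .test TLD) so that the detector has realistic input; the log lines, the "collected data" payload, the naive two-label zone key and the thresholds are all constructed or assumed.

```python
"""Spot chunked, Base32-encoded data riding in DNS query names.

Added example for this page; not Glexia, MITRE or Kaspersky code, and not a
decoder for Kevin: the ATT&CK rows only say that information is embedded in
constructed domain names, output is Base32-encoded and sent in 27-character
chunks. encode_as_queries() reproduces that general shape under assumed rules
(padding stripped, a numeric sequence label, an assumed parent zone under the
reserved .test TLD) so the detector has realistic input. Log lines are
constructed.
"""
import base64
import re
from collections import defaultdict

CHUNK = 27                       # chunk size named in the ATT&CK procedure text
PARENT = "c2-placeholder.test"   # assumed, hypothetical C2 zone
B32_LABEL = re.compile(r"^[A-Z2-7]{16,63}$", re.IGNORECASE)  # RFC 4648 alphabet


def encode_as_queries(data, parent=PARENT):
    """Illustrative exfil layout: <seq>.<up to 27 Base32 chars>.<parent>."""
    encoded = base64.b32encode(data).decode().rstrip("=")
    chunks = [encoded[i:i + CHUNK] for i in range(0, len(encoded), CHUNK)]
    return [f"{seq}.{chunk}.{parent}" for seq, chunk in enumerate(chunks)]


def decode_queries(queries):
    """Reassemble what encode_as_queries() produced (order by sequence label)."""
    parts = sorted((int(q.split(".")[0]), q.split(".")[1]) for q in queries)
    encoded = "".join(chunk for _, chunk in parts)
    encoded += "=" * (-len(encoded) % 8)  # restore the stripped padding
    return base64.b32decode(encoded)


def parent_of(qname, depth=2):
    """Naive zone key: last two labels. A public-suffix list is the real fix."""
    return ".".join(qname.rstrip(".").split(".")[-depth:])


def score_dns_log(lines, min_queries=8, min_b32_fraction=0.8):
    """Group queries by zone and flag zones whose longest labels are mostly
    Base32 alphabet and mostly one fixed length (chunking). Returns a dict of
    flagged zone -> stats; an empty dict means nothing crossed the thresholds.
    """
    per_zone = defaultdict(set)
    for line in lines:  # expected shape: "<time> <client> <qname> <qtype>"
        parts = line.split()
        if len(parts) < 4:
            continue  # skip truncated or malformed lines instead of crashing
        qname = parts[2].rstrip(".")
        per_zone[parent_of(qname)].add(qname)

    flagged = {}
    for zone, names in per_zone.items():
        if len(names) < min_queries:
            continue
        longest = [max(n.split("."), key=len) for n in names]
        b32 = [label for label in longest if B32_LABEL.match(label)]
        if not b32:
            continue
        fraction = len(b32) / len(longest)
        lengths = [len(label) for label in b32]
        dominant = max(set(lengths), key=lengths.count)
        uniform = lengths.count(dominant) / len(lengths)
        if fraction >= min_b32_fraction and uniform >= 0.5:
            flagged[zone] = {
                "unique_queries": len(names),
                "base32_fraction": round(fraction, 2),
                "dominant_label_length": dominant,
            }
    return flagged


SAMPLE_LOG = [  # constructed benign traffic
    "2024-03-01T10:00:00Z 10.0.0.5 www.example.com A",
    "2024-03-01T10:00:01Z 10.0.0.5 mail.example.com A",
    "2024-03-01T10:00:02Z 10.0.0.7 a1b2c3d4e5f6.cdn.example.org A",
    "2024-03-01T10:00:03Z 10.0.0.7 assets.cdn.example.org A",
]
# Constructed "collected data" in the spirit of the discovery rows (hostname,
# OS version, MAC), then turned into query names by the illustrative encoder.
PAYLOAD = b"hostname=WS01\nos=10.0.19045\nmac=00-11-22-33-44-55\n" * 3
SAMPLE_LOG += [f"2024-03-01T10:01:{i:02d}Z 10.0.0.5 {q} A"
               for i, q in enumerate(encode_as_queries(PAYLOAD))]

if __name__ == "__main__":
    assert decode_queries(encode_as_queries(PAYLOAD)) == PAYLOAD
    for zone, stats in score_dns_log(SAMPLE_LOG).items():
        print(zone, stats)
```

Two things the example makes visible that the rows alone do not. First, the signal is in the population of names under a zone, not in any single query: one long alphabetic label is a hostname, dozens of labels of the same length drawn only from A-Z and 2-7 are a chunker at work, and the uniform-length check is what ties the analytic to the 27-character behaviour. Second, the hex-looking CDN label in the benign sample fails the Base32 test because 0, 1, 8 and 9 are outside the alphabet, which is a cheap way to keep content-hashed CDN names out of the alert queue; long alphabetic internal hostnames under a small zone are the remaining false-positive class and are handled by the minimum query count and by per-zone allowlists, not by lowering the fraction threshold.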

Associated objects

Groups, software, and campaigns

Group Enterprise

G1001: HEXANE

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created / Modified: timestamps not populated in this snapshot
Raw hash: 40e416f39fc37708...

Imported snapshots across ATT&CK releases (1)

Release 19.1 | Object version 1.1 | Status: Current bundle | Raw hash 40e416f39fc3… (bundle import date and modified timestamp not shown)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  [1] Kaspersky Lyceum October 2021: Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
  [2] mitre-attack S1020: MITRE ATT&CK source record for software object S1020 (Kevin).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.