S1066: DarkTortilla
DarkTortilla is a highly configurable .NET-based crypter that has possibly been active since at least August 2015. It has been used to deliver popular information stealers, RATs, and other payloads, including Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[1]
Analyst context for executives and security teams
DarkTortilla matters because MITRE describes it as a highly configurable Windows .NET-based crypter used to deliver other payloads, including information stealers, RATs, Cobalt Strike, and Metasploit. For leaders, the practical issue is not one malware family alone; it is whether the organization can detect and contain an evasive loader/crypter stage before it enables credential theft, remote access, or follow-on tooling.
Executive priority
Prioritize this as a Windows endpoint resilience and incident-readiness concern. Because the ATT&CK relationships include user-executed malicious files, obfuscation, discovery, persistence via registry/startup mechanisms, command execution, web-based command and control, and credential/clipboard collection behaviors, executives should ask whether endpoint telemetry, egress monitoring, identity response procedures, and malware triage workflows can connect the initial file execution to later payload delivery and persistence. This is also useful audit evidence for validating malware defense, logging, and incident response control coverage.
Technical view
MITRE provides no official detection text for DarkTortilla, so SOC and detection engineering should validate coverage through its mapped behaviors on Windows. Focus on chains involving malicious file execution, .NET or obfuscated payloads, deobfuscation behavior, system/security software/process/service discovery, WMI, cmd.exe, COM/native API execution, DLL injection indicators, registry modification, Run Key/Startup Folder and Winlogon-related persistence, web protocol or web service C2, and ingress tool transfer. IR teams should treat a suspected DarkTortilla finding as a potential loader/crypter event and scope for delivered payloads named in the ATT&CK description, while avoiding attribution assumptions.
Likely telemetry
- Windows process creation and command-line telemetry, including cmd.exe, WMI, COM-related execution, and unusual parent-child process chains
- Endpoint file creation, modification, quarantine, and reputation events for downloaded or user-opened malicious files
- Windows Registry auditing for Run Keys, Startup Folder references, Winlogon-related keys, and other suspicious modifications
- Network proxy, DNS, firewall, and endpoint network telemetry for HTTP/S or web service communications and file transfer activity
- EDR memory/process telemetry that may show DLL injection, unusual module loads, or suspicious API-driven execution
Detection direction
- Do not rely on a single malware signature; validate behavior-based detections across the loader stage, persistence, discovery, C2, and payload transfer behaviors mapped to this object.
- Tune detections for suspicious Windows registry persistence while accounting for legitimate software installers and enterprise management tools that also modify startup locations.
- Review WMI, command shell, COM, and native API execution detections in context of parent process, file origin, user action, and network activity to reduce administrative false positives.
- Ensure sandbox and malware-analysis processes account for anti-analysis behavior, including system checks and time-based checks, because evasive samples may not reveal full behavior in short or artificial runs.
- Correlate endpoint and network evidence: web protocol traffic alone may look normal, so prioritize unusual destinations, newly observed domains, suspicious user-agent patterns if collected, and proximity to suspicious file execution.
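The correlation the detection direction above calls for, as an added example for this page (not code from MITRE, Secureworks or the malware authors): behaviours from the mapped techniques are rolled up per process tree so that user execution, WMI hardware queries, cmd.exe-driven registry writes, Run/Winlogon persistence, a Startup-folder .lnk and a paste-site fetch score together rather than as isolated low-confidence hits. The events are constructed, Sysmon-like records (field names are an assumption, not a product schema; WMI query text is modelled on the WMI-Activity operational log), and the indicator weights and threshold are illustrative values to tune against a local baseline.

```python
"""Roll Windows telemetry up into per-process-tree behaviour chains and score them."""
import re
from collections import defaultdict

# Processes whose children count as "user-launched" (T1204.002 context).
USER_LAUNCHERS = {"explorer.exe", "outlook.exe", "winrar.exe", "7zfm.exe"}
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\(Downloads|AppData|Desktop)|Windows\\Temp|ProgramData|Users\\Public)\\", re.I)
WMI_HW_CLASSES = ("win32_bios", "win32_computersystem", "win32_motherboarddevice",
                  "win32_pnpentity", "win32_diskdrive")          # T1082 / T1047 classes named on the page
PASTE_SITES = {"pastebin.com", "textbin.net"}                    # T1102 hosts named on the page
WEIGHTS = {"user_execution_from_user_path": 2, "wmi_hardware_discovery": 2, "cmd_reg_add": 2,
           "run_key_write": 2, "winlogon_write": 3, "startup_lnk_create": 2,
           "web_paste_site_fetch": 3, "web_traffic": 1}          # assumption: illustrative weights
THRESHOLD = 6                                                    # assumption: tune per environment


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def root_of(pid, procs):
    """Walk up the parent chain; stop just below a user launcher or at an unknown parent."""
    while True:
        proc = procs.get(pid)
        parent = procs.get(proc["ppid"]) if proc else None
        if parent is None or basename(parent["image"]) in USER_LAUNCHERS:
            return pid
        pid = proc["ppid"]


def indicators_for(event, procs):
    """Map one event to the mapped-behaviour indicators it evidences."""
    kind, out = event["kind"], set()
    if kind == "proc":
        parent = procs.get(event["ppid"])
        if parent and basename(parent["image"]) in USER_LAUNCHERS and USER_WRITABLE.search(event["image"]):
            out.add("user_execution_from_user_path")
        if basename(event["image"]) == "cmd.exe" and re.search(r"\breg(\.exe)?\s+add\b", event["cmd"], re.I):
            out.add("cmd_reg_add")                               # T1059.003 used for T1112
    elif kind == "wmi" and any(c in event["query"].lower() for c in WMI_HW_CLASSES):
        out.add("wmi_hardware_discovery")
    elif kind == "reg":
        key = event["key"].lower()
        if key.endswith("\\currentversion\\run"):
            out.add("run_key_write")                             # T1547.001
        if key.endswith("\\currentversion\\winlogon") and event["value"].lower() in ("shell", "userinit"):
            out.add("winlogon_write")                            # T1547.004
    elif kind == "file":
        path = event["path"].lower()
        if "\\start menu\\programs\\startup\\" in path and path.endswith(".lnk"):
            out.add("startup_lnk_create")                        # T1547.001 via WshShortcut (T1559.001)
    elif kind == "net":
        out.add("web_paste_site_fetch" if event["host"].lower() in PASTE_SITES else "web_traffic")
    return out


def score_trees(events):
    """Return {root_pid: {image, score, indicators, alert}} with child processes rolled up into their root."""
    procs = {e["pid"]: e for e in events if e["kind"] == "proc"}
    found = defaultdict(set)
    for event in events:
        found[root_of(event["pid"], procs)] |= indicators_for(event, procs)
    results = {}
    for root, inds in found.items():
        score = sum(WEIGHTS[i] for i in inds)
        results[root] = {"image": procs[root]["image"] if root in procs else "unknown",
                         "score": score, "indicators": sorted(inds), "alert": score >= THRESHOLD}
    return results


# Constructed sample telemetry (not real captures): one suspicious tree rooted at pid 200,
# one benign installer tree rooted at pid 400 that also writes a Run value and talks HTTP.
REG_ADD = (r'cmd.exe /c reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v Shell '
           r'/t REG_SZ /d "explorer.exe,C:\Users\bob\AppData\Roaming\PowerShellInfo.exe" /f')
EVENTS = [
    {"kind": "proc", "pid": 100, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"kind": "proc", "pid": 200, "ppid": 100, "image": r"C:\Users\bob\Downloads\invoice_8821\Invoice.exe",
     "cmd": r'"C:\Users\bob\Downloads\invoice_8821\Invoice.exe"'},
    {"kind": "wmi", "pid": 200, "query": "SELECT * FROM Win32_BIOS"},
    {"kind": "wmi", "pid": 200, "query": "SELECT * FROM Win32_ComputerSystem"},
    {"kind": "net", "pid": 200, "host": "pastebin.com", "method": "GET"},
    {"kind": "proc", "pid": 300, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe", "cmd": REG_ADD},
    {"kind": "proc", "pid": 310, "ppid": 300, "image": r"C:\Windows\System32\reg.exe", "cmd": REG_ADD[11:]},
    {"kind": "reg", "pid": 310, "key": r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "value": "Shell"},
    {"kind": "file", "pid": 200,
     "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerShellInfo.lnk"},
    {"kind": "proc", "pid": 400, "ppid": 50, "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec.exe /i vendor.msi"},
    {"kind": "reg", "pid": 400, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "value": "VendorUpdater"},
    {"kind": "net", "pid": 400, "host": "download.example-vendor.invalid", "method": "GET"},
]

if __name__ == "__main__":
    for root, r in score_trees(EVENTS).items():
        print(root, r["image"], r["score"], r["alert"], r["indicators"])
```

The roll-up is the point: the reg.exe write under pid 310 is attributed to the Invoice.exe tree because cmd.exe sits between them, while the installer tree stays under threshold despite touching a Run key and the network, which is the false-positive case the tuning bullet above describes.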
Mitigation priorities
- Reduce initial execution risk with user-facing file controls, attachment/download inspection, and endpoint prevention for suspicious Windows executables and scriptable files.
- Harden Windows persistence surfaces by monitoring and controlling Registry Run Keys, Startup Folder entries, and Winlogon helper locations.
- Limit abuse of administrative execution paths such as WMI and command shell through least privilege, administrative separation, and logging-backed control policies.
- Strengthen egress controls and web traffic monitoring so unauthorized web-based C2 and tool transfer are harder to blend into normal traffic.
- Maintain endpoint detection and response visibility for process, registry, module, and network activity rather than depending only on static malware identification.
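A way to check the persistence surfaces listed above on a host or in a collected export, as an added example for this page (not code from MITRE or Secureworks): it parses the text layout that `reg query /s` prints (a key line followed by indented "name  type  data" rows), compares Winlogon `Shell`/`Userinit` against expected defaults, and flags Run values and Startup-folder shortcuts whose executable sits under a user-writable path. The registry snapshot and the shortcut list are constructed; the Winlogon defaults and the user-writable rule are assumptions that need adjusting for images that legitimately customise Winlogon. Resolving .lnk targets is left to whatever tool produced the list.

```python
"""Audit Run keys, Winlogon helper values and Startup-folder shortcuts from exported data."""
import re

WINLOGON_DEFAULTS = {"shell": "explorer.exe",                                   # assumption: stock defaults
                     "userinit": r"c:\windows\system32\userinit.exe,"}
USER_WRITABLE = re.compile(
    r"\\(users\\[^\\]+\\(appdata|downloads|desktop)|programdata|windows\\temp|users\\public)\\", re.I)
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*)$")                    # name  type  data


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}} from `reg query /s`-style output."""
    keys, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None and (m := VALUE_LINE.match(line)):
            keys[current][m.group(1)] = (m.group(2), m.group(3).strip())
    return keys


def first_path(data):
    """Executable path from a Run value: '"C:\\x y.exe" /arg' or 'C:\\x.exe /arg'."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', data)
    return (m.group(1) or m.group(2)) if m else data


def audit(keys, startup_lnks):
    """Flag modified Winlogon helpers and Run/Startup entries that launch from user-writable paths."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith("\\currentversion\\winlogon"):
            for name, (_, data) in values.items():
                default = WINLOGON_DEFAULTS.get(name.lower())
                if default is not None and data.strip().lower() != default:
                    findings.append({"location": key, "name": name, "data": data,
                                     "reason": "winlogon_helper_modified"})
        elif k.endswith("\\currentversion\\run") or k.endswith("\\currentversion\\runonce"):
            for name, (_, data) in values.items():
                if USER_WRITABLE.search(first_path(data)):
                    findings.append({"location": key, "name": name, "data": data,
                                     "reason": "run_value_user_writable_path"})
    for lnk, target in startup_lnks:
        if USER_WRITABLE.search(target):
            findings.append({"location": lnk, "name": lnk.rsplit("\\", 1)[-1], "data": target,
                             "reason": "startup_lnk_user_writable_target"})
    return findings


# Constructed snapshot in `reg query` layout (not a real export).
REG_SNAPSHOT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    AutoRestartShell    REG_DWORD    0x1
    Shell    REG_SZ    explorer.exe
    Userinit    REG_SZ    C:\Windows\system32\userinit.exe,

HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Shell    REG_SZ    explorer.exe,C:\Users\bob\AppData\Roaming\PowerShellInfo.exe

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
    PowerShellInfo    REG_SZ    "C:\Users\bob\AppData\Roaming\PowerShellInfo.exe"
"""
# Constructed (shortcut path, resolved target) pairs from the per-user Startup folder.
STARTUP_LNKS = [
    (r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerShellInfo.lnk",
     r"C:\Users\bob\AppData\Roaming\PowerShellInfo.exe"),
    (r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Teams.lnk",
     r"C:\Program Files (x86)\Teams Installer\Teams.exe"),
]


def run_audit():
    return audit(parse_reg_query(REG_SNAPSHOT), STARTUP_LNKS)


if __name__ == "__main__":
    for f in run_audit():
        print(f["reason"], f["location"], f["name"], f["data"], sep=" | ")
```

Used against a live host, feed it the output of `reg query HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` and the Run keys for each loaded hive; the OneDrive entry shows why the rule keys on path rather than on the mere presence of a Run value, which is the installer and management-tool false-positive the tuning bullet above warns about.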
Analyst notes and limits
The supplied ATT&CK object identifies DarkTortilla as Windows malware and a configurable .NET crypter associated with delivery of multiple payload types. The ATT&CK relationship set is broad and gives useful defensive validation areas, but it does not provide official detection analytics, specific indicators, or a tactic list on the malware object itself.
This take is limited to the supplied MITRE ATT&CK fields, external references, and relationships. It does not assert active exploitation, actor attribution, customer exposure, guaranteed detection, or platforms beyond Windows for DarkTortilla. Local telemetry, sample analysis, and environment-specific baselines are required to confirm relevance and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | DarkTortilla can download additional packages for keylogging, cryptocurrency mining, and other capabilities; it can also retrieve malicious payloads such as Agent Tesla, AsyncRat, NanoCore, RedLine, Cobalt Strike, and Metasploit.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DarkTortilla can decrypt its payload and associated configuration elements using the Rijndael cipher.[1] |
| Enterprise | T1027 | Obfuscated Files or Information | DarkTortilla has been obfuscated with the DeepSea .NET and ConfuserEx code obfuscators.[1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection | DarkTortilla can use a .NET-based DLL named `RunPe6` for process injection.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment | DarkTortilla has been distributed via spearphishing emails containing archive attachments, with file types such as .iso, .zip, .img, .dmg, and .tar, as well as through malicious documents.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | DarkTortilla has established persistence via the `Software\Microsoft\Windows NT\CurrentVersion\Run` registry key and by creating a .lnk shortcut file in the Windows startup folder.[1] |
| Enterprise | T1547.004 | Winlogon Helper DLL | DarkTortilla has established persistence via the `Software\Microsoft\Windows NT\CurrentVersion\Winlogon` registry key.[1] |
| Enterprise | T1497.003 | Time Based Checks | DarkTortilla can call the `kernel32.dll` Sleep function to delay execution for up to 300 seconds before establishing persistence or processing an addon package.[1] |
| Enterprise | T1574.012 | COR_PROFILER | DarkTortilla can detect profilers by verifying that the `COR_ENABLE_PROFILING` environment variable is present and active.[1] |
| Enterprise | T1518.001 | Security Software Discovery | DarkTortilla can check for the Kaspersky Anti-Virus suite.[1] |
| Enterprise | T1059.003 | Windows Command Shell | DarkTortilla can use `cmd.exe` to add registry keys for persistence.[1] |
| Enterprise | T1082 | System Information Discovery | DarkTortilla can obtain system information by querying the `Win32_ComputerSystem`, `Win32_BIOS`, `Win32_MotherboardDevice`, `Win32_PnPEntity`, and `Win32_DiskDrive` WMI objects.[1] |
| Enterprise | T1036 | Masquerading | DarkTortilla's payload has been renamed `PowerShellInfo.exe`.[1] |
| Enterprise | T1564 | Hide Artifacts | DarkTortilla has used `%HiddenReg%` and `%HiddenKey%` as part of its persistence via the Windows registry.[1] |
| Enterprise | T1497.001 | System Checks | DarkTortilla can search a compromised system's running processes and services to detect Hyper-V, QEMU, Virtual PC, VirtualBox, and VMware, as well as Sandboxie.[1] |
| Enterprise | T1115 | Clipboard Data | DarkTortilla can download a clipboard information stealer module.[1] |
| Enterprise | T1056.001 | Keylogging | DarkTortilla can download a keylogging module.[1] |
| Enterprise | T1204.002 | Malicious File | DarkTortilla has relied on a user to open a malicious document or archived file delivered via email for initial execution.[1] |
| Enterprise | T1057 | Process Discovery | DarkTortilla can enumerate a list of running processes on a compromised system.[1] |
| Enterprise | T1016.001 | Internet Connection Discovery | DarkTortilla can check for internet connectivity by issuing HTTP GET requests.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | DarkTortilla can use WMI queries to obtain system information.[1] |
| Enterprise | T1106 | Native API | DarkTortilla can use a variety of API calls for persistence and defense evasion.[1] |
| Enterprise | T1102 | Web Service | DarkTortilla can retrieve its primary payload from public sites such as Pastebin and Textbin.[1] |
| Enterprise | T1007 | System Service Discovery | DarkTortilla can retrieve information about a compromised system's running services.[1] |
| Enterprise | T1559.001 | Component Object Model | DarkTortilla has used the `WshShortcut` COM object to create a .lnk shortcut file in the Windows startup folder.[1] |
| Enterprise | T1622 | Debugger Evasion | DarkTortilla can detect debuggers by using functions such as `DebuggerIsAttached` and `DebuggerIsLogging`. DarkTortilla can also detect profilers by verifying that the `COR_ENABLE_PROFILING` environment variable is present and active.[1] |
| Enterprise | T1112 | Modify Registry | DarkTortilla has modified registry keys for persistence.[1] |
| Enterprise | T1071.001 | Web Protocols | DarkTortilla has used HTTP and HTTPS for C2.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When multiple ATT&CK source imports are retained, the same object can be compared across releases by object hash and MITRE modification timestamp. For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d41f7539a94a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Secureworks DarkTortilla Aug 2022: Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022.
[2] mitre-attack S1066: MITRE ATT&CK. S1066: DarkTortilla.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.