S1074: ANDROMEDA
Analyst context for executives and security teams
ANDROMEDA is a Windows commodity malware family with a history of broad industry exposure and a documented 2022 campaign where expired command-and-control domains were re-registered to reach selected targets in Ukraine. For leaders, the main value is not treating it as “old malware,” but using it to test whether endpoint, web, DNS, removable-media, and persistence controls still catch commodity tradecraft that can remain useful when infrastructure is recycled.
Executive priority
Prioritize this as a resilience and control-validation issue. The ATT&CK relationships show behaviors that affect incident scoping and business continuity: masquerading, process injection, web-based command-and-control, tool transfer, removable-media replication, and Windows Run Key or Startup Folder persistence. Executives should ask whether SOC and IR teams can prove visibility across endpoints, proxy/DNS logs, removable media use, and Windows persistence locations before an incident, not after.
Technical view
For SOC, detection engineering, and IR teams, validate Windows-focused coverage for the related behaviors: files named or placed to resemble legitimate resources, file type or extension mismatches, suspicious process injection, HTTP/S or web-protocol C2 patterns, external file ingress, removable-media execution or copying, and Registry Run Key or Startup Folder persistence. Because no official ATT&CK detection text is provided for ANDROMEDA, detections should be built from the linked techniques and then tested against local baselines to reduce false positives from legitimate software updaters, admin tools, and normal web traffic.
Likely telemetry
- Windows endpoint process creation and parent-child process telemetry
- Endpoint file creation, rename, path, icon, extension, and file signature or magic-byte metadata
- Registry modification events for Run Keys and Startup Folder changes
- Endpoint security telemetry for process injection or abnormal cross-process access
- DNS logs, web proxy logs, HTTP/S metadata, and outbound connection records
Detection direction
- Confirm that ANDROMEDA-related coverage is behavior-based, not only hash or domain based, because the supplied description highlights reused or re-registered C2 infrastructure.
- Tune detections around combinations of signals: masqueraded file plus Run Key persistence, suspicious removable-media activity plus execution, or process injection followed by web-protocol outbound traffic.
- Review blind spots where HTTPS inspection, endpoint telemetry retention, removable-media logging, or registry auditing are limited.
- Account for false positives from legitimate software installers, update agents, administrative scripts, and common Windows startup entries by baselining trusted paths, signers, and change owners.
- Use the C0026 relationship context only as supporting intelligence for infrastructure and campaign review; do not assume attribution or current activity without local evidence.
Mitigation priorities
- Maintain Windows endpoint hardening and application control to reduce execution of untrusted or masqueraded files.
- Harden and monitor Registry Run Keys and Startup Folder locations, with change review for unexpected user-context persistence.
- Control removable media use and disable or restrict Autorun-style execution where applicable.
- Enforce egress, DNS, and web proxy governance so unusual web-protocol command-and-control or file transfer activity can be investigated.
- Ensure incident response playbooks include scoping for injected processes, persistence artifacts, downloaded tools, removable-media propagation, and associated network indicators.
Analyst notes and limits
This take is based on the official ATT&CK S1074 object and its supplied relationships to T1036.005, T1036.008, T1055, T1071.001, T1091, T1105, and T1547.001. The object identifies Windows as the platform for ANDROMEDA; several related techniques have broader platform coverage, but the defensive emphasis here is Windows because that is what the malware object supports.
ATT&CK provides no official detection text for this object, no aliases in the supplied fields, and no direct indicators such as hashes, domains, registry paths, or process names. Local environment telemetry, baselines, and threat intelligence enrichment are required before making claims about exposure, detection coverage, or incident scope.
ANDROMEDA
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | ANDROMEDA can download additional payloads from C2.[1] |
| Enterprise | T1055 | Process Injection | ANDROMEDA can inject into the `wuauclt.exe` process to perform C2 actions.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | ANDROMEDA has the ability to make GET requests to download files from C2.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique) | ANDROMEDA has been installed to `C:\Temp\TrustedInstaller.exe` to mimic a legitimate Windows installer service.[1] |
| Enterprise | T1036.008 | Masquerade File Type (sub-technique) | ANDROMEDA has been delivered through a LNK file disguised as a folder.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | ANDROMEDA can establish persistence by dropping a sample of itself to `C:\ProgramData\Local Settings\Temp\mskmde.com` and adding a Registry run key to execute every time a user logs on.[1] |
| Enterprise | T1091 | Replication Through Removable Media | ANDROMEDA has been spread via infected USB keys.[1] |
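The "Detection direction" guidance above asks for combinations of signals rather than single indicators, and the procedure table gives the concrete shapes those signals take for ANDROMEDA. The following correlation sketch is an added example, not code from the page, MITRE or Mandiant: it runs over constructed Sysmon-like event dictionaries (an assumed shape, not any vendor's schema) and only alerts on a host when independent technique-level signals co-occur, while a benign baseline host with the real servicing binary and a vendor updater Run key stays quiet.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon-like events (assumed shape, not a vendor format; no real IoCs).
EVENTS = [
    {"host": "ws01", "type": "file_create", "path": r"C:\Temp\TrustedInstaller.exe"},
    {"host": "ws01", "type": "reg_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\upd",
     "value": r"C:\ProgramData\Local Settings\Temp\mskmde.com"},
    {"host": "ws01", "type": "process_access", "source": r"C:\Temp\TrustedInstaller.exe",
     "target": r"C:\Windows\System32\wuauclt.exe"},
    {"host": "ws01", "type": "network", "image": r"C:\Windows\System32\wuauclt.exe",
     "proto": "http", "dst": "203.0.113.5"},
    # ws02 is a benign baseline: servicing binary in place, vendor updater Run key.
    {"host": "ws02", "type": "file_create", "path": r"C:\Windows\servicing\TrustedInstaller.exe"},
    {"host": "ws02", "type": "reg_set",
     "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "value": r"C:\Program Files\Vendor\updater.exe"},
]
WINDOWS_NAMES = {"trustedinstaller.exe", "wuauclt.exe", "svchost.exe"}  # names worth checking
SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")          # where those names belong
STAGING_DIRS = ("\\programdata\\", "\\temp\\", "\\appdata\\")  # user-writable drop locations
RUN_KEY = "\\currentversion\\run\\"

def _in_system_dir(path):
    return path.lower().startswith(SYSTEM_DIRS)

def signals_for(events):
    """Return host -> set of technique-level signals; each signal alone is weak."""
    hits = defaultdict(set)
    injected = defaultdict(set)  # host -> system images accessed from a non-system image
    for e in events:
        h, t = e["host"], e["type"]
        if t == "file_create":
            if ntpath.basename(e["path"]).lower() in WINDOWS_NAMES and not _in_system_dir(e["path"]):
                hits[h].add("T1036.005 masqueraded system name")
        elif t == "reg_set" and RUN_KEY in e["key"].lower():
            v = e["value"].lower()
            if any(d in v for d in STAGING_DIRS) or v.endswith(".com"):
                hits[h].add("T1547.001 run key to staging path")
        elif t == "process_access" and not _in_system_dir(e["source"]):
            injected[h].add(e["target"].lower())
        elif t == "network" and e["proto"] in ("http", "https") and e["image"].lower() in injected[h]:
            hits[h].add("T1055+T1071.001 web traffic from injected process")
    return dict(hits)

def alert_hosts(events, min_signals=2):
    """Alert only where independent signals combine, as the detection direction suggests."""
    return sorted(h for h, s in signals_for(events).items() if len(s) >= min_signals)
```

Swap the constructed paths and name lists for your own baselined trusted paths and signers before using the logic against real telemetry.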
Groups, software, and campaigns
C0026
C0026 was a campaign identified in September 2022 that included the selective distribution of KOPILUWAK and QUIETCANARY malware to previous ANDROMEDA malware victims in Ukraine through re-registered ANDROMEDA C2 domains. Several tools and tactics used during C0026 were consistent with historic Turla operations.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6eedbf5adf61… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Suspected Turla Campaign February 2023: Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. (Open source URL)
[2] mitre-attack S1074 (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.