S1075: KOPILUWAK
Analyst context for executives and security teams
KOPILUWAK matters because ATT&CK describes it as a Windows JavaScript-based reconnaissance and command-and-control tool used for victim profiling. For leaders, the key issue is not only malware removal; it is whether the organization can see early-stage profiling activity that helps an intruder decide what to do next, including discovery, staging, and exfiltration over C2.
Executive priority
Prioritize validation of endpoint, email, and web-traffic visibility around targeted attachment delivery, JavaScript execution, host discovery, local data access, and outbound C2-like communications. This object is associated in ATT&CK with campaign C0026 and group Turla, but local risk decisions should be based on whether your environment has the telemetry and response playbooks to identify reconnaissance on Windows systems before collection or exfiltration progresses.
Technical view
ATT&CK provides no dedicated detection text for KOPILUWAK, so defenders should pivot from the documented relationships: Spearphishing Attachment and Malicious File for delivery/execution; JavaScript execution on Windows; discovery of users, processes, network configuration, network connections, network shares, and local storage; local data access and staging; web-protocol C2; and exfiltration over the C2 channel. SOC teams should validate detections that correlate suspicious script execution with rapid host/network enumeration and unusual outbound web communications rather than relying on a single malware signature.
Likely telemetry
- Email security logs and attachment metadata for spearphishing-style delivery
- Endpoint process creation telemetry, especially Windows script host or JavaScript/JScript execution context
- Command-line and parent/child process relationships around discovery utilities and scripts
- File system events for local data access and local staging locations
- User/session context showing current or primary user discovery
Detection direction
- Build correlation logic around JavaScript execution followed by multiple discovery behaviors such as user, process, network configuration, network connection, share, or storage enumeration.
- Tune for context: administrative scripts and software inventory tools can resemble discovery, so baselines for approved management activity are important.
- Validate visibility into outbound HTTP/S-like traffic from endpoints after suspicious script execution, especially where results may be carried over the same channel as command and control.
- Confirm email-to-endpoint linkage so analysts can connect a malicious attachment event to subsequent host behavior.
- Use the C0026 relationship as threat-intelligence context for hunting, not as proof of local compromise or active exploitation.
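One way to implement the correlation described above, as an added example that is not part of the ATT&CK or Glexia page: it scans constructed Sysmon-style process-creation events for a Windows script host running a `.js` file whose child processes cover several of the discovery categories mapped to KOPILUWAK within a time window, and records whether any child wrote to the `result2.dat` staging name. The discovery keywords, threshold, window, host names and event fields are assumptions for illustration.

```python
# Correlation sketch: Windows script-host execution followed by several discovery
# commands, run over constructed Sysmon-style process-creation events (not real telemetry).
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
DISCOVERY = {  # categories taken from the techniques mapped to KOPILUWAK on this page
    "user": ("whoami",),                          # T1033
    "process": ("tasklist",),                     # T1057
    "net_config": ("ipconfig",),                  # T1016
    "net_conn": ("netstat",),                     # T1049
    "share": ("net view", "net share"),           # T1135
    "storage": ("logicaldisk", "fsutil fsinfo"),  # T1680
}
STAGING_MARKER = "result2.dat"  # T1074.001 staging file name documented for KOPILUWAK

def classify(cmdline):  # discovery categories a command line matches (may be empty)
    low = cmdline.lower()
    return {cat for cat, needles in DISCOVERY.items() if any(n in low for n in needles)}

def correlate(events, window=timedelta(minutes=10), min_categories=3):
    # One alert per script-host process whose children cover >= min_categories categories in the window.
    children = defaultdict(list)
    for e in events:
        children[(e["host"], e["ppid"])].append(e)
    alerts = []
    for e in events:
        if e["image"].lower() not in SCRIPT_HOSTS or ".js" not in e["cmdline"].lower():
            continue
        cats, staged = set(), False
        for c in children[(e["host"], e["pid"])]:
            if e["ts"] <= c["ts"] <= e["ts"] + window:
                cats |= classify(c["cmdline"])
                staged = staged or STAGING_MARKER in c["cmdline"].lower()
        if len(cats) >= min_categories:
            alerts.append({"host": e["host"], "script": e["cmdline"], "categories": sorted(cats), "staged": staged})
    return alerts

T0 = datetime(2024, 1, 1, 9, 0)  # constructed timeline start
def ev(sec, host, pid, ppid, image, cmdline):  # builds one constructed event (assumed schema)
    return dict(ts=T0 + timedelta(seconds=sec), host=host, pid=pid, ppid=ppid, image=image, cmdline=cmdline)
SAMPLE_EVENTS = [
    ev(5, "WS01", 200, 100, "wscript.exe", r"wscript.exe C:\Temp\invoice.js"),
    ev(10, "WS01", 201, 200, "cmd.exe", r"cmd.exe /c whoami > %TEMP%\result2.dat"),
    ev(12, "WS01", 202, 200, "cmd.exe", "cmd.exe /c tasklist"),
    ev(14, "WS01", 203, 200, "cmd.exe", "cmd.exe /c ipconfig /all"),
    ev(16, "WS01", 204, 200, "cmd.exe", "cmd.exe /c net view"),
    ev(0, "WS02", 300, 60, "cscript.exe", "cscript.exe inventory.js"),  # approved inventory script: one category, no alert
    ev(3, "WS02", 301, 300, "ipconfig.exe", "ipconfig /all"),
]
```

Raising `min_categories` or narrowing `window` is the tuning knob for environments where approved management scripts legitimately run several discovery utilities.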
Mitigation priorities
- Harden email attachment handling and user-execution paths for malicious files.
- Restrict or monitor unnecessary JavaScript/JScript execution on Windows where business processes allow.
- Ensure endpoint controls capture script execution, command-line context, file staging, and discovery activity.
- Apply least privilege and share-access governance to reduce the value of local and network discovery.
- Review outbound web access controls, proxy logging, and egress monitoring for systems that should not initiate broad external communications.
Analyst notes and limits
KOPILUWAK is described by ATT&CK as JavaScript-based and Windows-platform malware used for victim profiling and C2 since at least 2017. The strongest defensive value comes from the mapped technique relationships, which show a chain spanning phishing attachment delivery, script execution, discovery, collection, staging, web-protocol C2, and exfiltration over C2.
The official ATT&CK object provides no detection text, no aliases, and no malware-specific tactics. Several related techniques list broad or non-Windows platforms, but the KOPILUWAK software object itself is listed for the Windows platform only. Any detection or control priority must be validated against local telemetry, approved administrative activity, and business use of scripting.
KOPILUWAK
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols (sub-technique) | KOPILUWAK has used HTTP POST requests to send data to C2.[1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | KOPILUWAK has gained execution through malicious attachments.[1] |
| Enterprise | T1057 | Process Discovery | KOPILUWAK can enumerate current running processes on the targeted machine.[1] |
| Enterprise | T1135 | Network Share Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | KOPILUWAK has exfiltrated collected data to its C2 via POST requests.[1] |
| Enterprise | T1680 | Local Storage Discovery | KOPILUWAK can discover logical drive information on compromised hosts.[1] |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | KOPILUWAK has been delivered to victims as a malicious email attachment.[1] |
| Enterprise | T1005 | Data from Local System | KOPILUWAK can gather information from compromised hosts.[1] |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | KOPILUWAK has piped the results from executed C2 commands to `%TEMP%\result2.dat` on the local machine.[1] |
| Enterprise | T1059.007 | JavaScript (sub-technique) | KOPILUWAK had used JavaScript to perform its core functions.[1] |
| Enterprise | T1033 | System Owner/User Discovery | KOPILUWAK can conduct basic network reconnaissance on the victim machine with `whoami` to get user details.[1] |
Groups, software, and campaigns
G0010: Turla
Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]
C0026: C0026
C0026 was a campaign identified in September 2022 that included the selective distribution of KOPILUWAK and QUIETCANARY malware to previous ANDROMEDA malware victims in Ukraine through re-registered ANDROMEDA C2 domains. Several tools and tactics used during C0026 were consistent with historic Turla operations.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page under Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 7cc265b7d6a3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant Suspected Turla Campaign February 2023: Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
[2] mitre-attack S1075: MITRE ATT&CK software entry S1075 (KOPILUWAK).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.