S1085: Sardonic
Analyst context for executives and security teams
Sardonic matters because it is a Windows backdoor that ATT&CK associates with FIN8 and that was documented in prior reporting on financial-sector targeting. Its plugin-based DLL capability means defenders should treat it as more than a single executable: the operational risk is follow-on execution, discovery, tool transfer, persistence, and concealed command-and-control activity after initial compromise.
Executive priority
Prioritize Sardonic as a validation case for Windows endpoint visibility, incident response readiness, and financially motivated intrusion playbooks. Leaders should ask whether the organization can prove collection and alerting for WMI abuse, PowerShell and command-shell execution, process injection indicators, suspicious DLL/plugin loading, discovery commands, unusual network egress, and evidence tampering. This is especially relevant for sectors noted in the FIN8 relationship context, including hospitality, retail, entertainment, insurance, technology, chemical, and financial organizations, but local exposure depends on the environment.
Technical view
ATT&CK provides no dedicated detection text for Sardonic, so coverage should be built from its mapped behaviors. Validate Windows telemetry for execution through WMI, PowerShell, cmd, and native APIs; persistence through WMI event subscriptions; stealth through obfuscation, command obfuscation, deobfuscation, indicator removal, and APC process injection; discovery of services, processes, system information, network configuration, network connections, and shares; collection from local systems; ingress tool transfer; and C2 patterns involving non-application-layer protocols, non-standard ports, standard encoding, and symmetric or asymmetric cryptography.
Likely telemetry
- Windows process creation and command-line telemetry
- PowerShell script block, module, and transcription logs where enabled
- WMI activity logs, including event filter/consumer/binding creation
- Endpoint detection telemetry for DLL loading, process injection, APC activity, and native API usage
- File creation, modification, deletion, and decoding/deobfuscation artifacts
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on a Sardonic-specific signature, because official detection guidance is not provided.
- Correlate discovery bursts with suspicious execution sources such as WMI, PowerShell, cmd, or unusual parent-child process chains.
- Tune for administrative false positives: WMI, PowerShell, service queries, network discovery, and share enumeration can be legitimate, so prioritize unusual users, hosts, timing, command structure, and follow-on C2 or file activity.
- Review visibility gaps around encoded commands, obfuscated command lines, DLL/plugin loading, APC-style injection, and native API behaviors, which may be underrepresented in basic logging.
- Hunt for network behavior that violates expected protocol-port pairings or uses non-application-layer protocols, while recognizing that encryption and standard encoding may limit payload inspection.
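The correlation described in the points above, as an added example that is not part of the ATT&CK page or either cited report: it runs over constructed, Sysmon-style process-creation records (the field names `time`, `host`, `user`, `command_line`, `parent_image` are this example's own simplification, not a real log schema), decodes `-EncodedCommand` payloads, maps the discovery commands listed in the technique table to their ATT&CK IDs, and raises a burst finding only when several of them run from a WMI, PowerShell, or cmd parent within a short window, so a lone `ipconfig` from an administrator stays below the threshold.

```python
"""Correlate discovery bursts with suspicious execution sources.

Added example, not code from ATT&CK or the cited reports. Runs over
constructed Sysmon-style process-creation records whose field names
(time, host, user, command_line, parent_image) are this example's own."""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands from the page's technique table, keyed to ATT&CK IDs.
DISCOVERY = {"tasklist": "T1057", "netstat": "T1049", "net view": "T1135",
             "net start": "T1007", "ipconfig": "T1016"}

# Execution sources the page calls out (WMI, PowerShell, cmd). Dropping
# cmd.exe cuts administrative noise at the cost of coverage.
SUSPICIOUS_PARENTS = {"wmiprvse.exe", "powershell.exe", "cmd.exe"}

# -EncodedCommand and the abbreviations PowerShell accepts, then base64.
ENCODED_FLAG = re.compile(r"(?i)\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})")


def basename(path):
    """Lower-cased file name from a Windows or POSIX path."""
    return path.lower().replace("\\", "/").rsplit("/", 1)[-1]


def decode_encoded_command(command_line):
    """Decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # flag present but undecodable: still worth a look


def discovery_technique(command_line):
    """ATT&CK discovery technique ID for a command line, or None."""
    tokens = command_line.split()
    if not tokens:
        return None
    prog = basename(tokens[0])
    prog = prog[:-4] if prog.endswith(".exe") else prog
    if prog == "net" and len(tokens) > 1:  # net view vs. net start
        prog = f"net {tokens[1].lower()}"
    return DISCOVERY.get(prog)


def correlate(events, window=timedelta(minutes=5), min_discovery=3):
    """Flag encoded PowerShell command lines, and per (host, user) any run
    of min_discovery+ discovery commands with a suspicious parent within
    `window`. Returns a list of finding dicts in detection order."""
    findings, hits = [], defaultdict(list)  # hits: (host, user) -> [(ts, id)]
    for ev in events:
        decoded = decode_encoded_command(ev["command_line"])
        if decoded is not None:
            findings.append({"host": ev["host"], "technique": "T1027.010",
                             "detail": f"encoded PowerShell: {decoded!r}"})
        tid = discovery_technique(ev["command_line"])
        if tid and basename(ev["parent_image"]) in SUSPICIOUS_PARENTS:
            hits[(ev["host"], ev["user"])].append(
                (datetime.fromisoformat(ev["time"]), tid))
    for (host, user), seq in hits.items():
        seq.sort()
        for start, _ in seq:
            burst = [t for ts, t in seq if start <= ts <= start + window]
            if len(burst) >= min_discovery:
                findings.append({"host": host, "user": user, "technique":
                                 "discovery-burst", "techniques": sorted(set(burst))})
                break  # one burst finding per host/user pair is enough for triage
    return findings


def rec(time, command_line, parent_image, host="WS01", user="CORP\\jdoe"):
    """One constructed process-creation record."""
    return {"time": time, "host": host, "user": user,
            "command_line": command_line, "parent_image": parent_image}


PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
ENC = base64.b64encode("Get-Process".encode("utf-16-le")).decode("ascii")
SAMPLE_EVENTS = [  # constructed for this example
    rec("2024-01-15T10:00:00", f"powershell.exe -nop -w hidden -enc {ENC}",
        "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe"),
    rec("2024-01-15T10:00:05", "tasklist /v", PS),
    rec("2024-01-15T10:00:07", "netstat -ano", PS),
    rec("2024-01-15T10:00:09", "C:\\Windows\\System32\\net.exe view", PS),
    rec("2024-01-15T10:00:12", "net start", PS),
    rec("2024-01-15T10:00:15", "ipconfig /all", PS),
    # Benign administration: a single discovery command, below the threshold.
    rec("2024-01-15T11:30:00", "ipconfig /all", "C:\\Windows\\System32\\cmd.exe",
        host="ADM01", user="CORP\\ops"),
]

if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

On the sample data this yields two findings: the decoded `-enc` command line launched from `WmiPrvSE.exe`, and one discovery burst on WS01 covering T1007, T1016, T1049, T1057 and T1135. The window, threshold, and parent set are the tuning knobs the bullet on administrative false positives refers to; widening the parent set increases coverage and noise together.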
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoint, PowerShell, WMI, process, file, and network logs are collected and retained for investigation.
- Harden and monitor administrative execution paths, especially WMI, PowerShell, and command shell usage, with least privilege and change-control expectations.
- Restrict unnecessary outbound connectivity and monitor non-standard protocol/port usage to reduce C2 opportunities.
- Control DLL loading and unapproved tool transfer through application control, endpoint policy, and software inventory practices where feasible.
- Prepare IR procedures for plugin-capable backdoors: scope for additional DLLs, transferred tools, persistence mechanisms, discovery output, and possible evidence removal.
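A concrete form of the "monitor non-standard protocol/port usage" item, as an added example that is not part of the ATT&CK page or the cited reports: it inspects the first client-to-server bytes of constructed flow records and flags a destination port whose expected protocol is absent, which is how a custom binary protocol on 443 (the T1571 and T1095 rows in the technique table) stands out from real TLS. The flow record fields (`src`, `dst`, `dst_port`, `first_bytes`) are this example's own; in practice they would come from a network sensor or packet capture, and the example generalizes beyond 443 by keeping a per-port expectation table.

```python
"""Protocol/port pairing check for egress flows.

Added example, not code from ATT&CK or the cited reports. Inspects the
first client-to-server bytes of constructed flow records; the record
fields (src, dst, dst_port, first_bytes) are this example's own."""


def looks_like_tls_client_hello(data):
    """True if data starts with a TLS record header (content type 0x16
    handshake, major version 3) carrying a ClientHello (handshake type 1)."""
    return (len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03
            and data[2] <= 0x04 and data[5] == 0x01)


def looks_like_http_request(data):
    """True if data begins with a common HTTP request line."""
    methods = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"OPTIONS ", b"CONNECT ")
    return any(data.startswith(m) for m in methods)


# Expected protocol per destination port; extend from local baselines.
EXPECTED = {443: looks_like_tls_client_hello, 80: looks_like_http_request}


def port_protocol_mismatches(flows, min_bytes=6):
    """Return the flows whose first bytes do not match the protocol expected
    on their destination port. Ports with no expectation, or flows with too
    few bytes to judge, are skipped rather than flagged."""
    out = []
    for flow in flows:
        check = EXPECTED.get(flow["dst_port"])
        data = flow["first_bytes"]
        if check is None or len(data) < min_bytes:
            continue
        if not check(data):
            out.append({**flow, "reason":
                        f"unexpected payload on port {flow['dst_port']}"})
    return out


# Constructed flows; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_FLOWS = [
    # Genuine TLS: record header 16 03 01, length, then ClientHello type 01.
    {"src": "10.0.0.5", "dst": "203.0.113.10", "dst_port": 443,
     "first_bytes": bytes.fromhex("160301 00c5 01 0000c1 0303")},
    # Little-endian length-prefixed binary on 443: not TLS, gets flagged.
    {"src": "10.0.0.5", "dst": "198.51.100.7", "dst_port": 443,
     "first_bytes": bytes.fromhex("20000000 0100 0000 deadbeef")},
    {"src": "10.0.0.6", "dst": "203.0.113.20", "dst_port": 80,
     "first_bytes": b"GET /index.html HTTP/1.1\r\n"},
    # No expectation registered for 8443, so this flow is skipped.
    {"src": "10.0.0.6", "dst": "203.0.113.30", "dst_port": 8443,
     "first_bytes": bytes.fromhex("010203")},
]

if __name__ == "__main__":
    for flow in port_protocol_mismatches(SAMPLE_FLOWS):
        print(flow["dst"], flow["reason"])
```

Only the second flow is reported. This check catches a bare custom protocol on a web port; it cannot see inside a flow that is wrapped in real TLS, which is the limit the detection-direction bullet on encryption and standard encoding already notes, so it complements rather than replaces egress restriction and destination baselining.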
Analyst notes and limits
Sardonic is documented by ATT&CK as a C/C++ Windows backdoor with a plugin system that can load specially made DLLs and execute their functions. ATT&CK links it to FIN8 and maps it to execution, discovery, collection, stealth, persistence/privilege escalation, and command-and-control techniques through relationships. The strongest defensive value is validating whether the organization can see the behaviors around the malware, not merely whether a named malware alert exists.
Official ATT&CK detection guidance is not provided, tactics are not specified on the malware object itself, and the relationship descriptions are technique-level summaries rather than environment-specific indicators. This take does not assert current exploitation, customer exposure, or guaranteed detection. Local baselines, asset criticality, network architecture, and available logs are required to turn this into a concrete detection or response plan.
Sardonic
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Sardonic can use WMI to execute PowerShell commands on a compromised machine. [1] |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Sardonic PowerShell scripts can be encrypted with RC4 and compressed using Gzip. [1] |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | Sardonic has the ability to execute the `ipconfig` command. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Sardonic has the ability to use an RC4 key to encrypt communications to and from actor-controlled C2 servers. [1] |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription Sub-technique | Sardonic can use a WMI event filter to invoke a command-line event consumer to gain persistence. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Sardonic has the ability to upload additional malicious files to a compromised machine. [1] |
| Enterprise | T1135 | Network Share Discovery | Sardonic has the ability to execute the `net view` command. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Sardonic can first decrypt with the RC4 algorithm using a hardcoded decryption key before decompressing. [2] |
| Enterprise | T1005 | Data from Local System | Sardonic has the ability to collect data from a compromised machine to deliver to the attacker. [2] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Sardonic has the ability to run `cmd.exe` or other interactive processes on a compromised computer. [2] |
| Enterprise | T1680 | Local Storage Discovery | Sardonic has the ability to collect the C:\ drive serial number from a compromised machine. [1] |
| Enterprise | T1571 | Non-Standard Port | Sardonic has the ability to connect with actor-controlled C2 servers using a custom binary protocol over port 443. [1] |
| Enterprise | T1057 | Process Discovery | Sardonic has the ability to execute the `tasklist` command. [1] |
| Enterprise | T1007 | System Service Discovery | Sardonic has the ability to execute the `net start` command. [1] |
| Enterprise | T1106 | Native API | Sardonic has the ability to call Win32 API functions to determine if `powershell.exe` is running. [1] |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | Sardonic can encode client ID data in 32 uppercase hex characters and transfer to the actor-controlled C2 server. [1] |
| Enterprise | T1070 | Indicator Removal | Sardonic has the ability to delete created WMI objects to evade detections. [1] |
| Enterprise | T1620 | Reflective Code Loading | Sardonic has a plugin system that can load specially made DLLs into memory and execute their functions. [1][2] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Sardonic has the ability to send a random 64-byte RC4 key to communicate with actor-controlled C2 servers by using an RSA public key. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Sardonic can use certain ConfuserEx features for obfuscation and can be encoded in a base64 string. [2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Sardonic has the ability to execute PowerShell commands on a compromised machine. [1] |
| Enterprise | T1049 | System Network Connections Discovery | Sardonic has the ability to execute the `netstat` command. [1] |
| Enterprise | T1055.004 | Asynchronous Procedure Call Sub-technique | Sardonic can use the `QueueUserAPC` API to execute shellcode on a compromised machine. [2] |
| Enterprise | T1095 | Non-Application Layer Protocol | Sardonic can communicate with actor-controlled C2 servers by using a custom little-endian binary protocol. [1] |
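The T1546.003 and T1070 rows together describe a lifecycle worth detecting as a pair: a WMI filter bound to a command-line consumer, later deleted. The following is an added example that is not part of the ATT&CK page or the cited reports. It runs over constructed records modelled loosely on Sysmon's WMI events (ID 19 filter, 20 consumer, 21 filter-to-consumer binding, each with a Created or Deleted operation); the field names and the single-name form of the objects are this example's own simplification of what the real events carry.

```python
"""WMI event-subscription persistence and clean-up detection.

Added example, not code from ATT&CK or the cited reports. Runs over
constructed records modelled loosely on Sysmon's WMI events (ID 19 filter,
20 consumer, 21 binding) with Created/Deleted operations; the field names
are this example's own simplification."""
from datetime import datetime, timedelta

# Consumer classes that run an attacker-chosen command or script when the
# bound filter fires; the page's T1546.003 row describes the command-line one.
RISKY_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}
KIND = {19: "filter", 20: "consumer", 21: "binding"}


def object_name(ev):
    """Stable name for a filter, a consumer, or a filter-to-consumer binding."""
    if ev["event_id"] == 21:
        return f'{ev["filter"]} -> {ev["consumer"]}'
    return ev["name"]


def analyze_wmi_events(events, removal_window=timedelta(hours=1)):
    """Return one T1546.003 finding per risky consumer created and one T1070
    finding per object deleted within removal_window of its own creation
    (the page notes Sardonic deletes the WMI objects it created)."""
    findings, created_at = [], {}  # created_at: (kind, name) -> timestamp
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        kind, name = KIND[ev["event_id"]], object_name(ev)
        if ev["operation"] == "Created":
            created_at[(kind, name)] = ts
            if kind == "consumer" and ev["consumer_type"] in RISKY_CONSUMERS:
                findings.append({"technique": "T1546.003", "object": name,
                                 "user": ev["user"], "detail":
                                 f'{ev["consumer_type"]}: {ev["destination"]}'})
        elif ev["operation"] == "Deleted":
            t0 = created_at.pop((kind, name), None)
            if t0 is not None and ts - t0 <= removal_window:
                findings.append({"technique": "T1070", "object": name,
                                 "user": ev["user"], "detail":
                                 f"{kind} removed {ts - t0} after creation"})
    return findings


def wmi(time, event_id, operation, user, **fields):
    """One constructed WMI record."""
    return {"time": time, "event_id": event_id, "operation": operation,
            "user": user, **fields}


SAMPLE_WMI_EVENTS = [  # constructed for this example
    # Benign: a logging consumer created by a management account, never removed.
    wmi("2024-01-15T09:00:00", 20, "Created", "CORP\\mgmt-svc", name="AuditConsumer",
        consumer_type="NTEventLogEventConsumer", destination=""),
    # Filter, command-line consumer and binding created one second apart ...
    wmi("2024-01-15T10:01:00", 19, "Created", "CORP\\jdoe", name="UpdFilter"),
    wmi("2024-01-15T10:01:01", 20, "Created", "CORP\\jdoe", name="UpdConsumer",
        consumer_type="CommandLineEventConsumer",
        destination="powershell.exe -nop -w hidden -enc <base64 placeholder>"),
    wmi("2024-01-15T10:01:02", 21, "Created", "CORP\\jdoe",
        filter="UpdFilter", consumer="UpdConsumer"),
    # ... and removed about twenty minutes later, in reverse order.
    wmi("2024-01-15T10:20:00", 21, "Deleted", "CORP\\jdoe",
        filter="UpdFilter", consumer="UpdConsumer"),
    wmi("2024-01-15T10:20:01", 20, "Deleted", "CORP\\jdoe", name="UpdConsumer"),
    wmi("2024-01-15T10:20:02", 19, "Deleted", "CORP\\jdoe", name="UpdFilter"),
]

if __name__ == "__main__":
    for finding in analyze_wmi_events(SAMPLE_WMI_EVENTS):
        print(finding)
```

The sample produces one T1546.003 finding for the command-line consumer and three T1070 findings, one each for the binding, consumer and filter removed shortly after creation; the management account's logging consumer is never reported. Pairing creation with deletion matters because a subscription that exists for twenty minutes leaves nothing behind for a later `Get-WmiObject` or `Get-CimInstance` sweep of the `root\subscription` namespace to find, so the event stream, not the current state, is the evidence.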
Groups, software, and campaigns
G0061: FIN8
FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 770b016ead95… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Bitdefender Sardonic Aug 2021: Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023.
- [2] Symantec FIN8 Jul 2023: Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023.
- [3] mitre-attack S1085: MITRE ATT&CK source record for S1085.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.