S1106: NGLite
NGLite is a backdoor Trojan that is only capable of running commands received through its C2 channel. While the capabilities are standard for a backdoor, NGLite uses a novel C2 channel that leverages a decentralized network based on the legitimate NKN to communicate between the backdoor and the actors.[1]
Analyst context for executives and security teams
NGLite is a Windows backdoor whose significance lies less in a broad feature set than in dependable remote command execution over an unusual command-and-control path. MITRE notes that it communicates via a decentralized network based on the legitimate NKN, which makes simple blocklists and perimeter-only monitoring less reliable. For leaders, this is a test of whether the organization can spot suspicious outbound control channels and post-compromise discovery activity, not just known malware names.
Executive priority
Prioritize this behavior where Windows systems have broad outbound internet access, weak egress governance, or limited network telemetry. The key decision value is whether SOC and IR teams can prove they would notice a backdoor receiving commands, discovering user and network details, and hiding C2 through web protocols, multi-hop proxying, or encrypted traffic. It also supports audit and resilience discussions around outbound control, logging coverage, and incident containment readiness.
Technical view
NGLite is mapped to discovery and command-and-control behaviors: System Network Configuration Discovery, System Owner/User Discovery, Web Protocols, Multi-hop Proxy, and Symmetric Cryptography. Because ATT&CK provides no official detection text for this software, defenders should validate coverage from the related techniques rather than rely on a malware-specific analytic. On Windows, test visibility for suspicious command execution, collection of user and network configuration details, and outbound communications that do not fit expected application behavior, especially where traffic appears web-like, proxied, decentralized, or encrypted outside normal enterprise patterns.
Likely telemetry
- Windows process creation and command-line telemetry
- Endpoint detection logs showing child processes and command execution from unusual binaries or service contexts
- Windows user/session/account discovery evidence
- Network configuration discovery evidence, including use of administrative utilities or API-equivalent behavior
- Proxy, firewall, and network flow logs for outbound connections
Detection direction
- Build or validate analytics around the related ATT&CK techniques instead of expecting a named NGLite signature to be sufficient.
- Correlate host discovery commands with new or unusual outbound network sessions from the same Windows endpoint.
- Tune web-protocol C2 detections for abnormal destination patterns, uncommon client processes, repetitive beacon-like behavior, and traffic inconsistent with business applications.
- Account for blind spots created by multi-hop proxying and decentralized communications; last-hop infrastructure may not reveal the true operator source.
- Treat encrypted outbound traffic as a metadata problem when content inspection is unavailable: process, destination, timing, volume, and parent-child process context become critical.
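The correlation described in the two points above (host discovery followed by a new outbound session from the same endpoint, plus beacon-like repetition) can be prototyped against process-creation and network-connection telemetry. The following is an added example for this page, not MITRE or Glexia code and not NGLite's own logic: it runs over constructed Sysmon-style events (EventID 1 process creation, EventID 3 network connection). Hosts, IPs, timestamps, the list of discovery binaries and the allowlist of expected client processes are all assumptions for illustration; the only page-sourced indicator is the TCP 30003 beacon port from the T1071.001 procedure note.

```python
"""Correlate discovery commands with new outbound sessions and check for beaconing.

Added example (not MITRE or Glexia code). Events are constructed Sysmon-style
records; hosts, IPs and timestamps are invented. No real telemetry is parsed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Windows utilities whose execution maps to T1033 / T1016. The page says NGLite
# collects user, MAC and IPv4 details but does not name binaries, so this list
# is an assumption covering common equivalents.
DISCOVERY_IMAGES = {"whoami.exe", "ipconfig.exe", "getmac.exe", "arp.exe",
                    "net.exe", "quser.exe", "route.exe", "nbtstat.exe"}

# From the page's T1071.001 note: initial NKN beacon is an HTTP POST over TCP 30003.
KNOWN_BEACON_PORTS = {30003}

# Assumed allowlist of processes expected to originate outbound web traffic.
EXPECTED_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int          # 1 = process create, 3 = network connect
    image: str             # basename of the acting process image
    parent: str = ""       # parent image (EventID 1 only)
    dest_ip: str = ""      # EventID 3 only
    dest_port: int = 0     # EventID 3 only


def correlate_discovery_with_egress(events: List[Event],
                                    window: timedelta = timedelta(minutes=10)) -> List[dict]:
    """Flag outbound connections that are (a) to a known beacon port, or (b) from a
    process outside EXPECTED_CLIENTS and preceded on the same host, within
    `window`, by one or more discovery commands."""
    findings = []
    by_host: Dict[str, List[Event]] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        for i, e in enumerate(evs):
            if e.event_id != 3:
                continue
            reasons = []
            if e.dest_port in KNOWN_BEACON_PORTS:
                reasons.append(f"destination port {e.dest_port} matches documented NGLite beacon port")
            if e.image.lower() not in EXPECTED_CLIENTS:
                prior = [d.image for d in evs[:i]
                         if d.event_id == 1 and d.image.lower() in DISCOVERY_IMAGES
                         and e.ts - d.ts <= window]
                if prior:
                    reasons.append(f"uncommon client {e.image} connected out within "
                                   f"{int(window.total_seconds() // 60)} min of discovery: {sorted(set(prior))}")
            if reasons:
                findings.append({"host": host, "ts": e.ts.isoformat(), "image": e.image,
                                 "dest": f"{e.dest_ip}:{e.dest_port}", "reasons": reasons})
    return findings


def beacon_candidates(events: List[Event], min_hits: int = 4,
                      max_jitter: float = 0.2) -> List[Tuple[str, str, str, float]]:
    """Group EventID 3 records by (host, image, dest) and report groups with at least
    `min_hits` connections whose inter-arrival times are regular (stdev/mean below
    `max_jitter`). Returns (host, image, dest, mean_interval_seconds)."""
    groups: Dict[Tuple[str, str, str], List[datetime]] = {}
    for e in events:
        if e.event_id == 3:
            groups.setdefault((e.host, e.image, f"{e.dest_ip}:{e.dest_port}"), []).append(e.ts)
    out = []
    for (host, image, dest), stamps in groups.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        m = mean(gaps)
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            out.append((host, image, dest, m))
    return out


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


# Constructed sample telemetry (not real logs). WS01 shows the pattern the page
# describes: discovery from an unfamiliar parent, then a session on TCP 30003 that
# repeats at a near-fixed interval. WS02 and WS03 are benign controls.
SAMPLE_EVENTS = [
    Event(_t("2024-02-08T09:00:00"), "WS01", 1, "whoami.exe", parent="update.exe"),
    Event(_t("2024-02-08T09:00:02"), "WS01", 1, "ipconfig.exe", parent="update.exe"),
    Event(_t("2024-02-08T09:00:03"), "WS01", 1, "getmac.exe", parent="update.exe"),
    Event(_t("2024-02-08T09:00:05"), "WS01", 3, "update.exe", dest_ip="203.0.113.10", dest_port=30003),
    Event(_t("2024-02-08T09:01:05"), "WS01", 3, "update.exe", dest_ip="203.0.113.10", dest_port=30003),
    Event(_t("2024-02-08T09:02:06"), "WS01", 3, "update.exe", dest_ip="203.0.113.10", dest_port=30003),
    Event(_t("2024-02-08T09:03:04"), "WS01", 3, "update.exe", dest_ip="203.0.113.10", dest_port=30003),
    Event(_t("2024-02-08T09:10:00"), "WS02", 3, "chrome.exe", dest_ip="198.51.100.5", dest_port=443),
    Event(_t("2024-02-08T10:00:00"), "WS03", 1, "whoami.exe", parent="cmd.exe"),
    Event(_t("2024-02-08T12:30:00"), "WS03", 3, "chrome.exe", dest_ip="198.51.100.5", dest_port=443),
]

if __name__ == "__main__":
    for f in correlate_discovery_with_egress(SAMPLE_EVENTS):
        print(f)
    for c in beacon_candidates(SAMPLE_EVENTS):
        print("beacon-like:", c)
```

Against the sample data only WS01 is flagged: each of its four connections matches the beacon port and follows discovery commands from an unexpected client, and the four sessions to one destination arrive about 60 seconds apart with low jitter. WS03 runs `whoami.exe` too, but the later connection comes from an allowlisted browser hours afterwards, so the window check suppresses it. In production the port list and allowlist would come from local baselines, and the jitter threshold would be tuned against known-good periodic traffic such as update checks.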
Mitigation priorities
- Confirm Windows endpoints have prevention and logging controls capable of recording process execution, command-line context, and outbound network activity.
- Restrict unnecessary outbound internet access and enforce egress paths through monitored proxy or firewall controls where feasible.
- Use application control or execution policy controls to reduce unauthorized binaries and scripts running on Windows systems.
- Harden identity and endpoint privileges so a command-capable backdoor has less ability to discover or manipulate the environment.
- Prepare IR containment procedures for suspected C2, including host isolation, credential review, and network egress blocking based on observed destinations and processes.
Analyst notes and limits
The most important defensive lesson is that NGLite’s C2 design may defeat narrow detections based only on known infrastructure. Coverage should be assessed through behavior: command execution, discovery, and suspicious outbound control channels. The relationship set gives useful detection anchors even though the software object itself has no ATT&CK detection guidance.
ATT&CK does not provide official detection text, aliases, labels, or tactics for this object. The supplied platform is Windows, while several related technique platform lists are broader or do not explicitly include Windows in the provided excerpt. Local environment telemetry, approved software behavior, and network architecture are required to determine realistic detection and mitigation coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | NGLite will initially beacon out to the NKN network via an HTTP POST over TCP 30003.[1] |
| Enterprise | T1033 | System Owner/User Discovery | NGLite will run the |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | NGLite will use an AES encrypted channel for command and control purposes, in one case using the key |
| Enterprise | T1090.003 | Proxy: Multi-hop Proxy | NGLite has abused NKN infrastructure for its C2 communication.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | NGLite identifies the victim system MAC and IPv4 addresses and uses these to establish a victim identifier.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be used to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources (Updates) page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 50e13c4ca501… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Robert Falcone, Jeff White, and Peter Renals. (2021, November 7). Targeted Attack Campaign Against ManageEngine ADSelfService Plus Delivers Godzilla Webshells, NGLite Trojan and KdcSponge Stealer. Retrieved February 8, 2024.
[2] mitre-attack: S1106 (MITRE ATT&CK software entry for NGLite).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.