S1107: NKAbuse
Analyst context for executives and security teams
NKAbuse matters because it is described by ATT&CK as a Go-based, multi-platform implant with backdoor and flooder capabilities that abuses NKN technology for peer-to-peer data exchange. For leaders, the practical issue is not just “malware exists”; it is whether the organization can see unusual cross-platform implants, persistence on Unix-like systems, discovery activity, proxy-like command-and-control patterns, screen capture behavior, and potential network denial-of-service activity before they affect operations.
Executive priority
Prioritize NKAbuse as a resilience and visibility question across Linux, macOS, and Windows estates. Security leaders should ask whether SOC telemetry can connect endpoint discovery, scheduled execution, unusual peer-to-peer or multi-hop network traffic, and flood-like outbound activity into one incident narrative. This is also useful for audit and readiness discussions: can the organization prove it collects the evidence needed to investigate backdoor activity, persistence, collection, and availability-impact behavior?
Technical view
ATT&CK provides no official detection text for NKAbuse, so defenders should validate coverage through the related techniques: Internet Connection Discovery, Cron persistence, Process Discovery, Unix Shell execution, System Information Discovery, Multi-hop Proxy, Screen Capture, and Network Denial of Service. SOC and IR teams should focus on correlating process execution, scheduled task or cron changes, system and process enumeration, screenshot-related activity, and anomalous network communications. Because the malware is described as multi-platform, validation should include Linux, macOS, and Windows where applicable, while noting that some related behaviors such as Cron and Unix Shell are specific to Unix-like environments.
Likely telemetry
- Endpoint process creation and command-line telemetry
- Linux and macOS cron/crontab file and job modification evidence
- Shell execution logs or EDR events on Linux and macOS
- System and process discovery events
- Network flow, DNS, proxy, and firewall logs showing unusual outbound peer-to-peer or multi-hop patterns
Detection direction
- Build detections around behavior chains rather than a single indicator: discovery followed by persistence, network connectivity checks, proxy-like communications, collection, or flood-like traffic.
- Validate that Linux and macOS cron monitoring captures both file changes and executed scheduled commands; tune for legitimate administrative automation.
- Review network analytics for unusual peer-to-peer-style outbound communications and multi-hop proxy patterns, while accounting for legitimate distributed networking tools.
- Correlate screen capture events with unusual parent processes, newly observed binaries, or remote-control-like activity to reduce false positives.
- For denial-of-service risk, monitor abnormal outbound volume, connection fan-out, and repeated traffic patterns from endpoints or servers.
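One way to turn the behavior-chain guidance above into working detection logic, as an added example that is not part of this page or of ATT&CK: it scores a host on how many distinct NKAbuse-related techniques appear within one time window rather than alerting on any single event. The event format, host names, paths, fan-out threshold and window size are constructed assumptions, not values from the page.

```python
"""Behavior-chain correlation for NKAbuse-style activity (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, host, kind, detail). Not real telemetry.
SAMPLE_EVENTS = [
    ("2024-02-08T10:00:05", "srv-01", "process", "/bin/sh /tmp/setup.sh"),
    ("2024-02-08T10:00:09", "srv-01", "file", "/var/spool/cron/crontabs/root"),
    ("2024-02-08T10:00:12", "srv-01", "process", "ps -ef"),
    ("2024-02-08T10:01:40", "srv-01", "netflow", "dst=198.51.100.7:443 fanout=412"),
    ("2024-02-08T10:02:01", "srv-01", "screenshot", "parent=/tmp/app"),
    ("2024-02-08T09:58:00", "ws-07", "process", "ps -ef"),
    ("2024-02-08T09:58:30", "ws-07", "file", "/etc/cron.d/backup"),
]

# Map one raw event to the ATT&CK technique this page lists for NKAbuse.
# Any single hit is common admin noise; several in one window is the signal.
def classify(kind, detail):
    if kind == "file" and "cron" in detail:
        return "T1053.003"  # cron persistence
    if kind == "process" and detail.startswith("/bin/sh "):
        return "T1059.004"  # shell script execution
    if kind == "process" and detail.split()[0] in ("ps", "pgrep"):
        return "T1057"      # process discovery
    if kind == "netflow":
        fanout = int(detail.split("fanout=")[1])
        return "T1498" if fanout >= 200 else None  # flood-like connection fan-out (assumed threshold)
    if kind == "screenshot":
        return "T1113"      # screen capture
    return None

def correlate(events, window_minutes=10, min_techniques=3):
    """Return {host: sorted techniques} for hosts showing at least
    min_techniques distinct behaviors inside one sliding window."""
    per_host = defaultdict(list)
    for ts, host, kind, detail in events:
        tech = classify(kind, detail)
        if tech:
            per_host[host].append((datetime.fromisoformat(ts), tech))
    window = timedelta(minutes=window_minutes)
    alerts = {}
    for host, items in per_host.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            seen = {t for ts, t in items[i:] if ts - start <= window}
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts
```

In the sample data only srv-01 chains five techniques within two minutes; ws-07 shows discovery plus a cron change, which alone stays below the alert threshold and is where tuning for legitimate automation happens.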
Mitigation priorities
- Ensure endpoint detection and response coverage is consistent across Linux, macOS, and Windows assets in scope.
- Restrict and monitor scheduled execution mechanisms such as cron on Unix-like systems, especially for unexpected users or newly written jobs.
- Apply least privilege so malware running as a user has reduced ability to persist, enumerate sensitive context, or capture screens.
- Use egress controls and network monitoring to limit and investigate unusual outbound peer-to-peer or proxy-like communications.
- Maintain response playbooks for backdoor containment and for hosts generating excessive outbound traffic that could indicate flooder behavior.
Analyst notes and limits
This take is based on the ATT&CK software object S1107 and its listed relationships. The decision value is in validating whether existing controls can observe the related behaviors across supported platforms, especially where official detection guidance is absent.
The supplied ATT&CK object does not provide official detection logic, aliases, tactics for the malware object, indicators, affected products, attribution, or evidence of current exploitation. Conclusions about exposure, impact, or detection coverage require local telemetry and environment-specific analysis.
NKAbuse
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.004 | Unix Shell | NKAbuse is initially installed and executed through an initial shell script. [NKAbuse SL] |
| Enterprise | T1057 | Process Discovery | NKAbuse will check victim systems to ensure only one copy of the malware is running. [NKAbuse SL] |
| Enterprise | T1016.001 | Internet Connection Discovery | NKAbuse utilizes external services such as |
| Enterprise | T1498 | Network Denial of Service | NKAbuse enables multiple types of network denial of service capabilities across several protocols post-installation. [NKAbuse SL] |
| Enterprise | T1082 | System Information Discovery | NKAbuse conducts multiple system checks and includes these in subsequent "heartbeat" messages to the malware's command and control server. [NKAbuse SL] |
| Enterprise | T1090.003 | Multi-hop Proxy | NKAbuse has abused the NKN public blockchain protocol for its C2 communications. [NKAbuse BC] [NKAbuse SL] |
| Enterprise | T1113 | Screen Capture | NKAbuse can take screenshots of the victim machine. [NKAbuse SL] |
| Enterprise | T1053.003 | Cron | NKAbuse uses a Cron job to establish persistence when infecting Linux hosts. [NKAbuse SL] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e222179e348f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] NKAbuse BC: Bill Toulas. (2023, December 14). New NKAbuse malware abuses NKN blockchain for stealthy comms. Retrieved February 8, 2024.
- [2] NKAbuse SL: KASPERSKY GERT. (2023, December 14). Unveiling NKAbuse: a new multiplatform threat abusing the NKN protocol. Retrieved February 8, 2024.
- [3] mitre-attack S1107
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.