S1140: Spica
Spica is a custom backdoor written in Rust that has been used by Star Blizzard since at least 2023.[1]
Analyst context for executives and security teams
Spica matters because ATT&CK identifies it as a custom Rust backdoor for Windows that has been used by Star Blizzard. Even without an official ATT&CK detection section, the related behaviors point to practical risk areas: persistence through scheduled tasks, PowerShell execution, masqueraded tasks or services, file discovery, tool transfer, command-and-control, data archiving, deobfuscation, and web session cookie theft.
Executive priority
Treat Spica as a validation case for whether Windows endpoint monitoring, identity/session protection, and incident response playbooks can recognize backdoor activity beyond simple malware signatures. Leaders should ask whether SOC evidence covers scheduled task abuse, PowerShell execution, suspicious network protocols, and session-cookie theft indicators, and whether IR can quickly revoke sessions, scope affected hosts, and preserve endpoint evidence.
Technical view
For SOC and IR teams, coverage should be mapped to the supplied relationships: T1053.005 Scheduled Task, T1036.004 Masquerade Task or Service, T1059.001 PowerShell, T1083 File and Directory Discovery, T1095 Non-Application Layer Protocol, T1105 Ingress Tool Transfer, T1140 Deobfuscate/Decode Files or Information, T1539 Steal Web Session Cookie, and T1560 Archive Collected Data. Because MITRE provides no official detection text for Spica, detection engineering should focus on behavior chains on Windows rather than a single indicator set.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell execution and script logging where available
- Windows Task Scheduler events and task metadata
- Service or task names, descriptions, paths, and creation/modification times for masquerading review
- File system access patterns showing discovery, archive creation, or decode/deobfuscation activity
Detection direction
- Validate that detections correlate scheduled task creation or modification with suspicious process ancestry, unusual paths, or misleading task/service names.
- Tune PowerShell analytics for unusual execution context, encoded or obfuscated content, and follow-on process or network activity while accounting for administrative automation noise.
- Look for behavior sequences: discovery followed by archiving, deobfuscation, tool transfer, or unusual outbound communications.
- Review whether network monitoring can identify non-application-layer protocol use or anomalous protocol patterns, not just HTTP/S indicators.
- For T1539 context, validate session anomaly monitoring and incident procedures for revoking potentially stolen web sessions.
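The first three points above describe a correlation, not a signature: a scheduled-task creation event tied back to the PowerShell launch that produced it, with the encoded command decoded and the task name checked against a baseline. The block below is an added illustration of that chain and is not part of this page or of MITRE's material. It runs over a handful of constructed events (a Sysmon Event ID 1 process-creation record and Security Event ID 4698 task-creation records, normalized to dictionaries) rather than real telemetry; the task name `CalendarChecker` is the one reported for Spica, while every path, user, process ID and the `KNOWN_TASKS` baseline are invented for the example. It assumes the `-EncodedCommand` form of obfuscation and correlates on the subject user plus a time window, which is a conservative choice when the 4698 event carries no process ID.

```python
import base64
import re
from datetime import datetime

# Matches the base64 payload of -EncodedCommand / -enc / -e (case-insensitive).
ENCODED_RE = re.compile(r"(?i)(?:-encodedcommand|-enc|-e)\s+([A-Za-z0-9+/=]+)")
# Cmdlets and tools that register scheduled tasks.
TASK_KEYWORDS = re.compile(r"(?i)Register-ScheduledTask|New-ScheduledTask|schtasks")
# Parent binaries launched from paths an ordinary user can write to.
USER_WRITABLE = re.compile(r"(?i)\\(?:AppData|Temp|Downloads|Public)\\")

# Hypothetical change-managed baseline of task names (assumption for the example).
KNOWN_TASKS = {r"\PatchScan", r"\Microsoft\Windows\Defrag\ScheduledDefrag"}

# Constructed sample payload: what an encoded persistence command decodes to.
ENCODED = base64.b64encode(
    'Register-ScheduledTask -TaskName "CalendarChecker" '
    '-Action (New-ScheduledTaskAction -Execute "C:\\Users\\Public\\svc.exe")'
    .encode("utf-16-le")
).decode()

# Constructed sample events (not real logs). Paths, users and PIDs are invented.
EVENTS = [
    {"source": "sysmon", "event_id": 1, "time": "2024-01-18T10:00:00",
     "user": r"CORP\alice",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\invoice.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED}"},
    {"source": "security", "event_id": 4698, "time": "2024-01-18T10:00:03",
     "subject_user": r"CORP\alice", "task_name": r"\CalendarChecker"},
    # Benign control: management agent registering a baseline task in clear text.
    {"source": "sysmon", "event_id": 1, "time": "2024-01-18T11:00:00",
     "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Program Files\RMM\agent.exe",
     "command_line": "powershell.exe -File C:\\ProgramData\\RMM\\patchscan.ps1"},
    {"source": "security", "event_id": 4698, "time": "2024-01-18T11:00:02",
     "subject_user": r"NT AUTHORITY\SYSTEM", "task_name": r"\PatchScan"},
]


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or None."""
    match = ENCODED_RE.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def powershell_reasons(proc):
    """Reasons a process-creation event looks like scripted persistence setup."""
    reasons = []
    if "powershell" not in proc["image"].lower():
        return reasons
    decoded = decode_encoded_command(proc["command_line"])
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if TASK_KEYWORDS.search(decoded):
            reasons.append("decoded command registers a scheduled task")
    if USER_WRITABLE.search(proc["parent_image"]):
        reasons.append("PowerShell parent runs from a user-writable path")
    return reasons


def correlate(events, window_seconds=60, known_tasks=KNOWN_TASKS):
    """Tie each 4698 task creation to PowerShell launches by the same user shortly before it."""
    procs = [e for e in events if e["source"] == "sysmon" and e["event_id"] == 1]
    alerts = []
    for task in (e for e in events if e["source"] == "security" and e["event_id"] == 4698):
        task_time = datetime.fromisoformat(task["time"])
        reasons = []
        if task["task_name"] not in known_tasks:
            reasons.append("task name not in change-managed baseline")
        for proc in procs:
            if proc["user"] != task["subject_user"]:
                continue
            delta = (task_time - datetime.fromisoformat(proc["time"])).total_seconds()
            if 0 <= delta <= window_seconds:
                reasons.extend(powershell_reasons(proc))
        if reasons:
            alerts.append({"task_name": task["task_name"],
                           "user": task["subject_user"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

Only the `CalendarChecker` creation produces an alert, and it carries every reason at once (unknown task name, encoded command, decoded command that registers a task, parent in a user-writable path); the `PatchScan` control passes because its name is baselined and its PowerShell parent is a management agent under Program Files. In production the baseline and the user-writable path list are the tuning knobs, and the decode step is where T1140 context becomes usable by analysts.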
Mitigation priorities
- Prioritize hardening and monitoring of Windows scheduled tasks and administrative scripting.
- Restrict and audit PowerShell usage according to business need, with logging enabled where feasible.
- Maintain endpoint controls that expose process, file, persistence, and network behaviors rather than relying only on known hashes.
- Strengthen identity/session controls, including session revocation procedures and monitoring for abnormal session use.
- Prepare IR playbooks for backdoor containment: isolate host, preserve endpoint evidence, identify persistence, review tool transfer, and reset or revoke affected credentials and sessions.
Analyst notes and limits
The ATT&CK object is a malware entry for Spica, a custom Rust backdoor for Windows, with a relationship showing use by Star Blizzard and relationships to several ATT&CK techniques. The defensive value is primarily in mapping those behaviors to telemetry and response readiness.
MITRE does not provide an official detection section, aliases, labels, or object-level tactics for Spica in the supplied fields. Local indicators, file names, infrastructure, and confirmed exposure are not supplied; organizations must rely on their own telemetry and intelligence sources for environment-specific assessment.
Spica
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell (sub-technique) | Spica can use an obfuscated PowerShell command to create a scheduled task for persistence. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Spica can upload and download files to and from compromised hosts. [1] |
| Enterprise | T1560 | Archive Collected Data | Spica can archive collected documents for exfiltration. [1] |
| Enterprise | T1083 | File and Directory Discovery | Spica can list filesystem contents on targeted systems. [1] |
| Enterprise | T1539 | Steal Web Session Cookie | Spica has the ability to steal cookies from Chrome, Firefox, Opera, and Edge browsers. [1] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | Spica has created a scheduled task named `CalendarChecker` to establish persistence. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | Spica has created a scheduled task named `CalendarChecker` for persistence on compromised hosts. [1] |
| Enterprise | T1095 | Non-Application Layer Protocol | Spica can use JSON over WebSockets for C2 communications. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Upon execution, Spica can decode an embedded .pdf and write it to the desktop as a decoy document. [1] |
Groups, software, and campaigns
G1033: Star Blizzard
Star Blizzard is a cyber espionage and influence group originating in Russia that has been active since at least 2019. Star Blizzard campaigns align closely with Russian state interests and have included persistent phishing and credential theft against academic, defense, government, NGO, and think tank organizations in NATO countries, particularly the US and the UK.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 072e8c0309a6… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Google TAG COLDRIVER January 2024. Shields, W. (2024, January 18). Russian threat group COLDRIVER expands its targeting of Western officials to include the use of malware. Retrieved June 13, 2024.
[2] mitre-attack S1140.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.