S1147: Nightdoor
Analyst context for executives and security teams
Nightdoor matters because ATT&CK describes it as a Windows backdoor exclusively associated with Daggerfly operations and linked by common libraries to MgBot and MacMa. For leaders, the practical issue is not a single malware name; it is whether the organization can recognize a quiet post-compromise implant that performs host discovery, establishes persistence, communicates through application-layer or web-service channels, and removes traces.
Executive priority
Prioritize this as an operational resilience and incident-readiness validation item for Windows environments. Executives should ask whether SOC and IR teams can prove visibility into scheduled tasks, command-shell execution, discovery activity, file deletion, and outbound application-layer communications. Because ATT&CK provides no official detection text for Nightdoor, coverage should be evidenced through mapped behavior and telemetry rather than claims that a specific signature will detect it.
Technical view
ATT&CK lists Nightdoor as Windows malware and relates it to techniques for discovery, execution, persistence, command and control, and defense evasion: System Network Configuration Discovery, System Owner/User Discovery, Scheduled Task, Process Discovery, Windows Command Shell, File Deletion, Application Layer Protocol, System Information Discovery, Web Service, System Time Discovery, Deobfuscate/Decode Files or Information, System Checks, Hijack Execution Flow, and Local Storage Discovery. SOC teams should validate behavior-based detections around unusual scheduled task creation or execution, suspicious cmd.exe use, clustered host/network/user/process discovery, deletion of recently created artifacts, a legitimate executable loading a DLL from an unexpected path, and outbound traffic that blends into normal application-layer or web-service use.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Scheduled task creation, modification, and execution records
- File creation, modification, deletion, and artifact cleanup events
- Endpoint module/load path or execution-flow telemetry where available
- Host discovery evidence such as user, process, system, time, storage, and network configuration queries
Detection direction
- Build detections from the related ATT&CK behaviors because no official Nightdoor detection is provided.
- Correlate discovery commands or API-driven enumeration with later scheduled task activity, command-shell execution, file deletion, or outbound application-layer communications.
- Tune scheduled task detections against known administrative automation to reduce false positives while preserving alerts for unusual users, paths, timing, or newly introduced binaries.
- Review web-service and application-layer C2 visibility; legitimate services can create blind spots if proxy, DNS, or endpoint network telemetry is incomplete.
- Account for anti-analysis/system-check behavior; sandbox-only testing may miss behavior that changes outside analysis environments.
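The correlation described in the detection direction above, as an added example that is not code from the original page, ESET, Symantec or MITRE: clustered discovery commands on one host followed within a window by task creation, an out-of-place cmd.exe, deletion of a freshly dropped executable, or an outbound connection to the cloud-storage services named on this page. The flat event schema, the command-to-technique map, the 30-minute window, the trusted path prefixes and the task allowlist are assumptions to adapt to your own telemetry; the sample events are constructed.

```python
"""Correlate clustered host discovery with follow-on persistence, shell,
cleanup and cloud-storage C2 events on the same Windows host.
Added example; schema, patterns, windows and allowlist are assumptions."""
import re
from datetime import datetime, timedelta

# Command-line patterns for the discovery techniques ATT&CK relates to Nightdoor.
DISCOVERY = [
    (re.compile(r"\b(ipconfig|getmac|arp)\b"), "T1016"),
    (re.compile(r"\b(whoami|query user|net user)\b"), "T1033"),
    (re.compile(r"\btasklist\b|\\uninstall\b"), "T1057"),
    (re.compile(r"\b(systeminfo|driverquery)\b|wmic (cpu|computersystem)"), "T1082"),
    (re.compile(r"\btime /t\b|\bw32tm\b"), "T1124"),
    (re.compile(r"\bfsutil volume\b|wmic logicaldisk"), "T1680"),
]
# Web-service C2 endpoints named on the page (OneDrive, Google Drive); extend as needed.
CLOUD_STORAGE = re.compile(
    r"(onedrive\.live\.com|graph\.microsoft\.com|drive\.google\.com|googleapis\.com)$", re.I)
# Hypothetical approved automation: (user, creating-process prefix) pairs that are not alerted.
TASK_ALLOWLIST = [("nt authority\\system", "c:\\windows\\ccm\\")]
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WINDOW = timedelta(minutes=30)
MIN_DISCOVERY_TECHNIQUES = 3


def _trusted(path):
    return path.lower().startswith(TRUSTED_PREFIXES)


def discovery_technique(ev):
    """Technique ID for a discovery command in a process event, else None."""
    if ev["type"] != "process":
        return None
    cmd = ev["cmdline"].lower()
    return next((tech for pat, tech in DISCOVERY if pat.search(cmd)), None)


def followup_technique(ev, created):
    """(technique, detail) for a persistence, shell, cleanup or cloud-C2 event, else None.
    `created` maps lowercase file paths to their creation time on this host."""
    kind, image = ev["type"], ev.get("image", "").lower()
    if kind == "task_create":
        if any(ev["user"].lower() == user and image.startswith(prefix)
               for user, prefix in TASK_ALLOWLIST):
            return None  # tuned out as approved administrative automation
        return "T1053.005", ev["cmdline"]
    if kind == "process" and image.endswith("\\cmd.exe") and not _trusted(ev["parent"]):
        return "T1059.003", "cmd.exe spawned by " + ev["parent"]
    if kind == "file_delete":
        path = ev["path"].lower()
        born = created.get(path)
        if born is not None and ev["ts"] - born <= WINDOW and path.endswith((".exe", ".dll")):
            return "T1070.004", f"{path} deleted {int((ev['ts'] - born).total_seconds())}s after creation"
    if kind == "network" and CLOUD_STORAGE.search(ev["dest"]) and not _trusted(image):
        return "T1102", f"{image} -> {ev['dest']}"
    return None


def correlate(events):
    """Alerts for follow-on events preceded, within WINDOW on the same host, by at
    least MIN_DISCOVERY_TECHNIQUES distinct discovery techniques."""
    hosts = {}
    for raw in events:
        ev = dict(raw, ts=datetime.fromisoformat(raw["ts"]))
        hosts.setdefault(ev["host"], []).append(ev)
    alerts = []
    for host, evs in hosts.items():
        created, discovery = {}, []
        for ev in sorted(evs, key=lambda e: e["ts"]):
            if ev["type"] == "file_create":
                created[ev["path"].lower()] = ev["ts"]
            tech = discovery_technique(ev)
            if tech:
                discovery.append((ev["ts"], tech))
            hit = followup_technique(ev, created)
            if hit is None:
                continue
            recent = {t for ts, t in discovery if ev["ts"] - WINDOW <= ts <= ev["ts"]}
            if len(recent) >= MIN_DISCOVERY_TECHNIQUES:
                alerts.append({"host": host, "ts": ev["ts"].isoformat(), "technique": hit[0],
                               "detail": hit[1], "discovery": sorted(recent)})
    return alerts


def _proc(ts, host, cmdline, parent, user):
    exe = cmdline.split()[0]
    exe = exe if exe.endswith(".exe") else exe + ".exe"
    return {"ts": ts, "host": host, "type": "process", "cmdline": cmdline,
            "image": "c:\\windows\\system32\\" + exe, "parent": parent, "user": user}


IMPLANT = "c:\\users\\bob\\appdata\\roaming\\update.exe"  # hypothetical implant path
TEMP_EXE = "c:\\users\\bob\\appdata\\local\\temp\\inst.exe"
SCCM = "c:\\windows\\ccm\\ccmexec.exe"
SAMPLE_EVENTS = [  # constructed telemetry, not real logs
    {"ts": "2024-07-23T09:58:00", "host": "WS01", "type": "file_create", "path": TEMP_EXE},
    _proc("2024-07-23T10:00:00", "WS01", "ipconfig /all", IMPLANT, "corp\\bob"),
    _proc("2024-07-23T10:00:30", "WS01", "whoami", IMPLANT, "corp\\bob"),
    _proc("2024-07-23T10:01:00", "WS01", "tasklist /v", IMPLANT, "corp\\bob"),
    _proc("2024-07-23T10:01:30", "WS01", "systeminfo", IMPLANT, "corp\\bob"),
    {"ts": "2024-07-23T10:05:00", "host": "WS01", "type": "task_create", "user": "corp\\bob",
     "image": "c:\\windows\\system32\\schtasks.exe",
     "cmdline": "schtasks /create /tn Updater /tr " + IMPLANT + " /sc minute /mo 5"},
    _proc("2024-07-23T10:06:00", "WS01", "cmd.exe", IMPLANT, "corp\\bob"),
    {"ts": "2024-07-23T10:07:00", "host": "WS01", "type": "network", "image": IMPLANT, "dest": "onedrive.live.com"},
    {"ts": "2024-07-23T10:08:00", "host": "WS01", "type": "file_delete", "path": TEMP_EXE},
    # SCCM inventory on WS02 also runs discovery, but its task creation is allowlisted.
    _proc("2024-07-23T10:10:00", "WS02", "ipconfig /all", SCCM, "NT AUTHORITY\\SYSTEM"),
    _proc("2024-07-23T10:10:05", "WS02", "whoami", SCCM, "NT AUTHORITY\\SYSTEM"),
    _proc("2024-07-23T10:10:10", "WS02", "systeminfo", SCCM, "NT AUTHORITY\\SYSTEM"),
    {"ts": "2024-07-23T10:12:00", "host": "WS02", "type": "task_create", "user": "NT AUTHORITY\\SYSTEM",
     "image": SCCM, "cmdline": "Microsoft\\Configuration Manager\\Inventory"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is it raises four alerts for WS01 (task creation, cmd.exe from the implant, OneDrive traffic, self-cleanup of the dropper) and none for WS02, whose discovery burst is equally dense but whose task creation comes from allowlisted management software. Clearing the allowlist makes WS02 alert too, which is the trade-off the tuning note above describes: the discovery cluster alone is common on managed hosts, so the follow-on behavior and the allowlist carry the precision.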
Mitigation priorities
- First, confirm Windows endpoint and network telemetry coverage for the related behaviors before relying on tool claims.
- Harden and monitor scheduled task usage, command-shell execution, and unusual execution-flow paths in high-value Windows environments.
- Restrict unnecessary outbound application-layer and web-service access where business processes allow, and ensure exceptions are reviewed.
- Maintain IR procedures for collecting endpoint artifacts quickly, since file deletion is part of the related behavior set.
- Use behavior mapping for compliance and audit evidence: show which controls and logs cover persistence, discovery, C2, and stealth behaviors.
Analyst notes and limits
Nightdoor is documented by ATT&CK as a backdoor associated with Daggerfly operations, with external references to ESET and Symantec reporting. The most useful defensive approach is behavior-led validation across the related techniques rather than malware-name-only alerting.
ATT&CK provides no official detection text, no aliases, no labels, and no object-level tactics for Nightdoor. The listed platform is Windows, while several related techniques list broader or different platform sets. Local baselines, approved administration patterns, and available telemetry are required to determine actual detection quality.
Nightdoor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1102 | Web Service | Nightdoor can utilize Microsoft OneDrive or Google Drive for command and control purposes.[1][2] |
| Enterprise | T1057 | Process Discovery | Nightdoor can collect information on installed applications via Windows registry keys, as well as information on running processes.[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Nightdoor uses scheduled tasks for persistence to load the final malware payload into memory.[2] |
| Enterprise | T1680 | Local Storage Discovery | Nightdoor can collect information about disk drives, their total and free space, and file system type.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Nightdoor creates a cmd.exe shell to send and receive commands from the command and control server via open pipes.[2] |
| Enterprise | T1574 | Hijack Execution Flow | Nightdoor uses a legitimate executable to load a malicious DLL file for installation.[2] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Nightdoor embeds code from the public `al-khaser` project, a repository that works to detect virtual machines, sandboxes, and malware analysis environments.[2] |
| Enterprise | T1124 | System Time Discovery | Nightdoor can identify the system local time information.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Nightdoor gathers information on victim system network configuration such as MAC addresses.[1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Nightdoor can self-delete.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Nightdoor gathers information on victim system users and usernames.[1] |
| Enterprise | T1082 | System Information Discovery | Nightdoor gathers information on the victim system such as CPU and computer name as well as device drivers.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Nightdoor stores network configuration data in a file XOR encoded with the key value of `0x7A`.[2] |
| Enterprise | T1071 | Application Layer Protocol | Nightdoor uses TCP and UDP communication for command and control traffic.[1][2] |
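The T1140 row above gives the one concrete decoding fact on this page: the stored network configuration is XOR encoded with the single byte `0x7A`. The following is an added example, not code from the page, ESET, Symantec or MITRE, of turning that fact into an IR triage helper. The page does not describe the decoded layout, so the `key=value` line format, the field names and the sample plaintext are constructed assumptions; adapt `validate_config()` to the real artifact. `recover_key()` goes beyond the page's single key and tries every single-byte key, so a variant sample that changes the key is still decodable.

```python
"""Decode a single-byte XOR-encoded configuration file and validate the result.
Added example; the key=value layout and sample plaintext are assumptions."""
import re

NIGHTDOOR_KEY = 0x7A
# Bytes accepted in a decoded config: printable ASCII plus tab, LF and CR.
PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Assumed line shape: lowercase identifier, '=', printable value.
LINE = re.compile(r"[a-z_][a-z0-9_]*=[ -~]*")


def xor_bytes(data, key):
    """XOR every byte with the same single-byte key (decoding equals encoding)."""
    return bytes(b ^ key for b in data)


def validate_config(decoded):
    """Parsed key=value mapping if `decoded` looks like a config, else None."""
    if not decoded or any(b not in PRINTABLE for b in decoded):
        return None
    fields = {}
    for line in decoded.decode("ascii").splitlines():
        if not line:
            continue
        if not LINE.fullmatch(line):
            return None
        name, _, value = line.partition("=")
        fields[name] = value
    return fields or None


def decode_config(blob, key=NIGHTDOOR_KEY):
    """Decode with the known key; None means wrong key or a different layout."""
    return validate_config(xor_bytes(blob, key))


def recover_key(blob):
    """All single-byte keys whose decoding passes validation (normally exactly one).
    A printable-only check is not enough on its own: several keys keep a text
    blob printable, so the structural check in validate_config() is what decides."""
    return [k for k in range(256) if validate_config(xor_bytes(blob, k)) is not None]


# Constructed sample: a plausible network config, encoded as the page describes.
SAMPLE_PLAINTEXT = b"server=203.0.113.7\r\nport=443\r\nproxy=none\r\nmac=00-11-22-33-44-55\r\n"
SAMPLE_BLOB = xor_bytes(SAMPLE_PLAINTEXT, NIGHTDOOR_KEY)

if __name__ == "__main__":
    print(decode_config(SAMPLE_BLOB))
    print([hex(k) for k in recover_key(SAMPLE_BLOB)])
```

On a real artifact, run `decode_config()` first and fall back to `recover_key()` only when it returns None; a non-empty candidate list from the fallback is a hint that the sample deviates from the reported `0x7A` and deserves a closer look rather than an automatic conclusion.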
Groups, software, and campaigns
G1034: Daggerfly
Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | a628b77b4a59… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET EvasivePanda 2024: Ahn Ho, Facundo Muñoz, & Marc-Etienne M.Léveillé. (2024, March 7). Evasive Panda leverages Monlam Festival to target Tibetans. Retrieved July 25, 2024.
[2] Symantec Daggerfly 2024: Threat Hunter Team. (2024, July 23). Daggerfly: Espionage Group Makes Major Update to Toolset. Retrieved July 25, 2024.
[3] MITRE ATT&CK: S1147 (Nightdoor).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.