
S1191: Megazord

Megazord is a Rust-based variant of Akira ransomware that has been in use since at least August 2023 to target Windows environments. Megazord has been attributed to the Akira group based on overlapping infrastructure, though it is possibly not exclusive to the group.[1][2][3]

Enterprise | S1191 | Malware | Object version 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Megazord is a Windows ransomware malware entry: a Rust-based variant of Akira associated with activity reported since at least August 2023. Its ATT&CK relationships show behavior that matters operationally: discovering processes, files, directories, and logs; using Windows command shell; stopping services; and encrypting data for impact. For leaders, the value is not just naming the malware, but validating whether Windows endpoints, critical services, logs, and recovery processes would give responders enough evidence and time to contain a ransomware event before business disruption escalates.

Executive priority

Treat this as a ransomware resilience validation item for Windows environments. Priority questions are: are critical Windows systems covered by process, command-line, service-control, file-system, and security-log telemetry; can the SOC distinguish administrative activity from ransomware staging and impact behavior; and can the organization recover encrypted data without relying on affected systems? Because MITRE does not provide detection guidance for this object, leadership should ask for evidence of coverage against the related ATT&CK behaviors rather than a vendor claim that “Megazord is detected.”

Technical view

For SOC, detection engineering, and IR teams, map coverage to the supplied relationships: T1059.003 Windows Command Shell, T1057 Process Discovery, T1083 File and Directory Discovery, T1654 Log Enumeration, T1489 Service Stop, and T1486 Data Encrypted for Impact. Validate Windows endpoint visibility for command-shell execution, process listings, broad file enumeration, service stop/disable activity, unusual access to logs, and rapid file modification/encryption patterns. Since official detection text is not provided, build behavior-focused analytics and response checks rather than relying solely on malware names or static indicators.

Likely telemetry

  • Windows process creation events with command-line context (Security event 4688 with command-line auditing enabled, or Sysmon event 1), especially cmd.exe activity
  • Endpoint detection and response telemetry for process discovery and file/directory enumeration
  • Windows service control activity, including service stop or disable events (System log events 7036 and 7040 from the Service Control Manager, plus process events for net stop, sc stop, sc config, or taskkill)
  • File-system telemetry showing high-volume file access, modification, renaming, or encryption-like behavior, including the ".powerranges" extension reported for Megazord-encrypted files
  • Security, system, and application log access or enumeration evidence, such as wevtutil or Get-WinEvent invocations

Detection direction

  • Confirm that Windows command-shell execution is logged with parent/child process and user context.
  • Tune analytics for combinations of discovery followed by service stopping and high-volume file changes, rather than treating each behavior in isolation.
  • Baseline legitimate administrative scripts, backup operations, software deployment, and maintenance activity to reduce false positives.
  • Validate that log enumeration and service stop events are retained even if the affected endpoint later becomes unavailable.
  • Use the Akira/Megazord relationship as threat-intelligence context, but avoid assuming attribution because MITRE notes overlapping infrastructure and possible non-exclusive use.
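One way to implement the second bullet above (alert on the combination of discovery, service stopping, and high-volume file change on one host, not on any single behavior) is the correlation below. This is an added example, not code from MITRE, Glexia, or any vendor product: the normalized event schema (the dict keys), the command-line tokens, the host names, the service name and the sample events are all constructed assumptions; only the ".powerranges" extension comes from the relationship table on this page.

```python
"""Correlate cmd.exe discovery (T1059.003 / T1057 / T1083 / T1654), service
stops (T1489) and mass encryption (T1486) on one host inside a time window.
Added example: the event schema, command tokens and sample events are
constructed assumptions, not captured telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extension reported for Megazord-encrypted files (from the ATT&CK relationship text).
ENCRYPTED_EXT = ".powerranges"
# Assumed discovery / service-stop command fragments; tune to your environment.
DISCOVERY_TOKENS = ("tasklist", "wmic process", "net view", "dir /s", "wevtutil", "get-process")
SERVICE_STOP_TOKENS = ("net stop", "sc stop", "sc config", "taskkill")


def stage_of(ev):
    """Map one normalized event to the ATT&CK stage it evidences, or None."""
    if ev["kind"] == "process":                                   # Security 4688 / Sysmon 1
        cmd = ev["cmdline"].lower()
        if ev["image"].lower() == "cmd.exe" and any(t in cmd for t in DISCOVERY_TOKENS):
            return "discovery"                                    # discovery via cmd.exe
        if any(t in cmd for t in SERVICE_STOP_TOKENS):
            return "service_stop"                                 # T1489 attempted from the shell
    elif ev["kind"] == "service" and ev["state"] == "stopped":    # System 7036
        return "service_stop"                                     # T1489 confirmed by the SCM
    elif ev["kind"] == "file" and ev["path"].lower().endswith(ENCRYPTED_EXT):
        return "encrypt"                                          # T1486 impact
    return None


def correlate(events, window=timedelta(minutes=15), file_threshold=25):
    """Return {host: alert} for hosts where discovery, a service stop and at
    least `file_threshold` encrypted-file writes all fall inside `window`.
    A single stage on its own never alerts, which keeps routine administrative
    'net stop' activity out of the queue."""
    by_host = defaultdict(list)
    for ev in events:
        stage = stage_of(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))

    alerts = {}
    for host, rows in by_host.items():
        rows.sort(key=lambda r: r[0])
        for i, (t0, _, _) in enumerate(rows):                     # slide the window start
            in_window = [r for r in rows[i:] if r[0] - t0 <= window]
            stages = {r[1] for r in in_window}
            encrypted = sum(1 for r in in_window if r[1] == "encrypt")
            if {"discovery", "service_stop"} <= stages and encrypted >= file_threshold:
                alerts[host] = {
                    "first_seen": t0.isoformat(),
                    "encrypted_files": encrypted,
                    "services_stopped": sorted({r[2]["service"] for r in in_window if r[2].get("service")}),
                    "users": sorted({r[2]["user"] for r in in_window if r[2].get("user")}),
                }
                break
    return alerts


def constructed_events():
    """Sample telemetry for two hosts (constructed, not from a real incident)."""
    t = datetime(2024, 12, 2, 10, 0, 0)
    ev = [
        # WS01: discovery from cmd.exe, backup service stopped, then 40 files renamed.
        {"ts": (t + timedelta(seconds=5)).isoformat(), "host": "WS01", "kind": "process",
         "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist", "user": "CORP\\jdoe"},
        {"ts": (t + timedelta(seconds=9)).isoformat(), "host": "WS01", "kind": "process",
         "image": "cmd.exe", "cmdline": "cmd.exe /c net stop BackupAgentSvc", "user": "CORP\\jdoe"},
        {"ts": (t + timedelta(seconds=10)).isoformat(), "host": "WS01", "kind": "service",
         "service": "BackupAgentSvc", "state": "stopped"},
        # SRV02: an administrator lists processes and stops the same service during
        # maintenance, but nothing gets encrypted, so this host must not alert.
        {"ts": (t + timedelta(minutes=3)).isoformat(), "host": "SRV02", "kind": "process",
         "image": "cmd.exe", "cmdline": "cmd.exe /c tasklist /svc", "user": "CORP\\backup-admin"},
        {"ts": (t + timedelta(minutes=4)).isoformat(), "host": "SRV02", "kind": "service",
         "service": "BackupAgentSvc", "state": "stopped"},
    ]
    for i in range(40):
        ev.append({"ts": (t + timedelta(seconds=30 + i)).isoformat(), "host": "WS01",
                   "kind": "file", "path": f"C:\\Shares\\finance\\report{i}.xlsx{ENCRYPTED_EXT}"})
    return ev


SAMPLE_EVENTS = constructed_events()

if __name__ == "__main__":
    for host, alert in correlate(SAMPLE_EVENTS).items():
        print(host, alert)
```

Only WS01 alerts: SRV02 shows the same discovery and service-stop pair but no encryption burst, which is exactly the administrative-versus-impact distinction the bullets ask the SOC to make. The window and threshold are the tuning knobs to baseline against your own backup and deployment jobs.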

Mitigation priorities

  • Prioritize resilient, tested backups for critical Windows data and services, with recovery evidence available to incident leaders.
  • Limit administrative privileges and command-shell use where operationally feasible, especially on systems containing critical data.
  • Harden monitoring and alerting for service stop/disable actions affecting security, backup, business, or infrastructure services.
  • Segment critical Windows systems and restrict unnecessary lateral access paths to reduce ransomware blast radius.
  • Prepare IR playbooks for rapid isolation, evidence preservation, service restoration, and executive decision-making during encryption-impact events.

Analyst notes and limits

The object is a malware entry for Megazord, identified as S1191 in ATT&CK Enterprise. The supplied description supports Windows platform focus, ransomware context, Rust-based Akira variant language, and cautious attribution to the Akira group based on overlapping infrastructure. The relationship set supplies the main defensive pivot: discovery, command-shell execution, service disruption, log enumeration, and data encryption impact.

MITRE provides no official detection text for this object, no aliases, and no explicit tactics on the malware object itself. Technique relationships describe broader platforms, but the Megazord object platform supplied here is Windows, so local validation should focus on Windows unless additional environment-specific intelligence supports more. This summary does not establish current activity, customer exposure, guaranteed detection, or definitive attribution.

Official MITRE ATT&CK definition

Megazord

Megazord is a Rust-based variant of Akira ransomware that has been in use since at least August 2023 to target Windows environments. Megazord has been attributed to the Akira group based on overlapping infrastructure, though it is possibly not exclusive to the group.[1][2][3]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Megazord can execute multiple commands post infection via `cmd.exe`. [3]

Enterprise | T1489 | Service Stop | Megazord has the ability to terminate a list of services and processes. [3]

Enterprise | T1654 | Log Enumeration | Megazord has the ability to print the trace, debug, error, info, and warning logs. [3]

Enterprise | T1057 | Process Discovery | Megazord can terminate a list of specified services and processes. [3]

Enterprise | T1486 | Data Encrypted for Impact | Megazord can encrypt files on targeted Windows hosts, leaving them with a ".powerranges" file extension. [1][2][3]

Enterprise | T1083 | File and Directory Discovery | Megazord can ignore specified directories for encryption. [3]
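The T1486 and T1083 rows above give responders two scoping facts: encrypted files carry the ".powerranges" extension, and some directories are skipped. The script below turns those facts into an impact inventory and a restore manifest (encrypted path to original path) for the recovery evidence the mitigation priorities ask for. It is an added example, not code from MITRE, Glexia, or the Akira/Megazord reports; the directory layout it builds is a constructed fixture, and the assumption that the original name is recovered by stripping the extension is ours.

```python
"""Scope Megazord-style impact on a file tree: inventory ".powerranges" files per
directory and build a restore manifest. Added example with a constructed fixture."""
import os
import tempfile
from pathlib import Path

# Extension reported for Megazord-encrypted files (from the ATT&CK relationship text).
ENCRYPTED_EXT = ".powerranges"


def scope_encrypted_files(root):
    """Walk `root` and return (manifest, per_dir).

    manifest: {encrypted_path: original_path} for every file carrying the
              extension, assuming the original name is the path minus the suffix.
    per_dir:  {relative_dir: {"encrypted": n, "untouched": m}} so responders can
              see which directories the encryptor skipped (T1083 exclusions)."""
    manifest = {}
    per_dir = {}
    for dirpath, _dirs, files in os.walk(root):
        enc = [f for f in files if f.lower().endswith(ENCRYPTED_EXT)]
        per_dir[os.path.relpath(dirpath, root)] = {
            "encrypted": len(enc),
            "untouched": len(files) - len(enc),
        }
        for name in enc:
            p = Path(dirpath) / name
            manifest[str(p)] = str(p.with_name(name[:-len(ENCRYPTED_EXT)]))
    return manifest, per_dir


def summarize(per_dir):
    """Totals plus the directories that were fully skipped (files present, none encrypted)."""
    encrypted = sum(v["encrypted"] for v in per_dir.values())
    untouched = sum(v["untouched"] for v in per_dir.values())
    skipped = sorted(d for d, v in per_dir.items() if v["untouched"] and not v["encrypted"])
    return {"encrypted": encrypted, "untouched": untouched, "skipped_dirs": skipped}


def build_fixture():
    """Constructed sample tree (not data from a real incident)."""
    root = tempfile.mkdtemp(prefix="megazord_scope_")
    layout = {
        "finance": ["q3.xlsx.powerranges", "budget.docx.powerranges"],
        os.path.join("Windows", "System32"): ["kernel32.dll"],   # excluded directory
        os.path.join("users", "jdoe"): ["notes.txt.powerranges", "photo.jpg"],
    }
    for d, names in layout.items():
        (Path(root) / d).mkdir(parents=True, exist_ok=True)
        for n in names:
            (Path(root) / d / n).write_bytes(b"x")
    return root


if __name__ == "__main__":
    root = build_fixture()
    manifest, per_dir = scope_encrypted_files(root)
    print(summarize(per_dir))
    for enc, orig in manifest.items():
        print(f"restore {orig} from backup; encrypted copy at {enc}")
```

Run it against a mounted forensic image or a network share rather than the live host's system drive, and keep the manifest with the incident record: it is the concrete list of what must come back from backup, and the skipped-directory list helps confirm that the behavior matches the T1083 relationship rather than a partial run.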

Associated objects

Groups, software, and campaigns

Group Enterprise

G1024: Akira

Akira is a ransomware variant and ransomware deployment entity active since at least March 2023.[1] Akira uses compromised credentials to access single-factor external access mechanisms such as VPNs for initial access, then various publicly-available tools and techniques for lateral movement.[1][2] Akira operations are associated with "double extortion" ransomware activity, where data is exfiltrated from victim environments prior to encryption, with threats to publish files if a ransom is not paid. Technical analysis of Akira ransomware indicates variants capable of targeting Windows or VMware ESXi hypervisors and multiple overlaps with Conti ransomware.[3][4][5]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: eff199b0c818233b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | eff199b0c818…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CISA Akira Ransomware APR 2024. CISA et al. (2024, April 18). #StopRansomware: Akira Ransomware. Retrieved December 10, 2024.
  2. [2] Cisco Akira Ransomware OCT 2024. Nutland, J. and Szeliga, M. (2024, October 21). Akira ransomware continues to evolve. Retrieved December 10, 2024.
  3. [3] Palo Alto Howling Scorpius DEC 2024. Zemah, Y. (2024, December 2). Threat Assessment: Howling Scorpius (Akira Ransomware). Retrieved January 8, 2025.
  4. [4] mitre-attack S1191. MITRE ATT&CK software entry S1191: Megazord (attack.mitre.org).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.