S0022: Uroburos

Uroburos matters because ATT&CK describes it as a long-lived, sophisticated espionage tool with Windows, Linux, and macOS implants, stealthy communications, modular components, and use on external-facing nodes before further internal activity. For leaders, the decision value is not a single malware signature; it is whether the organization can find quiet command-and-control, rootkit-style hiding, discovery, local data collection, and cleanup behavior across internet-facing systems and internal hosts.

Executive priority

Prioritize Uroburos as a resilience and readiness test for high-value environments: external-facing nodes, sensitive data repositories, and cross-platform endpoint coverage. Executives should ask whether SOC, IR, and compliance evidence can show visibility into DNS/web/mail and non-application-layer C2, process and file discovery, registry queries on Windows, fileless or packed payloads, service masquerading, and suspicious file deletion. The related Turla context and cited espionage use make this especially relevant for organizations with sensitive government, research, defense, diplomatic, education, or pharmaceutical exposure, while still requiring local risk validation.

Technical view

ATT&CK provides no official detection text for S0022, so defenders should derive coverage from the related techniques. Validate host and network detections for C2 over web protocols, mail protocols, DNS, non-application-layer protocols, protocol impersonation, junk data, fallback channels, multi-stage channels, and multi-hop proxying. On endpoints, test visibility for rootkit indicators, packed or encoded files, embedded payloads, fileless storage, DLL injection on Windows, masqueraded tasks or services, command shell execution, process discovery, system information discovery, file and directory discovery, local data access, registry queries, and file deletion. Because Uroburos is described as modular and stealth-oriented, detection should emphasize behavior correlation rather than reliance on static indicators alone.

Likely telemetry

Endpoint process creation and command-line telemetry for Windows, Linux, and macOS
Windows registry access/query telemetry
Service, scheduled task, and systemd unit creation or modification records
File creation, modification, deletion, and directory enumeration telemetry
Endpoint memory, module load, and injection-related telemetry where available

Detection direction

Map current detections to the related ATT&CK techniques rather than to the malware name alone, since the official object has no detection guidance.
Correlate external-facing host activity with later discovery, collection, and C2 behaviors to reflect the described deployment pattern.
Tune network analytics for C2 that blends into web, DNS, mail, or lower-layer protocols, including fallback or multi-stage behavior; expect false positives from legitimate infrastructure and require baselining.
Review blind spots where encrypted, encoded, packed, embedded, or fileless artifacts may bypass file-signature controls.
Validate Windows-specific visibility for registry queries, DLL injection, and command shell execution, while also confirming Linux and macOS endpoint logging for process, file, service, and network activity.

Mitigation priorities

Start with exposure management for external-facing nodes, because the description says Uroburos is typically deployed there on targeted networks.
Harden and monitor egress paths across DNS, web, mail, and non-application-layer protocols; restrict unnecessary outbound communication where operationally feasible.
Improve cross-platform endpoint controls and logging for Windows, Linux, and macOS, including service/task changes, process execution, file activity, and privileged behavior.
Use least privilege and administrative access control to reduce the value of discovery, local data collection, registry access, and service manipulation.
Prepare IR playbooks for stealthy, modular malware where eradication may require rootkit-aware host triage, network C2 analysis, and validation of fallback channels.

Analyst notes and limits

This take is based on ATT&CK S0022 Uroburos, its official description and references, and listed relationships showing use by Turla and use of multiple command-and-control, discovery, collection, execution, privilege-escalation, and stealth techniques. The most important defensive implication is coverage depth: cross-platform endpoint visibility plus network telemetry capable of identifying covert or impersonated communications.

MITRE provides no official detection text for this object, and the supplied object lists no tactics directly. Recommendations are therefore inferred from the official description and relationship context, not from confirmed local incidents. Local asset criticality, internet exposure, logging maturity, and normal network baselines are required to determine actual priority and coverage.

Official MITRE ATT&CK definition

Uroburos

Uroburos is a sophisticated cyber espionage tool written in C that has been used by units within Russia's Federal Security Service (FSB) associated with the Turla toolset to collect intelligence on sensitive targets worldwide. Uroburos has several variants and has undergone nearly constant upgrade since its initial development in 2003 to keep it viable after public disclosures. Uroburos is typically deployed to external-facing nodes on a targeted network and has the ability to leverage additional tools and TTPs to further exploit an internal network. Uroburos has interoperable implants for Windows, Linux, and macOS, employs a high level of stealth in communications and architecture, and can easily incorporate new or replacement components.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 36 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1573.002	Asymmetric Cryptography Sub-technique	Uroburos has used a combination of a Diffie-Hellman key exchange mixed with a pre-shared key (PSK) to encrypt its top layer of C2 communications.[1]
Enterprise	T1620	Reflective Code Loading	Uroburos has the ability to load new modules directly into memory using its `Load Modules Mem` command.[1]
Enterprise	T1106	Native API	Uroburos can use native Windows APIs including `GetHostByName`.[1]
Enterprise	T1005	Data from Local System	Uroburos can use its `Get` command to exfiltrate specified files from the compromised system.[1]
Enterprise	T1027.002	Software Packing Sub-technique	Uroburos uses a custom packer.CitationSymantec Waterbug[1]
Enterprise	T1095	Non-Application Layer Protocol	Uroburos can communicate through custom methodologies for UDP, ICMP, and TCP that use distinct sessions to ride over the legitimate protocols.[1]
Enterprise	T1071.003	Mail Protocols Sub-technique	Uroburos can use custom communications protocols that ride over SMTP.[1]
Enterprise	T1001.001	Junk Data Sub-technique	Uroburos can add extra characters in encoded strings to help mimic DNS legitimate requests.[1]
Enterprise	T1573.001	Symmetric Cryptography Sub-technique	Uroburos can encrypt the data beneath its http2 or tcp encryption at the session layer with CAST-128, using a different key for incoming and outgoing data.[1]
Enterprise	T1071.001	Web Protocols Sub-technique	Uroburos can use a custom HTTP-based protocol for large data communications that can blend with normal network traffic by riding on top of standard HTTP.[1]
Enterprise	T1090.003	Multi-hop Proxy Sub-technique	Uroburos can use implants on multiple compromised machines to proxy communications through its worldwide P2P network.[1]
Enterprise	T1059.003	Windows Command Shell Sub-technique	Uroburos has the ability to use the command line for execution on the targeted system.[1]
Enterprise	T1564.005	Hidden File System Sub-technique	Uroburos can use concealed storage mechanisms including an NTFS or FAT-16 filesystem encrypted with CAST-128 in CBC mode.[1]
Enterprise	T1027.011	Fileless Storage Sub-technique	Uroburos can store configuration information for the kernel driver and kernel driver loader components in an encrypted blob typically found at `HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds.`[1]
Enterprise	T1112	Modify Registry	Uroburos can store configuration information in the Registry including the initialization vector and AES key needed to find and decrypt other Uroburos components.[1]
Enterprise	T1036.004	Masquerade Task or Service Sub-technique	Uroburos has registered a service named `WerFaultSvc`, likely to spoof the legitimate Windows error reporting service.[1]
Enterprise	T1132.002	Non-Standard Encoding Sub-technique	Uroburos can use a custom base62 and a de-facto base32 encoding that uses digits 0-9 and lowercase letters a-z in C2 communications.[1]
Enterprise	T1012	Query Registry	Uroburos can query the Registry, typically `HKLM:\SOFTWARE\Classes\.wav\OpenWithProgIds`, to find the key and path to decrypt and load its kernel driver and kernel driver loader.[1]
Enterprise	T1559	Inter-Process Communication	Uroburos has the ability to move data between its kernel and user mode components, generally using named pipes.[1]
Enterprise	T1082	System Information Discovery	Uroburos has the ability to gather basic system information and run the POSIX API `gethostbyname`.[1]
Enterprise	T1104	Multi-Stage Channels	Individual Uroburos implants can use multiple communication channels based on one of four available modes of operation.[1]
Enterprise	T1001.003	Protocol or Service Impersonation Sub-technique	Uroburos can use custom communication methodologies that ride over common protocols including TCP, UDP, HTTP, SMTP, and DNS in order to blend with normal network traffic. [1]
Enterprise	T1008	Fallback Channels	Uroburos can use up to 10 channels to communicate between implants.[1]
Enterprise	T1543.003	Windows Service Sub-technique	Uroburos has registered a service, typically named `WerFaultSvc`, to decrypt and find a kernel driver and kernel driver loader to maintain persistence.[1]
Enterprise	T1105	Ingress Tool Transfer	Uroburos can use a `Put` command to write files to an infected machine.[1]
Enterprise	T1572	Protocol Tunneling	Uroburos has the ability to communicate over custom communications methodologies that ride over common network protocols including raw TCP and UDP sockets, HTTP, SMTP, and DNS.[1]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Uroburos can decrypt command parameters sent through C2 and use unpacking code to extract its packed executable.[1]
Enterprise	T1055.001	Dynamic-link Library Injection Sub-technique	Uroburos can use DLL injection to load embedded files and modules.[1]
Enterprise	T1205	Traffic Signaling	Uroburos can intercept the first client to server packet in the 3-way TCP handshake to determine if the packet contains the correct unique value for a specific Uroburos implant. If the value does not match, the packet and the rest of the TCP session are passed to the legitimate listening application.[1]
Enterprise	T1057	Process Discovery	Uroburos can use its `Process List` command to enumerate processes on compromised hosts.[1]
Enterprise	T1014	Rootkit	Uroburos can use its kernel module to prevent its host components from being listed by the targeted system's OS and to mediate requests between user mode and concealed components.[2][1]
Enterprise	T1027.013	Encrypted/Encoded File Sub-technique	Uroburos can use AES and CAST-128 encryption to obfuscate resources.[1]
Enterprise	T1070.004	File Deletion Sub-technique	Uroburos can run a `Clear Agents Track` command on an infected machine to delete Uroburos-related logs.[1]
Enterprise	T1071.004	DNS Sub-technique	Uroburos has encoded outbound C2 communications in DNS requests consisting of character strings made to resemble standard domain names. The actual information transmitted by Uroburos is contained in the part of the character string prior to the first ‘.’ character.[1]
Enterprise	T1083	File and Directory Discovery	Uroburos can search for specific files on a compromised system.[1]
Enterprise	T1027.009	Embedded Payloads Sub-technique	The Uroburos Queue file contains embedded executable files along with key material, communication channels, and modes of operation.[1]

Associated objects

Groups, software, and campaigns

G0010: Turla

Turla is a cyber espionage threat group that has been attributed to Russia's Federal Security Service (FSB). They have compromised victims in over 50 countries since at least 2004, spanning a range of industries including government, embassies, military, education, research and pharmaceutical companies. Turla is known for conducting watering hole and spearphishing campaigns, and leveraging in-house tools and malware, such as Uroburos.[1][2][3][4][5]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 2.1
Created: May 31, 2017, 21:32 UTC (UTC+00:00)
Modified: Apr 10, 2024, 22:18 UTC (UTC+00:00)
Raw hash: a6a4018c7d97abd9...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	2.1	Apr 10, 2024, 22:18 UTC (UTC+00:00)	Current bundle	`a6a4018c7d97…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023

FBI et al. (2023, May 9). Hunting Russian Intelligence “Snake” Malware. Retrieved June 8, 2023.
Open source URL
[2]
Kaspersky Turla

Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014.
Open source URL
[3]
Snake

(Citation: Joint Cybersecurity Advisory AA23-129A Snake Malware May 2023)
[4]
mitre-attack S0022
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams