S0074: Sakula
Analyst context for executives and security teams
Sakula is a Windows remote access tool documented by ATT&CK as surfacing in 2012 and being used in intrusions through 2015. Its business relevance is less about the age of the malware name and more about the behaviors ATT&CK links to it: persistence through Windows services and Run keys, execution through cmd.exe/rundll32/DLL abuse, file cleanup, tool transfer, and encrypted or web-based command-and-control. These are common decision points for whether a SOC can see and contain remote access after initial compromise.
Executive priority
Treat Sakula as a validation case for Windows intrusion readiness. Leaders should ask whether endpoint, identity, proxy, and incident response teams can prove visibility into service creation, startup persistence, suspicious command shell use, DLL/rundll32 execution, inbound tool transfer, and encrypted outbound communications. This object also supports budget and audit discussions around endpoint logging, egress control, privileged access governance, and evidence retention, because several related behaviors are designed to persist, elevate, blend into normal administration, or remove traces.
Technical view
ATT&CK provides no dedicated detection text for Sakula, so defenders should validate coverage from the related techniques rather than rely on a malware signature alone. For Windows hosts, prioritize process creation and parent-child analysis for cmd.exe and rundll32.exe, monitoring of service creation/modification and Registry Run key or startup folder changes, DLL loading or suspicious DLL execution paths, file creation followed by deletion, and evidence of tool transfer. Network teams should confirm visibility into outbound web-protocol communications and encrypted command-and-control patterns where metadata, destination reputation, proxy logs, and host correlation can be used without assuming payload inspection.
Likely telemetry
- Windows endpoint process creation events, including cmd.exe and rundll32.exe parent-child relationships
- Windows service creation, modification, and service configuration change logs
- Registry monitoring for Run keys and startup persistence locations
- File system telemetry for dropped tools, DLLs, encoded/encrypted files, and subsequent deletion
- DLL load or module execution telemetry where available
Detection direction
- Map current detections to the ATT&CK relationships: T1059.003, T1218.011, T1574.001, T1543.003, T1547.001, T1548.002, T1105, T1070.004, T1027.013, T1071.001, and T1573.001.
- Tune detections for suspicious combinations, such as rundll32.exe or cmd.exe activity followed by service or Run key persistence, outbound web traffic, tool transfer, or file deletion.
- Account for false positives from legitimate administration, software deployment, Windows services, login scripts, and normal DLL use; require context such as unusual path, user, host role, command line, timing, or external destination.
- Do not depend only on static malware signatures because related behavior includes encrypted/encoded files and symmetric cryptography for command-and-control.
- Use the Deep Panda relationship as threat-intelligence context only; do not infer current activity or attribution without local evidence.
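The combination logic described in the bullets above (an execution trigger such as cmd.exe or rundll32.exe followed on the same host by service or Run key persistence, alerted only with supporting context such as an unusual path) can be prototyped over endpoint telemetry. The following Python is an added example written for this page, not code from MITRE, Glexia or any Sakula report; the event layout is a constructed simplification of Sysmon process-create (ID 1) and registry value-set (ID 13) events plus a Windows service-install (System 7045) event, the sample events and host/user names are invented, and the directory allow-list, 15-minute window and signal names are assumptions to tune locally.

```python
"""Correlate execution triggers (cmd.exe / rundll32.exe) with persistence events
(service installation, Run key writes) on the same host inside a short window, and
alert only when a context signal separates the pairing from routine administration.
The event schema and all sample data below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)                                   # assumed correlation window
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
TRUSTED_DIRS = (                                                 # assumed allow-list; tune locally
    "c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
    "c:\\program files\\", "c:\\program files (x86)\\",
)


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str           # "process" (Sysmon 1), "registry" (Sysmon 13), "service" (System 7045)
    image: str = ""     # process image, or the binary/payload referenced by a persistence entry
    parent: str = ""    # parent image for process events
    cmdline: str = ""   # full command line for process events
    target: str = ""    # registry key path or service name for persistence events


def in_trusted_dir(path: str) -> bool:
    return path.strip('"').lower().startswith(TRUSTED_DIRS)


def basename(path: str) -> str:
    return path.strip('"').lower().rsplit("\\", 1)[-1]


def is_execution_trigger(ev: Event) -> bool:
    return ev.kind == "process" and basename(ev.image) in ("cmd.exe", "rundll32.exe")


def is_persistence(ev: Event) -> bool:
    if ev.kind == "service":
        return True
    return ev.kind == "registry" and any(m in ev.target.lower() for m in RUN_KEY_MARKERS)


def context_signals(trigger: Event, persist: Event) -> list:
    """Context that separates the pairing from legitimate deployment or admin work."""
    signals = []
    if not in_trusted_dir(trigger.image):                        # e.g. a relocated copy of the binary
        signals.append("trigger_image_outside_trusted_dirs")
    if basename(trigger.image) == "rundll32.exe":                # DLL argument not in a trusted location
        dll = next((t for t in trigger.cmdline.split()[1:] if ".dll" in t.lower()), "")
        if dll and not in_trusted_dir(dll.split(",")[0]):
            signals.append("rundll32_dll_outside_trusted_dirs")
    if persist.image and not in_trusted_dir(persist.image):      # persistence points at user-writable path
        signals.append("persistence_binary_outside_trusted_dirs")
    return signals


def correlate(events, window=WINDOW):
    """Return one alert per (trigger, persistence) pair on the same host with context."""
    ordered = sorted(events, key=lambda e: e.ts)
    alerts = []
    for trig in (e for e in ordered if is_execution_trigger(e)):
        for pers in ordered:
            if pers.host != trig.host or not is_persistence(pers):
                continue
            if not (trig.ts <= pers.ts <= trig.ts + window):
                continue
            signals = context_signals(trig, pers)
            if signals:
                alerts.append({"host": trig.host, "user": trig.user,
                               "trigger": trig.cmdline or trig.image,
                               "persistence": pers.target, "signals": signals})
    return alerts


def alert_hosts(events) -> list:
    return sorted({a["host"] for a in correlate(events)})


T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed; hosts, users and paths are invented
    # WS01: rundll32 loads a DLL from the user's temp directory, then a Run key references it.
    Event(T0, "WS01", "jdoe", "process", image="C:\\Windows\\System32\\rundll32.exe",
          parent="C:\\Windows\\explorer.exe",
          cmdline="rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.dll,Start"),
    Event(T0 + timedelta(seconds=40), "WS01", "jdoe", "registry",
          image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.dll",
          target="HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"),
    # WS02: deployment tooling runs cmd.exe and installs a vendor service under Program Files (benign).
    Event(T0 + timedelta(minutes=5), "WS02", "svc_deploy", "process",
          image="C:\\Windows\\System32\\cmd.exe",
          parent="C:\\Program Files\\Deployment\\agent.exe", cmdline="cmd.exe /c install.bat"),
    Event(T0 + timedelta(minutes=6), "WS02", "svc_deploy", "service",
          image="C:\\Program Files\\Vendor\\VendorSvc.exe", target="VendorSvc"),
    # WS03: cmd.exe followed by a new service whose binary lives in ProgramData.
    Event(T0 + timedelta(minutes=20), "WS03", "asmith", "process",
          image="C:\\Windows\\System32\\cmd.exe", parent="C:\\Windows\\explorer.exe",
          cmdline="cmd.exe /c C:\\ProgramData\\Sync\\setup.bat"),
    Event(T0 + timedelta(minutes=21), "WS03", "asmith", "service",
          image="C:\\ProgramData\\Sync\\sync.exe", target="SyncSvc"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script alerts on WS01 and WS03 and stays silent on WS02, which is the false-positive shape from the bullets: the same trigger-then-persistence sequence occurs on all three hosts, and only the context signals decide. In production the same structure would be fed from the SIEM's process, registry and service-install events, and the allow-list would be derived from the local software inventory rather than hard-coded.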
Mitigation priorities
- Reduce administrative exposure on Windows systems and review local administrator rights, since related behavior includes UAC bypass and persistence mechanisms that benefit from elevated privileges.
- Harden and monitor Windows service creation/modification, Registry Run keys, startup folders, rundll32.exe usage, and DLL search/loading behavior.
- Apply application control or execution control policies where feasible to constrain unauthorized binaries, DLLs, scripts, and administrative utilities.
- Strengthen egress controls, proxy enforcement, DNS logging, and network monitoring for web-based and encrypted outbound communications.
- Ensure incident response procedures preserve endpoint, service, registry, file system, proxy, DNS, and firewall evidence quickly, because related behavior includes file deletion and trace reduction.
Analyst notes and limits
The official ATT&CK description identifies Sakula as a RAT and cites Dell SecureWorks reporting. ATT&CK relates this software to Deep Panda and to multiple Windows-relevant execution, persistence, privilege-escalation, stealth, tool-transfer, and command-and-control techniques. The most useful defensive value is to test whether those behaviors are observable and actionable in the local environment.
ATT&CK provides no official detection guidance, no aliases, and no object-level tactics for Sakula in the supplied fields. The relationship data indicates techniques associated with the malware, but local telemetry is required to determine exposure, detection quality, or incident relevance. No active exploitation, current campaign activity, or guaranteed detection coverage is established by the supplied fields.
Sakula
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1548.002 | Bypass User Account Control Sub-technique | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1574.001 | DLL Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1218.011 | Rundll32 Sub-technique | |
| Enterprise | T1543.003 | Windows Service Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
Groups, software, and campaigns
G0009: Deep Panda
Deep Panda is a suspected Chinese threat group known to target many industries, including government, defense, financial, and telecommunications. [1] The intrusion into healthcare company Anthem has been attributed to Deep Panda. [2] This group is also known as Shell Crew, WebMasters, KungFu Kittens, and PinkPanther. [3] Deep Panda also appears to be known as Black Vine based on the attribution of both group names to the Anthem intrusion. [4] Some analysts track Deep Panda and APT19 as the same group, but it is unclear from open source information if the groups are the same. [5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 37c3845d9e9f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Dell Sakula: Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016.
[2] mitre-attack S0074: MITRE ATT&CK software object S0074 (Sakula).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.