Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0113: Prikormka

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. [1]

EnterpriseS0113MalwareObject v1.4 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Prikormka is a Windows malware family documented by MITRE as used in Operation Groundbait, observed predominantly in Ukraine and as early as 2008. Its ATT&CK relationships make it important as a defensive benchmark: it combines host discovery, credential and user activity collection, removable media collection, local staging/archiving, persistence, and stealthy execution/communications behaviors. For leaders, the value is not a single malware label; it is whether endpoint, identity, and incident response programs can prove they would notice and contain this pattern of surveillance-oriented activity.

Executive priority

Prioritize Prikormka as a coverage-validation case for Windows endpoint resilience and credential-risk response. Executives should ask whether the organization can detect suspicious persistence through Run keys/startup folders, abuse of rundll32/DLL execution, access to browser/password stores, keylogging or screen capture indicators, removable media collection, local staging, and encoded or encrypted command-and-control patterns. This supports budget and audit discussions around EDR logging, credential protection, removable media policy, and incident response evidence quality.

Technical view

MITRE does not provide a dedicated detection section for Prikormka, so SOC and detection teams should validate coverage through the related techniques. Focus on Windows telemetry for discovery activity, security software discovery, file and directory enumeration, peripheral/removable media access, credential store and browser credential access, keylogging/screen capture indicators, local data staging and archiving, file deletion, Run key/startup persistence, rundll32/DLL abuse, and encoded/encrypted C2. Tune detections around behavior chains rather than isolated events, because rundll32, registry changes, archive utilities, and discovery commands may be legitimate in normal administration.

Likely telemetry

  • Windows process creation and command-line telemetry
  • Registry monitoring for Run keys and startup folder persistence
  • File system telemetry for staging directories, archive creation, encoded/encrypted files, and deletion
  • DLL load and rundll32.exe execution telemetry
  • Browser credential store and password store file access events where available

Detection direction

  • Map detections to the related ATT&CK techniques rather than relying on a Prikormka-specific signature, since official detection guidance is not provided.
  • Correlate discovery behaviors with later collection behaviors, such as file enumeration followed by local staging, archiving, removable media access, or credential store access.
  • Baseline legitimate rundll32.exe usage and alert on unusual parent processes, command lines, DLL paths, or user contexts.
  • Monitor Run key and startup folder changes, especially when paired with newly written executables or DLLs.
  • Treat browser/password store access, keylogging indicators, and screen capture activity as high-value credential and privacy signals requiring rapid triage.

Mitigation priorities

  • Strengthen Windows endpoint visibility first: process, registry, file, module-load, removable media, and network metadata collection.
  • Apply least privilege and application control where feasible to reduce abuse of rundll32, DLL loading paths, and unauthorized persistence locations.
  • Harden credential handling by reducing stored browser/password credentials where possible and protecting credential stores with enterprise policy.
  • Use removable media controls and monitoring for environments where USB or optical media can carry sensitive data.
  • Ensure EDR and logging policies preserve evidence for local staging, archive creation, and deletion events.
Analyst notes and limits

This take is based on the supplied MITRE software object and its listed relationships. The software object itself has no specified tactics and no official detection text, so the defensive guidance is derived from the related ATT&CK techniques: discovery, collection, credential access, persistence, execution/stealth, and command-and-control behaviors associated with Prikormka.

The supplied fields do not provide indicators of compromise, active exploitation status, victim exposure, detailed procedures, or guaranteed detection logic. Local telemetry, asset context, user roles, and business process baselines are required to determine material risk and detection quality.

Official MITRE ATT&CK definition

Prikormka

Prikormka is a malware family used in a campaign known as Operation Groundbait. It has predominantly been observed in Ukraine and was used as early as 2008. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

20 rows
Domain ID Name Relationship / procedure
Enterprise T1573.001 Symmetric Cryptography Sub-technique

Prikormka encrypts some C2 traffic with the Blowfish cipher.[1]
Enterprise T1056.001 Keylogging Sub-technique

Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.[1]
Enterprise T1218.011 Rundll32 Sub-technique

Prikormka uses rundll32.exe to load its DLL.[1]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Some resources in Prikormka are encrypted with a simple XOR operation or encoded with Base64.[1]
Enterprise T1113 Screen Capture

Prikormka contains a module that captures screenshots of the victim's desktop.[1]
Enterprise T1120 Peripheral Device Discovery

A module in Prikormka collects information on available printers and disk drives.[1]
Enterprise T1016 System Network Configuration Discovery

A module in Prikormka collects information from the victim about its IP addresses and MAC addresses.[1]
Enterprise T1555.003 Credentials from Web Browsers Sub-technique

A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.[1]
Enterprise T1555 Credentials from Password Stores

A module in Prikormka collects passwords stored in applications installed on the victim.[1]
Enterprise T1574.001 DLL Sub-technique

Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.[1]
Enterprise T1082 System Information Discovery

A module in Prikormka collects information from the victim about Windows OS version, computer name, battery info, and physical memory.[1]
Enterprise T1025 Data from Removable Media

Prikormka contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB.[1]
Enterprise T1518.001 Security Software Discovery Sub-technique

A module in Prikormka collects information from the victim about installed anti-virus software.[1]
Enterprise T1132.001 Standard Encoding Sub-technique

Prikormka encodes C2 traffic with Base64.[1]
Enterprise T1070.004 File Deletion Sub-technique

After encrypting its own log files, the log encryption module in Prikormka deletes the original, unencrypted files from the host.[1]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.[1]
Enterprise T1074.001 Local Data Staging Sub-technique

Prikormka creates a directory, %USERPROFILE%\AppData\Local\SKC\, which is used to store collected log files.[1]
Enterprise T1083 File and Directory Discovery

A module in Prikormka collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file.[1]
Enterprise T1560 Archive Collected Data

After collecting documents from removable media, Prikormka compresses the collected files, and encrypts it with Blowfish.[1]
Enterprise T1033 System Owner/User Discovery

A module in Prikormka collects information from the victim about the current user name.[1]
Relationship explorer

All related ATT&CK context

uses · Technique T1573.001: Symmetric Cryptography Enterprise uses · Technique T1056.001: Keylogging Enterprise uses · Technique T1218.011: Rundll32 Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1113: Screen Capture Enterprise uses · Technique T1120: Peripheral Device Discovery Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1555.003: Credentials from Web Browsers Enterprise uses · Technique T1555: Credentials from Password Stores Enterprise uses · Technique T1574.001: DLL Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1025: Data from Removable Media Enterprise uses · Technique T1518.001: Security Software Discovery Enterprise uses · Technique T1132.001: Standard Encoding Enterprise uses · Technique T1070.004: File Deletion Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1074.001: Local Data Staging Enterprise uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1560: Archive Collected Data Enterprise uses · Technique T1033: System Owner/User Discovery Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.4
Created
Modified
Raw hash
a35eee39dcca0c4f...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.4 Current bundle a35eee39dcca…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    ESET Operation Groundbait

    Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016.

    Open source URL
  2. [2]
    mitre-attack S0113
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use