S0148: RTM

RTM is a Windows malware family written in Delphi and associated in ATT&CK with the RTM cybercriminal group. Its mapped behaviors matter because they combine credential and user-data collection, host discovery, persistence, command-and-control, and cleanup/stealth techniques. For leaders, the practical issue is not only whether a signature exists, but whether the organization can see and investigate Windows activity that looks like banking-trojan-style credential theft and persistence.

Executive priority

Prioritize RTM as a validation case for Windows endpoint resilience, identity risk, and incident response readiness. The ATT&CK relationships show behaviors that can affect credential exposure, fraud risk, and investigation quality: keylogging, screen and clipboard collection, scheduled task persistence, registry modification, web-based C2, ingress tool transfer, obfuscation, masquerading, and file/persistence cleanup. Executives should ask whether SOC coverage is behavior-based, whether evidence survives cleanup attempts, and whether high-risk financial or remote-banking users receive stronger monitoring and access controls.

Technical view

ATT&CK does not provide an official detection section for RTM, so coverage should be validated against the mapped techniques rather than a single malware name. On Windows, focus on suspicious scheduled task creation or modification, registry changes linked to persistence or defense evasion, command shell execution, user/system/process/file discovery, and collection behaviors such as keylogging, screen capture, clipboard access, and automated collection. Network teams should validate visibility into outbound web-protocol C2 patterns and use of legitimate web services as dead-drop resolvers. IR teams should also plan for obfuscated/compressed payloads, masqueraded task or service names, file deletion, and clearing of persistence artifacts.

Likely telemetry

Windows endpoint process creation and command-line events, especially cmd.exe and discovery command patterns
Windows Task Scheduler events and task XML/name/description changes
Windows Registry modification telemetry for persistence- and defense-evasion-relevant keys
File creation, deletion, compression/archive, and executable metadata telemetry on endpoints
Endpoint alerts or behavioral telemetry for keyboard, screen capture, clipboard, and automated collection activity

Detection direction

Because MITRE provides no official RTM detection text, build detections around technique clusters: persistence plus masquerading, discovery plus collection, and web C2 plus tool transfer.
Tune scheduled-task detections for suspicious task names, descriptions, paths, or timing, while accounting for legitimate administrative and software-update tasks.
Correlate registry modification, task creation, and command shell execution from the same host or user context to reduce false positives.
Look for discovery activity followed by credential or collection behavior, including keylogging, screen capture, clipboard access, or automated file collection.
Review network detections for outbound HTTP/S patterns that blend into normal traffic, including contacts to legitimate external services that may act as dead-drop resolvers.

Mitigation priorities

Confirm Windows endpoint logging and EDR coverage for task scheduling, registry modification, process creation, file deletion, and suspicious collection behavior.
Harden persistence surfaces by limiting who can create scheduled tasks or modify sensitive registry locations, and review administrative access regularly.
Reduce credential-theft impact with strong identity controls for high-risk users, especially users of remote banking or financial systems.
Apply egress monitoring and filtering appropriate to business requirements, with attention to unusual HTTP/S destinations and web-service-based resolver behavior.
Prepare IR playbooks to preserve volatile endpoint evidence quickly, because the mapped techniques include file deletion and clearing persistence artifacts.

Analyst notes and limits

The supplied ATT&CK object identifies RTM as custom Delphi malware, newer versions publicly reported as Redaman, and links it to the RTM group. Relationship context maps RTM to multiple ATT&CK techniques across stealth, discovery, execution, persistence, credential access, collection, and command-and-control behaviors. The group description states interest in users of remote banking systems in Russia and neighboring countries; this should inform threat-intelligence context without being treated as proof of local exposure.

No official MITRE detection guidance is provided for this object, and the object itself lists Windows as the platform with no object-level tactics specified. Technique relationship descriptions include broader platform coverage, but this take treats RTM coverage as Windows-focused unless local intelligence supports otherwise. Local telemetry, asset criticality, user population, and incident evidence are required to determine actual risk or detection coverage.

Official MITRE ATT&CK definition

RTM

RTM is custom malware written in Delphi. It is used by the group of the same name (RTM). Newer versions of the malware have been reported publicly as Redaman.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 38 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1548.002	Bypass User Account Control Sub-technique	RTM can attempt to run the program as admin, then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.[1]
Enterprise	T1219	Remote Access Tools	RTM has the capability to download a VNC module from command and control (C2).[1]
Enterprise	T1059.003	Windows Command Shell Sub-technique	RTM uses the command line and rundll32.exe to execute.[1]
Enterprise	T1115	Clipboard Data	RTM collects data from the clipboard.[1][2]
Enterprise	T1056.001	Keylogging Sub-technique	RTM can record keystrokes from both the keyboard and virtual keyboard.[1][2]
Enterprise	T1568	Dynamic Resolution	RTM has resolved Pony C2 server IP addresses by either converting Bitcoin blockchain transaction data to specific octets, or accessing IP addresses directly within the Namecoin blockchain.CitationCheckPoint Redaman October 2019[2]
Enterprise	T1566.001	Spearphishing Attachment Sub-technique	RTM has been delivered via spearphishing attachments disguised as PDF documents.[2]
Enterprise	T1027.015	Compression Sub-technique	RTM has been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.[1][2]
Enterprise	T1547.001	Registry Run Keys / Startup Folder Sub-technique	RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.[1]
Enterprise	T1120	Peripheral Device Discovery	RTM can obtain a list of smart card readers attached to the victim.[1][2]
Enterprise	T1124	System Time Discovery	RTM can obtain the victim time zone.[1]
Enterprise	T1559.002	Dynamic Data Exchange Sub-technique	RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.[1]
Enterprise	T1553.002	Code Signing Sub-technique	RTM samples have been signed with a code-signing certificates.[1]
Enterprise	T1497	Virtualization/Sandbox Evasion	RTM can detect if it is running within a sandbox or other virtualized analysis environment.[2]
Enterprise	T1053.005	Scheduled Task Sub-technique	RTM tries to add a scheduled task to establish persistence.[1][2]
Enterprise	T1036.004	Masquerade Task or Service Sub-technique	RTM has named the scheduled task it creates "Windows Update".[2]
Enterprise	T1573.001	Symmetric Cryptography Sub-technique	RTM encrypts C2 traffic with a custom RC4 variant.[1]
Enterprise	T1112	Modify Registry	RTM can delete all Registry entries created during its execution.[1]
Enterprise	T1102.001	Dead Drop Resolver Sub-technique	RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain.[1]CitationCheckPoint Redaman October 2019[2]
Enterprise	T1106	Native API	RTM can use the `FindNextUrlCacheEntryA` and `FindFirstUrlCacheEntryA` functions to search for specific strings within browser history.[1]
Enterprise	T1119	Automated Collection	RTM monitors browsing activity and automatically captures screenshots if a victim browses to a URL matching one of a list of strings.[1][2]
Enterprise	T1033	System Owner/User Discovery	RTM can obtain the victim username and permissions.[1]
Enterprise	T1553.004	Install Root Certificate Sub-technique	RTM can add a certificate to the Windows store.[1][2]
Enterprise	T1071.001	Web Protocols Sub-technique	RTM has initiated connections to external domains using HTTPS.[2]
Enterprise	T1218.011	Rundll32 Sub-technique	RTM runs its core DLL file using rundll32.exe.[1][2]
Enterprise	T1571	Non-Standard Port	RTM used Port 44443 for its VNC module.[1]
Enterprise	T1082	System Information Discovery	RTM can obtain the computer name, OS version, and default language identifier.[1]
Enterprise	T1105	Ingress Tool Transfer	RTM can download additional files.[1][2]
Enterprise	T1083	File and Directory Discovery	RTM can check for specific files and directories associated with virtualization and malware analysis.[2]
Enterprise	T1027	Obfuscated Files or Information	RTM strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm.[1][2]
Enterprise	T1518.001	Security Software Discovery Sub-technique	RTM can obtain information about security software on the victim.[1]
Enterprise	T1204.002	Malicious File Sub-technique	RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.[2]
Enterprise	T1057	Process Discovery	RTM can obtain information about process integrity levels.[1]
Enterprise	T1518	Software Discovery	RTM can scan victim drives to look for specific banking software on the machine to determine next actions.[1]
Enterprise	T1113	Screen Capture	RTM can capture screenshots.[1][2]
Enterprise	T1070.009	Clear Persistence Sub-technique	RTM has the ability to remove Registry entries that it created for persistence.[1]
Enterprise	T1036	Masquerading	RTM has been delivered as archived Windows executable files masquerading as PDF documents.[2]
Enterprise	T1070.004	File Deletion Sub-technique	RTM can delete all files created during its execution.[1][2]

Associated objects

Groups, software, and campaigns

G0048: RTM

RTM is a cybercriminal group that has been active since at least 2015 and is primarily interested in users of remote banking systems in Russia and neighboring countries. The group uses a Trojan by the same name (RTM). [1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: May 31, 2017, 21:33 UTC (UTC+00:00)
Modified: Apr 16, 2025, 20:38 UTC (UTC+00:00)
Raw hash: cfbd4a3aa6386118...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.2	Apr 16, 2025, 20:38 UTC (UTC+00:00)	Current bundle	`cfbd4a3aa638…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
ESET RTM Feb 2017

Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017.
Open source URL
[2]
Unit42 Redaman January 2019

Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020.
Open source URL
[3]
Redaman

(Citation: Unit42 Redaman January 2019)
[4]
mitre-attack S0148
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams