S0171: Felismus
Analyst context for executives and security teams
Felismus is a Windows modular backdoor documented by ATT&CK and reported as used by Sowbug. Its ATT&CK relationships show behaviors that matter to defenders after initial compromise: discovering users, system and network details, checking for security software, executing through Windows command shell, transferring tools, and communicating over web protocols with encoding/encryption. For leaders, the value is less about the malware name itself and more about whether the organization can see and respond to backdoor-style discovery and command-and-control activity before it enables broader intrusion activity.
Executive priority
Treat Felismus as a validation case for endpoint, network, and incident response readiness on Windows systems. Because ATT&CK provides no official detection text for this object, security leaders should ask whether coverage is behavior-based rather than dependent on a specific malware signature. Priority questions: can the SOC identify suspicious Windows command shell use, system/security-tool discovery, unusual inbound tool transfer, and web-based command-and-control patterns; can IR teams quickly scope affected users and hosts; and can compliance evidence demonstrate logging and monitoring for these behaviors?
Technical view
For SOC and detection engineering, build validation around the related ATT&CK behaviors rather than the malware label alone. On Windows endpoints, confirm visibility into command shell execution, parent/child process context, command-line arguments, user context, file creation or download activity, and discovery commands for user, system, network, and security software information. On the network side, review web protocol traffic for unusual destinations, encoded content patterns, encrypted C2-like sessions, and file transfer into the environment. The relationship to Sowbug is supplied by ATT&CK, but local detections should not rely on attribution; they should focus on observable behavior.
Likely telemetry
- Windows endpoint process execution events, including cmd.exe and parent/child process relationships
- Command-line logging for discovery activity related to users, host information, network configuration, and security software
- Endpoint file creation, modification, and downloaded/transferred tool evidence
- Network proxy, web gateway, DNS, and firewall logs for outbound web protocol communications
- EDR or host telemetry showing suspicious binaries using legitimate-looking names or locations
Detection direction
- Validate behavior-based detections for T1059.003 Windows Command Shell execution, especially when paired with discovery or file-transfer activity.
- Correlate T1016, T1033, T1082, and T1518.001-style discovery behaviors occurring close together on the same Windows host or user session.
- Review detections for T1036.005-like masquerading, including executables or resources using legitimate-looking names or locations; tune carefully to avoid broad false positives from normal software installations.
- Monitor for T1071.001 web protocol communications and T1132.001/T1573.001-style encoded or encrypted C2 patterns, recognizing that normal HTTPS and encoded application traffic can create false positives without endpoint correlation.
- Look for T1105 ingress tool transfer indicators such as unexpected file downloads followed by execution or discovery commands.
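As an added example (not part of the ATT&CK object or Glexia's analysis), the correlation in the second bullet above, run over constructed Sysmon-style process events: a host/user session is flagged when cmd.exe launches three or more distinct discovery techniques (T1033, T1082, T1016, T1518.001) within a ten-minute window. The field names, keyword lists and the parent name "updater.exe" are assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon EID 1 style process events (not real telemetry). The parent
# name "updater.exe" is an assumed stand-in for a masqueraded backdoor binary.
EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "WS01", "user": "corp\\jdoe", "parent": "explorer.exe", "image": "outlook.exe", "cmd": "outlook.exe"},
    {"ts": "2024-01-10T09:03:10", "host": "WS01", "user": "corp\\jdoe", "parent": "updater.exe", "image": "cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"ts": "2024-01-10T09:03:12", "host": "WS01", "user": "corp\\jdoe", "parent": "updater.exe", "image": "cmd.exe", "cmd": "cmd.exe /c systeminfo"},
    {"ts": "2024-01-10T09:03:15", "host": "WS01", "user": "corp\\jdoe", "parent": "updater.exe", "image": "cmd.exe", "cmd": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-01-10T09:03:20", "host": "WS01", "user": "corp\\jdoe", "parent": "updater.exe", "image": "cmd.exe", "cmd": "cmd.exe /c tasklist /v"},
    {"ts": "2024-01-10T11:20:00", "host": "WS02", "user": "corp\\admin", "parent": "powershell.exe", "image": "cmd.exe", "cmd": "cmd.exe /c ipconfig /all"},
]

# Assumed keyword-to-technique mapping; tune against local baselines.
DISCOVERY = {
    "T1033": ("whoami", "query user", "quser"),                  # System Owner/User Discovery
    "T1082": ("systeminfo", "hostname"),                         # System Information Discovery
    "T1016": ("ipconfig", "arp -a", "route print"),              # System Network Configuration Discovery
    "T1518.001": ("tasklist", "sc query", "netsh advfirewall"),  # Security Software Discovery
}

def classify(cmd):
    """Return the set of discovery technique IDs a command line matches."""
    c = cmd.lower()
    return {tid for tid, kws in DISCOVERY.items() if any(k in c for k in kws)}

def find_discovery_clusters(events, window_minutes=10, min_techniques=3):
    """Per (host, user) session, alert when cmd.exe runs >= min_techniques distinct discovery techniques within window_minutes."""
    sessions = defaultdict(list)
    for e in events:
        if e["image"].lower() != "cmd.exe":
            continue
        tids = classify(e["cmd"])
        if tids:
            sessions[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), tids, e["parent"]))
    alerts = []
    for (host, user), items in sessions.items():
        items.sort(key=lambda x: x[0])
        for t0, _, _ in items:
            window = [x for x in items if t0 <= x[0] <= t0 + timedelta(minutes=window_minutes)]
            techniques = set().union(*(x[1] for x in window))
            if len(techniques) >= min_techniques:
                alerts.append({"host": host, "user": user, "start": t0.isoformat(),
                               "techniques": sorted(techniques),
                               "parents": sorted({x[2] for x in window})})
                break  # one alert per session is enough for triage
    return alerts
```

The session on WS02 runs only one discovery command and is not flagged, which is the point of correlating categories rather than alerting on single commands.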
Mitigation priorities
- Prioritize reliable Windows endpoint logging and EDR coverage for process, command-line, file, and user-context telemetry.
- Restrict and monitor unnecessary command shell use where operationally feasible, especially on sensitive systems.
- Harden egress controls and web proxy monitoring so unusual outbound web communications and file transfers can be investigated.
- Maintain application control or allowlisting policies where appropriate to reduce execution of unapproved tools and masqueraded binaries.
- Ensure security tools are monitored for tampering or unexpected discovery activity, since the related techniques include Security Software Discovery.
Analyst notes and limits
ATT&CK identifies Felismus as a modular backdoor used by Sowbug and provides relationships to discovery, execution, command-and-control, ingress transfer, encoding/encryption, and masquerading techniques. The strongest defensive use is as a behavioral coverage checklist for Windows backdoor activity rather than a narrow malware-family alert.
The supplied ATT&CK object has no official detection text, no aliases, no labels, and no object-level tactics. Related techniques include platform mappings broader than the Felismus object; this take treats Windows as the supported malware platform and uses technique relationships only for behavioral context. Local telemetry, baselines, and environment architecture are required to determine actual exposure or coverage.
Felismus
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Felismus has masqueraded as legitimate Adobe Content Management System files. (Citation: ATT Felismus) |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
Groups, software, and campaigns
G0054: Sowbug
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 89d6ab364d6a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Symantec Sowbug Nov 2017: Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017.
- [2] Forcepoint Felismus Mar 2017: Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017.
- [3] Felismus: (Citation: Symantec Sowbug Nov 2017) (Citation: Forcepoint Felismus Mar 2017)
- [4] mitre-attack S0171
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.