S0180: Volgmer
Analyst context for executives and security teams
Volgmer matters because it is a Windows backdoor Trojan associated in ATT&CK with covert access to compromised systems and historical targeting of government, financial, automotive, and media organizations. For leaders, the decision point is not just whether a malware name is blocked; it is whether Windows endpoint, registry, service, command-shell, discovery, file-transfer, and encrypted command-and-control behaviors would be visible and actionable during an intrusion.
Executive priority
Prioritize Volgmer as a resilience and incident-readiness use case for Windows environments where sensitive operations, regulated data, or executive-facing services depend on rapid containment. ATT&CK provides no official detection guidance for this object, so executives should ask for evidence that the SOC can detect the related behaviors: Windows service persistence, registry activity, host and network discovery, command-shell execution, tool transfer, file deletion, and encrypted C2. This is also useful for audit and compliance discussions because it tests whether controls are measured against observable behaviors rather than malware names alone.
Technical view
Volgmer is documented by ATT&CK as Windows malware and a backdoor Trojan, with relationships to discovery, execution, persistence, defense evasion, command-and-control, and stealth techniques. SOC and IR teams should validate coverage around Windows Command Shell, Native API-driven execution indicators, Windows service creation or modification, registry query and modification, process/service/network/file discovery, ingress tool transfer, file deletion, fileless or encoded storage, masqueraded services or tasks, and encrypted C2 patterns. ATT&CK also relates Volgmer to Lazarus Group use; treat that as threat-intelligence context, not proof of local attribution.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service creation, modification, display name, binary path, and startup configuration records
- Windows Registry query and modification telemetry
- File creation, deletion, rename, and directory enumeration events
- Network connection metadata from endpoints and network sensors
Detection direction
- Because ATT&CK provides no official detection text for Volgmer, validate behavior-based analytics mapped to the related techniques rather than relying on signature-only coverage.
- Tune for suspicious service creation or modification, especially services with misleading names, unusual binary paths, or registry-backed configuration changes.
- Correlate discovery bursts: process, service, registry, file, directory, system, and network enumeration occurring close together on a Windows host.
- Review command-shell activity that launches discovery utilities, modifies services or registry keys, deletes artifacts, or stages transferred tools.
- Look for outbound encrypted communications that are unusual for the host role (new destinations, unexpected ports, or encrypted sessions from hosts that normally make none), while baselining normal encrypted enterprise traffic to limit false positives.
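The following Python script is an added illustration of the detection direction above (suspicious service installs with misleading names or untrusted binary paths, and discovery bursts launched from a command shell). It is not Glexia's or MITRE's code and does not come from any Volgmer sample; the telemetry records, the pipe-delimited field layout, the trusted directory list and the baseline service names are all constructed assumptions for illustration, to be replaced with an organization's own EDR fields and service baseline.

```python
"""Behavior-based triage for Volgmer-related ATT&CK techniques listed on this page:
service persistence (T1543.003), masqueraded service names (T1036.004) and discovery
bursts from a command shell (T1059.003). All records and field names are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
from difflib import SequenceMatcher

# Constructed sample telemetry, one event per line: timestamp|host|event|f1|f2
#   service_install: f1 = service display name, f2 = service binary path
#   process_create : f1 = parent image name,    f2 = command line
SAMPLE_TELEMETRY = """\
2024-01-10T09:00:01|WS-12|service_install|Print Spoo1er|C:\\Users\\Public\\spoolsv.exe
2024-01-10T09:00:05|WS-12|process_create|cmd.exe|tasklist /v
2024-01-10T09:00:09|WS-12|process_create|cmd.exe|ipconfig /all
2024-01-10T09:00:14|WS-12|process_create|cmd.exe|netstat -ano
2024-01-10T09:00:20|WS-12|process_create|cmd.exe|reg query HKLM\\SYSTEM\\CurrentControlSet\\Services
2024-01-10T09:00:25|WS-12|process_create|cmd.exe|systeminfo
2024-01-10T10:15:00|SRV-01|service_install|Print Spooler|C:\\Windows\\System32\\spoolsv.exe
2024-01-10T10:30:00|SRV-01|process_create|explorer.exe|ipconfig /all
2024-01-10T14:30:00|SRV-01|process_create|cmd.exe|netstat -an
"""

# Assumed environment baseline (lower-cased): trusted service binary locations and
# a few legitimate display names with the binary path each is expected to run.
TRUSTED_SERVICE_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
BASELINE_SERVICES = {
    "print spooler": "c:\\windows\\system32\\spoolsv.exe",
    "windows update": "c:\\windows\\system32\\svchost.exe",
}

# Built-in utilities mapped to the discovery technique they usually indicate.
DISCOVERY_UTILITIES = {
    "tasklist": "process",             # T1057
    "sc": "service",                   # T1007
    "ipconfig": "network_config",      # T1016
    "netstat": "network_connections",  # T1049
    "reg": "registry",                 # T1012
    "systeminfo": "system_info",       # T1082
    "dir": "file_directory",           # T1083
}


def parse_telemetry(text):
    """Split the pipe-delimited sample records into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event, f1, f2 = line.split("|", 4)
        events.append({"ts": datetime.fromisoformat(ts), "host": host,
                       "event": event, "f1": f1, "f2": f2})
    return events


def check_service_install(ev):
    """Return the reasons a service install looks like persistence or masquerading."""
    reasons = []
    name, path = ev["f1"].lower(), ev["f2"].lower()
    if not path.startswith(TRUSTED_SERVICE_DIRS):
        reasons.append("service binary outside trusted directories")
    for legit_name, legit_path in BASELINE_SERVICES.items():
        # A near-identical display name with a different binary is the masquerading
        # pattern; the exact name with its expected path is the benign case.
        if SequenceMatcher(None, name, legit_name).ratio() >= 0.85 and path != legit_path:
            reasons.append(f"display name resembles '{legit_name}' but binary path differs")
    return reasons


def find_discovery_bursts(events, window=timedelta(seconds=120), min_categories=3):
    """Per host, flag a sliding window in which several distinct discovery
    categories run close together, noting whether cmd.exe launched them."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event"] != "process_create":
            continue
        utility = ev["f2"].split()[0].lower()
        utility = utility[:-4] if utility.endswith(".exe") else utility
        category = DISCOVERY_UTILITIES.get(utility)
        if category:
            per_host[ev["host"]].append((ev["ts"], category, ev["f1"].lower()))
    alerts = []
    for host, hits in per_host.items():
        hits.sort()
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            categories = {h[1] for h in in_window}
            if len(categories) >= min_categories:
                alerts.append({"host": host, "start": start, "categories": sorted(categories),
                               "via_command_shell": any(h[2] == "cmd.exe" for h in in_window)})
                break  # report the first qualifying burst per host
    return alerts


def triage(text):
    """Run both checks over the telemetry and return a flat alert list."""
    events = parse_telemetry(text)
    alerts = []
    for ev in events:
        if ev["event"] == "service_install":
            for reason in check_service_install(ev):
                alerts.append({"host": ev["host"], "rule": "suspicious_service", "detail": reason})
    for burst in find_discovery_bursts(events):
        alerts.append({"host": burst["host"], "rule": "discovery_burst",
                       "detail": ", ".join(burst["categories"]),
                       "via_command_shell": burst["via_command_shell"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_TELEMETRY):
        print(alert)
```

On the constructed data, only WS-12 produces alerts: its service install fires twice (binary in a user-writable directory, and a display name one character away from "Print Spooler" pointing at a different binary), and its five discovery utilities run within 20 seconds from cmd.exe, which qualifies as a burst. SRV-01's legitimate spooler install and its two discovery commands hours apart produce nothing, which is the false-positive behavior the window and baseline are meant to give. The window length, similarity threshold and category count are tuning knobs; they should be set from an environment's own admin activity rather than taken from this sample.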
Mitigation priorities
- Start with visibility: ensure Windows endpoints collect process, command-line, registry, service, file, and network telemetry needed to investigate the related ATT&CK behaviors.
- Harden persistence surfaces by monitoring and controlling Windows service creation/modification and privileged registry locations.
- Reduce spearphishing exposure where relevant through user reporting, email security controls, and response playbooks, since ATT&CK notes spearphishing as the suspected primary delivery method.
- Apply least privilege so routine users cannot easily create services, modify sensitive registry keys, or install unauthorized tools.
- Prepare IR runbooks for backdoor containment: isolate affected Windows hosts, preserve volatile evidence where possible, review persistence points, and investigate outbound communications and transferred tools.
Analyst notes and limits
This take is based on ATT&CK S0180 Volgmer, external references from US-CERT and Symantec, and ATT&CK relationships showing associated techniques and Lazarus Group use. The most defensible value for defenders is behavioral validation across Windows persistence, discovery, evasion, execution, and C2 rather than malware-name matching.
ATT&CK lists no official detection guidance and no tactics directly on the Volgmer malware object. The object platform is Windows, although some related techniques apply to additional platforms in ATT&CK generally. Local prioritization requires environment-specific evidence such as exposed business processes, Windows asset criticality, telemetry coverage, and current control performance.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1543.003 | Windows Service Sub-technique | |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1106 | Native API | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | |
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
Groups, software, and campaigns
G0032: Lazarus Group
Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]
North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 354a87500bbc… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] US-CERT Volgmer Nov 2017: US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017.
- [2] US-CERT Volgmer 2 Nov 2017: US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018.
- [3] Symantec Volgmer Aug 2014: Yagi, J. (2014, August 24). Trojan.Volgmer. Retrieved July 16, 2018.
- [4] Volgmer: (Citation: US-CERT Volgmer Nov 2017) (Citation: US-CERT Volgmer 2 Nov 2017) (Citation: Symantec Volgmer Aug 2014)
- [5] mitre-attack S0180
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.