Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0267: FELIXROOT

FELIXROOT is a backdoor that has been used to target Ukrainian victims. [1]

EnterpriseS0267MalwareObject v2.2 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

FELIXROOT is a Windows backdoor documented by ATT&CK as having targeted Ukrainian victims. Its ATT&CK relationships show behavior that matters operationally: discovery of users, processes, system details, storage, network configuration, time, registry and security tools; execution through Windows command shell, WMI, and rundll32; persistence through registry run keys/startup mechanisms and shortcut modification; web-protocol command-and-control; tool transfer; archive creation; file deletion; and registry modification. For leaders, the value is not just naming the malware, but using it as a validation case for whether Windows endpoint, network, and registry telemetry can reconstruct a backdoor intrusion from initial execution through persistence, discovery, C2, staging, and cleanup.

Executive priority

Prioritize FELIXROOT as a Windows backdoor coverage test for SOC and incident response readiness, especially where business operations depend on Windows endpoints or where regional/geopolitical exposure is a concern. The object’s relationships point to controls and evidence auditors often ask about: endpoint monitoring, registry change visibility, command-line logging, WMI/rundll32 oversight, web egress monitoring, and retention sufficient to investigate file deletion and staged archives. Executives should ask whether teams can prove coverage for these behaviors, not whether a single malware name is blocked.

Technical view

ATT&CK provides no standalone detection text for FELIXROOT, so defenders should pivot from the software object to its mapped techniques. Validate Windows visibility for registry query and modification, run key/startup and shortcut persistence, command shell execution, WMI activity, rundll32 proxy execution, discovery commands or API activity, file transfer, archive creation, file deletion, and web-protocol C2-like traffic. Detection engineering should focus on behavior chains: discovery of host/user/security tooling followed by persistence changes, suspicious LOLBin execution, external web communications, transferred tools, archived data, or cleanup. IR playbooks should include registry and startup artifact collection, WMI/rundll32 process lineage review, network egress review, and timeline reconstruction around deleted files and staged archives.

Likely telemetry

  • Windows process creation events with command line and parent/child process lineage
  • Registry query and modification events, especially run keys and startup-related locations
  • Startup folder and shortcut creation or modification evidence
  • WMI activity logs and process execution context
  • rundll32.exe execution details including loaded DLL/path and command line where available

Detection direction

  • Build detections around combinations of mapped behaviors rather than the FELIXROOT name alone, because the official ATT&CK object does not provide detection guidance.
  • Tune for suspicious command shell, WMI, and rundll32 activity by examining parent process, command line, execution path, user context, and proximity to discovery or persistence activity.
  • Monitor registry run key/startup changes and shortcut modifications, while accounting for legitimate software installation and administrative activity as common false-positive sources.
  • Correlate discovery activity across user, process, system, network, time, local storage, and security software enumeration; single discovery commands may be benign, but clusters can indicate post-compromise reconnaissance.
  • Review outbound web-protocol traffic from unusual processes or newly persistent binaries, using proxy/DNS/firewall logs where endpoint visibility is incomplete.

Mitigation priorities

  • Harden Windows endpoint visibility first: process command lines, registry auditing, WMI activity, startup locations, file operations, and network egress logging.
  • Restrict and monitor administrative execution paths such as WMI, command shell usage, and rundll32 where business operations allow, with exceptions documented and reviewed.
  • Control persistence surfaces by monitoring registry run keys and startup folders, and by validating change-management coverage for legitimate modifications.
  • Apply least privilege so registry modification, persistence creation, and broad discovery actions are constrained to authorized users and tools.
  • Strengthen egress controls and web traffic inspection policies to make web-protocol command-and-control harder to blend into normal traffic.
Analyst notes and limits

The supplied ATT&CK data identifies FELIXROOT as a Windows backdoor and provides relationships to many ATT&CK techniques, but no official detection text and no tactics directly on the malware object. The relationships are therefore the best source for defensive planning. External references include FireEye reporting on Microsoft Office vulnerabilities used to distribute FELIXROOT and ESET GreyEnergy reporting, but this take avoids adding details not present in the supplied fields.

This assessment is constrained to the supplied ATT&CK fields, references, and relationships. It does not assert current activity, attribution, victim exposure beyond the official description, specific indicators, exploitability in any environment, or guaranteed detection coverage. Local validation is required to determine whether relevant Windows endpoint, registry, WMI, file, and network telemetry is actually collected and retained.

Official MITRE ATT&CK definition

FELIXROOT

FELIXROOT is a backdoor that has been used to target Ukrainian victims. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

19 rows
Domain ID Name Relationship / procedure
Enterprise T1057 Process Discovery

FELIXROOT collects a list of running processes.[2]
Enterprise T1112 Modify Registry

FELIXROOT deletes the Registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open.[1]
Enterprise T1680 Local Storage Discovery

FELIXROOT collects the victim’s volume serial number.[1][2]
Enterprise T1518.001 Security Software Discovery Sub-technique

FELIXROOT checks for installed security software like antivirus and firewall.[2]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

FELIXROOT encrypts strings in the backdoor using a custom XOR algorithm.[1][2]
Enterprise T1082 System Information Discovery

FELIXROOT collects the victim’s computer name, processor architecture, OS version, and system type.[1][2]
Enterprise T1012 Query Registry

FELIXROOT queries the Registry for specific keys for potential privilege escalation and proxy information. FELIXROOT has also used WMI to query the Windows Registry.[1][2]
Enterprise T1071.001 Web Protocols Sub-technique

FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.[1][2]
Enterprise T1016 System Network Configuration Discovery

FELIXROOT collects information about the network including the IP address and DHCP server.[2]
Enterprise T1047 Windows Management Instrumentation

FELIXROOT uses WMI to query the Windows Registry.[2]
Enterprise T1124 System Time Discovery

FELIXROOT gathers the time zone information from the victim’s machine.[2]
Enterprise T1560 Archive Collected Data

FELIXROOT encrypts collected data with AES and Base64 and then sends it to the C2 server.[1]
Enterprise T1218.011 Rundll32 Sub-technique

FELIXROOT uses Rundll32 for executing the dropper program.[1][2]
Enterprise T1033 System Owner/User Discovery

FELIXROOT collects the username from the victim’s machine.[1][2]
Enterprise T1547.009 Shortcut Modification Sub-technique

FELIXROOT creates a .LNK file for persistence.[2]
Enterprise T1105 Ingress Tool Transfer

FELIXROOT downloads and uploads files to and from the victim’s machine.[1][2]
Enterprise T1059.003 Windows Command Shell Sub-technique

FELIXROOT executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.[1][2]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

FELIXROOT adds a shortcut file to the startup folder for persistence.[2]
Enterprise T1070.004 File Deletion Sub-technique

FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.[1]
Relationship explorer

All related ATT&CK context

uses · Technique T1057: Process Discovery Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1680: Local Storage Discovery Enterprise uses · Technique T1518.001: Security Software Discovery Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1012: Query Registry Enterprise uses · Technique T1071.001: Web Protocols Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1047: Windows Management Instrumentation Enterprise uses · Technique T1124: System Time Discovery Enterprise uses · Technique T1560: Archive Collected Data Enterprise uses · Technique T1218.011: Rundll32 Enterprise uses · Technique T1033: System Owner/User Discovery Enterprise uses · Technique T1547.009: Shortcut Modification Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1059.003: Windows Command Shell Enterprise uses · Technique T1547.001: Registry Run Keys / Startup Folder Enterprise uses · Technique T1070.004: File Deletion Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
2.2
Created
Modified
Raw hash
0b6eadca550816ee...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 2.2 Current bundle 0b6eadca5508…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    FireEye FELIXROOT July 2018

    Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved November 17, 2024.

    Open source URL
  2. [2]
    ESET GreyEnergy Oct 2018

    Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018.

    Open source URL
  3. [3]
    FELIXROOT

    (Citation: FireEye FELIXROOT July 2018)(Citation: ESET GreyEnergy Oct 2018)

  4. [4]
    GreyEnergy mini

    (Citation: ESET GreyEnergy Oct 2018)

  5. [5]
    mitre-attack S0267
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use