S0412: ZxShell
Analyst context for executives and security teams
ZxShell matters because it represents a Windows remote administration/backdoor capability with a long public history and ATT&CK relationships to discovery, credential collection, lateral movement, command-and-control, proxying, tool transfer, and cleanup behaviors. For leaders, the practical issue is not the malware name alone; it is whether Windows endpoint, identity, remote access, and network monitoring can prove what happened after a backdoor is present.
Executive priority
Prioritize ZxShell-related readiness where Windows systems support sensitive operations, regulated data, or remote administration pathways. The ATT&CK relationships point to business-impacting questions: can the organization detect unauthorized RDP/VNC use, credential capture attempts, registry changes, local discovery, inbound tool transfer, and web/file-transfer based command-and-control? This is useful for incident response planning, audit evidence around privileged access and endpoint monitoring, and control prioritization for remote access and Windows hardening.
Technical view
Treat ZxShell as a Windows backdoor/RAT profile with relationship-driven validation across execution, discovery, credential access, lateral movement, command-and-control, persistence/defense impairment, and stealth. ATT&CK does not provide official detection text for this software, so SOC teams should map detections to the linked techniques: Windows command shell execution, Native API behavior, DLL injection, keylogging/API hooking indicators, registry query and modification, service/process/user/system/file discovery, RDP and VNC activity, proxy behavior, web and file-transfer C2 patterns, ingress tool transfer, and file deletion. Group relationships to Axiom, Threat Group-3390, and APT41 provide threat-intelligence context, but local evidence is required before making attribution or exposure claims.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and discovery utilities
- Windows registry access and modification events
- EDR telemetry for DLL injection, suspicious API usage, credential API hooking, and keylogging-like behavior
- Windows service, process, user, system, file, and directory enumeration events
- Authentication and remote access logs for RDP and VNC sessions
Detection direction
- Because ATT&CK provides no official detection guidance for ZxShell, build coverage from the related techniques rather than relying on a malware-specific signature alone.
- Validate that Windows endpoint detections correlate discovery sequences, registry activity, command-shell execution, and network connections from the same host or user context.
- Tune remote access monitoring for unusual RDP or VNC use, especially new source/destination pairs, atypical times, or sessions inconsistent with normal administration.
- Review C2-oriented detections for web and file-transfer protocols, but account for high false-positive potential because these protocols are common in enterprise environments.
- Look for proxy or relay behavior that may hide direct infrastructure connections, including unexpected internal-to-external forwarding patterns.
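The host/user correlation described above, as an added example that is not part of the MITRE or Glexia page: it groups constructed Sysmon-style events by (host, user) and flags a context only when one time window holds several discovery utilities, a cmd.exe launch, a registry write and an outbound connection. The event shape, host and user names, the registry path placeholder and the discovery utility list are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-style events (hypothetical sample data, not real telemetry):
# (timestamp, host, user, event_type, detail); detail is a command line for
# process_create, a key path for registry_set, and dst:port for network_connect.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:01", "WS01", "corp\\jdoe", "process_create", "C:\\Windows\\System32\\cmd.exe"),
    ("2024-05-01T09:00:05", "WS01", "corp\\jdoe", "process_create", "whoami.exe /all"),
    ("2024-05-01T09:00:09", "WS01", "corp\\jdoe", "process_create", "net.exe user"),
    ("2024-05-01T09:00:20", "WS01", "corp\\jdoe", "registry_set", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\PLACEHOLDER"),
    ("2024-05-01T09:00:31", "WS01", "corp\\jdoe", "network_connect", "203.0.113.10:443"),
    ("2024-05-01T10:15:00", "WS02", "corp\\asmith", "process_create", "C:\\Windows\\System32\\cmd.exe"),
    ("2024-05-01T10:15:02", "WS02", "corp\\asmith", "process_create", "whoami.exe"),
    ("2024-05-01T10:15:09", "WS02", "corp\\asmith", "network_connect", "198.51.100.5:443"),
]

# Built-in Windows utilities that commonly appear in local discovery sequences (assumed list).
DISCOVERY_IMAGES = {"whoami.exe", "net.exe", "net1.exe", "tasklist.exe", "systeminfo.exe",
                    "query.exe", "sc.exe", "ipconfig.exe", "netstat.exe", "qwinsta.exe"}

def image_of(cmdline):
    """Return the lower-cased executable name from a command line."""
    return cmdline.split()[0].rsplit("\\", 1)[-1].lower()

def correlate(events, window_minutes=10, min_discovery=2):
    """Group events by (host, user) and flag a context when a single time window holds
    >= min_discovery distinct discovery utilities, a cmd.exe launch, a registry write
    and an outbound connection. Returns {(host, user): summary} for flagged contexts."""
    by_ctx = defaultdict(list)
    for ts, host, user, etype, detail in events:
        by_ctx[(host, user)].append((datetime.fromisoformat(ts), etype, detail))
    flagged = {}
    for ctx, evs in by_ctx.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):  # each event opens a candidate window
            win = [e for e in evs[i:] if e[0] - t0 <= timedelta(minutes=window_minutes)]
            procs = [image_of(d) for _, et, d in win if et == "process_create"]
            summary = {
                "discovery": sorted(p for p in set(procs) if p in DISCOVERY_IMAGES),
                "shell": "cmd.exe" in procs,
                "registry_write": any(et == "registry_set" for _, et, _ in win),
                "network": any(et == "network_connect" for _, et, _ in win),
            }
            if (len(summary["discovery"]) >= min_discovery and summary["shell"]
                    and summary["registry_write"] and summary["network"]):
                flagged[ctx] = summary
                break  # one alert per context; analysts review the whole window
    return flagged
```

Calling `correlate(SAMPLE_EVENTS)` flags only WS01, because WS02 shows a shell and a connection but no discovery sequence or registry write; the window and utility list are the knobs to tune against a site's normal administration.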
Mitigation priorities
- Start with remote access governance: restrict and monitor RDP and VNC, require strong authentication, and ensure administrative access is limited and reviewable.
- Harden Windows endpoints against persistence and defense impairment by controlling registry modification paths, privileged execution, and unauthorized administrative tooling.
- Ensure endpoint protection and EDR policies are configured to observe injection, credential capture, suspicious command execution, and file deletion behaviors.
- Strengthen egress controls and logging for web, proxy, and file-transfer protocols so command-and-control and tool transfer activity has reviewable evidence.
- Maintain incident response procedures for Windows backdoor cases, including host isolation, credential reset decisions, registry and filesystem review, and scoping of lateral movement.
Analyst notes and limits
Official ATT&CK identifies ZxShell as a remote administration tool and backdoor downloadable from the Internet, particularly from Chinese hacker websites, and states it has been used since at least 2004. ATT&CK relationships associate it with Axiom, Threat Group-3390, and APT41, and with numerous techniques spanning discovery, execution, credential access, lateral movement, command-and-control, persistence/defense impairment, stealth, and collection. The object platform is Windows; some related technique platform lists are broader because they describe the general ATT&CK technique, not necessarily this malware instance.
No official ATT&CK detection text, aliases, labels, or malware-level tactics are supplied. The summary is based only on the provided STIX fields, external references, and relationships. It does not assert current exploitation, customer exposure, guaranteed detection, or attribution. Local telemetry, binaries, network indicators, and case evidence are required for operational conclusions.
ZxShell
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group, but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
G0096: APT41
APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to the healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]
G0027: Threat Group-3390
Threat Group-3390 is a Chinese threat group that has extensively used strategic Web compromises to target victims.[1] The group has been active since at least 2010 and has targeted organizations in the aerospace, government, defense, technology, energy, manufacturing and gambling/betting sectors.[2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a37cc1a95112… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT41 Aug 2019: Fraser, N., et al. (2019, August 7). Double Dragon: APT41, a dual espionage and cyber crime operation. Retrieved September 23, 2019.
[2] Talos ZxShell Oct 2014: Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019.
[3] Sensocode (Citation: Talos ZxShell Oct 2014)
[4] ZxShell (Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)
[5] mitre-attack S0412
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.