Live Active security incident? Get immediate response
MITRE ATT&CK® Malware

S0438: Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.[1]

EnterpriseS0438MalwareObject v1.1 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

Attor matters because ATT&CK describes it as a Windows-based espionage platform with loadable plugins, meaning its observed behaviors span discovery, persistence, collection, stealth, command-and-control, and exfiltration rather than a single easily contained action. For leaders, the practical issue is whether Windows monitoring can connect quiet endpoint changes, user-data collection, and outbound data movement into one incident story before sensitive information leaves the environment.

Executive priority

Treat this as a coverage-validation case for Windows endpoint resilience and data-loss readiness, not as evidence of current exposure. Ask whether the organization can prove visibility into scheduled tasks, logon scripts, registry changes, process injection, screen/clipboard/keylogging-related collection, local staging, and outbound C2/exfiltration paths. The decision value is in prioritizing controls and audit evidence around espionage-style intrusions that may rely on stealth, automation, and modular functionality.

Technical view

ATT&CK has no official detection text for Attor, so SOC and IR teams should validate detections against the related techniques: Application Window Discovery, Query/Modify Registry, Scheduled Task, Windows Logon Script, Process Injection including APC injection, Native API use, Keylogging, Screen Capture, Clipboard Data, Local Data Staging, Automated Collection/Exfiltration, Exfiltration Over C2 Channel, File Transfer Protocols, Multi-hop Proxy, Ingress Tool Transfer, File Deletion, Timestomp, Encrypted/Encoded File, and Masquerade Task or Service. Focus on correlations across Windows host telemetry and network egress rather than single indicators.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Scheduled task creation/modification events
  • Windows service creation, modification, names, and display names
  • Registry query and modification events, including logon-script related keys
  • EDR memory/injection signals, including APC-style injection indicators where available

Detection direction

  • Because no official ATT&CK detection guidance is provided, build coverage from the related techniques and test whether alerts link persistence, collection, stealth, and exfiltration behaviors into one investigation.
  • Tune scheduled task, service, and logon-script detections for masquerading: suspicious names, paths, descriptions, unexpected parents, and uncommon users, while accounting for legitimate administration tools.
  • Correlate registry modification/query activity with new persistence artifacts, process injection, and subsequent outbound communications.
  • Hunt for local staging followed by automated outbound transfer; include encrypted or encoded files and file deletion as potential evasion context rather than standalone proof of malware.
  • Validate visibility into screen capture, clipboard access, and keylogging-like behavior, recognizing these signals can be noisy, privacy-sensitive, or unavailable in some environments.

Mitigation priorities

  • Prioritize Windows endpoint hardening and monitoring for persistence locations: scheduled tasks, services, logon scripts, and registry autostart or configuration changes.
  • Limit administrative privileges and write access to persistence-sensitive registry keys, task locations, and service configuration paths.
  • Use application control or allow-listing where feasible to reduce unauthorized plugin/tool execution and ingress tool transfer risk.
  • Strengthen egress controls and logging for file-transfer protocols, proxy use, and unusual outbound data flows, especially from endpoints that do not normally communicate externally.
  • Protect sensitive data through least privilege, segmentation, and data handling controls so collection or staging on one Windows host has limited business impact.
Analyst notes and limits

The ATT&CK object identifies Attor as a Windows-based espionage platform observed since 2013 with a loadable plugin architecture. The most useful defensive interpretation comes from the relationship context: it maps to discovery, persistence, privilege escalation, stealth, collection, credential access, command-and-control, and exfiltration techniques. Coverage should be assessed as a behavior chain rather than as a malware-name signature.

This take uses only the supplied ATT&CK fields, external references, and relationships. The object provides no official detection text, no ATT&CK tactics on the malware object itself, no indicators of compromise, no sectors, no vulnerabilities, and no current activity claim. Local telemetry, legal/privacy constraints, and environment-specific baselines are required to determine actual exposure or detection quality.

Official MITRE ATT&CK definition

Attor

Attor is a Windows-based espionage platform that has been seen in use since 2013. Attor has a loadable plugin architecture to customize functionality for specific targets.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

35 rows
Domain ID Name Relationship / procedure
Enterprise T1083 File and Directory Discovery

Attor has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files.[1]
Enterprise T1560.003 Archive via Custom Method Sub-technique

Attor encrypts collected data with a custom implementation of Blowfish and RSA ciphers.[1]
Enterprise T1010 Application Window Discovery

Attor can obtain application window titles and then determines which windows to perform Screen Capture on.[1]
Enterprise T1573.001 Symmetric Cryptography Sub-technique

Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.[1]
Enterprise T1036.004 Masquerade Task or Service Sub-technique

Attor's dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate).[1]
Enterprise T1497.001 System Checks Sub-technique

Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions.[1]
Enterprise T1090.003 Multi-hop Proxy Sub-technique

Attor has used Tor for C2 communication.[1]
Enterprise T1037.001 Logon Script (Windows) Sub-technique

Attor's dispatcher can establish persistence via adding a Registry key with a logon script HKEY_CURRENT_USER\Environment "UserInitMprLogonScript" .[1]
Enterprise T1218.011 Rundll32 Sub-technique

Attor's installer plugin can schedule rundll32.exe to load the dispatcher.[1]
Enterprise T1115 Clipboard Data

Attor has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs.[1]
Enterprise T1573.002 Asymmetric Cryptography Sub-technique

Attor's Blowfish key is encrypted with a public RSA key.[1]
Enterprise T1105 Ingress Tool Transfer

Attor can download additional plugins, updates and other files. [1]
Enterprise T1074.001 Local Data Staging Sub-technique

Attor has staged collected data in a central upload directory prior to exfiltration.[1]
Enterprise T1120 Peripheral Device Discovery

Attor has a plugin that collects information about inserted storage devices, modems, and phone devices.[1]
Enterprise T1112 Modify Registry

Attor's dispatcher can modify the Run registry key.[1]
Enterprise T1113 Screen Capture

Attor's has a plugin that captures screenshots of the target applications.[1]
Enterprise T1041 Exfiltration Over C2 Channel

Attor has exfiltrated data over the C2 channel.[1]
Enterprise T1129 Shared Modules

Attor's dispatcher can execute additional plugins by loading the respective DLLs.[1]
Enterprise T1543.003 Windows Service Sub-technique

Attor's dispatcher can establish persistence by registering a new service.[1]
Enterprise T1027.013 Encrypted/Encoded File Sub-technique

Strings in Attor's components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.[1]
Enterprise T1071.002 File Transfer Protocols Sub-technique

Attor has used FTP protocol for C2 communication.[1]
Enterprise T1119 Automated Collection

Attor has automatically collected data about the compromised system.[1]
Enterprise T1053.005 Scheduled Task Sub-technique

Attor's installer plugin can schedule a new task that loads the dispatcher on boot/logon.[1]
Enterprise T1070.006 Timestomp Sub-technique

Attor has manipulated the time of last access to files and registry keys after they have been created or modified.[1]
Enterprise T1055 Process Injection

Attor's dispatcher can inject itself into running processes to gain higher privileges and to evade detection.[1]
Enterprise T1056.001 Keylogging Sub-technique

One of Attor's plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.[1]
Enterprise T1569.002 Service Execution Sub-technique

Attor's dispatcher can be executed as a service.[1]
Enterprise T1564.001 Hidden Files and Directories Sub-technique

Attor can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those.[1]
Enterprise T1070.004 File Deletion Sub-technique

Attor’s plugin deletes the collected files and log files after exfiltration.[1]
Enterprise T1123 Audio Capture

Attor's has a plugin that is capable of recording audio using available input sound devices.[1]
Enterprise T1106 Native API

Attor's dispatcher has used CreateProcessW API for execution.[1]
Enterprise T1020 Automated Exfiltration

Attor has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server.[1]
Enterprise T1055.004 Asynchronous Procedure Call Sub-technique

Attor performs the injection by attaching its code into the APC queue using NtQueueApcThread API.[1]
Enterprise T1680 Local Storage Discovery

Attor monitors the free disk space on the system.[1]
Enterprise T1012 Query Registry

Attor has opened the registry and performed query searches.[1]
Relationship explorer

All related ATT&CK context

uses · Technique T1083: File and Directory Discovery Enterprise uses · Technique T1560.003: Archive via Custom Method Enterprise uses · Technique T1010: Application Window Discovery Enterprise uses · Technique T1573.001: Symmetric Cryptography Enterprise uses · Technique T1036.004: Masquerade Task or Service Enterprise uses · Technique T1497.001: System Checks Enterprise uses · Technique T1090.003: Multi-hop Proxy Enterprise uses · Technique T1037.001: Logon Script (Windows) Enterprise uses · Technique T1218.011: Rundll32 Enterprise uses · Technique T1115: Clipboard Data Enterprise uses · Technique T1573.002: Asymmetric Cryptography Enterprise uses · Technique T1105: Ingress Tool Transfer Enterprise uses · Technique T1074.001: Local Data Staging Enterprise uses · Technique T1120: Peripheral Device Discovery Enterprise uses · Technique T1112: Modify Registry Enterprise uses · Technique T1113: Screen Capture Enterprise uses · Technique T1041: Exfiltration Over C2 Channel Enterprise uses · Technique T1129: Shared Modules Enterprise uses · Technique T1543.003: Windows Service Enterprise uses · Technique T1027.013: Encrypted/Encoded File Enterprise uses · Technique T1071.002: File Transfer Protocols Enterprise uses · Technique T1119: Automated Collection Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1070.006: Timestomp Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.1
Created
Modified
Raw hash
101444c4e97e16e2...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.1 Current bundle 101444c4e97e…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    ESET Attor Oct 2019

    Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020.

    Open source URL
  2. [2]
    Attor

    (Citation: ESET Attor Oct 2019)

  3. [3]
    mitre-attack S0438
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use