S0439: Okrum

Okrum is a Windows backdoor documented by ATT&CK with strong links to Ke3chang. Its decision value is not just the malware name; the mapped behaviors show a backdoor that can support credential access, discovery, persistence through scheduled tasks, command execution, covert command-and-control, tool transfer, and exfiltration over its C2 channel. For leaders, this makes Okrum relevant to questions about how quickly the organization can detect and contain a compromised Windows endpoint before credentials, internal topology, and data access are used for follow-on activity.

Executive priority

Prioritize validation of Windows endpoint visibility, credential-theft defenses, and network monitoring for disguised web/C2 traffic. The relationship to Ke3chang is relevant for threat intelligence and risk briefings, especially for organizations in sectors or regions named in ATT&CK’s Ke3chang description, but local exposure should be confirmed with internal intelligence and telemetry. This object is also useful for audit and resilience discussions: can the organization prove it monitors scheduled tasks, LSASS access, command shell execution, suspicious discovery, file deletion, and outbound web traffic that may carry encoded or obfuscated data?

Technical view

ATT&CK does not provide an official detection section for Okrum, so SOC and detection engineering should pivot from the malware-to-technique relationships. Validate Windows coverage for scheduled task creation or modification, cmd.exe execution, LSASS memory access, cached credential access attempts, token impersonation indicators, keylogging-related behavior, file and directory discovery, user and system discovery, network configuration and connection discovery, file deletion, tool ingress, and outbound C2 over web protocols. Network detections should account for protocol/service impersonation, standard encoding, data obfuscation, external proxy use, steganography-related content handling, and exfiltration over the same C2 channel.

Likely telemetry

Windows endpoint process creation and command-line telemetry
Windows scheduled task creation, modification, and execution logs
Security events and EDR signals for LSASS access, token impersonation, cached credential access, and keylogging-like behavior
File creation, deletion, rename, and directory enumeration telemetry
User, host, system time, network configuration, and network connection discovery evidence

Detection direction

Build behavior-based detections around the related ATT&CK techniques rather than relying on an Okrum-specific signature, because no official ATT&CK detection text is provided.
Tune Windows scheduled task detections to distinguish administrative automation from unusual task names, locations, or execution chains consistent with masquerading.
Correlate command shell execution with discovery commands, credential access signals, file deletion, and outbound network activity to reduce false positives from routine administration.
Review outbound web traffic analytics for unusual destinations, encoded payload patterns, protocol or service impersonation, proxy chaining, and possible C2/exfiltration over established channels.
Validate that EDR or equivalent telemetry can observe sensitive access to LSASS and token impersonation attempts; absence of this telemetry is a material blind spot for this behavior set.

Mitigation priorities

Harden Windows endpoints first: restrict unnecessary administrative privileges, protect credential material, and monitor or limit access to LSASS where operationally feasible.
Control persistence paths by governing scheduled task creation and regularly reviewing task names, descriptions, authors, and execution targets for masquerading.
Improve egress control and monitoring for web protocols, external proxy use, and outbound connections that can carry C2 or exfiltrated data.
Strengthen least privilege and identity monitoring so credential theft or token abuse does not automatically become broad lateral access.
Ensure incident response playbooks collect endpoint, credential, scheduled task, and network artifacts quickly enough to assess discovery, exfiltration, and cleanup behavior.

Analyst notes and limits

This take is based on ATT&CK S0439, its official description, the ESET external reference, and supplied relationships showing Okrum uses multiple ATT&CK techniques. The malware object itself has no ATT&CK tactics listed and no official detection guidance, so the practical guidance is relationship-driven and should be validated against local Windows architecture, logging maturity, and business risk.

No active exploitation, current campaign activity, customer exposure, or guaranteed detection coverage is stated in the supplied fields. ATT&CK provides only a high-level Okrum description and relationship mappings here; local telemetry, malware analysis, and incident evidence are required for confident detection, scoping, and attribution.

Official MITRE ATT&CK definition

Okrum

Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 34 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1003.005	Cached Domain Credentials Sub-technique	Okrum was seen using modified Quarks PwDump to perform credential dumping.[1]
Enterprise	T1547.009	Shortcut Modification Sub-technique	Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder.[1]
Enterprise	T1560.001	Archive via Utility Sub-technique	Okrum was seen using a RAR archiver tool to compress/decompress data.[1]
Enterprise	T1497.001	System Checks Sub-technique	Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total.[1]
Enterprise	T1497.002	User Activity Based Checks Sub-technique	Okrum loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments.[1]
Enterprise	T1105	Ingress Tool Transfer	Okrum has built-in commands for uploading, downloading, and executing files to the system.[1]
Enterprise	T1059.003	Windows Command Shell Sub-technique	Okrum's backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.[1]
Enterprise	T1497.003	Time Based Checks Sub-technique	Okrum's loader can detect presence of an emulator by using two calls to GetTickCount API, and checking whether the time has been accelerated.[1]
Enterprise	T1543.003	Windows Service Sub-technique	To establish persistence, Okrum can install itself as a new service named NtmSsvc.[1]
Enterprise	T1016	System Network Configuration Discovery	Okrum can collect network information, including the host IP address, DNS, and proxy information.[1]
Enterprise	T1071.001	Web Protocols Sub-technique	Okrum uses HTTP for communication with its C2.[1]
Enterprise	T1001	Data Obfuscation	Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.[1]
Enterprise	T1053.005	Scheduled Task Sub-technique	Okrum's installer can attempt to achieve persistence by creating a scheduled task.[1]
Enterprise	T1027.003	Steganography Sub-technique	Okrum's payload is encrypted and embedded within its loader, or within a legitimate PNG file.[1]
Enterprise	T1036.004	Masquerade Task or Service Sub-technique	Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.[1]
Enterprise	T1033	System Owner/User Discovery	Okrum can collect the victim username.[1]
Enterprise	T1082	System Information Discovery	Okrum can collect computer name, locale information, and information about the OS and architecture.[1]
Enterprise	T1041	Exfiltration Over C2 Channel	Data exfiltration is done by Okrum using the already opened channel with the C2 server.[1]
Enterprise	T1132.001	Standard Encoding Sub-technique	Okrum has used base64 to encode C2 communication.[1]
Enterprise	T1569.002	Service Execution Sub-technique	Okrum's loader can create a new service named NtmsSvc to execute the payload.[1]
Enterprise	T1134.001	Token Impersonation/Theft Sub-technique	Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.[1]
Enterprise	T1083	File and Directory Discovery	Okrum has used DriveLetterView to enumerate drive information.[1]
Enterprise	T1564.001	Hidden Files and Directories Sub-technique	Before exfiltration, Okrum's backdoor has used hidden files to store logs and outputs from backdoor commands.[1]
Enterprise	T1090.002	External Proxy Sub-technique	Okrum can identify proxy servers configured and used by the victim, and use it to make HTTP requests to C2 its server.[1]
Enterprise	T1573.001	Symmetric Cryptography Sub-technique	Okrum uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase. [1]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Okrum's loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.[1]
Enterprise	T1070.004	File Deletion Sub-technique	Okrum's backdoor deletes files after they have been successfully uploaded to C2 servers.[1]
Enterprise	T1547.001	Registry Run Keys / Startup Folder Sub-technique	Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.[1]
Enterprise	T1049	System Network Connections Discovery	Okrum was seen using NetSess to discover NetBIOS sessions.[1]
Enterprise	T1560.003	Archive via Custom Method Sub-technique	Okrum has used a custom implementation of AES encryption to encrypt collected data.[1]
Enterprise	T1056.001	Keylogging Sub-technique	Okrum was seen using a keylogger tool to capture keystrokes. [1]
Enterprise	T1124	System Time Discovery	Okrum can obtain the date and time of the compromised system.[1]
Enterprise	T1003.001	LSASS Memory Sub-technique	Okrum was seen using MimikatzLite to perform credential dumping.[1]
Enterprise	T1001.003	Protocol or Service Impersonation Sub-technique	Okrum leverages the HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.[1]

Associated objects

Groups, software, and campaigns

G0004: Ke3chang

Ke3chang is a threat group attributed to actors operating out of China. Ke3chang has targeted oil, government, diplomatic, military, and NGOs in Central and South America, the Caribbean, Europe, and North America since at least 2010.[1][2][3][4]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: May 6, 2020, 21:12 UTC (UTC+00:00)
Modified: Apr 25, 2025, 14:43 UTC (UTC+00:00)
Raw hash: c0f051c7ee8422c4...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.0	Apr 25, 2025, 14:43 UTC (UTC+00:00)	Current bundle	`c0f051c7ee84…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
ESET Okrum July 2019

Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020.
Open source URL
[2]
mitre-attack S0439
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams