S0532: Lucifer

Lucifer matters because ATT&CK describes it as Windows malware combining cryptomining with DDoS capability and lateral spread through well-known exploits. For leaders, the practical risk is not just malware cleanup: it can consume compute, degrade services, move across Windows environments, and create incident-response pressure where vulnerability management, endpoint visibility, SMB/WMI controls, and log retention are weak.

Executive priority

Prioritize Lucifer-style behavior as a resilience and control-validation issue for Windows environments. Ask whether critical Windows systems are patched against known remote-service vulnerabilities, whether lateral movement over SMB and WMI is monitored, whether abnormal compute/network consumption would trigger response, and whether Windows event logs are protected from clearing. This object has no official ATT&CK detection guidance, so confidence should come from local telemetry validation, not from assuming named-malware coverage.

Technical view

SOC and IR teams should validate coverage across the related ATT&CK behaviors: discovery of registry, users, processes, system/network configuration, services, and connections; execution via Windows command shell and WMI; persistence through Scheduled Tasks and Registry Run Keys/Startup Folder; lateral movement and transfer via SMB/Windows Admin Shares, exploitation of remote services, and lateral tool transfer; command-and-control using application-layer protocols and symmetric cryptography; defense impairment through Windows event log clearing; and impact patterns consistent with compute hijacking and network DoS. Because the malware object is Windows-scoped and detection text is not provided, detections should be behavior-led and correlated rather than dependent on a single signature.

Likely telemetry

Windows process creation and command-line telemetry, especially cmd.exe, schtasks, reg, WMI-related execution, discovery commands, and file transfer utilities
Windows Registry auditing for Run Keys, startup persistence, and registry queries where available
Scheduled Task creation, modification, and execution events
WMI activity, including local and remote execution indicators
SMB and Windows Admin Share access logs, file copy events, and authentication records

Detection direction

Build detections around sequences: discovery commands followed by tool transfer, SMB/WMI execution, persistence creation, and abnormal compute or network usage.
Tune for administrative false positives by baselining legitimate WMI, scheduled task, registry, SMB admin share, and service-discovery activity by host role and admin identity.
Correlate password guessing and failed authentication patterns with subsequent SMB or remote-service access attempts where telemetry exists.
Validate that event-log clearing is detected quickly and that downstream logging preserves evidence when endpoint logs are deleted.
Account for software packing and deobfuscation by combining static file signals with runtime behavior, child processes, network activity, and persistence artifacts.

Mitigation priorities

Maintain a vulnerability-management priority lane for high-risk Windows remote services and externally or broadly reachable internal services.
Restrict and monitor SMB/Windows Admin Shares and WMI remote execution to approved administrative paths and identities.
Harden credential controls against password guessing, including account policy, monitoring, and response workflows appropriate to the environment.
Limit unnecessary lateral movement paths through segmentation and least-privilege administration.
Control persistence opportunities by monitoring and governing Scheduled Tasks, Registry Run Keys, and startup locations.

Analyst notes and limits

The strongest decision value from this ATT&CK object is the combination of Windows malware, exploitation-enabled spread, discovery-heavy behavior, persistence, lateral movement, command-and-control, compute hijacking, and network DoS-related impact. This supports a control validation exercise across endpoint, identity, network, vulnerability management, and incident response rather than a narrow malware-family lookup.

The supplied ATT&CK object does not provide official detection guidance, aliases, labels, or malware-level tactics. Several related techniques list broader platforms, but the Lucifer malware object itself is scoped to Windows; do not infer Lucifer coverage on other platforms from those relationships alone. Local environment evidence is required to determine exposure, detection coverage, and prioritization.

Official MITRE ATT&CK definition

Lucifer

Lucifer is a crypto miner and DDoS hybrid malware that leverages well-known exploits to spread laterally on Windows platforms.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 24 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1496.001	Compute Hijacking Sub-technique	Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.[1]
Enterprise	T1016	System Network Configuration Discovery	Lucifer can collect the IP address of a compromised host.[1]
Enterprise	T1049	System Network Connections Discovery	Lucifer can identify the IP and port numbers for all remote connections from the compromised host.[1]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Lucifer can decrypt its C2 address upon execution.[1]
Enterprise	T1057	Process Discovery	Lucifer can identify the process that owns remote connections.[1]
Enterprise	T1547.001	Registry Run Keys / Startup Folder Sub-technique	Lucifer can persist by setting Registry key values `HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic` and `HKCU\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic`.[1]
Enterprise	T1105	Ingress Tool Transfer	Lucifer can download and execute a replica of itself using certutil.[1]
Enterprise	T1573.001	Symmetric Cryptography Sub-technique	Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.[1]
Enterprise	T1033	System Owner/User Discovery	Lucifer has the ability to identify the username on a compromised host.[1]
Enterprise	T1570	Lateral Tool Transfer	Lucifer can use certutil for propagation on Windows hosts within intranets.[1]
Enterprise	T1497.001	System Checks Sub-technique	Lucifer can check for specific usernames, computer names, device drivers, DLL's, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected.[1]
Enterprise	T1027.002	Software Packing Sub-technique	Lucifer has used UPX packed binaries.[1]
Enterprise	T1053.005	Scheduled Task Sub-technique	Lucifer has established persistence by creating the following scheduled task `schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\%USERPROFILE%\Downloads\spread.exe /F`.[1]
Enterprise	T1082	System Information Discovery	Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host.[1]
Enterprise	T1110.001	Password Guessing Sub-technique	Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords.[1]
Enterprise	T1498	Network Denial of Service	Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks.[1]
Enterprise	T1059.003	Windows Command Shell Sub-technique	Lucifer can issue shell commands to download and execute additional payloads.[1]
Enterprise	T1071	Application Layer Protocol	Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.[1]
Enterprise	T1210	Exploitation of Remote Services	Lucifer can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144).[1]
Enterprise	T1685.005	Clear Windows Event Logs Sub-technique	Lucifer can clear and remove event logs.[1]
Enterprise	T1046	Network Service Discovery	Lucifer can scan for open ports including TCP ports 135 and 1433.[1]
Enterprise	T1021.002	SMB/Windows Admin Shares Sub-technique	Lucifer can infect victims by brute forcing SMB.[1]
Enterprise	T1012	Query Registry	Lucifer can check for existing stratum cryptomining information in `HKLM\Software\Microsoft\Windows\CurrentVersion\spreadCpuXmr – %stratum info%`.[1]
Enterprise	T1047	Windows Management Instrumentation	Lucifer can use WMI to log into remote machines for propagation.[1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Created: Nov 16, 2020, 18:40 UTC (UTC+00:00)
Modified: Apr 25, 2025, 14:43 UTC (UTC+00:00)
Raw hash: 13c892239ec165cf...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.1	Apr 25, 2025, 14:43 UTC (UTC+00:00)	Current bundle	`13c892239ec1…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Unit 42 Lucifer June 2020

Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
Open source URL
[2]
mitre-attack S0532
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams