S0632: GrimAgent
GrimAgent is a backdoor that has been used before the deployment of Ryuk ransomware since at least 2020; it is likely used by FIN6 and Wizard Spider.[1]
Analyst context for executives and security teams
GrimAgent matters because ATT&CK describes it as a Windows backdoor observed before Ryuk ransomware deployment. For leaders, the key decision value is not the malware name itself, but whether the organization can recognize backdoor behavior that enables discovery, persistence, command-and-control, tool transfer, data collection, and exfiltration before a ransomware event becomes operationally disruptive.
Executive priority
Treat GrimAgent as a ransomware-predecessor readiness use case. Security leaders should ask whether Windows endpoint, network, and proxy telemetry can show: new persistence through scheduled tasks or Run keys, suspicious command shell activity, host and file discovery, unusual web-based C2, inbound tool transfer, and data leaving over the same channel. This is useful for incident response preparedness, managed detection validation, control prioritization, and audit evidence that the organization can detect and investigate pre-ransomware intrusion activity rather than only final-stage encryption.
Technical view
ATT&CK provides no dedicated detection text for GrimAgent, so defenders should validate coverage through the related behaviors. On Windows, prioritize detections for Scheduled Task creation or modification, Registry Run key and Startup Folder persistence, suspicious cmd.exe execution, file and directory enumeration, system/user/network discovery, local data collection, file deletion, persistence cleanup, ingress tool transfer, and web-protocol C2 using encoding, junk data, or symmetric cryptography. Because the object is associated with obfuscation, binary padding, decoding/deobfuscation, mutex checks, and time-based checks, static hash-only detection and sandbox-only analysis are likely weak control points.
Likely telemetry
- Windows process creation and command-line logging
- Windows Scheduled Task creation, modification, and execution events
- Windows Registry monitoring for Run keys and Startup Folder persistence paths
- Endpoint file creation, deletion, rename, and directory enumeration activity
- EDR or host telemetry for mutex creation, API usage, and suspicious process behavior
Detection direction
- Map existing detections to the related ATT&CK techniques rather than relying on a GrimAgent signature alone.
- Correlate persistence events with nearby command shell execution, discovery commands, tool transfer, outbound web traffic, and file cleanup activity.
- Tune web C2 analytics for suspicious encoded content, junk data patterns, unusual destinations, and data exfiltration over the same channel, while accounting for normal enterprise web traffic volume.
- Review whether file size limits, binary padding, encryption, or obfuscation reduce endpoint scanning and malware-analysis effectiveness.
- Validate that cleanup behaviors such as file deletion and removal of persistence artifacts are retained in logs long enough for incident reconstruction.
Mitigation priorities
- Prioritize hardening and monitoring of Windows persistence locations, especially Scheduled Tasks, Registry Run keys, and Startup Folder paths.
- Restrict and monitor command shell usage where business processes allow, with emphasis on unusual parent-child process chains.
- Improve outbound network control and logging for web protocols, including proxy visibility and egress review for unmanaged destinations.
- Ensure endpoint controls can inspect or detonate large, padded, obfuscated, or encoded binaries where feasible.
- Maintain incident response playbooks for pre-ransomware backdoor activity, including host isolation, credential review, persistence removal, and evidence preservation.
Analyst notes and limits
The strongest business relevance is the ATT&CK description that GrimAgent has been used before Ryuk ransomware deployment and is likely used by FIN6 and Wizard Spider. The most actionable defensive content comes from the related techniques: Windows persistence, execution, discovery, C2, tool transfer, local collection, exfiltration, obfuscation, and cleanup. Attribution should remain tentative because the supplied description says the backdoor is likely used by those groups, which is neither a definitive nor an exclusive attribution.
MITRE does not provide official detection guidance for this malware object, and the object-level tactics are not specified. The supplied platform is Windows, although several related techniques are cross-platform in ATT&CK. Local telemetry, baselines, malware samples, and incident evidence are required to determine actual exposure or detection coverage.
GrimAgent
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
Groups, software, and campaigns
G0037: FIN6
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 70bd28a09a4e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Priego, A. (2021, July). The Brothers Grim: The Reversing Tale of GrimAgent Malware Used by Ryuk. Group-IB. Retrieved September 19, 2024.
[2] MITRE ATT&CK. S0632: GrimAgent.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.