S1013: ZxxZ
Analyst context for executives and security teams
ZxxZ matters because it represents a Windows trojan associated in ATT&CK with BITTER and a workflow that can start with a spearphishing attachment, collect local and system information, establish recurring execution through scheduled tasks, and hide artifacts through encoding or masquerading. For leaders, the practical question is not whether the name is blocked, but whether Windows endpoints, email controls, and SOC processes can connect the chain from malicious attachment to persistence, discovery, and possible tool transfer.
Executive priority
Prioritize this as a validation case for endpoint and email resilience rather than a standalone malware-name concern. The ATT&CK relationships point to risks that affect incident scoping and continuity: user-driven file execution, Windows registry and system discovery, scheduled-task persistence, security-tool discovery, and transfer of additional files. Executives should ask whether the organization can prove coverage across email attachment handling, Windows endpoint telemetry, scheduled task monitoring, and incident response triage for targeted phishing scenarios, especially in government, energy, or engineering-like environments referenced in the related BITTER context.
Technical view
The official object has no ATT&CK detection guidance, so defenders should build coverage from the related behaviors. On Windows, validate visibility for malicious file execution, registry queries, user/process/system/security software discovery, encoded or decoded file artifacts, scheduled task creation or modification, task/service masquerading, native API-driven execution indicators where available, and inbound transfer of tools or files. Detection engineering should correlate these behaviors rather than rely on a ZxxZ signature alone, because several individual actions can be legitimate administrative or software activity.
Likely telemetry
- Email security logs and attachment metadata for spearphishing attachment handling
- Windows endpoint process creation and command-line telemetry
- Windows Registry access/query telemetry where collected
- Scheduled task creation, modification, and execution events
- File creation, write, rename, decode/deobfuscation, and encoded-file indicators
Detection direction
- Correlate email attachment delivery or opening with new process execution on Windows endpoints.
- Alert or hunt for suspicious scheduled task creation or task names that imitate legitimate services or administrative tasks.
- Baseline common registry, user, process, system, and security-software discovery activity to reduce false positives from administrators and management tools.
- Look for encoded or encrypted files followed by local decoding/deobfuscation and execution, especially when tied to recent attachment execution.
- Review external file-transfer events occurring after initial endpoint execution, as related ATT&CK behavior includes ingress tool transfer.
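The first two detection directions above can be expressed as a small correlation rule. The script below is an added example, not code from the page, Glexia, or MITRE; it runs over constructed process-creation and scheduled-task-creation records, pairs tasks created on the same host shortly after an Office- or mail-client-spawned process, and flags task names placed under the Microsoft task folder that are absent from an assumed organizational baseline.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real ZxxZ data): process-creation and
# scheduled-task-creation records as a SIEM might hold them.
EVENTS = [
    {"ts": "2022-05-11T09:00:05", "type": "process", "host": "WS01",
     "user": "alice", "parent": "WINWORD.EXE", "image": "cmd.exe", "pid": 4120},
    {"ts": "2022-05-11T09:00:20", "type": "task_created", "host": "WS01",
     "user": "alice", "task": "\\Microsoft\\Windows\\UpdateCheck\\Update Check",
     "creator_pid": 4120},
    {"ts": "2022-05-11T10:30:00", "type": "task_created", "host": "WS02",
     "user": "SYSTEM", "task": "\\Microsoft\\Windows\\Backup\\NightlyBackup",
     "creator_pid": 880},
    {"ts": "2022-05-11T11:00:00", "type": "process", "host": "WS03",
     "user": "bob", "parent": "explorer.exe", "image": "notepad.exe", "pid": 2200},
]

# Parents that indicate a user opened a document or mail attachment (assumed list).
ATTACHMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Assumed organizational baseline of legitimate tasks under the Microsoft folder.
KNOWN_TASKS = {"\\Microsoft\\Windows\\Backup\\NightlyBackup"}
WINDOW = timedelta(minutes=15)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def looks_like_masquerade(task_name, known=KNOWN_TASKS):
    """A task placed under the Microsoft folder that is not in the baseline."""
    return task_name.startswith("\\Microsoft\\Windows\\") and task_name not in known


def find_persistence_chains(events, window=WINDOW):
    """Pair attachment-spawned processes with scheduled tasks created on the same
    host within `window` afterwards; return one record per matched chain."""
    spawned = [e for e in events
               if e["type"] == "process" and e["parent"].lower() in ATTACHMENT_PARENTS]
    chains = []
    for task in (e for e in events if e["type"] == "task_created"):
        for proc in spawned:
            delta = _ts(task) - _ts(proc)
            if proc["host"] == task["host"] and timedelta(0) <= delta <= window:
                chains.append({
                    "host": task["host"], "user": task["user"],
                    "parent": proc["parent"], "image": proc["image"],
                    "task": task["task"],
                    "same_creator": task.get("creator_pid") == proc["pid"],
                    "masquerade": looks_like_masquerade(task["task"]),
                })
    return chains
```

In production the baseline set and the attachment-parent list come from your own environment; the time window and folder prefix are tuning knobs, not fixed values.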
Mitigation priorities
- Strengthen phishing attachment controls and user-facing safeguards for the risky file types implied by the spearphishing-attachment and malicious-file ATT&CK relationships.
- Ensure Windows endpoint monitoring captures process, registry, file, and scheduled task activity needed for investigation.
- Restrict and monitor scheduled task creation, especially by non-administrative users or unexpected processes.
- Maintain endpoint protection and logging resilience, recognizing that related behavior includes discovery of security software.
- Prepare IR playbooks to scope from the initial user and host outward to persistence mechanisms, local data access, and transferred tools.
Analyst notes and limits
ATT&CK identifies ZxxZ as a Visual C++ Windows trojan used by BITTER since at least August 2021, with reporting including Bangladeshi government personnel. The relationship set gives useful defensive anchors even though the malware object itself has no listed tactics and no official detection text. Local validation should focus on whether telemetry can reconstruct the related ATT&CK behaviors in sequence.
This take is limited to the supplied ATT&CK fields, external references, and relationships. It does not establish current activity, customer exposure, specific indicators, malware internals beyond the official description, or guaranteed detection logic. Several related techniques list broader platforms, but the supplied ZxxZ platform is Windows, so Windows coverage should be the primary validation focus.
ZxxZ
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1204.002 | Malicious File Sub-technique | |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | |
| Enterprise | T1033 | System Owner/User Discovery | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
Groups, software, and campaigns
G1002: BITTER
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 5ff73d303212… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Raghuprasad, C. (2022, May 11). Bitter APT adds Bangladesh to their targets. Cisco Talos. Retrieved June 1, 2022.
- [2] MITRE ATT&CK. S1013: ZxxZ (mitre-attack source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.