Snake

"IRON HUNTER tactics include strategic web compromises..."

"IRON HUNTER tactics include... fake software update files..."

"IRON HUNTER tactics include... themed spearphishing lures..."

During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.

The following analytic detects the creation of a new service named WerFaultSvc with a binary path in the Windows WinSxS directory... This behavior is significant because it indicates the presence of Snake malware, which uses this service to maintain persistence by blending in with legitimate Windows services.

Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry. | The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”

Annotations ID Technique Tactic T1547.006 Kernel Modules and Extensions Persistence

“Sandworm Team used an arbitrary system service to load at system boot for persistence for Industroyer… replaced the ImagePath registry value of a Windows service with a new backdoor binary… [multiple groups/malware] creating a service / installing as a service / modifying service configurations for persistence.”

Annotations ID Technique Tactic T1547.006 Kernel Modules and Extensions Persistence

2014-03-12 ⋅ Blog (Artem Baranov) ⋅ Uroburos: the snake rootkit

The content repeatedly describes payloads, strings, configuration files, scripts, URLs, and binaries being obfuscated or encoded using Base64, XOR, RC4, AES, RSA, hex encoding, custom algorithms, and other methods across many malware families and threat actors.

"Sandworm Team used UPX to pack a copy of Mimikatz"; "APT38 has used several code packing methods such as Themida, Enigma, VMProtect, and Obsidium"; "Lazarus Group packed malicious .db files with Themida to evade detection."

Description Generated datasets for Windows Possible Turla Snake Malware Installer in attack range. MITRE ATT&CK Techniques Environment Details Datasets The following datasets were collected during this attack simulation: Snapattack Path: /datasets/attack_techniques/T1027.009/snapattack/snaattack.log

Examples throughout the content include 'encrypted payloads decrypted and executed in memory,' 'encrypts its configuration file,' 'AES-encrypted resource,' 'RC4 encrypted embedded scripts,' and 'payload includes an encrypted main component.'

"...sending the malware a command to delete itself"

The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.

The content repeatedly describes malware and threat actors decoding, decrypting, or deobfuscating payloads, strings, configuration data, commands, and C2 traffic prior to execution or use, e.g., 'APT28 macro uses the command certutil -decode to decode contents of a .txt file storing the base64 encoded payload' and 'Action RAT can use Base64 to decode actor-controlled C2 server communications.'

Many malware families store configuration, payloads, encryption keys, C2 addresses, or other operational data in Registry keys, such as QakBot storing configuration in a randomly named subkey under HKCU\Software\Microsoft and PolyglotDuke writing encrypted JSON configuration files to the Registry. | The content repeatedly describes threat actors and malware modifying, creating, deleting, or storing data in Windows Registry keys and values for persistence, configuration storage, defense evasion, credential access, privilege escalation, and execution.

"Those tools include password stealers"

The content repeatedly describes malware and threat actors querying, enumerating, searching, reading, or checking Windows Registry keys and values, e.g., "ADVSTORESHELL can enumerate registry keys," "APT41 queried registry values to determine items such as configured RDP ports and network configurations," and "Reg may be used to gather details from the Windows Registry of a local or remote system at the command-line interface."

The content repeatedly describes malware and threat actors obtaining lists of running processes, using utilities such as tasklist, ps, WMI, Get-Process, CreateToolhelp32Snapshot, EnumProcesses, and similar APIs/commands to enumerate active processes on victim systems.

The content repeatedly describes malware and threat actors collecting host details such as OS version, hostname, architecture, CPU, memory, BIOS, domain, language, and other configuration data; e.g., "APT41 uses multiple built-in commands such as systeminfo and net config Workstation to enumerate victim system basic configuration information."

"...has a command to retrieve metadata for files on disk as well as a command to list the current working directory." / "...can list files and directories." / "...used the following commands... to obtain information about files and directories: dir c:\ >> %temp%\download ..."

"and document stealers"

"By infiltrating Turla's network of hacked machines and sending the malware a command to delete itself"

The content repeatedly describes threat actors, malware, and campaigns using HTTP and/or HTTPS for command and control, including examples such as BlackEnergy communicating with C2 over HTTP POST requests and many other families using HTTP/S for C2.

During the 2025 Poland Wiper Attacks, the adversaries utilized Tor nodes for C2. APT28 has routed traffic over Tor and VPN servers to obfuscate their activities. A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP), 139 (Netbios), and 445 (SMB) enabling full remote access from outside the network.

"Anchor has used ICMP in C2 communications." / "COATHANGER uses ICMP for transmitting configuration information..." / "PHOREAL communicates via ICMP for C2." / "Regin ... can use ICMP to communicate between infected computers." / "Cobalt Strike can be configured to use TCP, ICMP, and UDP for C2 communications."

"The operators can download specialized tools onto an infected system, adding any functionality they want by including it in the encrypted file system"

Multiple malware families and intrusion sets are described as encrypting C2 traffic using SSL/TLS/HTTPS (e.g., "used HTTPS for command and control", "encrypts C2 communications with TLS", "uses SSL for encrypting C2 communications", "TLS-encrypted WebSocket Protocol (WSS) for C2").

Many entries state malware or actors can upload, transfer, send, or exfiltrate files from compromised hosts to command-and-control servers or attacker infrastructure.