Naikon
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:14
- Updated at
- 27/03/2026 01:14
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 24 attack patterns (mitre), 12 malware, 2 sectors, 2 countries, 27 indicators, 7 tool
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (24)
-
T1566.001 usesSpearphishing Attachment MITRE
-
T1140 usesDeobfuscate/Decode Files or Information MITRE
-
T1018 usesRemote System Discovery MITRE
-
T1016 usesSystem Network Configuration Discovery MITRE
-
T1574.001 usesDLL MITRE
-
T1112 usesModify Registry MITRE
-
T1047 usesWindows Management Instrumentation MITRE
-
T1036.004 usesMasquerade Task or Service MITRE
-
T1071.001 usesWeb Protocols MITRE
-
T1574.002 uses
-
T1547.001 usesRegistry Run Keys / Startup Folder MITRE
-
T1046 usesNetwork Service Discovery MITRE
Malware (12)
-
HDoor usesFamily The MITRE Corporation Confidence 100
[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Turian - S0647 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RainyDay usesFamily The MITRE Corporation Confidence 100
[RainyDay](https://attack.mitre.org/software/S0629) is a backdoor tool that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Aria-body usesFamily The MITRE Corporation Confidence 100
[Aria-body](https://attack.mitre.org/software/S0456) is a custom backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since approximately 2017.(Citation: CheckPoint Naikon May 2020)
First seen 01/01/1970 · Last seen 16/11/5138 · -
PlugX - S0013 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
WinMM usesFamily The MITRE Corporation Confidence 100
[WinMM](https://attack.mitre.org/software/S0059) is a full-featured, simple backdoor used by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Sys10 usesFamily The MITRE Corporation Confidence 100
[Sys10](https://attack.mitre.org/software/S0060) is a backdoor that was used throughout 2013 by [Naikon](https://attack.mitre.org/groups/G0019). (Citation: Baumgartner Naikon 2015)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Nebulae usesFamily The MITRE Corporation Confidence 100
[Nebulae](https://attack.mitre.org/software/S0630) Is a backdoor that has been used by [Naikon](https://attack.mitre.org/groups/G0019) since at least 2020.(Citation: Bitdefender Naikon April 2021)
First seen 01/01/1970 · Last seen 16/11/5138 · -
RainyDay - S0629 usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
RARSTONE usesFamily The MITRE Corporation Confidence 100
[RARSTONE](https://attack.mitre.org/software/S0055) is malware used by the [Naikon](https://attack.mitre.org/groups/G0019) group that has some characteristics similar to [PlugX](https://attack.mitre.org/software/S0013). (Citation: Aquino RARSTONE)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Thoper usesThe MITRE Corporation Confidence 100
[PlugX](https://attack.mitre.org/software/S0013) is a remote access tool (RAT) with modular plugins that has been used by multiple threat groups.(Citation: Lastline PlugX Analysis)(Citation: FireEye Clandestine Fox Part 2)(Citation: New DragonOK)(Citation:…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SslMM usesFamily The MITRE Corporation Confidence 100
[SslMM](https://attack.mitre.org/software/S0058) is a full-featured backdoor used by [Naikon](https://attack.mitre.org/groups/G0019) that has multiple variants. (Citation: Baumgartner Naikon 2015)
First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (2)
-
Manufacturing targets
-
Telecommunications targets
Countries (2)
-
Kazakhstan targets
-
Uzbekistan targets
Indicators (27)
-
stix 100/100· Valid until 20/09/2026 · Source: AlienVault
-
stix 100/100· Valid until 20/09/2026 · Source: AlienVault
Tool (7)
-
Systeminfo usesThe MITRE Corporation Confidence 100
[Systeminfo](https://attack.mitre.org/software/S0096) is a Windows utility that can be used to gather detailed information about a computer. (Citation: TechNet Systeminfo)
-
Ping usesThe MITRE Corporation Confidence 100
[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
-
ftp usesThe MITRE Corporation Confidence 100
[ftp](https://attack.mitre.org/software/S0095) is a utility commonly available with operating systems to transfer information over the File Transfer Protocol (FTP). Adversaries can use it to transfer other tools onto a…
-
PsExec usesThe MITRE Corporation Confidence 100
[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
Tasklist usesThe MITRE Corporation Confidence 100
The [Tasklist](https://attack.mitre.org/software/S0057) utility displays a list of applications and services with their Process IDs (PID) for all tasks running on either a local or a remote computer. It…
-
netsh usesThe MITRE Corporation Confidence 100
[netsh](https://attack.mitre.org/software/S0108) is a scripting utility used to interact with networking components on local or remote systems. (Citation: TechNet Netsh)