Skip to content


KEYMARBLE is a Trojan that has reportedly been used by the North Korean government. 1

Item Value
ID S0271
Associated Names
Version 1.1
Created 17 October 2018
Last Modified 30 March 2020
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell KEYMARBLE can execute shell commands using cmd.exe.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications.1
enterprise T1083 File and Directory Discovery KEYMARBLE has a command to search for files on the victim’s machine.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion KEYMARBLE has the capability to delete files off the victim’s machine.1
enterprise T1105 Ingress Tool Transfer KEYMARBLE can upload files to the victim’s machine and can download additional payloads.1
enterprise T1112 Modify Registry KEYMARBLE has a command to create Registry entries for storing data under HKEY_CURRENT_USER\SOFTWARE\Microsoft\WABE\DataPath.1
enterprise T1057 Process Discovery KEYMARBLE can obtain a list of running processes on the system.1
enterprise T1113 Screen Capture KEYMARBLE can capture screenshots of the victim’s machine.1
enterprise T1082 System Information Discovery KEYMARBLE has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start.1
enterprise T1016 System Network Configuration Discovery KEYMARBLE gathers the MAC address of the victim’s machine.1

Groups That Use This Software

ID Name References
G0032 Lazarus Group 1