S0340 Octopus

Octopus is a Windows Trojan written in the Delphi programming language that has been used by Nomadic Octopus to target government organizations in Central Asia since at least 2014.[2][3][1]

Item | Value
ID | S0340
Associated Names | -
Version | 2.0
Created | 30 January 2019
Last Modified | 06 April 2022

Techniques Used

Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | -
enterprise | T1071.001 | Web Protocols | Octopus has used HTTP GET and POST requests for C2 communications.[2][1]
enterprise | T1560 | Archive Collected Data | -
enterprise | T1560.001 | Archive via Utility | Octopus has compressed data before exfiltrating it using a tool called Abbrevia.[1]
enterprise | T1547 | Boot or Logon Autostart Execution | -
enterprise | T1547.001 | Registry Run Keys / Startup Folder | Octopus achieved persistence by placing a malicious executable in the startup directory and has added the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to the Registry.[2]
enterprise | T1132 | Data Encoding | -
enterprise | T1132.001 | Standard Encoding | Octopus has encoded C2 communications in Base64.[2]
enterprise | T1005 | Data from Local System | Octopus can exfiltrate files from the system using a documents collector tool.[1]
enterprise | T1074 | Data Staged | -
enterprise | T1074.001 | Local Data Staging | Octopus has stored collected information in the Application Data directory on a compromised host.[2][1]
enterprise | T1041 | Exfiltration Over C2 Channel | Octopus has uploaded stolen files and data from a victim’s machine over its C2 channel.[2]
enterprise | T1567 | Exfiltration Over Web Service | -
enterprise | T1567.002 | Exfiltration to Cloud Storage | Octopus has exfiltrated data to file sharing sites.[1]
enterprise | T1083 | File and Directory Discovery | Octopus can collect information on the Windows directory and search for compressed RAR files on the host.[2][3][1]
enterprise | T1105 | Ingress Tool Transfer | Octopus can download additional files and tools onto the victim’s machine.[2][3][1]
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | Octopus has been disguised as legitimate programs, such as Java and Telegram Messenger.[2][1]
enterprise | T1566 | Phishing | -
enterprise | T1566.001 | Spearphishing Attachment | Octopus has been delivered via spearphishing emails.[1]
enterprise | T1113 | Screen Capture | Octopus can capture screenshots of the victim’s machine.[2][3][1]
enterprise | T1082 | System Information Discovery | Octopus can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information.[2]
enterprise | T1016 | System Network Configuration Discovery | Octopus can collect the host IP address from the victim’s machine.[2]
enterprise | T1033 | System Owner/User Discovery | Octopus can collect the username from the victim’s machine.[2]
enterprise | T1204 | User Execution | -
enterprise | T1204.002 | Malicious File | Octopus has relied upon users clicking on a malicious attachment delivered through spearphishing.[1]
enterprise | T1047 | Windows Management Instrumentation | Octopus has used wmic.exe to gather local discovery information.[2]

Groups That Use This Software

ID | Name | References
G0133 | Nomadic Octopus | [3][2][1]