Skip to content


HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.1

Item Value
ID S0376
Associated Names
Version 1.2
Created 19 April 2019
Last Modified 28 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell HOPLIGHT can launch cmd.exe to execute commands on the system.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding HOPLIGHT has utilized Zlib compression to obfuscate the communications payload. 1
enterprise T1652 Device Driver Discovery HOPLIGHT can enumerate device drivers located in the registry at HKLM\Software\WBEM\WDM.1
enterprise T1041 Exfiltration Over C2 Channel HOPLIGHT has used its C2 channel to exfiltrate data.1
enterprise T1008 Fallback Channels HOPLIGHT has multiple C2 channels in place in case one fails.1
enterprise T1083 File and Directory Discovery HOPLIGHT has been observed enumerating system drives and partitions.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall HOPLIGHT has modified the firewall using netsh.1
enterprise T1105 Ingress Tool Transfer HOPLIGHT has the ability to connect to a remote host in order to upload and download files.1
enterprise T1112 Modify Registry HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.1
enterprise T1571 Non-Standard Port HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager HOPLIGHT has the capability to harvest credentials and passwords from the SAM database.1
enterprise T1055 Process Injection HOPLIGHT has injected into running processes.1
enterprise T1090 Proxy HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators.1
enterprise T1012 Query Registry A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value ‘rdpproto’ under the key SYSTEM\CurrentControlSet\Control\Lsa Name.1
enterprise T1082 System Information Discovery HOPLIGHT has been observed collecting victim machine information like OS version, volume information, and more.1
enterprise T1569 System Services -
enterprise T1569.002 Service Execution HOPLIGHT has used svchost.exe to execute a malicious DLL .1
enterprise T1124 System Time Discovery HOPLIGHT has been observed collecting system time from victim machines.1
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash HOPLIGHT has been observed loading several APIs associated with Pass the Hash.1
enterprise T1047 Windows Management Instrumentation HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.1

Groups That Use This Software

ID Name References
G0082 APT38 2
G0032 Lazarus Group 1