

CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.[1]

| Item | Value |
|---|---|
| ID | S0555 |
| Associated Names | |
| Version | 1.0 |
| Created | 31 December 2020 |
| Last Modified | 25 March 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1605 | Command-Line Interface | CHEMISTGAMES can run bash commands.[1] |
| mobile | T1533 | Data from Local System | CHEMISTGAMES can collect files from the filesystem and account information from Google Chrome.[1] |
| mobile | T1475 | Deliver Malicious App via Authorized App Store | CHEMISTGAMES has been distributed via the Google Play Store.[1] |
| mobile | T1407 | Download New Code at Runtime | CHEMISTGAMES can download new modules while running.[1] |
| mobile | T1430 | Location Tracking | CHEMISTGAMES has collected the device’s location.[1] |
| mobile | T1444 | Masquerade as Legitimate Application | CHEMISTGAMES has masqueraded as popular South Korean applications.[1] |
| mobile | T1575 | Native Code | CHEMISTGAMES has utilized native code to decrypt its malicious payload.[1] |
| mobile | T1406 | Obfuscated Files or Information | CHEMISTGAMES has encrypted its DEX payload.[1] |
| mobile | T1437 | Standard Application Layer Protocol | CHEMISTGAMES has used HTTPS for C2 communication.[1] |
| mobile | T1521 | Standard Cryptographic Protocol | CHEMISTGAMES has used HTTPS for C2 communication.[1] |
| mobile | T1474 | Supply Chain Compromise | CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.[1] |
| mobile | T1426 | System Information Discovery | CHEMISTGAMES has fingerprinted devices to uniquely identify them.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0034 | Sandworm Team | [1] |

