Skip to content


CHEMISTGAMES is a modular backdoor that has been deployed by Sandworm Team.1

Item Value
ID S0555
Associated Names
Version 1.0
Created 31 December 2020
Last Modified 25 March 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
mobile T1437 Application Layer Protocol -
mobile T1437.001 Web Protocols CHEMISTGAMES has used HTTPS for C2 communication.1
mobile T1623 Command and Scripting Interpreter -
mobile T1623.001 Unix Shell CHEMISTGAMES can run bash commands.1
mobile T1533 Data from Local System CHEMISTGAMES can collect files from the filesystem and account information from Google Chrome.1
mobile T1407 Download New Code at Runtime CHEMISTGAMES can download new modules while running.1
mobile T1521 Encrypted Channel -
mobile T1521.002 Asymmetric Cryptography CHEMISTGAMES has used HTTPS for C2 communication.1
mobile T1430 Location Tracking CHEMISTGAMES has collected the device’s location.1
mobile T1575 Native API CHEMISTGAMES has utilized native code to decrypt its malicious payload.1
mobile T1406 Obfuscated Files or Information CHEMISTGAMES has encrypted its DEX payload.1
mobile T1474 Supply Chain Compromise -
mobile T1474.003 Compromise Software Supply Chain CHEMISTGAMES has been distributed as updates to legitimate applications. This was accomplished by compromising legitimate app developers, and subsequently gaining access to their Google Play Store developer account.1
mobile T1426 System Information Discovery CHEMISTGAMES has fingerprinted devices to uniquely identify them.1

Groups That Use This Software

ID Name References
G0034 Sandworm Team 1