
S1037 STARWHALE

STARWHALE is a Windows Script File (WSF) backdoor that has been used by MuddyWater, possibly since at least November 2021; there is also a STARWHALE variant written in Golang with similar capabilities. Security researchers have also noted the use of STARWHALE by UNC3313, which may be associated with MuddyWater.[2][1]

| Item | Value |
| --- | --- |
| ID | S1037 |
| Associated Names | CANOPY |
| Type | MALWARE |
| Version | 1.0 |
| Created | 18 August 2022 |
| Last Modified | 14 October 2022 |

Associated Software Descriptions

| Name | Description |
| --- | --- |
| CANOPY | [1] |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | STARWHALE has the ability to contact actor-controlled C2 servers via HTTP.[2][1] |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | STARWHALE can establish persistence by installing itself in the startup folder, whereas the Go variant has created a `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM` registry key.[1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | STARWHALE has the ability to execute commands via cmd.exe.[2] |
| enterprise | T1059.005 | Visual Basic | STARWHALE can use the VBScript function GetRef as part of its persistence mechanism.[2] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | STARWHALE has the ability to create the following Windows service to establish persistence on an infected host: `sc create Windowscarpstss binpath= "cmd.exe /c cscript.exe c:\\windows\\system32\\w7_1.wsf humpback_whale" start= "auto" obj= "LocalSystem"`.[2] |
| enterprise | T1132 | Data Encoding | - |
| enterprise | T1132.001 | Standard Encoding | STARWHALE has the ability to hex-encode collected data from an infected host.[1] |
| enterprise | T1005 | Data from Local System | STARWHALE can collect data from an infected local host.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | STARWHALE has stored collected data in a file called stari.txt.[2] |
| enterprise | T1041 | Exfiltration Over C2 Channel | STARWHALE can exfiltrate collected data to its C2 servers.[1] |
| enterprise | T1027 | Obfuscated Files or Information | STARWHALE has been obfuscated with hex-encoded strings.[1] |
| enterprise | T1082 | System Information Discovery | STARWHALE can gather the computer name of an infected host.[2][1] |
| enterprise | T1016 | System Network Configuration Discovery | STARWHALE has the ability to collect the IP address of an infected host.[1] |
| enterprise | T1033 | System Owner/User Discovery | STARWHALE can gather the username from an infected host.[2][1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | STARWHALE has relied on victims opening a malicious Excel file for execution.[1] |
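The persistence and staging rows above (T1547.001, T1543.003, T1074.001) name concrete host artifacts: the `OutlookM` Run value, the `Windowscarpstss` service whose binary path runs a .wsf through `cmd.exe /c cscript.exe`, and the `stari.txt` staging file. The following is an added detection example, not MITRE's or the cited researchers' code: it scans a list of endpoint telemetry records for those artifacts. The event shapes (`RegistryValueSet`, `ServiceInstall`, `FileCreate` with Sysmon-like field names) and all sample events are constructed for the example; the generic ".wsf launched as a service" rule goes one step beyond the fixed service name so that a renamed service with the same launch pattern is still flagged.

```python
import re
from dataclasses import dataclass

# Indicators taken from the STARWHALE (S1037) entry above.
RUN_VALUE_NAME = "OutlookM"        # HKCU\...\CurrentVersion\Run\OutlookM (Go variant)
SERVICE_NAME = "Windowscarpstss"   # sc create Windowscarpstss ...
STAGING_FILE = "stari.txt"         # local data staging file

# Generic heuristic derived from the documented service command: a service
# binary path that launches cscript.exe on a .wsf file through cmd.exe /c.
WSF_SERVICE_RE = re.compile(r"cmd\.exe\s+/c\s+cscript\.exe\s+\S+\.wsf", re.IGNORECASE)


@dataclass
class Finding:
    technique: str   # ATT&CK technique ID the artifact maps to
    reason: str      # human-readable explanation for the analyst
    record: dict     # the event that triggered the finding


def check_registry_run(rec):
    """Registry value-set event (hypothetical Sysmon-like field names)."""
    key = rec.get("TargetObject", "")
    value_name = key.rsplit("\\", 1)[-1]
    if "\\CurrentVersion\\Run\\" in key and value_name.lower() == RUN_VALUE_NAME.lower():
        return Finding("T1547.001", f"Run value '{RUN_VALUE_NAME}' matches STARWHALE Go variant", rec)
    return None


def check_service_install(rec):
    """Service installation event (hypothetical 7045-like field names)."""
    name = rec.get("ServiceName", "")
    image = rec.get("ImagePath", "")
    if name.lower() == SERVICE_NAME.lower():
        return Finding("T1543.003", f"service name '{SERVICE_NAME}' matches STARWHALE", rec)
    if WSF_SERVICE_RE.search(image):
        return Finding("T1543.003", "service binary path runs a .wsf via cmd.exe /c cscript.exe", rec)
    return None


def check_file_create(rec):
    """File creation event: staging file or a .wsf dropped in a Startup folder."""
    path = rec.get("TargetFilename", "").lower()
    if path.endswith("\\" + STAGING_FILE):
        return Finding("T1074.001", f"staging file '{STAGING_FILE}' written", rec)
    if "\\start menu\\programs\\startup\\" in path and path.endswith(".wsf"):
        return Finding("T1547.001", ".wsf script dropped in a Startup folder", rec)
    return None


CHECKS = {
    "RegistryValueSet": check_registry_run,
    "ServiceInstall": check_service_install,
    "FileCreate": check_file_create,
}


def scan(events):
    """Run the matching check for each event and collect findings in order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventType"))
        if check is not None:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample telemetry (not real data): mixes STARWHALE-style artifacts
# with benign events so the scan shows both hits and non-hits.
SAMPLE_EVENTS = [
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM",
     "Details": r"C:\Users\alice\AppData\Roaming\outlookm.exe"},
    {"EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"EventType": "ServiceInstall", "ServiceName": "Windowscarpstss",
     "ImagePath": r"cmd.exe /c cscript.exe c:\windows\system32\w7_1.wsf humpback_whale"},
    {"EventType": "ServiceInstall", "ServiceName": "Spooler",
     "ImagePath": r"C:\Windows\System32\spoolsv.exe"},
    {"EventType": "ServiceInstall", "ServiceName": "UpdateSvc",   # constructed renamed variant
     "ImagePath": r"cmd.exe /c cscript.exe c:\windows\system32\upd.wsf run"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\Public\stari.txt"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\alice\Documents\notes.txt"},
    {"EventType": "FileCreate",
     "TargetFilename": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.wsf"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.reason}")
```

Running the block prints one line per hit, five in total for the constructed sample: the `OutlookM` Run value, the `Windowscarpstss` service, the renamed service caught by the .wsf launch pattern, the `stari.txt` staging file and the Startup-folder .wsf; the benign OneDrive, Spooler and notes.txt events produce nothing. In production the exact-name rules are cheap and precise but brittle; the launch-pattern rule is the one worth keeping if the actor changes names.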

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0069 | MuddyWater | [1] |

References