S1075 KOPILUWAK
KOPILUWAK is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.[1]
| Item | Value |
|---|---|
| ID | S1075 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 17 May 2023 |
| Last Modified | 16 April 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | KOPILUWAK has used HTTP POST requests to send data to its C2 server.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.007 | JavaScript | KOPILUWAK has used JavaScript to perform its core functions.[1] |
| enterprise | T1005 | Data from Local System | KOPILUWAK can gather information from compromised hosts.[1] |
| enterprise | T1074 | Data Staged | - |
| enterprise | T1074.001 | Local Data Staging | KOPILUWAK has written the output of commands executed on behalf of its C2 to %TEMP%\result2.dat on the local machine.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | KOPILUWAK has exfiltrated collected data to its C2 server via HTTP POST requests.[1] |
| enterprise | T1680 | Local Storage Discovery | KOPILUWAK can discover logical drive information on compromised hosts.[1] |
| enterprise | T1135 | Network Share Discovery | KOPILUWAK can use netstat and net to discover network shares.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | KOPILUWAK has been delivered to victims as a malicious email attachment.[1] |
| enterprise | T1057 | Process Discovery | KOPILUWAK can enumerate the processes running on the targeted machine.[1] |
| enterprise | T1016 | System Network Configuration Discovery | KOPILUWAK can use arp to discover a target's network configuration settings.[1] |
| enterprise | T1049 | System Network Connections Discovery | KOPILUWAK can use netstat, arp, and net to discover current TCP connections.[1] |
| enterprise | T1033 | System Owner/User Discovery | KOPILUWAK can run whoami on the victim machine to identify the current user.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.002 | Malicious File | KOPILUWAK has gained execution when a victim opened a malicious attachment.[1] |
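The technique rows above describe a recognisable host-side pattern: a Windows script host runs a JavaScript payload, which spawns built-in reconnaissance commands (netstat, arp, net, whoami) and redirects their output to %TEMP%\result2.dat before the file is sent to C2 over HTTP POST. The detection below is an added example written for this page; it is not code from the ATT&CK entry, from MITRE, or from the malware. It assumes process-creation telemetry in Sysmon Event ID 1 field naming (RecordId, ParentProcessGuid, ParentImage, Image, CommandLine); the sample events, the process GUIDs, the set of script hosts and the list of `net` subcommands are all constructed or assumed for the example. Each child event is scored on three independent signals (script-host parent, reconnaissance binary, redirect into the staging file), and a second rule correlates children of the same parent so that a burst of distinct recon tools is still reported if the attacker renames the staging file.

```python
"""Detection logic for the KOPILUWAK reconnaissance pattern.

Added example, not code from the ATT&CK page or from the malware itself.
Assumed: process-creation events in Sysmon Event ID 1 field naming
(RecordId, ParentProcessGuid, ParentImage, Image, CommandLine). The sample
events below, including their GUIDs and user paths, are constructed.
"""
import re
from collections import defaultdict

# Reconnaissance binaries the page attributes to KOPILUWAK (netstat, arp,
# net, whoami). The `net` subcommand list is an assumption chosen so that
# unrelated strings such as ".NET" do not match.
RECON_TOOLS = {
    "netstat": re.compile(r"\bnetstat(?:\.exe)?\b", re.I),
    "arp":     re.compile(r"\barp(?:\.exe)?\b", re.I),
    "net":     re.compile(r"\bnet(?:\.exe)?\s+(?:view|share|use|user|session|localgroup)\b", re.I),
    "whoami":  re.compile(r"\bwhoami(?:\.exe)?\b", re.I),
}

# Windows script hosts that would run a JavaScript payload (T1059.007); assumed set.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Output redirected into %TEMP%\result2.dat (T1074.001), either with the raw
# variable or with the path already expanded by cmd.exe.
STAGING_REDIRECT = re.compile(
    r'>>?\s*"?(?:%temp%|[^\s"]*\\temp)\\result2\.dat', re.I)

# Constructed sample events. {A}, {B}, {C} stand in for real process GUIDs.
SAMPLE_EVENTS = [
    {"RecordId": 1, "ParentProcessGuid": "{A}", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c netstat -an > C:\Users\alice\AppData\Local\Temp\result2.dat"},
    {"RecordId": 2, "ParentProcessGuid": "{A}", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c arp -a >> %TEMP%\result2.dat"},
    {"RecordId": 3, "ParentProcessGuid": "{A}", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c whoami /all >> %TEMP%\result2.dat"},
    {"RecordId": 4, "ParentProcessGuid": "{A}", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c net view \\fileserver01 >> %TEMP%\result2.dat"},
    # Benign: an administrator running netstat from an interactive shell.
    {"RecordId": 5, "ParentProcessGuid": "{B}", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c netstat -an"},
    # Benign: a logon script spawned by wscript.exe with no recon content.
    {"RecordId": 6, "ParentProcessGuid": "{C}", "ParentImage": r"C:\Windows\System32\wscript.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo logon-script-ok"},
]


def classify(event):
    """Score one event. Returns (flags, tools): flags are the independent
    signals observed, tools the recon binaries named on the command line."""
    cmd = event.get("CommandLine", "")
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    tools = sorted(name for name, rx in RECON_TOOLS.items() if rx.search(cmd))
    flags = []
    if parent in SCRIPT_HOSTS:
        flags.append("parent_is_script_host")
    if tools:
        flags.append("recon_tool:" + ",".join(tools))
    if STAGING_REDIRECT.search(cmd):
        flags.append("staged_to_temp_result2.dat")
    return flags, tools


def detect(events, min_score=2):
    """Report events carrying at least min_score independent signals, then
    correlate: one script-host parent that runs two or more distinct recon
    tools is reported as a burst even if each child event scored low."""
    findings = []
    tools_by_parent = defaultdict(set)
    for ev in events:
        flags, tools = classify(ev)
        if "parent_is_script_host" in flags:
            tools_by_parent[ev.get("ParentProcessGuid")].update(tools)
        if len(flags) >= min_score:
            findings.append({"record": ev.get("RecordId"), "score": len(flags), "flags": flags})
    for guid, tools in tools_by_parent.items():
        if len(tools) >= 2:
            findings.append({"parent": guid, "score": len(tools),
                             "flags": ["recon_burst:" + ",".join(sorted(tools))]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run as a script it prints one finding per staged recon command (records 1 to 4) and one burst finding for parent {A}; the interactive netstat and the empty logon script are not reported. The staging filename is the most brittle indicator, since a rebuilt sample can change it at no cost, so the burst rule carries most of the weight in a production version; `min_score` and the `net` subcommand list are the knobs to tune against a baseline of local admin activity.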
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0010 | Turla | [1] |