S1147 Nightdoor
Nightdoor is a backdoor that has been observed exclusively in Daggerfly operations. It shares code libraries with MgBot and MacMa, which links the three malware families to the same developer.[1][2]
| Item | Value |
|---|---|
| ID | S1147 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 25 July 2024 |
| Last Modified | 21 October 2025 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1071 | Application Layer Protocol | Nightdoor uses TCP and UDP communication for command and control traffic.[1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Nightdoor spawns a cmd.exe shell with its standard input and output attached to pipes, so commands from the command and control server can be fed to the shell and its output returned.[2] |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Nightdoor stores its network configuration in a file encoded with a single-byte XOR key of 0x7A, and decodes it at runtime.[2] |
| enterprise | T1574 | Hijack Execution Flow | Nightdoor is installed by a legitimate, signed executable that side-loads a malicious DLL.[2] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Nightdoor can delete itself from disk.[1] |
| enterprise | T1680 | Local Storage Discovery | Nightdoor can enumerate disk drives and collect their total and free space and file system type.[1] |
| enterprise | T1057 | Process Discovery | Nightdoor can enumerate running processes, and also collects information on installed applications from Windows registry keys.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Nightdoor uses a scheduled task for persistence; the task loads the final malware payload into memory.[2] |
| enterprise | T1082 | System Information Discovery | Nightdoor gathers system information such as the CPU, the computer name, and installed device drivers.[1] |
| enterprise | T1016 | System Network Configuration Discovery | Nightdoor gathers network configuration details from the victim system, such as MAC addresses.[1] |
| enterprise | T1033 | System Owner/User Discovery | Nightdoor gathers information on the victim system's users and usernames.[1] |
| enterprise | T1124 | System Time Discovery | Nightdoor can retrieve the local system time.[1] |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Nightdoor embeds code from the public al-khaser project, which implements checks for virtual machines, sandboxes, and malware analysis environments.[2] |
| enterprise | T1102 | Web Service | Nightdoor can use Microsoft OneDrive or Google Drive for command and control.[1][2] |
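A worked example of the T1140 decode step above, added here and not taken from Nightdoor or from any vendor's analysis tooling. The only fact it borrows from the page is the single-byte XOR key 0x7A. The plaintext layout (`key=value;` pairs), the TEST-NET-3 addresses in the sample, and the `://` crib used to break ties during key recovery are all assumptions made for the demonstration; the page does not describe the real config format. The key-recovery routine goes beyond the page's specific case: it shows how an analyst would rediscover the key from an on-disk blob by brute force, and why a plain "most printable output" heuristic needs a crib (keys one bit away from the real one also produce mostly printable text).

```python
"""Decode a single-byte-XOR-encoded configuration blob and recover the key.

Added example, not Nightdoor's own code and not vendor tooling. The key
0x7A is the value reported for Nightdoor's network configuration file;
everything else (config layout, sample content, crib) is assumed.
"""
from typing import Dict, Optional

NIGHTDOOR_KEY = 0x7A  # reported single-byte XOR key for the network config file

# Constructed sample plaintext (TEST-NET-3 addresses, not real infrastructure).
SAMPLE_CONFIG = b"c2=tcp://203.0.113.10:443;alt=udp://203.0.113.10:53;sleep=30"


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte. XOR is its own inverse, so the same
    call both encodes a plaintext config and decodes an on-disk blob."""
    return bytes(b ^ key for b in data)


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or tab/CR/LF. The correct
    single-byte key turns a text config into almost entirely printable bytes."""
    if not data:
        return 0.0
    good = sum(1 for b in data if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return good / len(data)


def recover_key(blob: bytes, crib: bytes = b"://") -> Optional[int]:
    """Brute-force all 256 keys. Keys close to the real one (0x7A ^ 0x01, ...)
    also give mostly printable output, so a crib expected somewhere in the
    plaintext (assumed here: a URL scheme separator) filters candidates;
    among those, the most printable decode wins."""
    best_key, best_score = None, 0.0
    for key in range(256):
        cand = xor_bytes(blob, key)
        if crib and crib not in cand:
            continue
        score = printable_ratio(cand)
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def parse_config(text: bytes) -> Dict[str, str]:
    """Split 'k=v;k=v' text into a dict (assumed layout for this demo)."""
    out: Dict[str, str] = {}
    for field in text.decode("ascii", errors="replace").split(";"):
        if "=" in field:
            k, v = field.split("=", 1)
            out[k.strip()] = v.strip()
    return out


def decode_config(blob: bytes, key: int = NIGHTDOOR_KEY) -> Dict[str, str]:
    """Decode an on-disk blob with a known key and parse the result."""
    return parse_config(xor_bytes(blob, key))


if __name__ == "__main__":
    encoded = xor_bytes(SAMPLE_CONFIG, NIGHTDOOR_KEY)   # what would sit on disk
    print("recovered key:", hex(recover_key(encoded)))  # 0x7a
    print(decode_config(encoded))
```

Against a real sample, feed `recover_key` the raw bytes of the suspected config file and pass a crib you actually expect (a known C2 hostname fragment, a scheme, or a delimiter seen in the malware's parsing code); if nothing matches, the encoding is not a single static byte and a rolling or multi-byte key should be suspected instead.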
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1034 | Daggerfly | Daggerfly uses Nightdoor as a backdoor on Windows hosts.[1][2] |