S1211 Hannotog
Hannotog is a backdoor uniquely associated with Lotus Blossom operations since at least 2022.1
| Item | Value |
|---|---|
| ID | S1211 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 16 March 2025 |
| Last Modified | 04 April 2025 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1020 | Automated Exfiltration | Hannotog can upload encrypted data for exfiltration.1 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Hannotog can execute commands of the form cmd.exe /c %s, where %s is the operator-supplied command.1 |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | Hannotog creates a new service for persistence.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | Hannotog can modify local firewall settings via netsh commands to open a listening UDP port.1 |
| enterprise | T1105 | Ingress Tool Transfer | Hannotog can download additional files to the victim machine.1 |
| enterprise | T1571 | Non-Standard Port | Hannotog uses non-standard listening ports, such as UDP 5900, for command and control purposes.1 |
| enterprise | T1489 | Service Stop | Hannotog can stop Windows services.1 |
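To show how the behaviours in the table above surface in endpoint telemetry, here is an added Python example that is not part of the ATT&CK entry and is not Hannotog's own code. It scans constructed Sysmon-style process-creation records for netsh commands that open an inbound UDP port (T1562.004), reports ports outside a hypothetical allowlist as non-standard (T1571), and picks up service creation via sc.exe (T1543.003) and service stops via net.exe or sc.exe (T1489). The command lines, service name, PIDs and the allowlist are constructed for the example; only the UDP 5900 port comes from the page, and the netsh syntax shown is ordinary Windows syntax, not a claim about the exact strings Hannotog uses.

```python
import re

# Hypothetical allowlist of UDP ports an administrator might legitimately open
# inbound (DNS, DHCP, NTP, IPsec). Any other port opened by a netsh rule is
# reported as T1571. Tune this to the environment; it is an assumption here.
EXPECTED_INBOUND_UDP = {53, 67, 68, 123, 500, 4500}

# Constructed Sysmon-style process-creation records (not real Hannotog telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'cmd.exe /c netsh advfirewall firewall add rule name="svc" '
                'dir=in action=allow protocol=UDP localport=5900'},
    {"pid": 4122, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c netsh firewall add portopening UDP 5900 svc"},
    {"pid": 4130, "image": r"C:\Windows\System32\sc.exe",
     "cmdline": r'sc create hannsvc binPath= "C:\ProgramData\hann.exe" start= auto'},
    {"pid": 4131, "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net stop WinDefend"},
    {"pid": 4140, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c netsh advfirewall firewall add rule name=web "
                "dir=in action=allow protocol=TCP localport=443"},
    {"pid": 4150, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c dir C:\\Users"},
]

# Modern and legacy netsh forms for adding an inbound firewall rule.
ADVFIREWALL_ADD = re.compile(r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b", re.I)
LEGACY_PORTOPENING = re.compile(r"netsh\s+firewall\s+add\s+portopening\s+udp\s+(\d+)", re.I)
# Service creation and service stop via the built-in tools.
SC_CREATE = re.compile(r"\bsc(?:\.exe)?\s+create\s+(\S+)", re.I)
SERVICE_STOP = re.compile(r"\b(?:net(?:\.exe)?|sc(?:\.exe)?)\s+stop\s+(\S+)", re.I)
CMD_C = re.compile(r"\bcmd(?:\.exe)?\s+/c\b", re.I)


def inbound_udp_port(cmdline):
    """Return the UDP port a netsh command opens for inbound traffic, or None."""
    m = LEGACY_PORTOPENING.search(cmdline)
    if m:
        return int(m.group(1))
    if ADVFIREWALL_ADD.search(cmdline):
        lc = cmdline.lower()
        port = re.search(r"localport=(\d+)", lc)
        if "protocol=udp" in lc and "dir=in" in lc and port:
            return int(port.group(1))
    return None


def classify(event):
    """Map one process-creation record to a list of (technique ID, detail) hits."""
    findings = []
    cmd = event["cmdline"]
    if CMD_C.search(cmd):
        findings.append(("T1059.003", "cmd.exe /c child command"))
    port = inbound_udp_port(cmd)
    if port is not None:
        findings.append(("T1562.004", f"inbound UDP {port} opened via netsh"))
        if port not in EXPECTED_INBOUND_UDP:
            findings.append(("T1571", f"non-standard UDP listener port {port}"))
    m = SC_CREATE.search(cmd)
    if m:
        findings.append(("T1543.003", f"service created: {m.group(1)}"))
    m = SERVICE_STOP.search(cmd)
    if m:
        findings.append(("T1489", f"service stopped: {m.group(1)}"))
    return findings


def triage(events):
    """Return (pid, findings) for events with at least one hit beyond bare cmd.exe /c.

    cmd.exe /c on its own is far too common to alert on; it is kept as context
    and only surfaces when a higher-signal technique fires in the same record.
    """
    out = []
    for e in events:
        findings = classify(e)
        if any(t != "T1059.003" for t, _ in findings):
            out.append((e["pid"], findings))
    return out


if __name__ == "__main__":
    for pid, findings in triage(SAMPLE_EVENTS):
        print(pid, findings)
```

Run stand-alone, the script reports the two firewall rules opening UDP 5900 (both tagged T1562.004 and T1571), the service creation, and the service stop, while the TCP 443 rule and the harmless directory listing are dropped. Extend the allowlist and the regular expressions to the tooling actually used in the environment before treating this as an alert rule.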
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G0030 | Lotus Blossom | Hannotog is a backdoor associated with Lotus Blossom operations.1 |