The sub-techniques beta is now live! Read the release blog post for more info.


Vasport is a trojan used by Elderwood to open a backdoor on compromised hosts. [1] [2]

ID: S0207
Platforms: Windows
Version: 1.0
Created: 18 April 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1090 Connection Proxy

Vasport is capable of tunneling though a proxy.[2]

Enterprise T1060 Registry Run Keys / Startup Folder

Vasport copies itself to disk and creates an associated run key Registry entry to establish.[2]

Enterprise T1105 Remote File Copy

Vasport can download files.[2]

Enterprise T1071 Standard Application Layer Protocol

Vasport creates a backdoor by making a connection using a HTTP POST.[2]

Groups That Use This Software

ID Name References
G0066 Elderwood [1]