Register to stream ATT&CKcon 2.0 October 29-30


HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. [1]

ID: S0246
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface HARDRAIN uses cmd.exe to execute netshcommands. [1]
Enterprise T1043 Commonly Used Port HARDRAIN binds and listens on port 443. [1]
Enterprise T1090 Connection Proxy HARDRAIN uses the command cmd.exe /c netsh firewall add portopening TCP 443 "adp" and makes the victim machine function as a proxy server. [1]
Enterprise T1024 Custom Cryptographic Protocol HARDRAIN uses FakeTLS to communicate with its C2 server. [1]
Enterprise T1089 Disabling Security Tools HARDRAIN opens the Windows Firewall to modify incoming connections. [1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]