The sub-techniques beta is now live! Read the release blog post for more info.


RGDoor is a malicious Internet Information Services (IIS) backdoor developed in the C++ language. RGDoor has been seen deployed on webservers belonging to the Middle East government organizations. RGDoor provides backdoor access to compromised IIS servers. [1]

ID: S0258
Platforms: Windows
Version: 1.0
Created: 17 October 2018
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

RGDoor uses cmd.exe to execute commands on the victim’s machine.[1]

Enterprise T1022 Data Encrypted

RGDoor encrypts files with XOR before sending them back to the C2 server.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

RGDoor decodes Base64 strings and decrypts strings using a custom XOR algorithm.[1]

Enterprise T1105 Remote File Copy

RGDoor uploads and downloads files to and from the victim’s machine.[1]

Enterprise T1071 Standard Application Layer Protocol

RGDoor uses HTTP for C2 communications.[1]

Enterprise T1033 System Owner/User Discovery

RGDoor executes the whoami on the victim’s machine.[1]

Groups That Use This Software

ID Name References
G0049 OilRig [1]