HOPLIGHT is a backdoor Trojan that has reportedly been used by the North Korean government.[1]

ID: S0376
Platforms: Windows
Version: 1.0
Created: 19 April 2019
Last Modified: 22 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

HOPLIGHT can launch cmd.exe to execute commands on the system. [1]

Enterprise T1043 Commonly Used Port

HOPLIGHT has connected outbound over TCP port 443. [1]

Enterprise T1090 Connection Proxy

HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators.

Enterprise T1003 Credential Dumping

HOPLIGHT has the capability to harvest credentials and passwords. [1]

Enterprise T1001 Data Obfuscation

HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.

Enterprise T1089 Disabling Security Tools

HOPLIGHT has modified the firewall using netsh. [1]

Enterprise T1041 Exfiltration Over Command and Control Channel

HOPLIGHT has used its C2 channel to exfiltrate data. [1]

Enterprise T1008 Fallback Channels

HOPLIGHT has multiple C2 channels in place in case one fails. [1]

Enterprise T1083 File and Directory Discovery

HOPLIGHT has been observed enumerating system drives and partitions. [1]

Enterprise T1112 Modify Registry

HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system. [1]

Enterprise T1075 Pass the Hash

HOPLIGHT has been observed loading several APIs associated with Pass the Hash. [1]

Enterprise T1055 Process Injection

HOPLIGHT has injected into running processes. [1]

Enterprise T1012 Query Registry

A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\CurrentControlSet\Control\Lsa Name.[1]

Enterprise T1105 Remote File Copy

HOPLIGHT has the ability to connect to a remote host in order to upload and download files. [1]

Enterprise T1035 Service Execution

HOPLIGHT has used svchost.exe to execute a malicious DLL.[1]

Enterprise T1082 System Information Discovery

HOPLIGHT has been observed collecting victim machine information like OS version, drivers, volume information and more.[1]

Enterprise T1124 System Time Discovery

HOPLIGHT has been observed collecting system time from victim machines.[1]

Enterprise T1065 Uncommonly Used Port

HOPLIGHT has used uncommon TCP "high port" to "high port" communication. [1]

Enterprise T1047 Windows Management Instrumentation

HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository. [1]

Groups That Use This Software

ID Name References
G0032 Lazarus Group [1]