ANDROMEDA is commodity malware that was widespread in the early 2010's and continues to be observed in infections across a wide variety of industries. During the 2022 C0026 campaign, threat actors re-registered expired ANDROMEDA C2 domains to spread malware to select targets in Ukraine.[1]

ID: S1074
Platforms: Windows
Contributors: Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 16 May 2023
Last Modified: 29 September 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

ANDROMEDA has the ability to make GET requests to download files from C2.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

ANDROMEDA can establish persistence by dropping a sample of itself to C:\ProgramData\Local Settings\Temp\ and adding a Registry run key to execute every time a user logs on.[1]

Enterprise T1105 Ingress Tool Transfer

ANDROMEDA can download additional payloads from C2.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

ANDROMEDA has been installed to C:\Temp\TrustedInstaller.exe to mimic a legitimate Windows installer service.[1]

.008 Masquerading: Masquerade File Type

ANDROMEDA has been delivered through a LNK file disguised as a folder.[1]

Enterprise T1055 Process Injection

ANDROMEDA can inject into the wuauclt.exe process to perform C2 actions.[1]

Enterprise T1091 Replication Through Removable Media

ANDROMEDA has been spread via infected USB keys.[1]


ID Name Description
C0026 C0026

During C0026, the threat actors re-registered expired ANDROMEDA domains to profile past victims for further targeting.[1]