KOPILUWAK is a JavaScript-based reconnaissance tool that has been used for victim profiling and C2 since at least 2017.[1]

ID: S1075
Platforms: Windows
Contributors: Yoshihiro Kori, NEC Corporation; Manikantan Srinivasan, NEC Corporation India; Pooja Natarajan, NEC Corporation India
Version: 1.0
Created: 17 May 2023
Last Modified: 25 July 2023

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

KOPILUWAK has used HTTP POST requests to send data to C2.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

KOPILUWAK had used Javascript to perform its core functions.[1]

Enterprise T1005 Data from Local System

KOPILUWAK can gather information from compromised hosts.[1]

Enterprise T1074 .001 Data Staged: Local Data Staging

KOPILUWAK has piped the results from executed C2 commands to %TEMP%\result2.dat on the local machine.[1]

Enterprise T1041 Exfiltration Over C2 Channel

KOPILUWAK has exfiltrated collected data to its C2 via POST requests.[1]

Enterprise T1135 Network Share Discovery

KOPILUWAK can use netstat and Net to discover network shares.[1]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

KOPILUWAK has been delivered to victims as a malicious email attachment.[1]

Enterprise T1057 Process Discovery

KOPILUWAK can enumerate current running processes on the targeted machine.[1]

Enterprise T1082 System Information Discovery

KOPILUWAK can discover logical drive information on compromised hosts.[1]

Enterprise T1016 System Network Configuration Discovery

KOPILUWAK can use Arp to discover a target's network configuration setttings.[1]

Enterprise T1049 System Network Connections Discovery

KOPILUWAK can use netstat, Arp, and Net to discover current TCP connections.[1]

Enterprise T1033 System Owner/User Discovery

KOPILUWAK can conduct basic network reconnaissance on the victim machine with whoami, to get user details.[1]

Enterprise T1204 .002 User Execution: Malicious File

KOPILUWAK has gained execution through malicious attachments.[1]

Groups That Use This Software

ID Name References
G0010 Turla



ID Name Description
C0026 C0026

KOPILUWAK was used as a first-stage profiling utility for previous victims of ANDROMEDA during C0026.[1]