S0045 ADVSTORESHELL: ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[5][6][7]
Agent Tesla can add itself to the Registry as a startup program to establish persistence.[8][9]
S1025 Amadey: Amadey has changed the Startup folder to the one containing its executable by overwriting the registry keys.[10][11]
S0622 AppleSeed: AppleSeed has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\Software\Microsoft/Windows\CurrentVersion\RunOnce to establish persistence.[12]
APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.[13][14]
An APT19 HTTP malware variant establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\.[15]
APT28 has deployed malware that has copied itself to the startup directory for persistence.[16]
G0016 APT29: APT29 added Registry Run keys to establish persistence.[17]
G0022 APT3: APT3 places scripts in the startup folder for persistence.[18]
G0050 APT32: APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts and to execute its backdoor directly.[19][20][21]
G0064 APT33: APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.[22][23]
G0067 APT37: APT37 has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\.[24][25]
APT39 has maintained persistence using the startup folder.[26]
G0096 APT41: APT41 created and modified startup files for persistence.[27][28] APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.[29]
Aria-body has established persistence via the Startup folder or Run Registry key.[30]
S0373 Astaroth: Astaroth creates a startup item for persistence.[31]
S1029 AuTo Stealer: AuTo Stealer can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence.[32]
S0640 Avaddon: Avaddon uses registry run keys for persistence.[33]
S0414 BabyShark: BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[34][35]
S0093 Backdoor.Oldrea: Backdoor.Oldrea adds Registry Run keys to achieve persistence.[36][37]
S0031 BACKSPACE: BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.[38]
S0128 BADNEWS: BADNEWS installs a registry Run key to establish persistence.[39]
S0337 BadPatch: BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.[40]
S0534 Bazar: Bazar can create or add files to Registry Run Keys to establish persistence.[41][42]
S0127 BBSRAT: BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe.
Bisonal has added itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run\ for persistence.[43][44]
BitPaymer has set the run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[45]
The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.[46]
S0635 BoomBox: BoomBox can establish persistence by writing the Registry value MicroNativeCacheSvc to HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[47]
Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.[48]
G0060 BRONZE BUTLER: BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.[49]
S0471 build_downer: build_downer has the ability to add itself to the Registry Run key for persistence.[50]
S0030 Carbanak: Carbanak stores configuration files in the startup directory to automatically execute commands in order to persist across reboots.[51]
S0484 Carberp: Carberp has maintained persistence by placing itself inside the current user's startup folder.[52]
S0348 Cardinal RAT: Cardinal RAT establishes persistence by setting the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Registry key to point to its executable.[53]
Chaes has added persistence via the Registry key software\microsoft\windows\currentversion\run\microsoft windows html help.[54]
ChChes establishes persistence by adding a Registry Run key.[55]
S1041 Chinoxy: Chinoxy has established persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run registry key and by loading a dropper to [%COMMON_ STARTUP%\\eoffice.exe].[56]
Clambling can establish persistence by adding a Registry run key.[57][58]
G0080 Cobalt Group: Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.[59]
S0338 Cobian RAT: Cobian RAT creates an autostart Registry key to ensure persistence.[60]
S0244 Comnie: Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.[61]
S0608 Conficker: Conficker adds Registry Run keys to establish persistence.[62]
G0142 Confucius: Confucius has dropped malicious files into the startup folder %AppData%\Microsoft\Windows\Start Menu\Programs\Startup on a compromised host in order to maintain persistence.[63]
CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.[64]
S0046 CozyCar: One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run [65]
Crimson can add Registry run keys for persistence.[66][67]
S0235 CrossRAT: CrossRAT uses run keys for persistence on Windows.
G0070 Dark Caracal: Dark Caracal's version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[68]
DarkComet adds several Registry entries to enable automatic execution at every system startup.[69][70]
G0012 Darkhotel: Darkhotel has been known to establish persistence by adding programs to the Run Registry key.[71]
S1021 DnsSystem: DnsSystem can write itself to the Startup folder to gain persistence.[72]
S0186 DownPaper: DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.[73]
G0035 Dragonfly: Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.[74]
S0062 DustySky: DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.[75]
If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : [self] and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.[76][77]
Variants of Emissary have added Run Registry keys to establish persistence.[78]
S0367 Emotet: Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.[79][80][81]
Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[82]
EvilBunny has created Registry keys for persistence in [HKLM|HKCU]\…\CurrentVersion\Run.[83]
EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.[55]
S0568 EVILNUM: EVILNUM can achieve persistence through the Registry Run key.[84][85]
S0512 FatDuke: FatDuke has used HKLM\SOFTWARE\Microsoft\CurrentVersion\Run to establish persistence.[86]
FELIXROOT adds a shortcut file to the startup folder for persistence.[87]
G0051 FIN10: FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[88][82]
G0037 FIN6: FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.[89]
G0046 FIN7: FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.[90][91]
S0355 Final1stspy: Final1stspy creates a Registry Run key to establish persistence.[92]
S0182 FinFisher: FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run.[93][94]
Flagpro has dropped an executable file to the startup directory.[95]
S0036 FLASHFLOOD: FLASHFLOOD achieves persistence by making an entry in the Registry's Run key.[38]
S0381 FlawedAmmyy: FlawedAmmyy has established persistence via the HKCU\SOFTWARE\microsoft\windows\currentversion\run registry key.[10]
FunnyDream can use a Registry Run Key and the Startup folder to establish persistence.[56]
G0047 Gamaredon Group: Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.[96][97][98]
S0168 Gazer: Gazer can establish persistence by creating a .lnk file in the Start menu.[99][100]
S0666 Gelsemium: Gelsemium can set persistence with a Registry run key.[101]
S0032 gh0st RAT: gh0st RAT has added a Registry Run key to establish persistence.[102][103]
S0249 Gold Dragon: Gold Dragon establishes persistence in the Startup folder.[104]
G0078 Gorgon Group: Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.[105]
S0531 Grandoreiro: Grandoreiro can use run keys and create link files in the startup folder for persistence.[106][107]
S0417 GRIFFON: GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.[108]
S0632 GrimAgent: GrimAgent can set persistence with a Registry run key.[109]
S0561 GuLoader: GuLoader can establish persistence via the Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.[110]
Hancitor has added Registry Run keys to establish persistence.[111]
S0170 Helminth: Helminth establishes persistence by creating a shortcut in the Start Menu folder.[112]
S1027 Heyoka Backdoor: Heyoka Backdoor can establish persistence with the auto start function, including using the value EverNoteTrayUService.[113]
Hi-Zor creates a Registry Run key to establish persistence.[114]
G0126 Higaisa: Higaisa added a spoofed binary to the start-up folder for persistence.[115][116]
S0070 HTTPBrowser: HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn "%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe" to establish persistence.[117][118]
IcedID has established persistence by creating a Registry run key.[119]
G0100 Inception: Inception has maintained persistence by modifying the Registry run key value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\.[120]
Some InnaputRAT variants establish persistence by modifying the Registry key HKU\\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe.[121]
InvisiMole can place a lnk file in the Startup Folder to achieve persistence.[122]
S0015 Ixeshe: Ixeshe can achieve persistence by adding itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key.[123]
JCry has created payloads in the Startup directory to maintain persistence.[124]
S0044 JHUHUGIT: JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.[125]
S0088 Kasidet: Kasidet creates a Registry Run key to establish persistence.[126][127]
S0265 Kazuar: Kazuar adds a sub-key under several Registry run keys.[128]
G0004 Ke3chang: Several Ke3chang backdoors achieved persistence by adding a Run key.[129]
G0094 Kimsuky: Kimsuky has placed scripts in the startup folder for persistence and modified the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce Registry key.[130][35][131][132][133]
Koadic has added persistence to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run Registry key.[134]
KOCTOPUS can set the AutoRun Registry key with a PowerShell command.[134]
S0356 KONNI: A version of KONNI has dropped a Windows shortcut into the Startup folder to establish persistence.[135]
G0032 Lazarus Group: Lazarus Group has maintained persistence by loading malicious code into a startup folder or by adding a Registry Run key.[136][137][138][139][140]
G0140 LazyScripter: LazyScripter has achieved persistence by writing a PowerShell script to the autorun registry key.[134]
G0065 Leviathan: Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.[141][142]
S0513 LiteDuke: LiteDuke can create persistence by adding a shortcut in the CurrentVersion\Run Registry key.[86]
LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk ’ to ‘autocheck autoche ’ in order to execute its payload during Windows startup.[143]
LookBack sets up a Registry Run key to establish a persistence mechanism.[144]
S0532 Lucifer: Lucifer can persist by setting the Registry key values HKLM\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic.[145]
Machete used the startup folder for persistence.[146][147]
G0059 Magic Hound: Magic Hound malware has used Registry Run keys to establish persistence.[148]
S0652 MarkiRAT: MarkiRAT can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started.[149]
S0167 Matryoshka: Matryoshka can establish persistence by adding Registry Run keys.[150][151]
S0449 Maze: Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.[152]
S0500 MCMD: MCMD can use Registry Run Keys for persistence.[153]
S0455 Metamorfo: Metamorfo has configured persistence to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run, Spotify =% APPDATA%\Spotify\Spotify.exe and used .LNK files in the startup folder to achieve persistence.[154][155][156][157]
Mivast creates the following Registry entry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Micromedia.[158]
MoleNet can achieve persistence on the infected machine by setting the Registry run key.[159]
G0021 Molerats: Molerats saved malicious files within the AppData and Startup folders to maintain persistence.[160]
S1026 Mongall: Mongall can establish persistence with the auto start function, including using the value EverNoteTrayUService.[113]
Mosquito establishes persistence under the Registry key HKCU\Software\Run auto_update.[161]
MuddyWater has added the Registry Run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding to establish persistence.[162][163][164][165][166][167]
Mustang Panda has created the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AdobelmdyU to maintain persistence.[168]
Naikon has modified a victim's Windows Run registry to establish persistence.[169]
S0228 NanHaiShu: NanHaiShu modifies the %regrun% Registry to point itself to an autostart mechanism.[170]
S0336 NanoCore: NanoCore creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine.[171]
S0247 NavRAT: NavRAT creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence.[172]
S0630 Nebulae: Nebulae can achieve persistence through a Registry Run key.[169]
S0034 NETEAGLE: The "SCOUT" variant of NETEAGLE achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[38]
NETWIRE creates a Registry start-up entry to establish persistence.[173][174][110][175]
S0385 njRAT: njRAT has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run\ and dropped a shortcut in %STARTUP%.[176][177]
NOKKI has established persistence by writing the payload to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.[178]
ObliqueRAT can gain persistence by creating a shortcut in the infected user's Startup directory.[179]
S0340 Octopus: Octopus achieved persistence by placing a malicious executable in the startup directory and has added the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to the Registry.[180]
Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.[181]
C0006 Operation Honeybee: During Operation Honeybee, the threat actors used batch files that allowed them to establish persistence by adding the following Registry key: "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost" /v COMSysApp /t REG_MULTI_SZ /d "COMSysApp" /f.[182]
During Operation Sharpshooter, a first-stage downloader installed Rising Sun to %Startup%\mssync.exe on a compromised host.[183]
Patchwork has added the path of its second-stage malware to the startup folder to achieve persistence. One of its file stealers has also persisted by adding a Registry Run key.[184][185]
S0124 Pisloader: Pisloader establishes persistence via a Registry Run key.[186]
S0254 PLAINTEE: PLAINTEE gains persistence by adding the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce.[187]
PlugX adds Run key entries in the Registry to establish persistence.[188][55][189]
S0428 PoetRAT: PoetRAT has added a registry key in the hive for persistence.[190]
S0012 PoisonIvy: PoisonIvy creates run key Registry entries pointing to a malicious executable dropped to disk.[191]
S0139 PowerDuke: PowerDuke achieves persistence by using various Registry Run keys.[192]
S0441 PowerShower: PowerShower sets up persistence with a Registry run key.[193]
S0145 POWERSOURCE: POWERSOURCE achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access.[194]
S0194 PowerSploit: PowerSploit's New-UserPersistenceOption Persistence argument can be used to establish persistence via the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.[195][196]
POWERTON can install a Registry Run key for persistence.[197]
S0113 Prikormka: Prikormka adds itself to a Registry Run key with the name guidVGA or guidVSA.[198]
G0056 PROMETHIUM: PROMETHIUM has used Registry run keys to establish persistence.[199]
S0147 Pteranodon: Pteranodon copies itself to the Startup folder to establish persistence.[200]
S0196 PUNCHBUGGY: PUNCHBUGGY has been observed using a Registry Run key.[201][202]
S0192 Pupy: Pupy adds itself to the startup folder or adds itself to the Registry key SOFTWARE\Microsoft\Windows\CurrentVersion\Run for persistence.[203]
A dropper used by Putter Panda installs itself into the ASEP Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run with a value named McUpdate.[204]
QakBot can maintain persistence by creating an auto-run Registry key.[205][206][207][208]
S0262 QuasarRAT: If the QuasarRAT client process does not have administrator privileges, it will add a registry key to HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[209][210]
Ramsay has created Registry Run keys to establish persistence.[211]
S0662 RCSession: RCSession has the ability to modify a Registry Run key to establish persistence.[57][212]
S0172 Reaver: Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.[213]
S0153 RedLeaves: RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys.[55][214]
S0332 Remcos: Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[215]
Remexi utilizes Run Registry keys in the HKLM hive as a persistence mechanism.[216]
S0379 Revenge RAT: Revenge RAT creates a Registry key at HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell to survive a system reboot.[217]
Rifdoor has created a new registry entry at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Graphics with a value of C:\ProgramData\Initech\Initech.exe /run.[218]
Rocke's miner has created UPX-packed files in the Windows Start Menu Folder.[219]
S0270 RogueRobin: RogueRobin created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in, thereby establishing persistence.[220]
S0090 Rover: Rover persists by creating a Registry entry in HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\.[221]
RTM tries to add a Registry Run key under the name "Windows Update" to establish persistence.[222]
G0048 RTM: RTM has used Registry run keys to establish persistence for the RTM Trojan and other tools, such as a modified version of TeamViewer remote desktop software.[222][223]
S0253 RunningRAT: RunningRAT adds itself to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to establish persistence upon reboot.[104]
Ryuk has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence.[224]
S-Type may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ IMJPMIJ8.1{3 characters of Unique Identifier}.[225]
Saint Bot has established persistence by being copied to the Startup directory or through the \Software\Microsoft\Windows\CurrentVersion\Run registry key.[226][227]
Most Sakula samples maintain persistence by setting the Registry Run key SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.[228]
SDBbot has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privileges.[229][230]
S0053 SeaDuke: SeaDuke is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory.[231]
S0345 Seasalt: Seasalt creates a Registry entry under HKLM\Software\Microsoft\Windows\currentVersion\Run to ensure the infection survives a reboot.[232]
ServHelper may attempt to establish persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ run key.[233]
SharpStage has the ability to create persistence for the malware using the Registry autorun key and startup folder.[159]
S0444 ShimRat: ShimRat has installed a registry based start-up key HKCU\Software\microsoft\windows\CurrentVersion\Run to maintain persistence should other methods fail.[234]
SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.[38]
G0121 Sidewinder: Sidewinder has added paths to executables in the Registry to establish persistence.[235][236][237]
G0091 Silence: Silence has used HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Run, and the Startup folder to establish persistence.[238]
SILENTTRINITY can establish a LNK file in the startup folder for persistence.[239]
S1035 Small Sieve: Small Sieve has the ability to add itself to HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OutlookMicrosift for persistence.[240]
Smoke Loader adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload.[241]
S0649 SMOKEDHAM: SMOKEDHAM has used reg.exe to create a Registry Run key.[242]
SNUGRIDE establishes persistence through a Registry Run key.[243]
S0035 SPACESHIP: SPACESHIP achieves persistence by creating a shortcut in the current user's Startup folder.[38]
S0058 SslMM: To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start," "Yahoo Talk," "MSN Gaming Z0ne," or "MSN Talk" shortcut.[244]
S1037 STARWHALE: STARWHALE can establish persistence by installing itself in the startup folder, whereas the GO variant has created a HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OutlookM registry key.[245][246]
StrongPity can use the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key for persistence.[199]
Sykipot has been known to establish persistence by adding programs to the Run Registry key.[247]
S0663 SysUpdate: SysUpdate can use a Registry Run key to establish persistence.[248]
S0011 Taidoor: Taidoor has modified the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key for persistence.[249]
TAINTEDSCRIBE can copy itself into the current user’s Startup folder as "Narrator.exe" for persistence.[250]
G0139 TeamTNT: TeamTNT has added batch scripts to the startup folder.[251]
G0027 Threat Group-3390: A Threat Group-3390 tool can add the binary’s path to the Registry key Software\Microsoft\Windows\CurrentVersion\Run to add persistence.[252]
ThreatNeedle can be loaded into the Startup folder [%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\OneDrives.lnk] as a Shortcut file for persistence.[253]
TINYTYPHON installs itself under a Registry Run key to establish persistence.[39]
S0004 TinyZBot: TinyZBot can create a shortcut in the Windows startup folder for persistence.[254]
S0266 TrickBot: TrickBot establishes persistence in the Startup folder.[255]
S0094 Trojan.Karagany: Trojan.Karagany can create a link to itself in the Startup folder to automatically start itself upon system restart.[36][256]
G0081 Tropic Trooper: Tropic Trooper has created shortcuts in the Startup folder to establish persistence.[257][258]
S0178 Truvasys: Truvasys adds a Registry Run key to establish persistence.[259]
S0647 Turian: Turian can establish persistence by adding Registry Run keys.[260]
G0010 Turla: A Turla JavaScript backdoor added a local_update_check value under the Registry key HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run to establish persistence. Additionally, a Turla custom executable containing Metasploit shellcode is saved to the Startup folder to gain persistence.[161][261]
TURNEDUP is capable of writing to a Registry Run key to establish persistence.[262]
S0386 Ursnif: Ursnif has used Registry Run keys to establish automatic execution at system startup.[263][264]
S0136 USBStealer: USBStealer registers itself under a Registry Run key with the name "USB Disk Security."[265]
S0207 Vasport: Vasport copies itself to disk and creates an associated run key Registry entry to establish persistence.[266]
S0442 VBShower: VBShower used HKCU\Software\Microsoft\Windows\CurrentVersion\Run\[a-f0-9A-F]{8} to maintain persistence.[267]
WarzoneRAT can add itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run and HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UIF2IS20VK Registry keys.[268]
Windshift has created LNK files in the Startup folder to establish persistence.[269]
S0141 Winnti for Windows: Winnti for Windows can add a service named wind0ws to the Registry to achieve persistence after reboot.[270]
Wizard Spider has established persistence via the Registry key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and a shortcut within the startup folder.[271][272]
S0341 Xbash: Xbash can create a Startup item for persistence if it determines it is on a Windows system.[273]
S0251 Zebrocy: Zebrocy creates an entry in a Registry Run key for the malware to execute on startup.[274][275][276]
S0330 Zeus Panda: Zeus Panda adds persistence by creating Registry Run keys.[277][278]
G0128 ZIRCONIUM: ZIRCONIUM has created a Registry Run key named Dropbox Update Setup to establish persistence for a malicious Python binary.[279]