Okrum

Okrum is a Windows backdoor that has been seen in use since December 2016 with strong links to Ke3chang.[1]

ID: S0439
Type: MALWARE
Platforms: Windows
Contributors: ESET
Version: 1.0
Created: 06 May 2020
Last Modified: 25 April 2025

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

Okrum can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API.[1]

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Okrum uses HTTP for communication with its C2.[1]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Okrum was seen using a RAR archiver tool to compress/decompress data.[1]

Enterprise T1560 .003 Archive Collected Data: Archive via Custom Method

Okrum has used a custom implementation of AES encryption to encrypt collected data.[1]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Okrum establishes persistence by creating a .lnk shortcut to itself in the Startup folder.[1]

Enterprise T1547 .009 Boot or Logon Autostart Execution: