MalwareUsed by 1 actor

CATRUNNER

CATRUNNER is a malware/tool referenced in reporting on the TEMP.Veles activity associated with the TRITON industrial control system intrusion. A recovered ZIP archive named schtasks.zip contained an installer and uninstaller for CATRUNNER, along with two XML scheduled task definitions for a masquerading service named "ProgramDataUpdater." Reporting states the package included scheduled-task artifacts where the malicious install task name/description were in English while the clean uninstall task name/description were in Cyrillic, and the modification timeline suggested Russian text was changed to English sequentially, consistent with an attempt to mask origin. The malware/tool is therefore associated with TEMP.Veles/TRITON-related post-compromise activity in an ICS-targeting intrusion at a critical infrastructure facility. High-confidence details in the provided content do not describe CATRUNNER’s full functionality, infection vector, or standalone command-and-control behavior beyond its packaging with installer/uninstaller components and persistence-related scheduled task definitions.

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial

THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details

TEMP.Veles

"...schtasks.zip, contained an installer and uninstaller of CATRUNNER... scheduled task definitions for a masquerading service ‘ProgramDataUpdater.’"

via fireeyefireeye.com

ACTIVITY FEED

Recent activity

2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

2 SOURCESView more in app

fireeyeNews

Oct 23, 2018

TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers

Tool with installer/uninstaller components leveraging scheduled tasks for persistence (masquerading as 'ProgramDataUpdater'); language artifacts suggest attempts to mask Russian origin.

web archiveNews

Oct 23, 2018

TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers | FireEye Inc

Tool used to establish persistence via scheduled tasks (masquerading as 'ProgramDataUpdater'); artifacts include both English and Cyrillic task metadata, suggesting attempted origin-masking.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.

Start free trial

IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.