Threat Group Cards: A Threat Actor Encyclopedia
Archived: 2026-04-05 20:43:07 UTC
Home > List all groups > List all tools > List all groups using tool ELMER
 Tool: ELMER
Names
ELMER
Elmost
Category Malware
Type Reconnaissance, Backdoor, Info stealer, Exfiltration
Description
(FireEye) The exploit documents delivered during the December campaigns dropped a
binary containing an embedded variant of a backdoor we refer to as ELMER. ELMER is
a non-persistent proxy-aware HTTP backdoor written in Delphi, and is capable of
performing file uploads and downloads, file execution, and process and directory
listings.
To retrieve commands, ELMER sends HTTP GET requests to a hard-coded CnC server,
and parses the HTTP response packets received from the CnC server for an integer
string corresponding to the command that needs to be executed. Table 2 lists the
ELMER backdoors observed during the December campaigns.
Information
MITRE ATT&CK Malpedia Last change to this tool card: 23 April 2020
Download this tool card in JSON format
All groups using tool ELMER
Changed Name Country Observed
APT groups
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2351a30-d7be-4309-8f5d-9818164c9811
Page 1 of 2

APT 16, SVCMONDR 2015  
1 group listed (1 APT, 0 other, 0 unknown)
Source: https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2351a30-d7be-4309-8f5d-9818164c9811
https://apt.etda.or.th/cgi-bin/listgroups.cgi?u=b2351a30-d7be-4309-8f5d-9818164c9811
Page 2 of 2