Skip to content

Hide Navigation Hide TOC

KEYPLUG - S1051 (6c575670-d14c-4c7f-9b9d-fd1b363e255d)

KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.(Citation: Mandiant APT41)

Cluster A Galaxy A Cluster B Galaxy B Level
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern KEYPLUG - S1051 (6c575670-d14c-4c7f-9b9d-fd1b363e255d) Malware 1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern KEYPLUG - S1051 (6c575670-d14c-4c7f-9b9d-fd1b363e255d) Malware 1
KEYPLUG - S1051 (6c575670-d14c-4c7f-9b9d-fd1b363e255d) Malware Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 1
KEYPLUG - S1051 (6c575670-d14c-4c7f-9b9d-fd1b363e255d) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 1
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern KEYPLUG - S1051 (6c575670-d14c-4c7f-9b9d-fd1b363e255d) Malware 1
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern KEYPLUG - S1051 (6c575670-d14c-4c7f-9b9d-fd1b363e255d) Malware 1
KEYPLUG - S1051 (6c575670-d14c-4c7f-9b9d-fd1b363e255d) Malware Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern 1
KEYPLUG - S1051 (6c575670-d14c-4c7f-9b9d-fd1b363e255d) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 1
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2