menuPass
Essential information
- Confidence
- 100/100
- Published
- 16/12/2025 19:39
- Modified
- 27/03/2026 01:13
- Updated at
- 27/03/2026 01:13
- Revoked
- No
- Author / Source
- The MITRE Corporation
- Resource level
- —
- Primary motivation
- —
- Related entities
- 70 attack patterns (mitre), 19 malware, 8 sectors, 2 countries, 61 indicators, 12 tool
Aliases
Cicada POTASSIUM Stone Panda Red Apollo CVNX HOGFISH BRONZE RIVERSIDE APT10
Description
Marking (TLP)
TLP:CLEAR Copyright 2015-2025, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation.
External references
- DOJ APT10 Dec 2018
- SecureWorks BRONZE STARLIGHT Ransomware Operations June 2022
- Palo Alto menuPass Feb 2017
- Crowdstrike CrowdCast Oct 2013
- FireEye Poison Ivy
- FireEye APT10 April 2017
- Symantec Cicada November 2020
- Accenture Hogfish April 2018
- FireEye APT10 Sept 2018
- PWC Cloud Hopper April 2017
- District Court of NY APT10 Indictment December 2018
- mitre-attack (G0045)
Related entities
Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.
Attack patterns (MITRE) (70)
-
T1059.005 usesVisual Basic MITRE
-
T1005 usesData from Local System MITRE
-
T1070.004 usesFile Deletion MITRE
-
T1573 usesEncrypted Channel MITRE
-
T1568 usesDynamic Resolution MITRE
-
T1047 usesWindows Management Instrumentation MITRE
-
T1016 usesSystem Network Configuration Discovery MITRE
-
T1003.002 usesSecurity Account Manager MITRE
-
T1059.007 usesJavaScript MITRE
-
T1570 usesLateral Tool Transfer MITRE
Malware (19)
-
HUI Loader usesFamily The MITRE Corporation Confidence 100
[HUI Loader](https://attack.mitre.org/software/S1097) is a custom DLL loader that has been used since at least 2015 by China-based threat groups including [Cinnamon Tempest](https://attack.mitre.org/groups/G1021) and [menuPass](https://attack.mitre.org/groups/G0045) to deploy malware on…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SNUGRIDE usesFamily The MITRE Corporation Confidence 100
[SNUGRIDE](https://attack.mitre.org/software/S0159) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045) as first stage malware. (Citation: FireEye APT10 April 2017)
First seen 01/01/1970 · Last seen 16/11/5138 · -
RedLeaves usesFamily The MITRE Corporation Confidence 100
[RedLeaves](https://attack.mitre.org/software/S0153) is a malware family used by [menuPass](https://attack.mitre.org/groups/G0045). The code overlaps with [PlugX](https://attack.mitre.org/software/S0013) and may be based upon the open source tool Trochilus. (Citation: PWC Cloud Hopper Technical…
First seen 01/01/1970 · Last seen 16/11/5138 · -
LODEINFO usesAlienVault Confidence 100
[LODEINFO](https://attack.mitre.org/software/S9020) is a fileless backdoor malware first identified in 2020 that has been used by actors including [MirrorFace](https://attack.mitre.org/groups/G1054), primarily against media, diplomatic, governmental, and public sector organizations in…
First seen 01/01/1970 · Last seen 16/11/5138 · -
EvilGrab usesFamily The MITRE Corporation Confidence 100
[EvilGrab](https://attack.mitre.org/software/S0152) is a malware family with common reconnaissance capabilities. It has been deployed by [menuPass](https://attack.mitre.org/groups/G0045) via malicious Microsoft Office documents as part of spearphishing campaigns. (Citation: PWC Cloud…
First seen 01/01/1970 · Last seen 16/11/5138 · -
NOOPDOOR usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
PoisonIvy usesFamily The MITRE Corporation Confidence 100
[PoisonIvy](https://attack.mitre.org/software/S0012) is a popular remote access tool (RAT) that has been used by many groups.(Citation: FireEye Poison Ivy)(Citation: Symantec Elderwood Sept 2012)(Citation: Symantec Darkmoon Aug 2005)
First seen 01/01/1970 · Last seen 16/11/5138 · -
NOOPLDR usesAlienVault Confidence 100
[NOOPLDR](https://attack.mitre.org/software/S9025) is a shellcode loader with XML/C# and DLL versions that has been used by [MirrorFace](https://attack.mitre.org/groups/G1054) to load [HiddenFace](https://attack.mitre.org/software/S9023).(Citation: Trend Micro Earth Kasha NOV 2024)
First seen 01/01/1970 · Last seen 16/11/5138 · -
SharpHound usesAlienVault Confidence 100First seen 01/01/1970 · Last seen 16/11/5138 ·
-
UPPERCUT usesFamily The MITRE Corporation Confidence 100
[UPPERCUT](https://attack.mitre.org/software/S0275) is a backdoor that has been used by [menuPass](https://attack.mitre.org/groups/G0045). (Citation: FireEye APT10 Sept 2018)
First seen 01/01/1970 · Last seen 16/11/5138 · -
Cobalt Strike usesFamily The MITRE Corporation Confidence 100
[Cobalt Strike](https://attack.mitre.org/software/S0154) is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced…
First seen 01/01/1970 · Last seen 16/11/5138 · -
SodaMaster usesFamily The MITRE Corporation Confidence 100
[SodaMaster](https://attack.mitre.org/software/S0627) is a fileless malware used by [menuPass](https://attack.mitre.org/groups/G0045) to download and execute payloads since at least 2020.(Citation: Securelist APT10 March 2021)
First seen 01/01/1970 · Last seen 16/11/5138 ·
Sectors (8)
-
Diplomacy targets
-
Research targets
-
Government targets
-
Legal targets
-
Media targets
-
Healthcare services targets
-
Defense targets
-
Healthcare targets
Countries (2)
-
Australia targets
-
Japan targets
Indicators (61)
-
https://covid19.gov.gd/xmlrpc.phpindicatesstix 100/100 Revoked· Valid until 27/02/2023 · Source: AlienVault -
https://fx-arabia.com/xmlrpc.phpindicatesstix 100/100 Revoked· Valid until 27/02/2023 · Source: AlienVault -
stix 100/100 Revoked· Valid until 04/10/2025 · Source: AlienVault
-
stix 100/100 Revoked· Valid until 15/04/2024 · Source: AlienVault
-
https://sayhueque.com/xmlrpc.phpindicatesstix 100/100 RevokedASCII text, with no line terminators b5318ac100f7dc6756f712e319e37178338d0a63a4c1eff3ed41ef5c3c599138
· Valid until 27/02/2023 · Source: AlienVault -
stix 100/100 Revoked· Valid until 15/04/2024 · Source: AlienVault
-
http://bodilbruun.dk/xmlrpc.phpindicatesstix 100/100 Revoked· Valid until 27/02/2023 · Source: AlienVault -
https://ntumatches.tw/xmlrpc.phpindicatesstix 100/100 Revoked· Valid until 27/02/2023 · Source: AlienVault
Tool (12)
-
esentutl usesThe MITRE Corporation Confidence 100
[esentutl](https://attack.mitre.org/software/S0404) is a command-line tool that provides database utilities for the Windows Extensible Storage Engine.(Citation: Microsoft Esentutl)
-
AdFind usesThe MITRE Corporation Confidence 100
[AdFind](https://attack.mitre.org/software/S0552) is a free command-line query tool that can be used for gathering information from Active Directory.(Citation: Red Canary Hospital Thwarted Ryuk October 2020)(Citation: FireEye FIN6 Apr 2019)(Citation:…
-
Impacket usesThe MITRE Corporation Confidence 100
[Impacket](https://attack.mitre.org/software/S0357) is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. [Impacket](https://attack.mitre.org/software/S0357) contains several tools for remote service execution, Kerberos manipulation,…
-
PsExec usesThe MITRE Corporation Confidence 100
[PsExec](https://attack.mitre.org/software/S0029) is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers.(Citation: Russinovich Sysinternals)(Citation: SANS…
-
PowerSploit usesThe MITRE Corporation Confidence 100
[PowerSploit](https://attack.mitre.org/software/S0194) is an open source, offensive security framework comprised of [PowerShell](https://attack.mitre.org/techniques/T1059/001) modules and scripts that perform a wide range of tasks related to penetration testing such as code…
-
pwdump usesThe MITRE Corporation Confidence 100
[pwdump](https://attack.mitre.org/software/S0006) is a credential dumper. (Citation: Wikipedia pwdump)
-
Ping usesThe MITRE Corporation Confidence 100
[Ping](https://attack.mitre.org/software/S0097) is an operating system utility commonly used to troubleshoot and verify network connections. (Citation: TechNet Ping)
-
Net usesThe MITRE Corporation Confidence 100
The [Net](https://attack.mitre.org/software/S0039) utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. (Citation: Microsoft…
-
Mimikatz usesThe MITRE Corporation Confidence 100
[Mimikatz](https://attack.mitre.org/software/S0002) is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of…
-
cmd usesThe MITRE Corporation Confidence 100
[cmd](https://attack.mitre.org/software/S0106) is the Windows command-line interpreter that can be used to interact with systems and execute other processes and utilities. (Citation: TechNet Cmd) Cmd.exe contains native functionality to…
-
QuasarRAT usesThe MITRE Corporation Confidence 100
[QuasarRAT](https://attack.mitre.org/software/S0262) is an open-source, remote access tool that has been publicly available on GitHub since at least 2014. [QuasarRAT](https://attack.mitre.org/software/S0262) is developed in the C# language.(Citation: GitHub QuasarRAT)(Citation: Volexity…
-
certutil usesThe MITRE Corporation Confidence 100
[certutil](https://attack.mitre.org/software/S0160) is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. (Citation: TechNet Certutil)