C0007: FunnyDream
FunnyDream was a suspected Chinese cyber espionage campaign that targeted government and foreign organizations in Malaysia, the Philippines, Taiwan, Vietnam, and other parts of Southeast Asia. Security researchers linked the FunnyDream campaign to possible Chinese-speaking threat actors through the use of the Chinoxy backdoor and noted infrastructure overlap with the TAG-16 threat group.[1][2][3]
Analyst context for executives and security teams
FunnyDream is documented by ATT&CK as a suspected cyber espionage campaign targeting government and foreign organizations in Southeast Asia. Its value for decision-making is that the observed behavior combines ordinary Windows administration utilities, discovery activity, tool transfer, archiving, and campaign-specific backdoors. For leaders, this is a reminder that espionage tradecraft can look like routine administration until it is correlated with malware, remote command execution, and data-staging behavior.
Executive priority
Prioritize this as a validation use case for organizations with Southeast Asia exposure, government/foreign affairs operations, or sensitive regional intelligence, policy, or diplomatic data. The business question is not simply “are we blocking FunnyDream,” but whether SOC, incident response, and endpoint teams can distinguish legitimate administration from discovery, persistence, payload deployment, collection, and exfiltration preparation. Evidence of coverage should support audit and resilience discussions around endpoint visibility, command-line logging, malware response, and data loss investigation readiness.
Technical view
ATT&CK provides no detection text for the campaign object itself, so defenders should build coverage from the linked techniques and software. Validate visibility for the Windows execution and discovery behaviors the relationships name: Windows Command Shell (cmd.exe launching wmiexec.vbs), Visual Basic scripting, Windows Management Instrumentation (wmiexec.vbs running remote commands), System Information Discovery (Systeminfo), Process Discovery (Tasklist), System Network Configuration Discovery (ipconfig), Remote System Discovery, System Network Connections Discovery (netstat), Ingress Tool Transfer (additional droppers and backdoors), and Archive via Utility (7zr.exe). Related software includes Chinoxy, ccf32, the FunnyDream backdoor, and a modified PcShare. Detection engineering should focus on the correlated sequence rather than any single step: remote command execution, followed by host and network enumeration, tool download, archive creation, and backdoor or remote access traffic. Treat the resource-development techniques (domains, email accounts, malware, and tools) as threat-intelligence enrichment rather than as internal telemetry in their own right.
Likely telemetry
- Endpoint process creation events with command-line arguments for cmd, WMI-related execution, tasklist, systeminfo, ipconfig, and netstat
- Endpoint file creation, modification, and execution events for transferred tools, archives, and malware-like payloads
- Network connection telemetry from endpoints, including outbound sessions and unusual remote access patterns
- DNS and domain reputation/context logs for infrastructure pivoting where available
- Email security and threat intelligence records for suspicious accounts or campaign infrastructure when available
Detection direction
- Tune detections around behavior chains rather than single utilities, because tasklist, systeminfo, ipconfig, and netstat are legitimate administration tools.
- Baseline normal administrative use of WMI and command shell so unusual parent processes, remote execution context, service accounts, or timing stand out.
- Correlate discovery commands with subsequent ingress tool transfer, archive creation, and outbound network activity to reduce false positives.
- Use the named malware and tools from the relationships as intelligence pivots, but do not rely only on signatures because the ATT&CK object does not provide detection logic.
- Review whether telemetry exists on systems where the related Windows malware and utilities would execute; the campaign object itself does not specify platforms.
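The correlation the list above describes, as an added example written for this page (it is not code from MITRE ATT&CK, Glexia, or the Bitdefender report). It runs over constructed Sysmon-style process-creation events and alerts only when remote execution, a burst of distinct discovery utilities, and a 7-Zip archive command occur on one host inside a time window. Event field names, host names, paths, and the WmiPrvSE.exe parent heuristic are assumptions; the heuristic reflects general Windows WMI behavior, not anything the ATT&CK page states.

```python
"""Behavior-chain correlation for FunnyDream-style tradecraft.

Added example; not code from MITRE ATT&CK, Glexia, or Bitdefender. Event
fields (ts, host, parent, image, cmdline), host names and paths are assumed:
map them onto your EDR or Sysmon schema (Sysmon Event ID 1 carries
ParentImage, Image and CommandLine).
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

# Utilities named in the campaign relationships. Each is a legitimate admin
# tool, so a single hit is never an alert; only the ordered chain is.
DISCOVERY_TOOLS = {"tasklist.exe", "systeminfo.exe", "ipconfig.exe", "netstat.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
ARCHIVERS = {"7zr.exe", "7z.exe", "7za.exe"}


def _image_name(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> str | None:
    """Map one process-creation event to a chain stage, or None."""
    image, parent = _image_name(ev["image"]), _image_name(ev["parent"])
    cmd = ev["cmdline"].lower()
    # Stage 1, execution: wmiexec.vbs run through a script host (operator side),
    # or any child of WmiPrvSE.exe (target side of WMI Win32_Process.Create).
    # The parent heuristic is assumed general Windows behaviour, not page text.
    if (image in SCRIPT_HOSTS and "wmiexec.vbs" in cmd) or parent == "wmiprvse.exe":
        return "execution"
    # Stage 2, discovery: the four utilities from the relationship table.
    if image in DISCOVERY_TOOLS:
        return "discovery"
    # Stage 3, staging: 7-Zip invoked with the "a" (add to archive) command.
    if image in ARCHIVERS and cmd.split()[1:2] == ["a"]:
        return "archive"
    return None


def detect_chain(events: list[dict], window_minutes: int = 30,
                 min_discovery: int = 2) -> list[dict]:
    """Per host: execution, then >= min_discovery distinct discovery tools,
    then an archive, all within window_minutes of the execution event."""
    window = timedelta(minutes=window_minutes)
    by_host: dict[str, list] = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage, ev))
    alerts = []
    for host, seq in by_host.items():
        seq.sort(key=lambda item: item[0])
        for i, (t0, stage0, _) in enumerate(seq):
            if stage0 != "execution":
                continue
            tools: set[str] = set()
            archive_at = None
            for t, stage, ev in seq[i + 1:]:
                if t - t0 > window:
                    break
                if stage == "discovery":
                    tools.add(_image_name(ev["image"]))
                elif stage == "archive" and len(tools) >= min_discovery:
                    archive_at = t
                    break
            if archive_at:
                alerts.append({"host": host, "start": t0.isoformat(),
                               "discovery_tools": sorted(tools),
                               "archive_at": archive_at.isoformat()})
                break  # one alert per host per chain start
    return alerts


def _ev(ts, host, parent, image, cmdline):
    return {"ts": ts, "host": host, "parent": parent, "image": image, "cmdline": cmdline}


SYS32 = r"C:\Windows\System32"
# Constructed sample telemetry, not real logs.
SAMPLE_EVENTS = [
    # Host A: remote WMI command, discovery burst, then 7zr.exe staging. Alerts.
    _ev("2024-03-01T09:00:00", "FIN-WS-07", SYS32 + r"\wbem\WmiPrvSE.exe", SYS32 + r"\cmd.exe", "cmd.exe /c whoami"),
    _ev("2024-03-01T09:01:10", "FIN-WS-07", SYS32 + r"\cmd.exe", SYS32 + r"\tasklist.exe", "tasklist /v"),
    _ev("2024-03-01T09:01:40", "FIN-WS-07", SYS32 + r"\cmd.exe", SYS32 + r"\systeminfo.exe", "systeminfo"),
    _ev("2024-03-01T09:02:05", "FIN-WS-07", SYS32 + r"\cmd.exe", SYS32 + r"\netstat.exe", "netstat -ano"),
    _ev("2024-03-01T09:14:30", "FIN-WS-07", SYS32 + r"\cmd.exe", r"C:\Users\Public\7zr.exe",
        r"7zr.exe a C:\Users\Public\out.7z C:\Users\jdoe\Documents"),
    # Host B: help desk running ipconfig and netstat from an interactive shell. Benign.
    _ev("2024-03-01T10:00:00", "HR-WS-02", r"C:\Windows\explorer.exe", SYS32 + r"\cmd.exe", "cmd.exe"),
    _ev("2024-03-01T10:00:30", "HR-WS-02", SYS32 + r"\cmd.exe", SYS32 + r"\ipconfig.exe", "ipconfig /all"),
    _ev("2024-03-01T10:01:00", "HR-WS-02", SYS32 + r"\cmd.exe", SYS32 + r"\netstat.exe", "netstat -an"),
    # Host C: same opening, but the archive comes two days later, outside the window. No alert.
    _ev("2024-03-01T11:00:00", "OPS-WS-11", SYS32 + r"\wbem\WmiPrvSE.exe", SYS32 + r"\cmd.exe", "cmd.exe /c hostname"),
    _ev("2024-03-01T11:00:20", "OPS-WS-11", SYS32 + r"\cmd.exe", SYS32 + r"\tasklist.exe", "tasklist"),
    _ev("2024-03-01T11:00:45", "OPS-WS-11", SYS32 + r"\cmd.exe", SYS32 + r"\systeminfo.exe", "systeminfo"),
    _ev("2024-03-03T11:00:00", "OPS-WS-11", SYS32 + r"\cmd.exe", r"C:\Tools\7z.exe", r"7z.exe a C:\Tools\backup.7z C:\Data"),
]

if __name__ == "__main__":
    for alert in detect_chain(SAMPLE_EVENTS):
        print(alert)
```

The window and the minimum number of distinct discovery tools are the tuning knobs the list above refers to: tighten them where administrators routinely run these utilities, and add the Sysmon file-create and network-connect events for the ingress tool transfer and outbound stages once the process chain is producing acceptable volume.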
Mitigation priorities
- First, confirm endpoint logging and retention are sufficient to reconstruct command execution, WMI use, discovery commands, file transfer, archive creation, and outbound connections.
- Second, restrict and monitor administrative execution paths such as command shell and WMI according to operational need, especially for privileged and remote contexts.
- Third, harden malware prevention and response workflows for backdoors, data collection malware, and modified remote access tools identified in the relationships.
- Fourth, improve egress monitoring and data-staging review so archive creation plus suspicious outbound traffic can trigger investigation.
- Fifth, integrate threat-intelligence review of domains, email accounts, malware, and tools into SOC triage without treating campaign labels as proof of attribution.
Analyst notes and limits
The official ATT&CK description links FunnyDream to a suspected Chinese cyber espionage campaign and notes possible Chinese-speaking threat actors, Chinoxy use, and infrastructure overlap with TAG-16. This analysis treats those as source-reported context, not as a definitive attribution finding. The strongest defensive value comes from validating coverage for the related techniques and software rather than from the campaign name alone.
ATT&CK provides no official detection guidance for this campaign, and the campaign object lists no platforms or tactics directly. Platform and behavior guidance here is derived from supplied relationships, especially Windows-related malware, utilities, and execution techniques. Local environment baselines, asset exposure, and available telemetry are required before judging risk or coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.005 | Visual Basic | During FunnyDream, the threat actors used a Visual Basic script to run remote commands.[1] |
| Enterprise | T1018 | Remote System Discovery | During FunnyDream, the threat actors used several tools and batch files to map victims' internal networks.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During FunnyDream, the threat actors used ipconfig for discovery on remote systems.[1] |
| Enterprise | T1560.001 | Archive via Utility | During FunnyDream, the threat actors used 7zr.exe to add collected files to an archive.[1] |
| Enterprise | T1059.003 | Windows Command Shell | During FunnyDream, the threat actors used `cmd.exe` to execute the wmiexec.vbs script.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During FunnyDream, the threat actors downloaded additional droppers and backdoors onto a compromised system.[1] |
| Enterprise | T1588.001 | Malware | For FunnyDream, the threat actors used a new backdoor named FunnyDream.[1] |
| Enterprise | T1057 | Process Discovery | During FunnyDream, the threat actors used Tasklist on targeted systems.[1] |
| Enterprise | T1583.001 | Domains | For FunnyDream, the threat actors registered a variety of domains.[1] |
| Enterprise | T1049 | System Network Connections Discovery | During FunnyDream, the threat actors used netstat to discover network connections on remote systems.[1] |
| Enterprise | T1585.002 | Email Accounts | For FunnyDream, the threat actors likely established an identified email account to register a variety of domains that were used during the campaign.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | During FunnyDream, the threat actors used `wmiexec.vbs` to run remote commands.[1] |
| Enterprise | T1588.002 | Tool | For FunnyDream, the threat actors used a modified version of the open source PcShare remote administration tool.[1] |
| Enterprise | T1082 | System Information Discovery | During FunnyDream, the threat actors used Systeminfo to collect information on targeted hosts.[1] |
Groups, software, and campaigns
S1043: ccf32
ccf32 is data collection malware that has been used since at least February 2019, most notably during the FunnyDream campaign; there is also a similar x64 version.[1]
S1044: FunnyDream
FunnyDream is a backdoor with multiple components that was used during the FunnyDream campaign since at least 2019, primarily for execution and exfiltration.[1]
S0096: Systeminfo
Systeminfo is a Windows utility that can be used to gather detailed information about a computer.[1]
S0100: ipconfig
S0057: Tasklist
S0104: netstat
S1041: Chinoxy
Chinoxy is a backdoor that has been used since at least November 2018, during the FunnyDream campaign, to gain persistence and drop additional payloads. According to security researchers, Chinoxy has been used by Chinese-speaking threat actors.[1]
S1050: PcShare
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 634cfc854be3… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Bitdefender FunnyDream Campaign November 2020: Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
[2] Kaspersky APT Trends Q1 2020: Global Research and Analysis Team. (2020, April 30). APT trends report Q1 2020. Retrieved September 19, 2022.
[3] Recorded Future Chinese Activity in Southeast Asia December 2021: Insikt Group. (2021, December 8). Chinese State-Sponsored Cyber Espionage Activity Supports Expansion of Regional Power and Influence in Southeast Asia. Retrieved September 19, 2022.
[4] mitre-attack C0007: MITRE ATT&CK campaign object C0007 (FunnyDream).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.