C0044: Juicy Mix
Analyst context for executives and security teams
Juicy Mix is a historical 2022 campaign attributed in ATT&CK to OilRig that targeted Israeli organizations using the Mango C#/.NET backdoor. Its defensive value is that it ties together identity theft, Windows execution and persistence, discovery, local data staging, and web-based command-and-control behaviors that can materially affect incident scope and recovery decisions.
Executive priority
Treat this as a validation case for whether the organization can prove coverage across endpoint execution, credential protection, and outbound web traffic monitoring. The most business-relevant questions are: can security teams see suspicious scheduled tasks, PowerShell/VB/.NET activity, browser or Windows Credential Manager access, local data staging, and encoded web C2-like traffic; and can incident responders quickly determine whether credentials or staged data were exposed?
Technical view
ATT&CK does not provide campaign-level detection text or platforms for Juicy Mix, but the relationships point defenders toward Mango on Windows and techniques including Scheduled Task, PowerShell, Visual Basic, web protocols for C2, local data staging, system/software/browser discovery, browser credential access, Windows Credential Manager access, standard encoding, and deobfuscation/decoding. SOC and IR teams should validate telemetry and detections around those behaviors rather than relying on the campaign name alone.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for PowerShell, VB-related execution, .NET processes, and task scheduler activity
- Scheduled task creation, modification, and execution records
- Endpoint file activity showing local staging directories, unusual file aggregation, decoding/deobfuscation activity, or backdoor-related artifacts
- Credential access evidence involving browser credential stores and Windows Credential Manager/Vault access
- Host discovery telemetry for system, software, and browser enumeration
Detection direction
- Because official campaign detection is not provided, build coverage from the related software and techniques rather than assuming a single signature will identify the campaign.
- Tune detections for suspicious scheduled tasks and script execution while accounting for legitimate administration, software deployment, and automation activity.
- Correlate credential-store access with unusual script/.NET execution, discovery commands, local staging, and outbound web traffic to reduce false positives.
- Review visibility gaps around encoded web traffic, TLS inspection limitations, proxy logging retention, and endpoint command-line capture.
- Use relationship-driven context: Mango is associated with Windows, while several related techniques are cross-platform or PRE; validate only the platforms that exist in the local environment.
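One way to implement the correlation the bullets above call for, as an added example that is not part of the ATT&CK page or Glexia's tooling: it classifies constructed, SIEM-style sample events into the behavior buckets the page lists (encoded script execution, scheduled task creation, Credential Manager access, encoded web traffic) and alerts only when several distinct buckets co-occur on one host inside a time window, with an allow-list for Microsoft-shipped task paths to keep routine administration out. The field names, indicator patterns, and sample records are assumptions, not a real product schema or campaign telemetry.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
ENCODED_PS = re.compile(r"(?i)(-enc(odedcommand)?\s|frombase64string)")
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")          # T1132.001 standard encoding
VAULT_ACCESS = re.compile(r"(?i)\b(vaultcmd|cmdkey)\b")     # T1555.004 Credential Manager
ADMIN_TASK_PREFIXES = ("\\Microsoft\\Windows\\",)            # allow-listed OS task paths (assumed)
WINDOW = timedelta(minutes=30)                               # correlation window per host

def classify(ev):
    """Map one event to a behavior category, or None if it is benign/unknown."""
    src, d = ev["source"], ev.get("details", "")
    if src == "process" and ENCODED_PS.search(d):
        return "encoded_script"            # T1059.001 with T1140-style decoding
    if src == "process" and VAULT_ACCESS.search(d):
        return "credential_manager"
    if src == "task_create" and not d.startswith(ADMIN_TASK_PREFIXES):
        return "scheduled_task"            # T1053.005, minus allow-listed OS tasks
    if src == "proxy" and ev.get("method") == "POST" and B64_BLOB.search(d):
        return "encoded_web_c2"            # T1071.001 carrying an encoded blob
    return None

def correlate(events, min_categories=3):
    """Alert on hosts showing >= min_categories distinct behaviors within WINDOW."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = classify(ev)
        if cat:
            per_host[ev["host"]].append((ev["ts"], cat))
    alerts = {}
    for host, hits in per_host.items():
        for i, (start, _) in enumerate(hits):
            cats = {c for t, c in hits[i:] if t - start <= WINDOW}
            if len(cats) >= min_categories:
                alerts[host] = sorted(cats)
                break
    return alerts
T0 = datetime(2024, 1, 15, 9, 0)
SAMPLE = [  # constructed sample telemetry, not data from the real campaign
    {"host": "WS01", "ts": T0, "source": "process",
     "details": "powershell.exe -nop -w hidden -enc UwBhAG0AcABsAGUA"},   # blob is UTF-16 "Sample"
    {"host": "WS01", "ts": T0 + timedelta(minutes=2), "source": "task_create",
     "details": "\\Updater\\SyncTask -> wscript.exe C:\\Users\\Public\\sync.vbs"},
    {"host": "WS01", "ts": T0 + timedelta(minutes=5), "source": "process",
     "details": 'vaultcmd.exe /listcreds:"Windows Credentials"'},
    {"host": "WS01", "ts": T0 + timedelta(minutes=9), "source": "proxy", "method": "POST",
     "details": "http://198.51.100.7/api/v1/?d=Q29uc3RydWN0ZWRTYW1wbGVQYXlsb2FkMTIz"},
    {"host": "WS02", "ts": T0, "source": "task_create",
     "details": "\\Microsoft\\Windows\\Defrag\\ScheduledDefrag -> defrag.exe"},
]
```

Run `correlate(SAMPLE)` to see WS01 flagged on four buckets while WS02's allow-listed OS task produces nothing; raise `min_categories` or shrink `WINDOW` to trade recall for fewer false positives.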
Mitigation priorities
- Prioritize hardening and monitoring of Windows endpoints where Mango-related behavior is relevant, including script execution controls and scheduled task governance.
- Reduce credential exposure by limiting saved browser credentials where feasible, strengthening credential vault protections, and enforcing strong identity controls such as MFA and least privilege.
- Constrain and monitor outbound web traffic through managed egress, proxy logging, and anomaly review for unusual destinations or encoded payload patterns.
- Improve endpoint logging retention for process creation, command lines, task scheduler events, file staging activity, and credential access signals.
- Prepare IR decision points for containment, credential reset scope, and data exposure review when discovery, staging, or credential-access behaviors are observed.
Analyst notes and limits
This take is based on ATT&CK campaign C0044, its official description, the ESET external reference, and listed relationships to OilRig, Mango, and associated techniques. It is most useful as a control-validation and hunt-planning brief, not as a claim of current activity or guaranteed detection.
The campaign object does not specify platforms, tactics, or official detection guidance. Platform-specific recommendations are inferred only from related Mango and technique records, especially Windows-linked relationships. Local telemetry, asset mix, and approved threat intelligence are required to determine actual exposure and coverage.
Juicy Mix
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1217 | Browser Information Discovery | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1518 | Software Discovery | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1587.001 | Malware Sub-technique | |
| Enterprise | T1555.004 | Windows Credential Manager Sub-technique | |
| Enterprise | T1059.005 | Visual Basic Sub-technique | |
| Enterprise | T1584.004 | Server Sub-technique | |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
S1169: Mango
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5477675b5a56… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET OilRig Campaigns Sep 2023: Hromcova, Z. and Burgher, A. (2023, September 21). OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes. Retrieved November 21, 2024.
- [2] mitre-attack C0044
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.