G0011: PittyTiger
PittyTiger is a threat group believed to operate out of China that uses multiple different types of malware to maintain command and control.[1][2]
Analyst context for executives and security teams
PittyTiger is an ATT&CK group entry for a China-linked threat group reported to use multiple malware families for command and control. For leaders, the practical issue is not a single signature: the relationships point to credential theft, remote access tooling, and valid-account abuse, which can turn an initial compromise into persistent access if identity controls and endpoint visibility are weak.
Executive priority
Prioritize validation of credential protection, privileged account monitoring, and remote access governance. This object has no official MITRE detection guidance or group-level platform list, so risk decisions should be based on whether your environment can prove visibility into the related behaviors: credential dumping tools, RAT-style command and control, and valid-account misuse across identity, remote access, and cloud/identity-provider surfaces where applicable.
Technical view
SOC and IR teams should pivot from the group name to the supplied relationships. Validate detections and response playbooks for Mimikatz and gsecdump-style credential dumping, Lurid/PoisonIvy/gh0st RAT-related remote access behavior, and ATT&CK T1078 Valid Accounts activity. Because MITRE does not provide detection text for this group, coverage should be measured by behavior-based telemetry rather than assuming group-specific indicators are sufficient.
Likely telemetry
- Endpoint process creation and command-line telemetry for credential dumping utilities and suspicious access to credential material
- Windows security logs and authentication events, especially privileged logons and unusual lateral or remote access patterns
- Identity provider, VPN, remote desktop, and externally exposed service authentication logs relevant to valid-account abuse
- EDR alerts or forensic artifacts associated with RAT execution, persistence, and command-and-control activity
- Network telemetry for unusual outbound remote access or C2-like sessions from endpoints
Detection direction
- Do not rely on the PittyTiger name alone; map detections to the related software and technique relationships.
- Validate credential dumping coverage for Mimikatz and gsecdump behaviors, including false-positive handling for authorized security testing tools.
- Tune identity analytics for valid-account abuse: impossible or atypical logons, new remote access patterns, privilege changes, and access from unusual infrastructure.
- Review RAT-oriented detections for PoisonIvy, gh0st RAT, and Lurid, using behavior and network patterns where static indicators are stale or unavailable.
- Confirm that cloud/identity-provider and remote access logs are retained long enough to support incident reconstruction for T1078-style activity.
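The telemetry and detection-direction items above describe behavior-based coverage in general terms. The following Python block is an added example of what such triage logic looks like over constructed Windows Security and Sysmon-style events; it is not MITRE detection text (MITRE provides none for G0011) and not code from the cited reports. The event layouts, host names (WS-042, PENTEST-01, FS-01, DC-01), accounts, file paths, IP addresses, allowlists and baselines are all constructed assumptions. It covers three of the behaviors the list calls out: memory-read access to lsass.exe from an untrusted process (credential-dumping pattern, with suppression for authorized testing hosts), remote logons from a source address outside the account's baseline (T1078-style valid-account abuse), and special-privilege assignment to accounts not expected to hold it.

```python
"""Behavior-based triage over constructed Windows Security / Sysmon-style events.

Added example for this page; not MITRE's detection guidance and not code from
the cited reports. Every host, account, path, address and allowlist below is a
constructed assumption.
"""

# Constructed allowlists and baselines (assumptions, not from the ATT&CK page).
TRUSTED_LSASS_READERS = {r"c:\program files\windows defender\msmpeng.exe"}
AUTHORIZED_TEST_HOSTS = {"PENTEST-01"}       # hosts where credential-dumping tools are sanctioned
PRIVILEGED_USERS = {"admin-ops"}             # accounts expected to trigger Event ID 4672
KNOWN_SOURCES = {"jdoe": {"10.20.30.40"}}    # per-account baseline of remote logon sources
REMOTE_LOGON_TYPES = {3, 10}                 # network and RemoteInteractive (RDP) logons
PROCESS_VM_READ = 0x0010                     # access right needed to read another process's memory

# Constructed sample events (not real telemetry). Keys loosely follow Sysmon/Windows field names.
SAMPLE_EVENTS = [
    {"event_id": 10, "host": "WS-042",
     "source_image": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 10, "host": "PENTEST-01",
     "source_image": r"C:\Tools\tester.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"event_id": 10, "host": "WS-042",
     "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1fffff"},
    {"event_id": 4624, "host": "WS-042", "user": "jdoe", "logon_type": 10, "src_ip": "10.20.30.40"},
    {"event_id": 4624, "host": "FS-01", "user": "jdoe", "logon_type": 10, "src_ip": "203.0.113.77"},
    {"event_id": 4624, "host": "FS-01", "user": "jdoe", "logon_type": 2, "src_ip": "-"},  # local logon
    {"event_id": 4672, "host": "WS-042", "user": "jdoe"},
    {"event_id": 4672, "host": "DC-01", "user": "admin-ops"},
]


def check_lsass_access(ev):
    """Sysmon Event ID 10: flag memory-read access to lsass.exe from untrusted processes."""
    if ev.get("event_id") != 10 or not ev["target_image"].lower().endswith(r"\lsass.exe"):
        return None
    if int(ev["granted_access"], 16) & PROCESS_VM_READ == 0:
        return None                                  # handle cannot read memory; not a dump pattern
    if ev["source_image"].lower() in TRUSTED_LSASS_READERS:
        return None                                  # known security product; suppress
    if ev["host"] in AUTHORIZED_TEST_HOSTS:          # false-positive handling for sanctioned testing
        return {"rule": "lsass_read_authorized_test", "severity": "info", "host": ev["host"],
                "detail": ev["source_image"]}
    return {"rule": "lsass_read_untrusted", "severity": "high", "host": ev["host"],
            "detail": ev["source_image"]}


def check_valid_account(ev):
    """Event ID 4624: flag remote logons from a source address not in the account's baseline."""
    if ev.get("event_id") != 4624 or ev["logon_type"] not in REMOTE_LOGON_TYPES:
        return None
    if ev["src_ip"] in KNOWN_SOURCES.get(ev["user"], set()):
        return None
    return {"rule": "valid_account_new_source", "severity": "medium", "host": ev["host"],
            "detail": f'{ev["user"]} from {ev["src_ip"]}'}


def check_privileged_logon(ev):
    """Event ID 4672: flag special-privilege assignment to accounts not expected to hold it."""
    if ev.get("event_id") != 4672 or ev["user"] in PRIVILEGED_USERS:
        return None
    return {"rule": "privileged_logon_unexpected", "severity": "high", "host": ev["host"],
            "detail": ev["user"]}


CHECKS = (check_lsass_access, check_valid_account, check_privileged_logon)


def triage(events):
    """Run every check over every event and return the list of findings."""
    findings = []
    for ev in events:
        for check in CHECKS:
            finding = check(ev)
            if finding:
                findings.append(finding)
    return findings


def hosts_needing_containment(findings):
    """Hosts with both a credential-access and an unexpected-privilege finding get priority."""
    by_host = {}
    for f in findings:
        by_host.setdefault(f["host"], set()).add(f["rule"])
    return sorted(h for h, rules in by_host.items()
                  if "lsass_read_untrusted" in rules and "privileged_logon_unexpected" in rules)


if __name__ == "__main__":
    results = triage(SAMPLE_EVENTS)
    for f in results:
        print(f'{f["severity"]:6} {f["rule"]:28} {f["host"]:10} {f["detail"]}')
    print("priority containment:", hosts_needing_containment(results))
```

The design point is that none of the checks keys on a tool name: the LSASS rule looks at the granted access mask and the requesting image, the valid-account rule compares against a per-account baseline, and the privilege rule compares against an expected-holders list. Authorized testing hosts still produce an informational record rather than silence, so the activity stays reconstructable during an incident.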
Mitigation priorities
- Harden privileged identity first: enforce MFA where applicable, reduce standing privileges, and monitor administrative account use.
- Improve endpoint resistance to credential theft through credential protection, least privilege, and rapid isolation procedures for suspected dump activity.
- Restrict and monitor remote administration paths, VPN, RDP, and externally available services that could be abused with valid accounts.
- Maintain behavior-based detections for public or widely used tools rather than only blocklists, since related tools may also appear in legitimate testing contexts.
- Prepare IR playbooks that include credential reset scope, token/session revocation, endpoint containment, and review of persistence mechanisms after RAT or credential-dumping findings.
Analyst notes and limits
The most decision-useful relationships are to credential dumping software, RATs, Valid Accounts, and Tool acquisition. These support identity, endpoint, SOC, and IR readiness discussions. The official group description states the group is believed to operate out of China and uses multiple malware types for command and control; no additional attribution or current activity should be inferred from this object alone.
MITRE provides no official detection text, no group-level platforms, and no listed tactics for this intrusion-set object. Platform references come only from related software or technique records. Local environment telemetry, asset scope, and incident evidence are required before assessing exposure or coverage.
PittyTiger
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1588.002 | Obtain Capabilities: Tool | PittyTiger has obtained and used tools such as Mimikatz and gsecdump.[1] |
| Enterprise | T1078 | Valid Accounts | PittyTiger attempts to obtain legitimate credentials during operations.[1] |
Groups, software, and campaigns
- S0032: gh0st RAT
- S0010: Lurid. Lurid is a malware family that has been used by several groups, including PittyTiger, in targeted attacks as far back as 2006.[1][2]
- S0008: gsecdump
- S0012: PoisonIvy
- S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 84fac0e52b94… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Bizeul 2014: Bizeul, D., Fontarensky, I., Mouchoux, R., Perigaud, F., Pernet, C. (2014, July 11). Eye of the Tiger. Retrieved September 29, 2015.
[2] Villeneuve 2014: Villeneuve, N., Homan, J. (2014, July 31). Spy of the Tiger. Retrieved September 29, 2015.
[3] PittyTiger (alias record): (Citation: Bizeul 2014) (Citation: Villeneuve 2014)
[4] mitre-attack: G0011
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.